Weitere ähnliche Inhalte Ähnlich wie Malaysia's National Cyber Security Policy (20) Mehr von Directorate of Information Security | Ditjen Aptika (20) Kürzlich hochgeladen (20) Malaysia's National Cyber Security Policy1. Copyright © 2013 CyberSecurity Malaysia
MALAYSIA’S NATIONAL CYBER
SECURITY POLICY
An Integrated Approach For Cyber Security And
Critical Information Infrastructure Protection
10 September 2013
Bandung, Indonesia
MOHD SHAMIR B HASHIM
Vice President
Government and Multilateral Engagement
2. Copyright © 2013 CyberSecurity Malaysia
§ Critical infrastructures are increasingly dependent on information and communication.
§ The potential natural disasters or terrorist attacks, which threaten the critical infrastructure and critical
information infrastructure as well, are dramatically increasing today.
§ Risks to the CIIs include man-made attacks, natural disasters and technical failures.
§ The high dependence on CNIIs, their cross-border interconnectedness and interdependencies with
other infrastructures, as well as the vulnerabilities and threats they face raise the need to address their
security and resilience in a systematic perspective as the frontline of defense against failures and
attacks.
Cyber Threats
CRITICAL INFORMATION INFRASTRUCTURES
POWER GENERATION
SERVICES
DISTRIBUTION
Interdependencies
The high degree of
interdependency between the
critical infrastructure sectors
means failures in one sector
can propagate into others.
2
3. Copyright © 2013 CyberSecurity Malaysia
Cyber
Content
Related
Threats
Technology
Related
Threats
Hack Threat
Fraud
Denial of Service Attack
Intrusion
Malicious Code
Harassment
Threats to National
Security
Sedition / Defamation
Online Porn
Hate Speech
3
Cyber Threats
CLASIFICATIONS
4. Copyright © 2013 CyberSecurity Malaysia 4
2005
National Cyber
Security Policy
formulated by MOSTI
NCSP
Adoption
and Implementation
2006
CyberSecurity Malaysia
launched by
Prime Minister of Malaysia
on 20 Aug 2007
2007
The policy recognises the critical and highly interdependent nature of the CNII and aims to
develop and establish a comprehensive programme and a series of frameworks that will ensure
the effectiveness of cyber security controls over vital assets
NCSP
Objectives
Address The Risks To
The Critical National
Information
Infrastructure
Ensure That Critical
Infrastructure Are
Protected To A Level
That Is
Commensurate With
The Risks
Develop And
Establish A
Comprehensive
Program And A
Series Of
Frameworks
Cyber Security Governance
NATIONAL CYBER SECURITY POLICY
4
5. Copyright © 2013 CyberSecurity Malaysia
VISION
Malaysia's Critical National Information Infrastructure shall be secure, resilient and
self-reliant. Infused with a culture of security, it will promote stability, social well being
and wealth creation
5
DEFENCE & SECURITY
• Ministry of Defense, Military
• Ministry of Home Affairs, Police
TRANSPORTATION
• Ministry of Transport
BANKING & FINANCE
• Ministry of Finance
• Central Bank
• Securities Commission
HEALTH SERVICES
• Ministry of Health
EMERGENCY SERVICES
Ministry of Housing & Local Municipality
CRITICAL NATIONAL
INFORMATION
INFRASTRUCTURE
Assets (real & virtual),
systems and functions
that are vital to the nation
that their incapacity or
destruction would have a
devastating impact on
• National Defense &
Security
• National Economic
Strength
• National Image
• Government capability
to function
• Public Health & Safety
ENERGY
• Energy Commission
INFORMATION &
COMMUNICATIONS
• Ministry of Communications &
Multimedia
GOVERNMENT
• Malaysia Administrative, Modernisation
and Management Planning Unit
FOOD & AGRICULTURE
• Ministry of Agriculture
WATER
• National Water Service Commission
National Cyber Security Policy
CNII SECTORS
6. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of Information,
Communications &
Culture
1
2
3
4
5
6
7
8
6
National Cyber Security Policy
POLICY THRUST
7. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of Information,
Communications &
Culture
1
2
3
4
5
6
7
8
7
National Cyber Security Policy
POLICY THRUST
8. Copyright © 2013 CyberSecurity Malaysia
CyberSecurity Malaysia (www.cybersecurity.my)
A NATIONAL CYBER SECURITY SPECIALIST AGENCY UNDER
THE MINISTRY OF SCIENCE, TECHNOLOGY AND
INNOVATION (www.mosti.gov.my).
Pt 1: Effective Governance
CYBERSECURITY MALAYSIA
Ministerial Function
Act1969, Amendment 2009
Provides specialised ICT
security services and
continuously identifies
possible areas that may be
detrimental to national security
Cabinet Notes 2005
Ministry of Finance and Ministry of
Science, Technology & Innovation
CyberSecurity Malaysia as a
National Body to monitor
aspects of the National e-
Security
VISION
To be a globally recognised National
Cyber Security Reference and Specialist
Centre by 2020
MISSION
Creating and Sustaining a Safer
Cyberspace to Promote National
Sustainability, Social Well-Being and
Wealth Creation
8
Establishment of a national
info security coordination
centre
9. Copyright © 2013 CyberSecurity Malaysia
STRATEGY
ENGAGEMENT &
RESEARCH
INFO SECURITY
PROFESSIONAL
DEVELOPMENT &
OUTREACH
SECURITY QUALITY
MANAGEMENT
SERVICES
CYBER SECURITY
EMERGENCY
SERVICES
Digital Forensics
Security
Management & Best
Practices
Info Security
Professional
Development
Outreach
Strategy
Engagement
Research
Information Security
Certification Body
CyberSecurity Malaysia
CORE FUNCTIONS / SERVICES
Security Assurance
Security Incident
Handling
9
10. Copyright © 2013 CyberSecurity Malaysia
National Security Council
Chair : Y.A.B. Prime Minister
Secretariat: NSC
E-Sovereignty Working Group
Chair : Under Secretary of NSC
National
Cyber
Security
Coordination
Committee
Chair : NSC
Secretariat : NSC
Government
Communication
Strategy
Enhancement
Committee
Chair : PMO
Secreatriat :
BHEUU
National
Cyber Crisis
Coordination
Committee
Chair : PMO
Secretariat : NSC
Cyber Law
Committee
Chair : AGC
Secretariat : AGC
National
Acculturation
& Capacity
Building
Committee
Chair : MOSTI
Secretariat :
MOSTI
MICC
compliance &
Enforcement
Committee
Chair : MICC
Secretariat :
MICC
E-Sovereignty Committee
Chair : Y.A.B. Deputy Prime Minister
Secretariat: NSC
National IT Council (NITC)
Chair : Y.A.B. Prime Minister
Secretariat: MOSTI
POLICY
CONTENT
CRISIS
MANAGEMENT
LEGISLATION
ACCULTURATION
&
CAPACITY
BUILDING
COMPLIANCE
&
ENFORCEMENT
Pt 1: Effective Governance
ORGANIZATION STRUCTURE
10
11. Copyright © 2013 CyberSecurity Malaysia 11
• MAMPU
• National Security Council
• Attorney General’s Chambers
• Chief Government Security Office
• Ministry of Science, Technology & Innovation
• Ministry of Defense
• Ministry of Foreign Affairs
• Ministry of Energy, Green Technology & Water
• Ministry of Information, Communication & Culture
• Ministry of Transportation
• Ministry of Home Affairs
• Royal Malaysian Police
• Southeast Asia Regional Center for Counter-Terrorism
• Bank Negara Malaysia
• National Water Services Commission
• Malaysian Communication & Multimedia Commission
• Energy Commission
• Securities Commission Malaysia
• Khazanah Nasional Berhad
• CyberSecurity Malaysia
• MIMOS Berhad
• Standards Malaysia
Pt 1: Effective Governance
NATIONAL COORDINATION COMMITTEE
12. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of Information,
Communications &
Culture
1
2
3
4
5
6
7
8
12
National Cyber Security Policy
POLICY THRUST
13. Copyright © 2013 CyberSecurity Malaysia 13
Cyber Specific Laws
Specific legislation governing
online matters
• Communications and Multimedia Act 1998
• Optical Disk Act 2000
• Computer Crimes Act 1997
• Digital Signature Act 1997
• Telemedicine Act 1997
• Electronic Commerce Act 2006
• Electronic Government’s Activities Act 2007
• Personal Data Protection Act 2010
Non Cyber Specific Laws
Legislation that may be used to
regulate online matters whenever
applicable
• Copyright Act 1987
• Sedition Act 1948
• Penal Code
• Defamation Act 1957
Pt 2: Legislative & Regulatory Framework
CYBER LAWS OF MALAYSIA
Reduction of & increased in
success in, the prosecution in
cyber crime.
14. Copyright © 2013 CyberSecurity Malaysia 14
A study on the laws of Malaysia to accommodate legal challenges
in the Cyber Environment
14
Pt 2: Legislative & Regulatory Framework
CYBER LAW REVIEW STUDY
15. Copyright © 2013 CyberSecurity Malaysia 15
Pt 2: Legislative & Regulatory Framework
CYBER LAW REVIEW STUDY
16. Copyright © 2013 CyberSecurity Malaysia 16
Pt 2: Legislative & Regulatory Framework
AMENDMENTS – EVIDENCE ACT
17. Copyright © 2013 CyberSecurity Malaysia 17
DIGITAL FORENSICS LAB
ANALYZE & INVESTIGATE
DIGITAL EVIDENCE
DATA RECOVERY LAB
RECOVER CORRUPTED &
DELETED DATA
EXPERT DEVELOPMENT
LAB
PLATFORM FOR RESEARCH &
JOB ATTACHMENT
EVIDENCE PRESERVATION
FACILITY
A SECURE ENVIRONMENT FOR
DIGITAL EVIDENCE
CyberCSI™
Pt 2: Legislative & Regulatory Framework
DIGITAL FORENSICS
18. Copyright © 2013 CyberSecurity Malaysia 18
Notification of Declaration under Subsection 399(2) - Digital Forensics Analyst
Pt 2: Legislative & Regulatory Framework
EXPERT WITNESS
19. Copyright © 2013 CyberSecurity Malaysia
MODULES LEVEL
1 Information Security Essentials Fundamental
2 ISMS Essentials Fundamental
3 Digital Forensics Essentials Fundamental
4 Forensics on Internet Application Fundamental
5 Digital Forensics for First
Responder
Intermediate
DIGITAL FORENSICS MODULES
Duration: 11 days
19
Pt 2: Legislative & Regulatory Framework
DIGITAL FORENSICS TRAINING
20. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of Information,
Communications &
Culture
1
2
3
4
5
6
7
8
20
National Cyber Security Policy
POLICY THRUST
21. Copyright © 2013 CyberSecurity Malaysia
§ Guidelines: Computer Security Handbook, ICT
Outsourcing Information Security
§ Best practices: Social Networking, Protecting Your
Mobile Device
§ 3rd Party Information Security Assessment Guideline
§ Wireless Local Area Network (LAN) Security Guideline
§ Joint development of the National Cyber Crisis
Management Plan (NCCMP) with National Security
Council.
§ Business Continuity Management (BCM)
implementation for organization.
§ Development of Information Security Standards at the
national level.
§ Information Security Management System (ISMS)
certification programme for Critical National
Information Infrastructure (CNII) agencies.
§ Develop Information Security Guidelines and Best
Practices.
21
Pt 3: Cyber Security Technology Framework
SECURITY MANAGEMENT BEST PRACTICES
Expansion of national certification
scheme for infosec mgmt &
assurance
22. Copyright © 2013 CyberSecurity Malaysia
Phase 2 – Building the Infrastructure
SECURITY STANDARDS
MODULES LEVEL
1 Information Security Essentials Fundamental
2 ISMS Essentials Fundamental
3 ISMS Implementation Intermediate
4 ISMS Internal Auditor Advance
ISO 27001 Information Security Management System
Duration: 9 days
ISO/IEC 27001
Information Security
Management –
Confidential
Information Remain
Confidential
22
23. Copyright © 2013 CyberSecurity Malaysia
SECURITY ASSURANCE OFFERS 2 TYPES OF SERVICE FOR THE ENHANCEMENT OF
NATIONAL INFORMATION SECURITY ASSURANCE :
MyVAC
(National Vulnerability
Assessment Center)
MySEF
(Malaysian ICT Security
Evaluation Facilities)
• Vulnerability Assessment And
Penetration Testing Services for
CNII sectors
• Common Criteria (CC)
evaluation service
• Security Assessment for control
system (SCADA/DCS)
• ICT Product Security
Assessment (IPSA) service
• Common Criteria (CC)
Protection Profile (PP)
evaluation service
23
Pt 3: Cyber Security Technology Framework
ASSESSMENT & ASSUARANCE
24. Copyright © 2013 CyberSecurity Malaysia
CERTIFICATE AUTHORISING PARTICIPANTS
CERTIFICATE CONSUMING PARTICIPANTS
• Participants that represent a compliant Certification
Body
• Mutually recognizes certified products/systems
produced by the Certificate Authorising Participants
based on ISO/IEC 15408
Participants that have a national
interest in recognising CC certificates
produced by the Certificate Authorising
Participants based on ISO/IEC 15408
CCRA is an international recognition arrangement for
Common Criteria Standard (ISO/IEC 15408)
CyberSecurity Malaysia is the National Certification
Body - Malaysian Common Criteria Certification Body
(MyCB) ITALY
JAPAN
NETHERLANDS
SWEDEN
TURKEY
NEW
ZEALAND
AUSTRALIA
UNITED
KINGDOM
CANADA
FRANCE
UNITED
STATES
GERMANY
SPAIN
REP.
OF
KOREA
NORWAY
AUSTRIA
GREECE
FINLAND
DENMARK
CZECH
REP
HUNGARY
SINGAPORE
PAKISTAN
ISRAEL
INDIA
24
Pt 3: Cyber Security Technology Framework
COMMON CRITERIA RECOGNITION ARRANGEMENT
25. Copyright © 2013 CyberSecurity Malaysia
1. International collaboration in the area of CERT in the Asia
Pacific region and OIC countries.
2. Coordinate the implementation of the NCSP.
3. Secretariat for the Operational Task Force under National
Security Council.
4. Secretariat for the NC3 chaired by National Security Council
1. Cyber media research
2. Cyber War Research
3. Development of National Cryptography Policy
4. Cyber Laws Study
5. Co-Chair for CSCAP Study Group on Cyber Security that includes the
Issues of Transnational Cyber Crime
6. Co-Leading Nation for ASEAN Regional Forum in Counter
Radicalization Work Plan for Counter-Terrorism & Transnational
Crime in collaboration with Ministry of Foreign Affairs
25
Pt 3: Cyber Security Technology Framework
STRATEGIC RESEARCH & ENGAGEMENT
26. Copyright © 2013 CyberSecurity Malaysia
CYBER CONFLICTS
Tactics
• Cyber espionage
• Web vandalism
• Propaganda
• Gathering data
• Distributed Denial-of-Service Attacks
• Equipment disruption
• Attacking critical infrastructure
• Compromised Counterfeit Hardware
(source: http://en.wikipedia.org/wiki/Cyberwarfare)
26
Emerging Threats
Pt 3: Cyber Security Technology Framework
STRATEGIC RESEARCH & ENGAGEMENT
27. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of Information,
Communications &
Culture
1
2
3
4
5
6
7
8
27
National Cyber Security Policy
POLICY THRUST
28. Copyright © 2013 CyberSecurity Malaysia 28
Pt 4: Culture Of Cyber Security & Capacity Bldg
IT’S ABOUT PEOPLE
29. Copyright © 2013 CyberSecurity Malaysia 29
An area where today’s youth are at greatest risk is social networking
http://www.jdpower.com/autos/car-photos/ Identity-Theft/Identity-Theft/2009
Pt 4: Culture Of Cyber Security & Capacity Bldg
PEOPLE – WEAKEST LINK
30. Copyright © 2013 CyberSecurity Malaysia 30
National
Strategy for
Cyber Security
Acculturation
and Capacity
Building
Program
Pt 4: Culture Of Cyber Security & Capacity Bldg
CYBER SECURITY ACCULTURATION & CAPACITY BLDG
Reduced no. of InfoSec incidents
through improved awareness & skill
level
31. Copyright © 2013 CyberSecurity Malaysia
§ Man behind the machine is the critical factor
Current Ratio of
Professionals : Internet User
1 : 8,924
Target 1:1,500
(Conduct Study to determine number of Info Pro)
" Help nurture the information security workforce with the
required knowledge and skills by providing information
security competency and capability courses and
certifications.
" Through strategic collaborations with reputable
organizations in Malaysia and international accreditation
institutions this program is accomplished.
" Malaysia requires sufficient skilled people to deal with
sophisticated cyber threats & uncertainty of cyber space.
31
Pt 4: Culture Of Cyber Security & Capacity Bldg
CAPACITY BLDG – INFOSEC PRO DEVELOPMENT
32. Copyright © 2013 CyberSecurity Malaysia
PROFESSIONAL COURSES
• Business Continuity Management Professional
Certification (BCLE2000)
• Certified Information System Security Professional
(CISSP) CBK Review Seminar
• Certified Secure System Lifecycle Professional
(CSSLP)
• ISO 27001 Lead Auditor
• Professional in Critical Information Infrastructure
Protection (PCIP)
• System Security Certified Practitioner (SSCP) CBK
Review Seminar
SPECIALIZED COURSES
• Digital Forensics for Law Practitioner
• Forensics on Internet Applications
• ISO 27001 Internal Auditor
INTERMEDIATE COURSES
• Cryptography for Information Security Professional
• Digital Forensic for First Responder
• Incident Response & Handling for Computer Security
& Incident Response Team (CSIRTS)
• Incident Handling and Network Security Training
(IHNS)
• ISO 27001 Implementation
• MyCC 2.0 - Foundation Evaluator Training
FUNDAMENTAL COURSES
• Business Continuity Management For Beginners
• Cryptography for Beginners
• CSM Security Essential Training
• Data Encryption for Beginners
• Digital Forensics Essential
• Google-Fu Power Search Technique
32
Pt 4: Culture Of Cyber Security & Capacity Bldg
TRAINING COURSES
33. Copyright © 2013 CyberSecurity Malaysia 33
CyberSecurity
Malaysia’s
CyberSAFE
Cyber
Security
Awareness
For
Everyone
PROGRAM
•
It
is
everyone’s
responsibility
•
To
explore
smart
partnership
CyberSecurity
Malaysia
and
YOU
Pt 4: Culture Of Cyber Security & Capacity Bldg
AWARENESS
34. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of Information,
Communications &
Culture
1
2
3
4
5
6
7
8
34
National Cyber Security Policy
POLICY THRUST
35. Copyright © 2013 CyberSecurity Malaysia
Development of the National R&D Roadmap for Self Reliance in
Cyber Security Technologies is facilitated by MIMOS Berhad, a
Government R&D institution
35
To Identify Technologies
That Are Relevant and
Desirable by the CNII
To Promote Collaboration
with International Centres
of Excellence
To Provide Domain
Competency Development
To Nurture the Growth of
Local Cyber Security
Industry
To Update the National R&D
Roadmap
Pt 5: Research & Development Towards Self Reliance
R & D ROADMAP
Acceptance & utilization of
local developed info security
products
36. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of Information,
Communications &
Culture
1
2
3
4
5
6
7
8
36
National Cyber Security Policy
POLICY THRUST
37. Copyright © 2013 CyberSecurity Malaysia 37
• To study the need to introduce a Cyber
Security Safety Standards Act to ensure
mandatory compliance by CNII to ISMS
Standards (ISO27001) and other
selected standards.
• Audit and certification of ISMS
compliance of CNIIs within 3 years
from the date of Cabinet mandate 24
Feb 2010
Ensure
Mandatory
Compliance
to
Informa;on
Security
Standards
by
CNII
• Government Agencies dialogue session
to implement ISMS compliance for CNIIs
• ISMS (ISO/IEC-27001) training and
workshops for CNIIs and regulatory
bodies
• CNII Information Security Standards
Adoption Program
Capability
and
Awareness
Programmes
for
CNIIs
• Local Developers to obtain products
certification under ISO 15408 (Common
Criteria EAL2)
• Develop Cyber Security Industry
Directory to list Malaysian IT security
companies, products and IT security
professionals
• Cyber Security Trade Event to promote
locally developed products under
Common Criteria (Nov2012)
Facilitate
Industry
Development
In
progress
Case
for
change:
n Cabinet
mandate
for
CNII
organizaTons
to
obtain
ISMS
cerTficaTon
within
3
years
24
Feb
2010
n CriTcal
NaTonal
InformaTon
Infrastructure
(CNII)
exposed
to
cyber
threats
n Lack
of
compliance
to
informaTon
security
standards
(eg
ISMS
27001)
amongst
CNII
n Weak
ecosystem
of
local
industry
to
support
the
requirements
of
CNII
e.g.
Products
cerTfied
under
Common
Criteria
RecommendaTon:
n Ensure
mandatory
compliance
of
ISMS
Standards
for
CNII
n Capability
and
Awareness
for
CNIIs
n Facilitate
Industry
Development
*
CollaboraTon
with
PEMANDU
(Performance
Management
and
Delivery
Unit)
SRI
(Strategic
Reform
IniTaTve)
In
progress
In
progress
Pt 6: Compliance & Enforcement
STANDARDS & GUIDELINES
Strengthen or include infosec
enforcement role in all CNII
regulatorsI
38. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of Information,
Communications &
Culture
1
2
3
4
5
6
7
8
38
National Cyber Security Policy
POLICY THRUST
39. Copyright © 2013 CyberSecurity Malaysia
Number
of
cyber
security
incidents
referred
to
CyberSecurity
Malaysia
31
Aug
2012
(excluding
spams)
INCIDENTS
§ Intrusion
§ Intrusion Attempt
§ Spam
§ DOS
§ Cyber Harassment
§ Fraud
§ Content Related
§ Malicious Code
§ Vulnerabilities Report
39
As of 30th
April 2013
CNII resilience against cyber
crime, terrorism, info warfare
Pt 7: Cybersecurity Emergency Readiness
CYBER INCIDENTS 1997 - 2012
40. Copyright © 2013 CyberSecurity Malaysia
0
100
200
300
400
500
600
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
30
58
49
48
91
105
137
190
172
131
59
13
5
20
45
41
116
160
212
428
442
349
Forensic
Analysis
Data
recovery
• 75% cases - from law enforcement agencies (PDRM, BNM, AG, SKMM etc).
• Types of cases – Financial Fraud, Sexual Assault, National threats, etc.
[
As
of
31st
August
2012
]
43
63
93
69
132
221
297
600
402
573
408
40
Pt 7: Cybersecurity Emergency Readiness
DIGITAL FORENSICS CASES (2002 – 2012)
41. Copyright © 2013 CyberSecurity Malaysia 41
Cyber999™
Cyber Early Warning Services
1. Incident Handling
2. Cyber Early Warning
3. Technical Coordination Centre
4. Malware Research Center
§ Email
o cyber999@cybersecurity.my
o mycert@mycert.org.my
§ Phone
o +603 8992 6969
o 1 300 88 2999
§ Fax
o +603 8945 3442
§ SMS
o 15888 Cyber999 Report
§ Mobile (24x7)
o +6019 266 5850
§ Online – http://www.mycert.org.my
§ Office Hours – MYT 0830 - 1730
Pt 7: Cybersecurity Emergency Readiness
COMPUTER EMERGENCY RESPONSE TEAM
42. Copyright © 2013 CyberSecurity Malaysia 42
Emerging
Threats
LebahNet
Project
Malware
Research
Threats
VisualizaTon
Advisory
&
Alerts
EXPLOIT
ADVISORIES & ALERTS
§ Software vulnerabilities (advisories)
§ 0 day vulnerabilities
§ Patch & upgrades
OUTBREAKS ALERTS
§ H1N1 flu
§ Trojan-Michael Jackson Death
§ Conficker
§ IE/Acrobat/Office/Flash 0 day
MA-321.072012 : MyCERT Alert - Microsoft Security Bulletin Summary For July 2012
21/06/2012
MA-320.062012 : MyCERT Alert - Critical Vulnerability in Microsoft XML Core Services
19/06/2012
MA-319.062012 : MyCERT Alert - Increase in Web Defacement Incidents
13/06/2012
MA-318.062012 : MyCERT Alert - Microsoft Security Bulletin Summary For June 2012
13/06/2012
MA-317.062012 : MyCERT Alert - Oracle Java SE Critical Patch Update Advisory - June 2012
11/06/2012
MA-316.062012 : MyCERT Alert - Critical Vulnerability in MySQL and MariaDB
11/06/2012
MA-315.062012 : MyCERT Alert - Critical Vulnerability in Adobe Flash Player
07/06/2012
Pt 7: Cybersecurity Emergency Readiness
MALWARE RESEARCH CENTER
43. Copyright © 2013 CyberSecurity Malaysia
Incident
Handling
Technical
Coordination
Centre
MODULES LEVEL
1 Information Security Essentials Fundamental
2 ISMS Essentials Fundamental
3 Incident Handling & Network
Security (IHNS)
Intermediate
4 Ethical Hacking and Penetration
Testing
Intermediate
5 Security Audit and Assessment Intermediate
INCIDENT HANDLING MODULES
Duration: 13 days
43
Pt 7: Cybersecurity Emergency Readiness
COMPUTER EMERGENCY RESPONSE TEAM
44. Copyright © 2013 CyberSecurity Malaysia
• Effective GovernanceNational Security
Council
• Legislation & Regulatory FrameworkAttorney General’s
Office
• Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
• Culture of Security and Capacity
Building
Ministry of Science,
Technology and
Innovation
• Research & Development Towards Self
Reliance
Ministry of Science,
Technology and
Innovation
• Compliance & Enforcement
Ministry of Information,
Communications &
Culture
• Cyber Security Emergency ReadinessNational Security
Council
• International Collaboration
Ministry of
Communications &
Multimedia
1
2
3
4
5
6
7
8
44
National Cyber Security Policy
POLICY THRUST
45. Copyright © 2013 CyberSecurity Malaysia 45
APCERT
OIC-CERT
ENGAGE
Participate in
relevant cyber
security meetings
and events to
promote
Malaysia’s
positions and
interests in the
said meetings and
events
PRIORITIZE
Evaluate
Malaysia’s
interests at
international cyber
security platforms
and act on
elements where
Malaysia can get
tangible benefits
and voice third
world interests
LEADERSHIP
Explore opportunities at
international cyber
security platforms
where Malaysia can vie
for positions to play a
leadership role to
project Malaysia’s
image and promote
Malaysia’s interests
Pt 8: International Collaboration
MISSIONS International branding on CNII
protection with improved
awareness & skill level
46. Copyright © 2013 CyberSecurity Malaysia
q The National Cyber Security Policy is a holistic
approach for cyber defence of the CNIIs and the
nation.
q Encouraging Public Private Cooperation as essential
element in mitigating cyber threats
q Commitment from stakeholders is critical in ensuring
the success of the policy’s implementation.
46
NATIONAL CYBER SECURITY POLICY
In Conclusion