Cyber Security
The not-so-obvious skill all professionals must learn or else…
Darwin Jayson Mariano

Dealing with cyber security in the government sector is a high-stakes game,
especially if an attack could affect the thousands, if not millions, of individuals
served by a particular government agency or department. To combat cyber-attacks
most effectively, cyber security professionals can no longer be equipped with
IT security skills alone, according to Naeem Musa, Chief Information Security Officer
for the Federal Energy Regulatory Commission, US Government. They also need to
learn a skill many IT professionals don’t even consider.

Q: How would you characterize the current level of cyber-attacks in the USA?
What strategies do you employ to address these?

Naeem Musa: Not only has there been an increased level of attack, we’ve also noticed
an increase in the level of sophistication of these attacks. Whether it’s state-sponsored
or triggered by criminals looking to achieve financial gain, we need to stay vigilant. In
the United States, we depend on IT systems in almost every aspect of our lives so we
have to make sure that we have the means to keep our IT systems safe and secure.

For more information about 4th Annual Cybersecurity for Government Asia,
visit www.cybersecurityasia.com, email enquiry@iqpc.com.sg or call +65 6722 938

My role obviously involves protecting our infrastructure to ensure that our data
remains confidential. However, lately, we see a heightened level of attacks on our
financial institutions, mostly driven by organised crime whose objective is to commit
financial fraud and identity theft. There are state-sponsored attacks that our government
is also obviously addressing but that is not something I’m directly involved in.

In addressing these issues, one of the most effective strategies is to educate the user
community. But in dealing with the larger issue of cyber security, it is important to be
aware of this “three-legged stool” strategy, which is: 1) technology, 2) process and 3)
people. You really have to focus on each of those areas.

You have to have a streamlined process and procedures in place to respond to an
incident. You have to have the right level of technology in terms of the right firewalls
and Trojan infection mechanisms. However, all of that would be futile if you’re not
educating your user community. In our case, we’re doing a lot of education to the user
level to ensure that when those people are targeted by phishing attacks, whether by
unscrupulous individuals targeting them or them visiting different websites, potentially
getting infected, they know how to respond and act in a way that will not compromise
our IT security.

We’re also trying to create mechanisms to prevent people from going to the wrong
sites so the chance of getting infected is minimised. We have this whitelisting and
blacklisting of sites, we deploy all kinds of technologies to prevent unauthorised
executables on the entire network. At the same time, we monitor and scan our network
regularly to see if there is any anomaly and then we try to detect, analyse and figure
out if those anomalies can pose a threat or if they are within the tolerance level.

So, really, a combination of the three: focus on the technology, focus on the processes
and creating awareness in the user community.

Q: From your perspective, how can governments in Asia, given the relative
uniqueness of this region, address issues related to cyber security?

Naeem Musa: I think the cyber world is borderless. Organised crime does not
discriminate and will always go after the gain. They could launch targeted attacks in
Malaysia, Southeast Asia, Canada, Australia or the USA. As long as there’s a gain to be
had, they’re going to go after it. So in that regard, everybody is facing the same set of
challenges, especially from organised crime and state-sponsored espionage. We’ve
also heard in the news how specific countries are even targeting telecommunications
companies within the European continent. Bottom line is: the same potential for
attacks exists for everybody regardless of the region and physical geography.

Q: Given the nature of these attacks, should special emphasis be put on the public
sector as opposed to the private sector?

Naeem Musa: Yes, certainly. Because the public sector is engaged in services to citizens,
any time there are attacks or disruptions, it impacts the level of services you give to the
public. In addition, you need to deal with whether it’s critical infrastructure that is at
risk or national security information that is at stake, which could potentially harm the
country. So you definitely have to have more focus on the public sector to ensure that
the information’s confidentiality, integrity and availability are protected.

Q: What are the best practices that you use to implement a robust cyber security
program for government agencies?

Naeem Musa: I think every security professional has to understand that security is
a journey, not a destination. That means you could never do enough as the level of
sophistication of attacks increases at a very rapid pace. The bad guys are always one
step ahead. So the best strategy is to understand that it’s a continuous process,
a journey.

You have to continuously implement measures and put mitigating procedures in place.
You need to emphasise awareness among your employees and staff and get them the
right training. You have to practise incident response and be able to understand where
your data is in order to protect and assess the damage in case that data is compromised.
I think data leak prevention technology is maturing with time and if put in place, it
will help aid security professionals discover attacks. In the end, it all boils down to
a combination of people, process and technology.

The other important thing that you need to ensure is buy-in from management.
Educate your management, don’t scare them. Educating and convincing your
management to be on your side is a lot better than using fear tactics.

Cyber security professionals are no longer just IT professionals, they are politicians. You
have got to be smart, be able to sell your ideas, lobby and be able to get support for
what you’re trying to implement. It is important to be able to get the funding that you
need for your programs because just like anybody else, you need budget. And it’s not
going to come easy unless you have the sophistication to lobby and sell your ideas to
the CFO or the agency that will fund you.

Naeem Musa, Chief Information Security Officer, Federal Energy Regulatory
Commission, USA, will be speaking about “Preventing Government Data Leaks in an
Increasingly Connected World” at the 4th Annual Cybersecurity for Government Asia
happening on 5-6 March 2014 in Malaysia. For more information, visit
www.cybersecurityasia.com
