IMPROVING CYBERSECURITY COMPETENCY AND READINESS: MALAYSIA EXPERIENCE

Mohd Zabri Adil Talib
Head of Digital Forensics Department
CyberSecurity Malaysia
[email protected] 0389926927 @ 0123249259

Copyright © 2015 CyberSecurity Malaysia

Agenda

i. CyberSecurity Malaysia background as expert organization
ii. Malaysia National Cyber Security Policy
iii. The importance of information security certification
iv. Definition of security, cyber security, competency and readiness
v. Information security guidelines as improvisation checklist
vi. Forensic readiness to respond to cyber security incidents
vii. The way forward: CSM CyberDEF approach

CyberSecurity Malaysia: Our history

30 Mar '07: NISER officially registered as National ICT Security and Emergency Response Centre

[Timeline figure: 1997, 1998, 2006, March 2007. Labels: MIMOS Berhad (Malaysia's national R&D centre in ICT); Jaring Communications Sdn Bhd (first Internet service provider in the country); Ministry of Science, Technology & Innovation]

Core functions (columns: 1997 MyCERT, 2001 NISER, 2007 CyberSecurity Malaysia)

1. National Cyber Security Policy Implementer ✔
2. National Technical Coordination Centre ✔
3. Cyber Threat Research & Risk Centre ✔
4. Security Quality Management Services Provider ✔ ✔
5. Information Security Professional Devt & Outreach ✔ ✔
6. Cyber Emergency Services Provider ✔ ✔
7. Malaysia’s Computer Emergency Response Team ✔ ✔ ✔

CyberSecurity Malaysia: Our objectives and mandates

A NATIONAL CYBER SECURITY SPECIALIST AGENCY UNDER THE MINISTRY OF SCIENCE, TECHNOLOGY AND INNOVATION (MOSTI)

Vision
To be a globally recognized National Cyber Security Reference and Specialist Centre by 2020

Mission
Creating and Sustaining a Safer Cyberspace to Promote National Sustainability, Social Well-Being and Wealth Creation

MANDATE

Cabinet Notes 2005
Ministry of Finance and Ministry of Science, Technology & Innovation
CyberSecurity Malaysia as a National Body to monitor aspects of the National e-Security

Ministerial Function Act 1969, Amendment 2013
Provides specialised ICT security services and continuously identifies possible areas that may be detrimental to national security

National Security Council’s Directive No. 24: Policy and Mechanism of the National Cyber Crisis Management, 2011
CyberSecurity Malaysia as expert agency to provide technical training, assistance and support in the national cyber crisis management

CyberSecurity Malaysia: Core services

CYBER SECURITY EMERGENCY SERVICES
• Security Incident Handling
• Digital Forensics

CYBER SECURITY STRATEGIC ENGAGEMENT & RESEARCH
• Strategic Engagement
• Research

SECURITY QUALITY MANAGEMENT SERVICES
• Security Assurance
• Information Security Certification Body
• Security Management & Best Practices

INFO SECURITY PROFESSIONAL DEVELOPMENT & OUTREACH
• Info Security Professional Development
• Outreach

Malaysia success story

• The Global Cybersecurity Index and Cyberwellness profile Report presents the 2014 results of the GCI and the Cyberwellness country profiles for Member states
• It includes regional rankings, a selected set of good practices and the way forward for the next iteration
• Malaysia ranked at no 3, together with Australia and Oman with index score of 0.765

* The report can be downloaded at http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx

CyberSecurity Malaysia: International recognition

ISO/IEC 15408 COMMON CRITERIA RECOGNITION ARRANGEMENT (CCRA)
• Certificate Consuming Country: 2009 - 1st organization in Malaysia and ASEAN to be recognized and accepted by CCRA.
• Certificate Authorizing Country: 2011 - Sole organization in Malaysia to become Certification Body for ISO/IEC 15408.

ISO/IEC 27001 INFORMATION SECURITY MANAGEMENT SYSTEM
• 2008 - Organization Certified
• 2011 - Established Information Security Management System Audit and Certification Scheme (CSM27001)

Organisation of Islamic Cooperation – Computer Emergency Response Team (OIC-CERT) Secretariat for 2013 – 2015
• During the OIC-CERT 4th Annual General Meeting (AGM) the members elected Malaysia (through CyberSecurity Malaysia) as the Organisation of Islamic Cooperation – Computer Emergency Response Team (OIC-CERT) Secretariat for the 2013 – 2015 term, in addition to being the Chair of the OIC-CERT.

PEOPLE / PRODUCT RECOGNITION
• The ratio of total Certification to total Employees is about 1:1 with the highest number of Honorees for Information Security International Awards in Malaysia.
• ASEAN Chief Security Officer 2014.
• CyberSecurity Malaysia's CyberSAFE portal www.cybersafe.my won the Saramad Golden Award for "The Best Initiative in Child Online Protection"

LABORATORY ACCREDITATION
• Security Assurance Lab obtained MS ISO/IEC 17025:2005 accreditation
• ASCLD/LAB Accreditation - CyberSecurity Malaysia’s Digital Forensic laboratory is the 1st forensic laboratory in the Asia Pacific and Malaysia that is accredited by ASCLD/LAB for the ‘Digital & Multimedia Evidence’ field, based on ISO/IEC 17025:2005 and the ASCLD/LAB International 2011

Malaysia cyber security landscape: How we nurture it?

Malaysia National Cyber Security Policy

• National Cyber Security Policy has been designed to facilitate Malaysia's move towards a knowledge based economy (K-economy)
• The Policy was formulated based on a National Cyber Security Framework that comprises legislation and regulatory, technology, public-private cooperation, institutional, and international aspects

* The policy brochure can be downloaded at http://cnii.cybersecurity.org.my/main/ncsp/NCSP-Policy2.pdf

Information security certification: MyCC, CSM27001, MTPS

* Please refer to http://www.cybersecurity.my/en/our_services/iscb/main/detail/2327/index.html

CyberSecurity Malaysia: Information Security Management System Audit and Certification (CSM27001) Scheme

• CSM27001 certification established in 2011
• To support the pillar of 'National Security and Public Safety' under the Economic Transformation Program by way of building resiliency in both the Critical National Information Infrastructure (CNII) and the industry
• To support the pillar of 'Catalyst of growth for Industry' by providing MS ISO/IEC 27001 certified organizations a benchmark to compete effectively against similar organizations on a global scale

How did we improve Malaysia cyber security competency and readiness?

Definition: Security

• “Security is the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, nation, or organization.”
– https://en.wikipedia.org/wiki/Security

Definition: Cyber security, competency and readiness

• Security (including physical security) applied to computing devices such as computers, smartphones as well as to both private and public computer networks including the whole Internet
– https://en.wikipedia.org/wiki/Computer_security

• A competency is defined as a group of related skills and abilities that influence a major job function, indicate successful job performance, are measurable against standards, and are subject to improvement through training and experience.
– http://www.careeronestop.org/COMPETENCYMODEL/userguide_competency.aspx

• The condition of being ready
– http://dictionary.reference.com/browse/readiness

CyberSecurity Malaysia: Information Security Guidelines for SMEs

• This guideline serves to inculcate awareness, the understanding and guidance for target audience (SMEs) in relation to information security and the way forward in managing it

* The guideline can be downloaded at http://www.cybersecurity.my/properties_v3/images/guidelines/03%20SMEs.pdf

Information Security Guidelines for SMEs: Practicing information security

1) Practicing information security

i. Exercise due care and due diligence on protecting assets (information)
– Protect your computers (Desktops and laptops)
– Keep your data safe
– Use Internet safely
– Protect your network
– Protect your server
– Secure line of business application
– Manage computer from servers

ii. Invest in IT security tools such as Firewall, Intrusion Prevention System (IPS) and Intrusion Detection System (IDS), in order to monitor any intrusion and breach attempts

iii. Establish incident response team to coordinate incident handling process including representatives from the management team

iv. Document appropriate processes (follow policy, procedure and

Information Security Guidelines for SMEs: Information security governance and processes

2) Information security governance and processes

i. Information security is not only about technical matters; it also encompasses business and operational aspects

ii. It is crucial to enhance the technological capabilities and commercialization to compete in global technology environment

Information Security Guidelines for SMEs: Integrating People, Process and Technology

3) Integrating People, Process and Technology

– Understand the existing resources, processes and technologies

i. Understand the type of people in terms of their knowledge (educational background), experiences and skills

ii. Adopt international industry standards like CMMI level, 6 sigma and ISO to ensure quality result in service delivery

iii. Perform preliminary studies and due diligence to customize specific needs prior to technology

Information Security Guidelines for SMEs: Implement information security based on the identified risks

4) Implement information security based on the identified risks

i. Protecting information must come from the risk perspective by implementing information security based on risk identification

ii. Learn how to implement the phases of risk assessment

iii. Without careful and proper risk assessment, effort to deploy or mitigate risks that are unlikely to occur is wasteful

Information Security Guidelines for SMEs: Appoint a dedicated team of staff

5) Appoint a dedicated team of staff

i. It is crucial to appoint dedicated staff to be responsible in related areas of information security

ii. If not, no one will take the initiative to manage incidents and be the ‘champions’ on the subject matter

Information Security Guidelines for SMEs: Continuous awareness on information security

6) Continuous awareness on information security

i. Awareness like security acculturation programmes for the staff and management can inculcate the knowledge and practice related to information security

ii. Efforts like producing awareness posters, regular awareness emails to staff and management, and briefings from invited subject matter speakers

iii. Staff should be reminded on related information security practices in order to minimize the risks of

Achieving cyber security readiness

• Cyber security readiness can be measured / achieved through testing, e.g. a cyber drill
• Testing techniques need to emulate attacks that address all aspects of cyber security
• Test tools must have sufficient capacity to determine network behavior under an avalanche of attempted breaches
• Testing methodology needs to get more sophisticated

* Watch X-Maya 5 promo video at https://www.youtube.com/watch?v=mT1NeIeDY4g

Definition: Forensic readiness

• “The ability of an organization to maximize its potential to use digital evidence whilst minimizing the costs of an investigation”
– A Ten Step Process for Forensic Readiness, International Journal of Digital Forensics, Volume 2, Issue 3, Winter 2004

Forensic readiness: The importance of digital evidence

• Information security programmes often focus on the measures of ‘prevention & detection’ perspective and there is only a little need for digital evidence
• But from the business perspective, there is a requirement for digital evidence to be available before an incident occurs

Information security and forensic readiness symbiosis relation

Incident anticipation
– Concerns itself with enabling the business requirement to use digital evidence

Incident response
– Concerns itself with ensuring that the business utility of information systems is maintained

Forensic readiness: The importance of digital evidence

• Being prepared to gather and use evidence is beneficial to the organization especially as deterrent to the insider threat

Source: http://www.bangkokpost.com/news/general/601584/swiss-man-accused-of-najib-smear-plan

Forensic readiness: The importance of digital evidence

• Digital evidence can:
– Help manage impact of some important business risks
– Support a legal process / defence
– Verify the terms of commercial transaction
– Lend support to internal disciplinary actions

Forensic readiness: The importance of digital evidence

• Any computer data may be used in a formal process and may need to be subject to forensic practices
• The ability of an organization to exploit this data is the focus of forensic readiness
• To collect admissible evidence, the organization needs to review the legality of its monitoring activity, as the digital evidence must be obtained in a lawful manner
• Forensic readiness can extend the target of information security to the wider threat from cyber crime such as intellectual property protection, fraud or extortion, violation of organization policy, etc.

The way forward: CSM CyberDEF services launched in May 2015

• A comprehensive solution for cyber threat detection, eradication and forensics by CyberSecurity Malaysia

The way forward: CSM CyberDEF services

Step 1: DETECTION
• Identify security loopholes, vulnerabilities, existing threats, infections and reinfections of malware (C&Cs, botnets and APTs)

Step 2: ERADICATION
• Close loopholes, patch vulnerabilities, fix bugs, improve system and neutralize existing threats
• Perform cyber threats exercise or drill to test the feasibility and resiliency of the new

Step 3: FORENSIC
• Recover lost data, repair and restore them
• Analyze system weaknesses and strengthen them
• Set up a resilient defense system to prevent future incidents / attacks
• Facilitate legal action with the authorities

Special invitation to CSM-ACE 2015

Overview CSM-ACE 2015

Cyber Security Malaysia - Awards, Conference & Exhibition (CSM-ACE) is a public-private-partnership driven event and a knowledge sharing platform that recognizes contribution of individuals and organizations in the field of cyber security

* To register please visit http://www.csm-ace.my

Reference

• Cybersecurity Workforce Competencies: Preparing Tomorrow’s Risk-Ready Professionals
https://www.isc2cares.org/uploadedFiles/University-of-Phoenix-ISC2-cybersecurity-report.pdf

• A Ten Step Process for Forensic Readiness
http://www.digital4nzics.com/Student%20Library/A%20Ten%20Step%20Process%20for%20Forensic%20Readiness.pdf

• Information security guidelines for Small Medium Enterprise (SMEs)
http://www.cybersecurity.my/properties_v3/images/guidelines/03%20SMEs.pdf

• X-Maya 5 Cyber Drill Promo video
https://www.youtube.com/watch?v=mT1NeIeDY4g

• The Global Cybersecurity Index and Cyberwellness profile Report
http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx

• Malaysia National Cyber Security Policy
http://cnii.cybersecurity.org.my/main/ncsp/NCSP-Policy2.pdf
