INFORMATION AND NETWORK SECURITY – SECURITY …
Transcript of INFORMATION AND NETWORK SECURITY – SECURITY …
Let’s collaborate @ MTSFB!
Nicholas Ng, Vice Chairman, Trust & Privacy Sub Working Group, Security Trust & Privacy Working Group, MTSFB
26 August 2021
INFORMATION AND NETWORK SECURITY –SECURITY POSTURE ASSESSMENT (SPA)
MCMC MTSFB TC G016:2018
Presentation Outline
1 Background and Introduction
2 Objective, Scope & Structure
3 Benefits of TC
4 Requirements and The Summary of Each Clause
5 Challenges
1 Background and Introduction
BACKGROUND AND INTRODUCTION
• This technical code was developed by the Trust & Privacy Sub Working Group, which is supervised by the Security, Trust and Privacy Working Group under the Malaysian Technical Standards Forum Bhd (MTSFB).
• This technical code for Information and Network Security – Security Posture Assessment (SPA) was developed pursuant to section 185 of Act 588 (the Communications and Multimedia Act 1998) by the Malaysian Technical Standards Forum Bhd (MTSFB) via its Application Security Sub Working Group.
• Registered date: 15 Oct 2018
THE TECHNICAL CODE
Title: Information and Network Security – Security Posture Assessment (SPA)
Technical Code number: MCMC MTSFB TC G016:2018
Registration date: 15 Oct 2018

Title: Information and Network Security – Security Posture Assessment (First Revision)
Technical Code number: MTSFB2105R1
Registration date: Under development
CONTRIBUTORS
• Celcom Axiata Berhad
• Kementerian Sains, Teknologi dan Inovasi
• Pejabat Ketua Pegawai Keselamatan Kerajaan Malaysia
• Provintell Technologies Sdn Bhd
• Telekom Applied Business Sdn Bhd
• Telekom Malaysia Berhad
• TIME dotCom Berhad
• Universiti Kuala Lumpur
• webe digital sdn bhd
KEY CONTRIBUTORS
2 Objective, Scope and Structure
OBJECTIVE
• Support CMI organisations in planning and implementing a cost-effective, quality SPA programme.
• Support the technical vulnerability management requirements to regularly assess the cyber security risks, vulnerabilities and threats posed to critical infrastructure.
• Support information security assessors and auditors in managing a successful SPA programme.
SCOPE
GENERAL REQUIREMENTS (Section 5): What can you do?
PLANNING REQUIREMENTS (Sections 6 to 9): How to do it right?
QUALITY ASSURANCE REQUIREMENTS (Sections 10 to 14): How to make sure it is right?
Y2021 TC revision is in progress.
3 Benefits of TC
Benefits of TC
• TC G016:2018 Security Posture Assessment (SPA) Technical Code is developed for Malaysia’s Communications and Multimedia Industry (CMI).
• The information provided herein is applicable to, but not limited to:
  - CMI service and technology providers;
  - Critical National Information Infrastructure (CNII) operators;
  - Application service providers;
  - Digital content providers;
  - ICT supply chain vendors;
  - ICT security professionals and information security auditors.
4 Requirements and The Summary of Each Clause
Technical Code Structure (Y2018)
5. GENERAL REQUIREMENTS
Planning:
6. ENGAGEMENT OBJECTIVE, SCOPE AND LIMITATION
7. SECURITY ASSESSOR QUALIFICATION
8. ASSURANCE OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY (CIA)
9. SECURITY POSTURE ASSESSMENT (SPA) PROGRAMME PLANNING AND MANAGEMENT
Quality Assurance:
10. PROJECT MANAGEMENT
11. REPORTING REQUIREMENTS
12. PROTECTION OF TEST DATA AND SECURE INFORMATION TRANSFER
13. COMPLIANCE TO LEGAL AND CONTRACTUAL REQUIREMENTS
14. VULNERABILITY CATEGORY AND RISK RATING
Source: https://www.gsma.com/security/wp-content/uploads/2020/02/2020-SECURITY-THREAT-LANDSCAPE-REPORT-FINAL.pdf
THE MAIN THREATS: SOFTWARE SUPPLY CHAIN ATTACK AND DATA BREACH
Source: https://www.gsma.com/security/wp-content/uploads/2020/02/2020-SECURITY-THREAT-LANDSCAPE-REPORT-FINAL.pdf
GENERAL REQUIREMENTS (Section 5.0)
SPA PROGRAMME OVERVIEW
• Technology security: Data Network and Telecommunication Infrastructure Security Assessment
• People and process security: Security Configuration and Policy Compliance Assessment
DATA NETWORK AND TELECOMMUNICATION INFRASTRUCTURE SECURITY ASSESSMENT
INFRASTRUCTURE PENETRATION TEST
• External Penetration Test (EPT)
• Internal Penetration Test (IPT)
APPLICATION SECURITY TEST
• Dynamic Application Security Test (DAST)
• Static Application Security Test (SAST)
CUSTOMER PREMISE EQUIPMENT (CPE) SECURITY TEST
• User interface;
• Authentication mechanisms;
• Network services;
• Communication security;
• Security configuration;
• Software/firmware security;
• Hardware security;
• Cryptographic key management.
TELECOMMUNICATIONS AND SIGNALING TECHNOLOGIES SECURITY TEST
• Eavesdropping;
• Data/signal tampering;
• Authentication mechanisms;
• ID spoofing;
• Denial-of-service;
• Cryptographic key management.
SIM AND SMART CARD SECURITY TEST
• Data tampering;
• Authentication mechanisms;
• Hardware security;
• Communication security;
• OS/software security;
• Cryptographic key management.
SECURITY CONFIGURATION AND POLICY COMPLIANCE ASSESSMENT
HOST OS CONFIGURATION AND VULNERABILITY ASSESSMENT
- Secured operating system configurations;
- Known vulnerabilities due to outdated system components;
- Physical security.
PERIMETER SECURITY DEVICE CONFIGURATION AND VULNERABILITY ASSESSMENT
- Secured operating system configurations;
- Access control, e.g. packet filtering policies;
- Communications security;
- Known vulnerabilities due to outdated system components;
- Physical security.
DATABASE SYSTEM CONFIGURATION AND VULNERABILITY ASSESSMENT
- Secured operating system configurations;
- Secured database configurations;
- Known vulnerabilities due to outdated system components;
- Physical security.
SECURITY POLICY REVIEW
- Security policies and procedures review;
- Security controls review;
- Gap analysis and areas for improvement.
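Two checks recur across the host, perimeter and database assessments above: comparing a configuration against a hardening baseline, and flagging components whose installed version is below the version that fixes a known issue. The Python sketch below is an added example of both, not code from TC G016:2018 or the slides. The sshd_config sample, the baseline values and the installed/fixed-version table are constructed for the demonstration; a real SPA would take the baseline from a published benchmark such as the CIS Benchmarks and the version data from a current vulnerability feed.

```python
"""Illustrative configuration-baseline and outdated-component check.

Added example, not part of MCMC MTSFB TC G016:2018 or the slides.
Everything below (the sshd_config sample, the baseline values and the
fixed-version table) is constructed for the demonstration.
"""
import re

# Constructed sample of a host's sshd_config; not taken from a real system.
SAMPLE_SSHD_CONFIG = """
# OpenSSH server configuration (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

# Hypothetical hardening baseline: directive -> set of acceptable values.
# These values are assumptions for the example, not a published benchmark.
SSHD_BASELINE = {
    "Protocol": {"2"},
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"1", "2", "3", "4"},
}

# Constructed table of installed components and the (hypothetical) first
# version in which a known issue is fixed. A real assessment would take
# this from a current advisory or vulnerability feed.
INSTALLED_COMPONENTS = {"openssh-server": "7.4", "apache2": "2.4.49", "sudo": "1.9.5"}
MINIMUM_FIXED_VERSION = {"openssh-server": "8.5", "apache2": "2.4.51", "sudo": "1.9.5"}


def parse_sshd_config(text):
    """Return {directive (lower-cased): value}, skipping blank and comment
    lines. sshd uses the first occurrence of a directive, so the first
    value seen wins; later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_config(settings, baseline):
    """Return a list of (directive, observed, allowed) for every baseline
    item the host fails. A directive absent from the file is reported with
    observed=None: the compiled-in default is not assumed to be hardened."""
    findings = []
    for directive, allowed in baseline.items():
        observed = settings.get(directive.lower())
        if observed not in allowed:
            findings.append((directive, observed, sorted(allowed)))
    return findings


def version_tuple(version):
    """'2.4.49' -> (2, 4, 49). Only the dotted numeric core is compared; a
    distribution suffix such as '-1ubuntu2' is ignored, which is a
    simplification (backported fixes need the distro's own advisory data)."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def outdated_components(installed, minimum_fixed):
    """Names of components whose installed version is below the first fixed
    version. Components without an entry in minimum_fixed are not reported:
    having no data is not the same as being up to date."""
    return sorted(
        name for name, ver in installed.items()
        if name in minimum_fixed
        and version_tuple(ver) < version_tuple(minimum_fixed[name])
    )


def assess_host(config_text=SAMPLE_SSHD_CONFIG, installed=INSTALLED_COMPONENTS):
    """Run both checks and return them as one report dictionary."""
    return {
        "config_findings": check_config(parse_sshd_config(config_text), SSHD_BASELINE),
        "outdated_components": outdated_components(installed, MINIMUM_FIXED_VERSION),
    }


if __name__ == "__main__":
    report = assess_host()
    for directive, observed, allowed in report["config_findings"]:
        print(f"CONFIG  {directive}: observed={observed!r}, allowed={allowed}")
    for name in report["outdated_components"]:
        print(f"VERSION {name}: {INSTALLED_COMPONENTS[name]} < {MINIMUM_FIXED_VERSION[name]}")
```

On the constructed sample the run reports PermitRootLogin, PasswordAuthentication and MaxAuthTries as baseline failures and openssh-server and apache2 as below their fixed versions, while sudo, already at the fixed version, is not flagged. The same shape (parse, compare to baseline, compare to fixed versions) carries over to perimeter devices and database servers once the parser and the baseline are swapped for that platform's.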
PLANNING REQUIREMENTS
6.0 ENGAGEMENT OBJECTIVE, SCOPE AND LIMITATION
• Define clear engagement scope and objectives.
7.0 SECURITY ASSESSOR QUALIFICATION
• Organisation experience and service records.
• Security assessor qualifications and past experience.
• Conflict of interest avoidance.
8.0 ASSURANCE OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY
• Data protection and prevention of service disruption.
9.0 SPA PROGRAMME PLANNING AND MANAGEMENT
• Establish the SPA Plan.
• Manage the SPA Programme phases (Pre-Assessment, Assessment and Post-Assessment).
QUALITY ASSURANCE REQUIREMENTS
10.0 PROJECT MANAGEMENT
• Project team structure.
• Project manager qualifications.
11.0 REPORTING REQUIREMENTS
• SPA reporting requirements.
12.0 PROTECTION OF TEST DATA AND SECURE INFORMATION TRANSFER
• Prevention of data leakage, loss and modification.
13.0 COMPLIANCE TO LEGAL AND CONTRACTUAL REQUIREMENTS
• Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security.
14.0 VULNERABILITY CATEGORY AND RISK RATING
• Define a risk rating methodology to effectively determine the risk level of the vulnerabilities identified in the SPA Programme.
Y2021 REVISION
1. New technical definitions for Attack Surface Analysis, Intelligence Gathering and Threat Modelling.
2. Updated with new technical guidelines, approaches and methodologies: Section 5.2 Vulnerability Assessment and Penetration Test (VAPT) and Section 11 Reporting Requirements.
3. New technical references:
• Penetration Testing Execution Standard (PTES) Technical Guidelines;
• OWASP Web Security Testing Guide (WSTG), Version 4.2;
• Center for Internet Security, CIS Controls Version 8 and CIS Benchmarks.
Y2021 REVISION: MTSFB2105R1 Information and Network Security – Security Posture Assessment (First Revision)
Important dates:
• Public Comment exercise (1 month duration): mid September 2021
• Submission to MCMC: November 2021
5 Challenges and Conclusion
Challenges and Conclusions
1. Industry experts and academic researchers in emerging technologies, especially 5G technology.
2. Support and participation of new team members, especially from CMI organisations.
3. Timely revision and update with the latest industry standards, guidelines and best practices.
MTSFB | mtsfb_cyberjaya
Let’s Collaborate