Copyright © 2013 CyberSecurity Malaysia
Cybersecurity Standards: A Case Study on Malaysian Banking Sector
Anwer Yusoff
Head, Industry & Business Department
CyberSecurity Malaysia
Sept 18th 2013
Dec 25, 2015
Internet use in Malaysia
17,723,000 internet users
Source: Internet World Stats (30 June 2012)
Internet use in Malaysia
Source: The Nielsen Company (April 2011)
The highest usage was recorded among people aged 20-24: almost 6 in 10 (57%) regularly use the internet.
Malaysian internet users (aged 20-24) spend an average of 22.3 hours online per week.
87.9% of Malaysians on the internet access Facebook.
Once online, Malaysians' top 3 activities:
1. social networking sites
2. instant messaging
3. reading local news
Cyber Security Incidents (1997-2013)
Reported to Cyber999 Help Centre
Number of cyber security incidents referred to CyberSecurity Malaysia (excluding spams), as at 31st August 2013:
Year   Incidents
1997       81
1998      196
1999      527
2000      347
2001      860
2002      625
2003      912
2004      915
2005      754
2006    1,372
2007    1,038
2008    2,123
2009    3,566
2010    8,090
2011   15,218
2012    9,986
2013    7,753 (as at 31st August 2013)
Type of incidents:
• Fraud and scams
• Intrusion and web defacement
• Destruction
• Denial-of-Service
• Virus / Malware
• Harassment
• Content-related
• Intrusion attempts
HIGH LEVEL USAGE = HIGH RISK
The cybercrime situation in Malaysia
RM 1.6 Billion lost to scams in 18,386 cases in 2012
HIGH LEVEL USAGE = HIGH RISK
Source: Federal Commercial Crime Investigation Department (CCID)
Which are more common: malicious attacks or accidental breaches?
Our Honeynet project detected millions of malware in 2009, 2010, and 2011 during the height of the Conficker worm outbreak.
We believe malicious attacks are more common in Malaysia.
Threat Exposure Rate (TER)
According to the Sophos Security Threat Report 2013, Malaysia is the 6th riskiest country, with a TER of 17.44%.
(TER is measured as the percentage of PCs that experienced a malware attack, whether successful or failed, over a three-month period.)
Norway: 1.81% TER. Indonesia: 23.54% TER.
MALWARE REPORTED to Cyber999 VS DETECTED by MyCERT Honeynet
Year                Malicious Code reported to Cyber999    Total Botnet & Malware detected (by unique IP)
Up to 31 May 2013        1,158                                    263,625
2012                       645                                  1,477,810
2011                     1,012                                  5,779,546
2010                     1,199                                  5,307,790
2009                       283                                  1,889,165
Peak detections due to Conficker.
Malaysians hardly report malware attacks, perhaps due to ignorance?
MALWARE REPORTED to Cyber999 VS DETECTED via SPAM by MyCERT Honeynet
Year                Reported to Cyber999    Detected Spam Emails    Spam Networks
Up to 31 May 2013        723                     349,827               173,321
2012                     526                      58,950                63,495
2011                   3,751                      80,607                29,688
2010                   1,268                     129,788                24,644
2009                     n/a                      93,094                90,992
MALAYSIANS tend to IGNORE spams rather than report them to Cyber999.
* Spamming is one of the methods of spreading malware *
Cyber criminals everywhere…..
Edward Snowden
Challenges for legal regime…
The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks….
EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more.
CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared.
DATA EXPLOSION: The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere.
ATTACK SOPHISTICATION: The speed and dexterity of attacks have increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions.
What steps are taken by the Malaysian Government to keep cyber threats under control?
One of the most important steps is creating the National Cyber Security Policy (NCSP) and establishing CyberSecurity Malaysia to implement the NCSP.
National Cyber Security Policy
Malaysia's Critical National Information Infrastructure will be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well-being and wealth creation.
The National Cyber Security Policy
The National Cyber Security Policy was formulated by MOSTI.
Objectives:
• Address the risks to the Critical National Information Infrastructure
• To ensure that critical infrastructure are protected to a level that is commensurate with the risks
• To develop and establish a comprehensive program and a series of frameworks
NCSP Adoption and Implementation
The policy recognises the critical and highly interdependent nature of the CNII and aims to develop and establish a comprehensive programme and a series of frameworks that will ensure the effectiveness of cyber security controls over vital assets.
NATIONAL CYBER SECURITY POLICY: NCSP THRUSTS AND CNII SECTORS
VISION: Malaysia's Critical National Information Infrastructure shall be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well being and wealth creation.
CNII sectors: Defence & Security; Transportation; Banking & Finance; Government; Information & Communications; Energy; Emergency Services; Water; Food & Agriculture; Health Services.
CNII: Assets (real & virtual), systems and functions that are vital to the nation, such that their incapacity or destruction would have a devastating impact on: National Defense & Security | National Economic Strength | National Image | Government capability to function | Public Health & Safety
Policy thrusts (thrust | lead agency | thrust area | outcome):
T1 | NSC | Effective Governance | Establishment of a national info security coordination centre, effective institutional arrangements & public-private cooperation
T2 | AGC | Legislation & Regulatory Framework | Reduction of cybercrime & increased success in the prosecution of cyber crime
T3 | MOSTI | Cyber Security Technology Framework | Expansion of national certification scheme for InfoSec management & assurance
T4 | MOSTI | Culture of Security & Capacity Building | Reduced no. of InfoSec incidents through improved awareness & skill level
T5 | MOSTI | R&D Towards Self Reliance | Acceptance & utilization of locally developed info security products
T6 | MICC | Compliance & Enforcement | Strengthen or include infosec enforcement role in all CNII regulators
T7 | NSC | Cyber Security Emergency Readiness | CNII resilience against cyber crime, terrorism, info warfare
T8 | MICC | International Cooperation | International cooperation & branding on CNII protection with improved awareness & skill level
Are there any new laws or legislation being introduced in Malaysia to help combat cybercrime?
The Malaysian Parliament has passed a total of eight (8) Cyber Laws:
1. Digital Signature Act 1997;
2. Computer Crimes Act 1997;
3. Copyright (Amendment) Act 1997 (from Copyright Act 1987);
4. Telemedicine Act 1997;
5. Communications and Multimedia Act 1998;
6. Communications and Multimedia Commission Act 1998;
7. Electronic Commerce Act 2006; and
8. Personal Data Protection Bill 2010.
We believe that Malaysia is going in the right direction concerning cyber laws.
The existing Penal Code (Act 574) can serve as a general law on criminal offences in Malaysia, because most cybercrimes are traditional by nature; ICT is merely used as the medium to commit the criminal act.
Other laws that, while not exactly amounting to Cyber Laws, are in fact indirectly applicable to cyberspace as well, such as:
a. Security Offences (Special Measures) Act,
b. Defamation Act,
c. Sedition Act,
d. Evidence Act 114A.
The ISMS standard has been mandated by Cabinet for CNII organizations
On 24 February 2010, the Cabinet agreed that CNIIs should implement and undergo certification for MC ISO/IEC 27001:2007 Information Security Management System (ISMS) within 3 years.
Considerations for the Banking industry
27 commercial banks; 16 Islamic financial institutions
Bank Negara Malaysia specific measures to mitigate cyber risks:
1. Bank Negara Malaysia's Guidelines on Data Management and MIS Framework
2. Guidelines on Management of IT Environment (GPIS 1)
3. Guidelines on Internet Insurance
4. Disaster Recovery Capabilities of Banking Institutions
5. BNM DDOS circular to commercial banks
What's the future for us?
• Future Cyber Laws must recognize the people development component, crucial for a K-Economy.
• The existing Cyber Laws created the necessary impact… but constant review is necessary: technology innovations, business innovations, "criminal" innovations, globalization.
• An exclusive legislative process may shorten the review cycle.
• The Malaysian Government envisions reinventing governance activities through e-Government projects and applications.
• Several test-beds are already in place to provide ICT-enabled solutions such as e-judiciary, e-passport, tele-healthcare, etc.
• Such e-applications inevitably come with legal impediments that would slow down the reinvention process unless they are properly addressed and solved.
Laptop-controlled rocket launched in Japan
Successful launch: Children reacting to a projected live transmission image displaying the launch of the new solid-fuel Epsilon rocket carrying satellites from the Uchinoura Space Centre in Kagoshima, at the National Museum of Emerging Science and Innovation in Tokyo. — AFP
TOKYO: Japan's new solid-fuel rocket successfully blasted off carrying a telescope for remote observation of planets in a launch coordinated from a laptop computer-based command centre.
The Japan Aerospace Exploration Agency (Jaxa) launched the Epsilon rocket from the Uchinoura Space Centre in Kagoshima, southwestern Japan, at 2pm.
TheStar Malaysia, published: Sunday September 15, 2013
More than 2 billion people are connected to the Internet. Cellular phone subscriptions passed the 5 billion mark at the end of 2010. More than 50 billion objects are expected to be digitally connected by 2020, including cars, appliances and cameras. The amount of digital information created and replicated in the world will grow to an almost inconceivable 35 trillion gigabytes by 2020.
About $8 trillion was traded through e-commerce last year.
Bottom Line……PPT
P = People, P = Process, T = Technology
Computerworld Malaysia Forum: Governance, Risk and Compliance (GRC) 2013
About us… CyberSecurity Malaysia
Timeline (1997; 1998 - 2005; March 2006):
• NITC Meeting on 7 Apr 2006 agreed to implement NCSP and the establishment of the Malaysia Cyber Security Centre to administer NCSP.
• NCSP was endorsed by the Cabinet in May 2006.
• NISER was tasked to be the Malaysia Cyber Security Centre.
• 30 Mar '07: NISER officially registered as
• CyberSecurity Malaysia was launched by the Prime Minister of Malaysia on 20 Aug 2007.
Find out more
www.cybersecurity.my
www.mycert.org.my
Personal mobile: +6012-2499476
What about this guy….know him?