Page 1: Aseanfic Cyberstandards Final

Copyright © 2013 CyberSecurity Malaysia

Cybersecurity Standards: A Case Study on Malaysian Banking Sector

Anwer Yusoff
Head, Industry & Business Department
CyberSecurity Malaysia

Sept 18th 2013

Page 2: Aseanfic Cyberstandards Final

Internet use in Malaysia

17,723,000 internet users

Source: Internet World Stats (30 June 2012)

Page 3: Aseanfic Cyberstandards Final

Internet use in Malaysia

Source: The Nielsen Company (April 2011)

The highest usage was recorded among people aged 20-24: almost 6 in 10 (57%) regularly use the internet.

Malaysian internet users (aged 20-24) spend an average of 22.3 hours online per week.

87.9% of Malaysians on the internet access Facebook.

Once online, Malaysians' top 3 activities:

1. social networking sites
2. instant messaging
3. reading local news

Page 4: Aseanfic Cyberstandards Final

HIGH LEVEL USAGE = HIGH RISK

Page 5: Aseanfic Cyberstandards Final

Cyber Security Incidents (1997-2013) Reported to Cyber999 Help Centre

Number of cyber security incidents referred to CyberSecurity Malaysia (excluding spams), as at 31st August 2013:

Year | Incidents
1997 | 81
1998 | 196
1999 | 527
2000 | 347
2001 | 860
2002 | 625
2003 | 912
2004 | 915
2005 | 754
2006 | 1,372
2007 | 1,038
2008 | 2,123
2009 | 3,566
2010 | 8,090
2011 | 15,218
2012 | 9,986
2013 | 7,753 (as at 31 August 2013)

Type of incidents:
• Fraud and scams
• Intrusion and web defacement
• Destruction
• Denial-of-Service
• Virus / Malware
• Harassment
• Content-related
• Intrusion attempts

HIGH LEVEL USAGE = HIGH RISK

Page 6: Aseanfic Cyberstandards Final

The cybercrime situation in Malaysia

RM 1.6 billion lost to scams in 18,386 cases in 2012

HIGH LEVEL USAGE = HIGH RISK

Source: Federal Commercial Crime Investigation Department (CCID)

Page 7: Aseanfic Cyberstandards Final

Which are more common: malicious attacks or accidental breaches?

We believe malicious attacks are more common in Malaysia.

Our Honeynet project detected millions of malware in 2009, 2010, and 2011 during the height of the Conficker worm outbreak.

Page 8: Aseanfic Cyberstandards Final

Which are more common: malicious attacks or accidental breaches?

We believe malicious attacks are more common in Malaysia.

According to the Sophos Security Threat Report 2013, Malaysia is the 6th riskiest country, with a Threat Exposure Rate (TER) of 17.44%. (TER is measured as the percentage of PCs that experienced a malware attack, whether successful or failed, over a three-month period.)

For comparison: Norway 1.81% TER; Indonesia 23.54% TER.

Page 9: Aseanfic Cyberstandards Final

MALWARE REPORTED to Cyber999 VS DETECTED by MyCERT Honeynet

Year | Malicious code reported to Cyber999 | Total botnet & malware detected by MyCERT Honeynet (by unique IP)
Up to 31 May 2013 | 1,158 | 263,625
2012 | 645 | 1,477,810
2011 | 1,012 | 5,779,546
2010 | 1,199 | 5,307,790
2009 | 283 | 1,889,165

Chart annotation on the honeynet peak: due to Conficker.

Malaysians hardly report malware attacks, perhaps due to ignorance?

Page 10: Aseanfic Cyberstandards Final

SPAM REPORTED to Cyber999 VS DETECTED via MyCERT Honeynet

Year | Reported to Cyber999 | Detected spam emails | Spam networks
Up to 31 May 2013 | 723 | 349,827 | 173,321
2012 | 526 | 58,950 | 63,495
2011 | 3,751 | 80,607 | 29,688
2010 | 1,268 | 129,788 | 24,644
2009 | n/a | 93,094 | 90,992

MALAYSIANS tend to IGNORE spam rather than report it to Cyber999.

* Spamming is one of the methods of spreading malware *

Page 11: Aseanfic Cyberstandards Final

Cyber criminals everywhere…

Edward Snowden

Page 12: Aseanfic Cyberstandards Final

Challenges for legal regime…

Page 13: Aseanfic Cyberstandards Final

The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks…

EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more.

CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared.

DATA EXPLOSION: The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere.

ATTACK SOPHISTICATION: The speed and dexterity of attacks has increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions.

Page 14: Aseanfic Cyberstandards Final

What steps are taken by the Malaysian Government to keep cyber threats under control?

One of the most important steps is creating the National Cyber Security Policy (NCSP) and establishing CyberSecurity Malaysia to implement the NCSP.

Page 15: Aseanfic Cyberstandards Final

National Cyber Security Policy

Malaysia's Critical National Information Infrastructure will be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well-being and wealth creation.

Page 16: Aseanfic Cyberstandards Final

The National Cyber Security Policy

NCSP Adoption and Implementation

The National Cyber Security Policy was formulated by MOSTI. The policy recognises the critical and highly interdependent nature of the CNII and aims to develop and establish a comprehensive programme and a series of frameworks that will ensure the effectiveness of cyber security controls over vital assets.

Objectives:
• Address the risks to the Critical National Information Infrastructure
• To ensure that critical infrastructure are protected to a level that is commensurate with the risks
• To develop and establish a comprehensive program and a series of frameworks

Page 17: Aseanfic Cyberstandards Final

NATIONAL CYBER SECURITY POLICY

VISION: Malaysia's Critical National Information Infrastructure shall be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well-being and wealth creation.

CNII SECTORS: Defence & Security | Transportation | Banking & Finance | Government | Information & Communications | Energy | Emergency Services | Water | Food & Agriculture | Health Services

NCSP THRUSTS (lead agency | thrust | outcome):

T1 NSC | Effective Governance | Establishment of a national info security coordination centre, effective institutional arrangements & Public-Private Cooperation
T2 AGC | Legislation & Regulatory Framework | Reduction of cybercrime & increased success in the prosecution of cyber crime
T3 MOSTI | Cyber Security Technology Framework | Expansion of national certification scheme for InfoSec management & assurance
T4 MOSTI | Culture of Security & Capacity Building | Reduced no. of InfoSec incidents through improved awareness & skill level
T5 MOSTI | R & D Towards Self Reliance | Acceptance & utilization of locally developed info security products
T6 MICC | Compliance & Enforcement | Strengthen or include infosec enforcement role in all CNII regulators
T7 NSC | Cyber Security Emergency Readiness | CNII resilience against cyber crime, terrorism, info warfare
T8 MICC | International Cooperation | International cooperation & branding on CNII protection with improved awareness & skill level

CNII: Assets (real & virtual), systems and functions that are vital to the nation, such that their incapacity or destruction would have a devastating impact on: National Defense & Security | National Economic Strength | National Image | Government capability to function | Public Health & Safety

Page 18: Aseanfic Cyberstandards Final

Governance

Page 19: Aseanfic Cyberstandards Final

Are there any new laws or legislation being introduced in Malaysia to help combat cybercrime?

Page 20: Aseanfic Cyberstandards Final

The Malaysian Parliament has passed a total of eight (8) Cyber Laws:

1. Digital Signature Act 1997;
2. Computer Crimes Act 1997;
3. Copyright (Amendment) Act 1997 (from Copyright Act 1987);
4. Telemedicine Act 1997;
5. Communications and Multimedia Act 1998;
6. Communications and Multimedia Commission Act 1998;
7. Electronic Commerce Act 2006; and
8. Personal Data Protection Bill 2010.

We believe that Malaysia is going in the right direction concerning cyber laws.

Page 21: Aseanfic Cyberstandards Final

We believe that Malaysia is going in the right direction concerning cyber laws.

The existing Penal Code (Act 574) can serve as a general law on criminal offences in Malaysia, because most cybercrimes are traditional by nature; ICT is merely used as a medium to commit criminal acts.

Other laws that, while not exactly amounting to Cyber Laws, are in fact indirectly applicable to cyberspace as well, such as:

a. Security Offences (Special Measures) Act,
b. Defamation Act,
c. Sedition Act,
d. Evidence Act, Section 114A.

Page 22: Aseanfic Cyberstandards Final

The ISMS standard has been mandated by Cabinet for CNII organizations

On 24 February 2010, the Cabinet agreed that CNIIs should implement and undergo certification for MS ISO/IEC 27001:2007 Information Security Management System (ISMS) within 3 years.

Page 23: Aseanfic Cyberstandards Final

BNM Financial Sector Blue Print

Page 24: Aseanfic Cyberstandards Final


BNM Financial Sector Blue Print

Page 25: Aseanfic Cyberstandards Final


BNM Financial Sector Blue Print

Page 26: Aseanfic Cyberstandards Final

Considerations for the Banking industry

27 commercial banks, 16 Islamic financial institutions

Page 27: Aseanfic Cyberstandards Final

Bank Negara Malaysia specific measures to mitigate cyber risks

1. Bank Negara Malaysia's Guidelines on Data Management and MIS Framework
2. Guidelines on Management of IT Environment (GPIS 1)
3. Guidelines on Internet Insurance
4. Disaster Recovery Capabilities of Banking Institutions
5. BNM DDoS circular to commercial banks

Page 28: Aseanfic Cyberstandards Final

What's the future for us?

• Future Cyber Laws must recognize the people development component, which is crucial for a K-Economy.
• The existing Cyber Laws created the necessary impact… but constant review is necessary, driven by:
  # Technology innovations
  # Business innovations
  # "Criminal" innovations
  # Globalization
• An exclusive legislative process may shorten the review cycle.
• The Malaysian Government envisions reinventing governance activities through e-Government projects and applications.
• Several test-beds are already in place to provide ICT-enabled solutions such as e-judiciary, e-passport, tele-healthcare, etc.
• Such e-applications inevitably come with legal impediments that would slow down the reinvention process unless they are properly addressed and solved.

Page 29: Aseanfic Cyberstandards Final

Laptop-controlled rocket launched in Japan

Successful launch: Children reacting to a projected live transmission image displaying the launch of the new solid-fuel Epsilon rocket carrying satellites from the Uchinoura Space Centre in Kagoshima, at the National Museum of Emerging Science and Innovation in Tokyo. — AFP

TOKYO: Japan's new solid-fuel rocket successfully blasted off carrying a telescope for remote observation of planets in a launch coordinated from a laptop computer-based command centre.

The Japan Aerospace Exploration Agency (Jaxa) launched the Epsilon rocket from the Uchinoura Space Centre in Kagoshima, southwestern Japan, at 2pm.

TheStar Malaysia, published: Sunday September 15, 2013

Page 30: Aseanfic Cyberstandards Final

More than 2 billion people are connected to the Internet. Cellular phone subscriptions passed the 5 billion mark at the end of 2010. More than 50 billion objects are expected to be digitally connected by 2020, including cars, appliances and cameras. The amount of digital information created and replicated in the world will grow to an almost inconceivable 35 trillion gigabytes by 2020.

About $8 trillion was traded through e-commerce last year.

Page 31: Aseanfic Cyberstandards Final

Bottom Line……PPT

P = People, P = Process, T = Technology

Page 32: Aseanfic Cyberstandards Final

Computerworld Malaysia Forum: Governance, Risk and Compliance (GRC) 2013

About us…CyberSecurity Malaysia

1997
1998 - 2005: NISER
March 2006:
• NITC Meeting on 7 Apr 2006 agreed to implement NCSP and the establishment of the Malaysia Cyber Security Centre to administer NCSP.
• NCSP was endorsed by the Cabinet in May 2006.
• NISER was tasked to be the Malaysia Cyber Security Centre.
30 Mar '07: NISER officially registered as
20 Aug 2007: CyberSecurity Malaysia was launched by the Prime Minister of Malaysia.

Page 33: Aseanfic Cyberstandards Final


Page 34: Aseanfic Cyberstandards Final

www.cybersafe.my

Page 36: Aseanfic Cyberstandards Final


Page 37: Aseanfic Cyberstandards Final


Page 38: Aseanfic Cyberstandards Final

Where it all started…

Page 39: Aseanfic Cyberstandards Final


Page 40: Aseanfic Cyberstandards Final


Page 41: Aseanfic Cyberstandards Final

What about this guy….know him?

Page 42: Aseanfic Cyberstandards Final


Page 43: Aseanfic Cyberstandards Final


Page 44: Aseanfic Cyberstandards Final


Page 45: Aseanfic Cyberstandards Final
