Vol 30 - (Q1/2012) PP 15526/10/2012(031392)

Securing Your Software Development Life Cycle
Analysis of Vulnerabilities Report
Benefits of ISO/IEC 27005:2011 Information Security Risk Management

"Security is, I would say, our top priority because for all the exciting things you will be able to do with computers (organizing your lives, staying in touch with people, being creative), if we don't solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed." - Bill Gates

e-Security | CyberSecurity Malaysia 2012 | Vol: 30 (Q1/2012)

e-Security | Vol: 30-(Q1/2012) CyberSecurity Malaysia 2012 - All Rights Reserved
For the past few years, we have seen the birth of a gamut of new age cyber threats and how they are encroaching more into every sphere of our lives, and they come in multiple dimensions. In 2011, we also saw the emergence of social media and mobile devices, which has complicated the global cyber security landscape, further worsened by users' ignorance, technical incompetency and a lack of strategic cyber security collaboration. We take the necessary steps to curb this situation, among others knowledge sharing initiatives via the e-Security Bulletin. It is expected that 2012 and beyond will be challenging, as cyber crime is consistently becoming more sophisticated due to the rapid advancement in technology.

In 2011, CyberSecurity Malaysia received 5,328 online fraud incidents that include various types of Internet scams. That number alone is more than the total number of similar incidents in 2010 and double those reported in 2009. It is not an exaggeration to say that Internet scams, i.e. love scams, financial fraud, identity theft etc., are fast becoming the crime of choice. For every investigation in the news, there are hundreds that will never make the headlines. We learn that criminals can hardly get caught, and even if they do, they can hardly be convicted.

As technology evolves, the risks posed by cyber threats also continue to grow in both scale and sophistication. New techniques and methods may emerge, and the traditional ones would become obsolete. As such, our attitudes towards cyber security should also evolve and innovate.

The explosion of the Internet has also created the phenomenon of digital hacktivism. 2011 also witnessed hacktivist groups such as Anonymous going on a rampage, worse than the year before. Indeed, Anonymous is a revolutionary group, and it will be more sophisticated in the future. Hence our approach towards combating it has to be equally revolutionary.

Cyber security requires innovation, or perhaps a fundamental shift in approach towards solving the problems, and we have to act fast to stay ahead. From 2012 onward, we need to understand the evolving cyber threats and how they work, and to develop the tools and methods to combat them. We should create a more robust and resilient cyber space that can withstand attacks, and also help detect and prevent cyber attacks from occurring. We also need talented people with innovative ideas and commitment from both local and global key cyber security players.

Until next time, have a prosperous and secure year ahead. Thank you.

Thank you and warmest regards,
Lt Col Prof Dato Husin Jazri (Retired) CISSP CBCP CEH ISLA
CEO, CyberSecurity Malaysia

Greetings and welcome to the first edition of the e-Security Bulletin for 2012. Some interesting topics have been lined up in this edition, such as security in the Software Development Life Cycle (SDLC), principles of security and information security risk management. Also, short but important tips on how to secure your iPad are included. Please spend time to read through the articles.

I would also like to highlight our CyberSecurity Clinic, which started its operation in September last year. Some of the services being offered are data recovery (for your hard disk, thumb drive, memory card or server), data sanitisation and ICT services. Please visit the CyberSecurity Clinic website (www.cybersecurityclinic.my) for further information.

Last but not least, I want to take this opportunity to thank all contributors for their valuable knowledge sharing. I look forward to more contributions from the security professionals.

Best Regards,
Lt Col Asmuni Yusof (Retired), Editor

Contents
MyCERT 1st Quarter 2012 Summary Report  01
Benefits of ISO/IEC 27005:2011 Information Security Risk Management  04
Securing Your Software Development Life Cycle  08
Analysis of Vulnerabilities Report  11
Security Challenges Emerge with IPv6 Launch  15
Principles of Security  17
Keep your data safe: Top 4 tips on Securing iPad  21
PUBLISHED AND DESIGNED BY

MyCERT 1st Quarter 2012 Summary Report

Introduction

The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysian Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT.

The summary highlights statistics of incidents according to categories handled by MyCERT in Q1 2012, comprising security advisories and other activities carried out by MyCERT personnel. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as the monetary value or repercussions of the incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian constituency. MyCERT works closely with other local and global entities to resolve computer security incidents.

Incidents Trends Q1 2012

Incidents were reported to MyCERT by various parties within the constituency as well as from foreign sources, which include home users, private sector entities, government agencies, security teams from various countries, foreign CERTs and Special Interest Groups, including MyCERT's proactive monitoring of several cyber incidents.

From January to March 2012, MyCERT, via its Cyber999 service, handled a total of 3,143 incidents, representing a 4.40 percent decrease compared to Q4 2011. In Q1 2012, incidents such as Denial of Service, Fraud, Vulnerabilities Report and Malicious Code had increased while other incidents showed a decrease.

Figure 1 illustrates incidents received in Q1 2012, classified according to the type of incidents handled by MyCERT.

Figure 1: Breakdown of Incidents by Classification in Q1 2012

Figure 2 illustrates incidents received in Q1 2012, classified according to the type of incidents handled by MyCERT, as well as a comparison with the number of incidents received in the previous quarter.

Categories of Incidents   Q4 2011   Q1 2012   Percentage
Intrusion Attempt            209        46       -77.99
Denial of Service              1         5          400
Spam                         299       201       -32.77
Fraud                       1153      1491        29.31
Vulnerability Report          11        16        45.45
Cyber Harassment             105        80       -23.80
Content Related               11         7       -36.36
Malicious Codes              142       189        33.09
Intrusion                   1357      1108       -18.34

Figure 2: Comparison of Incidents between Q4 2011 and Q1 2012
Figure 3 shows the percentage of incidents handled according to categories in Q1 2012.

Figure 3: Percentage of Incidents in Q1 2012

In Q1 2012, a total of 1,108 incidents were received on Intrusion, representing an 18.34 percent decrease compared to the previous quarter. The Intrusion incidents reported to us were mostly web defacements, also known as web vandalism, followed by account compromises. Based on our findings, the majority of web defacements were due to vulnerable web applications or unpatched servers, involving web servers running on IIS and Apache.

In this quarter, we received a total of 689 .MY domains defaced, belonging to various sectors such as private and government sites hosted on servers belonging to local web hosting companies. MyCERT responded to web defacement incidents by notifying the respective Web Administrators to rectify the defaced websites by following our recommendations.

Figure 4 shows the breakdown of domains defaced in Q4 2011.

Figure 4: Percentage of Web Defacement by Domain in Q1 2012

Account compromise incidents continued in this quarter as in the previous one, with an increase to 68 incidents compared to 57 in Q4 2011. Account compromise incidents have become a trend nowadays, in which unscrupulous individuals take advantage of various techniques to compromise legitimate accounts. The increase in Internet banking and usage of social networking sites, combined with a lack of security awareness, had contributed to the increase in account compromise incidents. Account compromise incidents reported to us involved mostly free-based email accounts and social networking accounts. These incidents could have been prevented if users practised good password management, such as using strong passwords and properly safeguarding them.

Users may refer to the URLs below for good password management practices:
http://www.auscert.org.au/render.html?it=2260
http://www.us-cert.gov/cas/tips/ST04-002.html

Incidents involving fraud had increased by about 29.31 percent in this quarter
compared to the previous quarter. Fraud incidents continue to be a trend in this quarter and are one of the most frequently reported incidents to Cyber999. In fact, fraud has become a global trend involving phishing, Nigerian scams, lottery scams, illegal investments and job scams, as it provides attractive financial returns to the perpetrators. A total of 1,153 incidents were received in this quarter, from organisations and home users. Phishing incidents involving foreign and local brands still prevail in this quarter, along with other types of fraud. Incidents on job scams also increased, targeting other industries such as hospitals and specialist centres.

We continue to receive incidents on cyber harassment in this quarter. However, the number had dropped by about 23.80 percent, with a total of 80 incidents. Harassment reports generally involved cyberstalking, cyberbullying and threatening done via emails and social networking sites. A new trend we observed in this quarter is luring victims into posing nude in front of video cams while chatting with the perpetrators via Skype or MSN Messenger. The captured nude pictures of these victims will then be used to threaten the victims to pay some amount of money, failing which the pictures will be publicly exposed on social networking sites. We advised users to be very cautious with whom they communicate or chat on the Internet, especially with unknown individuals.

In Q1 2012, MyCERT had handled 189 incidents on malicious codes, which represented a 33.09 percent increase compared to the previous quarter. A few of the malicious code incidents we handled were active botnet controllers, hosting of malware or malware configuration files on compromised machines, and malware infections on computers.

Advisories and Alerts

In Q1 2012, MyCERT had issued a total of ten advisories and alerts for its constituencies involving popular end-user applications such as Adobe PDF Reader and Multiple Microsoft Vulnerabilities. Attackers often compromise end-users' computers by exploiting vulnerabilities in the users' applications. Generally, the attacker tricks the user into opening a specially crafted file (i.e. a PDF document) or a web page.

Readers can visit the following URL on advisories and alerts released by MyCERT:
http://www.mycert.org.my/en/services/advisories/mycert/2011/main/index.html

Conclusion

In conclusion, the number of computer security incidents reported to us in this quarter had decreased slightly compared to the previous quarter. However, several categories of incidents reported to us continue to increase. The slight decrease could be a positive indication that more Internet users are aware of current threats and are taking proper protection measures against them. No severe incidents were reported to us in this quarter and we did not observe any crisis or outbreak in our constituencies. Nevertheless, users and organisations must be constantly vigilant of the latest computer security threats and are advised to always take measures to protect their systems and networks from these threats.

Internet users and organisations may contact MyCERT for assistance at the below contact:
E-mail: [email protected]
Cyber999 Hotline: 1 300 88 2999
Phone: (603) 8992 6969
Fax: (603) 8945 3442
Phone: 019-266 5850
SMS: Type CYBER999 report & SMS to 15888
http://www.mycert.org.my/

Please refer to MyCERT's website for the latest updates of this Quarterly Summary.
Benefits of ISO/IEC 27005:2011 Information Security Risk Management

BY | Noor Aida Idris, Lt Col Asmuni Yusof (Retired)

Introduction

The increasing number of cyber security incidents has resulted in managing information security becoming one of the top agendas in many organisations. Organisations have to keep up-to-date with information security risks introduced by new and advanced technologies, in addition to their own reliance on such new technology, since organisational information now resides in a digital world as well as in physical mediums.

Information security management was introduced to ensure organisations were able to secure their most valuable information assets, which concern critical business information. By proactively protecting information assets and managing information security risks, organisations can reduce the likelihood and/or the impact on their information assets from a wide range of information security threats. Today, there are various mechanisms being practised by different organisations in managing information security, among which is via information security management systems based on ISO/IEC 27001:2005 Information Security Management Systems (ISMS) - Requirements.

ISO/IEC 27001 is one of the published standards in the ISO 27000 family that provides the general requirements for implementing information security management systems. This standard provides organisations with a means for protecting their information (in terms of confidentiality, integrity, availability) and providing clients, partners and regulators assurance of compliance to an internationally recognised set of information security requirements. It is a risk-based approach that provides a holistic and structured way of managing information security for organisations.

Risk management is an important concept throughout information security management. Information security risk management is needed to ensure the confidentiality, integrity and availability of information assets is preserved by organisations. According to Humphreys (2008), risk management is the key to information security governance by an organisation and to the protection of its information assets. If the organisation is unaware of the risk(s) it faces, it will not deploy or implement security controls, and thus fail to protect its most critical assets. Several guidance documents are available to assist organisations in managing their information security risks, one of which is ISO/IEC 27005:2011 Information Security Risk Management. The objective of this paper is to convey the benefits of implementing information security risk management based on ISO/IEC 27005:2011 Information Security Risk Management.

Introduction to ISO/IEC 27005:2011 - Information Security Risk Management

ISO/IEC 27005 contains a description of information security risk management processes and activities, which provide
guidelines to organisations to manage their information security risks. This standard, which was first introduced in 2005, has been revised recently and re-published in 2011. The standard is one of the standards which play a significant role in the successful implementation of ISMS.

Benefits of ISO/IEC 27005

In the authors' opinion, there are several key advantages when organisations refer to ISO/IEC 27005 for implementing information security risk management. Firstly, this standard can be used by any type of organisation. Secondly, this standard supports the requirements of information security risk assessment specified in ISO/IEC 27001. And thirdly, this standard, which has been revised to align with three other risk management standards, can be used by organisations that wish to manage their information security risks in a similar fashion to the way they manage other risks.

This standard is applicable to any type of organisation

One of the attractions of ISO/IEC 27005 is the risk management process described in the standard, which is applicable to all organisations, no matter the size or type. As a matter of fact, the information security risk management processes defined by the standard can be applied not just to the organisation as a whole, but to any discrete part of the organisation (e.g. a department, a physical location, a business service or a critical function), any information system, existing or planned, or particular aspects of control (e.g. business continuity planning). Information security risk management described in ISO/IEC 27005 consists of five processes, which are: context establishment, information security risk assessment, information security risk treatment, information security risk acceptance, information security risk communication and consultation, and information security risk monitoring and review. These five processes are illustrated in Figure 1.

Figure 1: ISO/IEC 27005 Information Security Risk Management Processes

The standard supports risk assessment requirements specified in ISO/IEC 27001

Another key benefit offered by the ISO/IEC 27005 standard is that it supports the information security risk assessment requirements specified in ISO/IEC 27001. Thus, organisations that wish to be certified against ISO/IEC 27001 may refer to ISO/IEC 27005 when implementing the information security risk assessment. The mapping of clauses in ISO/IEC 27005 with risk assessment requirements in ISO/IEC 27001 is discussed in detail below:
a) Clause 7 Context establishment

In ISO/IEC 27005, the context of risk management for an organisation is established first. Establishing the context for risk management involves both the external and internal context for setting the basic criteria necessary for information security risk management, defining the scope and boundaries, and establishing an appropriate organisation operating the information security risk management. The context establishment process is in line with ISO/IEC 27001:2005 clause 4.2.1 c) Define the risk assessment approach of the organisation.

b) Clause 8 Information security risk assessment

The context establishment process is followed by a risk assessment process. There are three sub-processes included in a risk assessment process, which are risk identification, risk analysis and risk evaluation. The risk assessment process determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effect on the risk identified, determines the potential consequences and finally prioritises the derived risks and ranks them against the risk evaluation criteria set in the context establishment. The information security risk assessment process is in line with ISO/IEC 27001:2005 clause 4.2.1 d) Identify the risks and e) Analyse and evaluate the risks.

c) Clause 9 Information security risk treatment

Next is the risk treatment process. The information security risk treatment process involves planning to treat the identified risks. There are four options available for risk treatment: risk modification, risk retention, risk avoidance and risk sharing. Selecting the risk treatment options should be based on the outcome of the risk assessment, the expected cost of implementing these risk treatment options and the expected benefits from these options. The information security risk treatment process is in line with ISO/IEC 27001:2005 clause 4.2.1 f) Identify and evaluate options for the treatment of risks.

d) Clause 10 Information security risk acceptance

The decision to accept the risks and the responsibilities for decisions are made and formally recorded in the information security risk acceptance process. This process is important to ensure that upper management is aware of the risks and also of the plans to treat the risks. The information security risk acceptance process is in line with ISO/IEC 27001:2005 clause 4.2.1 g) Select control objectives and controls for the treatment of risks and h) Obtain management approval of the proposed residual risks.

e) Clause 11 Information security risk communication and consultation

The risk communication and consultation process involves activities to achieve an agreement on how to manage risks by exchanging and/or sharing information about those risks between the decision-makers and other stakeholders. The information security risk communication and consultation process is in line with ISO/IEC 27001:2005 clause 4.2.4 c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.

f) Clause 12 Information security risk monitoring and review

On-going monitoring and review of current information security
risks are important because risks are not static. New threats and vulnerabilities may arise at any point in time; likelihood or consequences may change abruptly without any indication. Thus, constant and continuous monitoring of the risks is necessary to detect these changes. Conducting regular monitoring and review may also ensure that the risk management context, the outcome of the risk assessment and the risk treatment plans remain relevant to the organisation. The information security risk monitoring and review process is in line with ISO/IEC 27001:2005 clause 4.2.3 d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks.

Easy alignment with other risk management standards

Another advantage for organisations that choose ISO/IEC 27005 when implementing information security risk management is that they can align the way they manage other risks, such as enterprise-wide risks, with information security risks. This is due to ISO/IEC 27005 being revised recently to reflect changes in three risk management standards, which are: ISO 31000:2009 - Risk management - Principles and Guidelines; ISO 31010:2009 - Risk management - Risk Assessment Techniques; and ISO Guide 73:2009 - Risk Management Vocabulary. As an example, organisations that have adopted ISO 31000 for managing their enterprise-wide risks may find that they can manage their information security risks in a similar fashion. Thus, less time and resources may be used when embarking on the journey of adopting ISO/IEC 27005 for information security risk management and implementing ISMS based on ISO/IEC 27001.

Conclusion

Information security risk management is one of the requirements in ISO/IEC 27001 ISMS. As stated earlier, ISO/IEC 27005 is an essential companion for implementing ISMS based on ISO/IEC 27001. The advice and guidance contained in the standard is useful for any organisation intending to manage their information security risks effectively. The three advantages described in this paper can be enjoyed by organisations managing their information security risks based on ISO/IEC 27005.

References

1. ISO/IEC, Information Technology - Security techniques - Information security risk management systems, ISO/IEC 27005 International Standard, 2011.
2. ISO/IEC, Information Technology - Security techniques - Information security management system - Requirements, ISO/IEC 27001 International Standard, 2005.
3. International Organization for Standardization website, www.iso.org, accessed on 23 March 2012.
4. ISO27001 Security website, www.iso27001security.com, accessed on 23 March 2012.
5. Humphreys, E. 2008. Information security management standards: Compliance, governance and risk management, Information Security Technical Report 13 (2008) 247-255.
6. Humphreys, E. 2010. Information Security Risk Management Handbook for ISO/IEC 27001, BSI Standards.
Securing Your Software Development Life Cycle

BY | Norahana Salimin

When an organisation incorporates security in its SDLC, inevitably it benefits from products and applications that are secure by design.

Introduction

Quality software does not really mean secure software. Building security into software development is often seen as a major pain in the neck. In certain cases, security is treated as an obstacle to the successful completion of a software project. That is the reason why security is usually considered as the last factor.

The emergence of worldwide cyber-attacks, especially in Malaysia [1], where the attackers were targeting software (mostly web applications) used by government agencies, critical national information infrastructure (CNII) and high profile corporations, raised a pertinent question. How seriously did the government and the corporate sector view security? How do they ensure that sensitive data belonging to ordinary citizens or customers are not exposed or stolen? There are possibilities that corrective actions may have been taken to resolve the situation. However, what about preventive measures to ensure that lightning does not strike twice? This is where securing the software development life cycle (SDLC) comes into the picture as an attractive preventive measure.

Securing SDLC

The Software Development Life Cycle (SDLC) [2] is a process, model and methodology of creating or modifying an information system. According to the International Information Systems Security Certification Consortium, Inc. (ISC)² [3], secure SDLC phases comprise Requirement, Design, Coding, Testing, Acceptance, Deployment, Operations, Maintenance and Disposal. Initially, developers must have firm concepts of software security. With a solid knowledge of security concepts, only then can it be applied to the phases outlined in the SDLC. This paper discusses the best practices on securing the phases of the SDLC.

Requirement

The requirement phase, or secure requirement, is defined as the outline of security controls and the integration of those security controls into the development process. Policy, standards, patterns and practices (PnP), and external regulatory and compliance requirements must be included in the security requirements. Confidentiality, integrity, availability, authentication, authorisation and auditing of data must also be included. A way to gather these security requirements is by referring to the modelling methodologies of use and misuse cases, where understanding the threats against a system will produce the countermeasures to protect the system.
Design

The secure concept in the design phase is basically about structuring the software from a security perspective. Performing a threat modelling exercise will identify the attack surface and security criteria that will be valuable in structuring the software in terms of security. Software documentation should be in place. The principles of security design are many. Among them are least privilege, separation of duties, complete mediation, defence in depth, fail safe, weakest links, single point of failure, etc. The technologies being used to match these designs are identity and authentication management, information flow control, audit management, data protection, digital rights management, computing environment and integrity management.

Coding

Secure coding involves the usage of coding and testing standards, applying security testing tools such as fuzzing and static-analysis code scanning, and the review of source code. Knowing common software vulnerabilities and their countermeasures, such as injection, cross site scripting, buffer overflow and broken session management, is a must to ensure these vulnerabilities are covered during coding. Defensive coding practices can be applied, such as type safe practices, memory management, error handling and locality. Source code versioning is also important to ensure verified code is not overwritten by unverified source code. To ensure code is not being tampered with, digitally signing source code is now a good practice.

Testing

Secure testing is conducted when software functionalities are complete and ready to enter testing trials. These trials must not be ignored. Black box testing is focused on testing without knowledge regarding the design of the software. White box testing, on the other hand, is testing with the required knowledge. Fuzz testing is executed by injecting random data to observe the behaviour of the software, while defensive coding testing is the examination of common vulnerabilities in the software.

Acceptance

The acceptance phase is secured by ensuring that the software in question meets the necessary requirements before being deployed. In the pre-deployment stage, the completion criteria and risk acceptance levels need to be outlined. Security criteria must be met before a particular software is released for deployment. In the post-release stage, independent testing, validation and verification of the said software by third parties, such as obtaining a Common Criteria certification, may be applied.

Deployment, Operations, Maintenance and Disposal

The deployment, operations, maintenance and disposal phase concerns vulnerabilities that have not been countered by the software and future vulnerabilities that may be discovered during deployment. Software that is delivered to customers should be digitally signed to avoid being tampered with. Installation of software should be securely deployed with the help of an installation manual. Configurations should be hardened to avoid incorrect system implementations. The secure usage of software or system operations should be documented in the operation manual. Patch management and support management should be implemented to gather information from users on errors they encountered, as this may be the source for attackers to launch an attack.

When software is to be replaced or retired, several processes need to be in place to ensure it is executed in a secure manner. If a replacement system exists, the replacement should be operational before retirement takes place. Approval from the management is required before any act of removal or replacement is carried out. Only then are the system's access controls terminated or removed to prevent unauthorised access. Finally, the retired system or software services are to be shut down to reduce the attack potential, securely delete configurations and data from the server and eventually uninstall the system.
Initiatives to improve security on SDLC

For a child, early childhood education such as preschool and kindergarten is the best method to foster greater learning development. The same concept applies to our security environment. The kindergarten for most software developers is the higher learning institutions. These institutions can play an important role in the initiative to secure product lifecycles. It can be achieved by emphasising more security aspects in the syllabus to teach future developers the importance of security as a whole. Collaboration between the academic world and security experts from the industry can also speed up the transfer of knowledge, since industry has become more familiar with the current trends and approaches on the how-to methodologies. With these efforts, our future developers will have a security-in-mind attitude while developing their software, thus reducing the potential of designing unsecured software.

CyberSecurity Malaysia [4], as the national cyber security specialist centre and an agency under the purview of the Ministry of Science, Technology and Innovation (MOSTI), provides ICT security specialist services and continuously monitors threats to national security. In translating the responsibility into implementation, CyberSecurity Malaysia is pioneering the initiative in securing ICT products, regardless of their form, i.e. software, hardware or firmware. Furthermore, this initiative was established to promote secure product development for developers. The initiative was implemented by establishing a product evaluation scheme in Malaysia. The established scheme [5] is now known as the Malaysian Common Criteria Evaluation and Certification (MyCC) scheme. The Information Security Certification Body (ISCB) and the Malaysian Security Evaluation Facility (MySEF) were established under CyberSecurity Malaysia to execute the certification and evaluation processes separately. The standards [6] being used are the Common Criteria (CC) and the Common Methodology for Information Technology Security Evaluation, which are international standards widely used for independent security evaluation of ICT products. When a developer enters into a CC certification, CyberSecurity Malaysia MySEF will evaluate not only the product but also the SDLC phases of the product, to ensure it was executed in a secure process. However, the depth of verifying the SDLC processes will depend on the evaluation assurance level (EAL) chosen by the developer for their product. The benefit of a CC certified product is that the developer will have some level of assurance that their product was properly tested and verified by a third party on its security features. The other benefit is that the developer's potential customers (government agencies or corporations) may favour a CC certified product because of a certain level of confidence in its security functionalities.

Conclusion

The initiatives taken by developers to secure the overall software lifecycle, and the extra initiatives taken to promote secure product development and usage by the government and higher learning institutions, will eventually reduce the possibility of a successful attack and exploitation. This will then ensure that only hack-resilient software is created. Securing software lifecycles is not an all-in-one solution, because security also very much depends on the hosts, networks and the people using the software. However, at least security flaws are detected at an early stage, which reduces the chance of software vulnerabilities being exploited. With all these joint initiatives, we will at least have some assurance that our information and ICT environment are secure from cyber-attacks.

References

1. Malaysia Government Websites Disrupted, http://www.bloomberg.com/news/2011-06-16/malaysia-government-websites-attacked.html
2. System Development Life Cycle, Wikipedia, http://en.wikipedia.org/wiki/Systems_Development_Life_Cycle
3. CSSLP Candidate Information Bulletin, (ISC)2, Inc. portal, https://www.isc2.org/cib/default.aspx
4. CyberSecurity Malaysia's Web Portal, http://www.cybersecurity.my
5. Malaysian Common Criteria Evaluation and Certification (MyCC) scheme portal, http://www.cybersecurity.my/mycc/
6. Common Criteria Web Portal, http://www.commoncriteriaportal.org/
Analysis of Vulnerabilities Report
BY | Sharifah Roziah Binti Mohd Kassim

Introduction

Vulnerability is referred to as a security vulnerability or a flaw in a software or application that makes it infeasible, even when the product is used properly. The presence of vulnerabilities in software or applications provides an opportunity for attackers to exploit them and compromise a system. Vulnerabilities reports refer to reports or incidents regarding vulnerabilities that are present in a system, software or application. Vulnerabilities Report is sub classified into the following:

Misconfiguration: A problem exists with certain misconfigurations which may allow root access or system compromise from any account on the system and might lead to information leak, data manipulation and many more.

Web: User or complainant reports vulnerabilities which are related to websites.

System: User or complainant reports vulnerabilities on any specific system.

Vulnerabilities Reports are basically received from third parties and very seldom from the owners of the systems or websites themselves. Third parties include those from CyberSecurity Malaysia on pro-active monitoring and information received from trusted sources such as security mailing lists and other Computer Emergency Response Teams. Vulnerabilities Reports received must be validated first by checking if the reported vulnerability actually exists. Once validated, Incident Handlers will inform the respective owners of the vulnerability and provide recommendations for rectification.

Analysis

Table 1: Vulnerabilities Report Q1 (Jan - Mar) 2012

Type of Vulnerabilities          Jan   Feb   Mar
Misconfiguration - Disclosure      2     0     4
Web                                0     4     8
System                             0     1     0
TOTAL                              2     5    12

[Graph 1: Vulnerabilities Report Q1 (Jan - Mar) 2012]

Out of the 19 incidents, six incidents involved misconfigurations, 12 involved websites and one involved a system, as shown in Table 2 and Graph 2 below.

Table 2: Total Incidents on Sub Categories of Vulnerabilities

Type of Vulnerability           Total
Misconfiguration - Disclosure       6
Web                                12
System                              1

[Graph 2: Percentage of Incidents by Sub Categories of Vulnerabilities]
From the graph above we can see that the majority of vulnerabilities incidents involved web, with a total of 63 percent compared to other sub categories. This is followed by misconfigurations at 32 percent and systems at 5 percent.

Researchers at WhiteHat Security have discovered that the duration for which an average site is exposed to vulnerabilities is about 270 days before they are remediated. This big time gap gives attackers more opportunity to exploit the vulnerable websites. Vulnerabilities in web are mostly due to vulnerable web applications, caused by improper input validation and sanitisation and improper error checking and handling. Web application developers can follow general good practices in securing their web applications, where inputs are properly validated and sanitised and errors are properly checked and handled.

Various types of vulnerabilities were discovered based on the incidents received, which were SQL Injection, Directory Listing, Info Disclosure, Improper Data Validation, Open Redirection, Logic Error and Cross Site Scripting. The number of incidents received on the above vulnerabilities can be referred to in Table 3 and Graph 3 below.

Table 3: Figure on Different Types of Vulnerabilities

Type of Vulnerability       TOTAL
SQL Injection                   7
Directory Listing               1
Info Disclosure                 7
Improper data validation        1
Open Redirection                1
Logic Error                     1
Cross Site Scripting            6

(The monthly breakdown columns of Table 3 are not legible in the source; only the quarter totals are given here.)

Based on analysis, the most popular vulnerability reported is SQL Injection, representing 30 percent compared to other vulnerabilities. This is followed by Information Disclosure, representing 29 percent, and Cross Site Scripting, which is at 25 percent. Directory Listing, Open Redirection, Logic Error and Improper Data Validation are each at four percent.

[Graph 3: Percentage of Incidents on Different Types of Vulnerabilities]

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without them realising it. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications (such as web browsers through breaches of browser security) that enables attackers to inject client-side script into web pages viewed by other users. SQL injection is an often used technique to attack databases through a website. This is usually done by including portions of SQL statements in a web form entry field or GET requests in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker).
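Added example, not from the report: the SQL injection pattern defined above beside its parameterised form (SQLite in memory over a constructed table), and a redirect-parameter check that supplies the validation the open redirect definition says is missing; ALLOWED_HOSTS and the sample rows are assumptions.

```python
import sqlite3
from urllib.parse import urlparse

# Constructed in-memory table standing in for a web application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, username):
    """Input spliced into the SQL text: the pattern behind the SQL injection reports."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL, so it is
    compared as data and can never change the statement's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# Constructed allow-list of hosts this site may redirect to.
ALLOWED_HOSTS = {"www.example.com"}

def safe_redirect_target(next_url, default="/"):
    """Validate a redirect parameter before using it.

    Accepts a site-relative path ("/account") or an absolute http(s) URL whose
    host is on the allow-list; anything else falls back to `default`.
    """
    parsed = urlparse(next_url)
    is_relative = (parsed.scheme == "" and parsed.netloc == ""
                   and next_url.startswith("/") and not next_url.startswith("//")
                   and "\\" not in next_url)  # "/\\host" is read as "//host" by some browsers
    if is_relative:
        return next_url
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return next_url
    return default
```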
Administrators may refer to the URL below for recommendations on fixing SQL Injection vulnerabilities:

http://www.mycert.org.my/en/resources/web_security/main/main/detail/573/index.html

Information disclosure enables an attacker to gain valuable information about a system. The disclosure could be due to unintentional acts, misconfigurations or vulnerabilities. Directory listing refers to a web server that is configured to display the list of all files contained in a directory. This is not recommended because the directory may contain files that are normally not exposed through links on the web site. A user can view a list of all files from this directory, possibly exposing sensitive information. A logic error is a bug in a programme that causes it to operate incorrectly, but not to terminate abnormally (or crash). A logic error produces an unintended or undesired output or other behaviour, although it may not immediately be recognised as such. Improper data validation is when software does not validate input properly; an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in an altered control flow, arbitrary control of a resource, or arbitrary code execution.

Common incidents related to vulnerabilities found in Q1 2012:

1. Directory Listing on web servers due to misconfiguration of the web server, which allows directory listing on any folder handled by the web server.
2. Information disclosure or data leak which enables anyone to view database information belonging to the website.
3. Email account passwords belonging to users in organisations had been leaked/disclosed and posted on public websites such as pastebin.
4. Misconfigurations that allow any user to view the configuration files of a system or website.
5. Vulnerable websites allow users to change the value of the total amount of their payment that had been valued/passed by the website to payment gateways during payment processes. By right, websites should not allow users to modify the value or payment parameters, as the value is a fixed value set by the website.
6. Vulnerabilities found in web applications allowing remote users to view phpmyadmin settings.
7. Information disclosure by government staff on public/free discussion groups the likes of YahooGroup.
8. Cross site scripting, a web application vulnerability allowing a remote attacker to trick users into executing malicious scripts via their websites.

Out of the 19 incidents received on Vulnerabilities Report, a total of 25 websites and systems were reported. These websites and systems belonged to various sectors ranging from government agencies, financial institutions and private and educational entities, as shown in Table 4 and Graph 4.

Table 4: Figure on total incidents based on Sectors

Sectors                          TOTAL
Government                          10
Banking/Financial Institutions       1
Private Sector                      12
Educational                          2

[Graph 4: Total Incidents on Vulnerability Reports based on Sectors]

[Graph 5: Breakdown of Type of Vulnerability Based on Sectors]

A total of 12 vulnerable websites were found to belong to private sector firms, followed by 10 websites involving government agencies, two websites involving educational institutions and one website involving a banking firm. Out of the figures above, Information Disclosure vulnerabilities were mainly detected in government sector websites, at four websites, followed by the private sector with two websites. The banking and educational sectors recorded one website each that was vulnerable to Information Disclosure, as can be seen in Graph 5. SQL Injection and Cross Site Scripting vulnerabilities were mainly found in websites belonging to the private sector, with four websites on SQL Injection and another four websites on Cross Site Scripting, followed by the government sector with three websites vulnerable to SQL Injection and one website vulnerable to Cross Site Scripting.

Conclusion

In conclusion, the number of incidents received in this quarter on Vulnerabilities Report was considered low, with a total of 19 incidents. Though the number was not alarming, System Administrators must be vigilant about vulnerabilities that may be present in their systems and applications. The repercussions from these vulnerabilities can be severe to the affected organisations, even due to a small misconfiguration in their systems such as the disclosure to the public of sensitive information belonging to the organisation. The disclosed information can be further manipulated by irresponsible parties for malicious purposes on the net. As such, System Administrators must always make sure their systems and applications are regularly patched/updated and checked/fixed for any errors or misconfigurations. In addition, they are advised to regularly monitor their logs to detect any anomalous activities in their systems.
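The log monitoring the conclusion recommends, as an added example that is not from the report: a small scanner over constructed access-log lines that flags the SQL injection, cross-site scripting and open redirection request patterns discussed above; SITE_HOST and the sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Combined-log-format fields: client, identity, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Indicators for the vulnerability classes reported in this quarter.
SQLI_RE = re.compile(r"(?i)(['\"]\s*(or|and)\s+['\"\d])|(union\s+(all\s+)?select)|(;\s*drop\s)")
XSS_RE = re.compile(r"(?i)(<script|javascript:|\bon(error|load|click|mouseover)\s*=)")
REDIRECT_PARAMS = {"next", "url", "redirect", "return", "goto"}
SITE_HOST = "www.example.com"  # constructed: the monitored site's own host name

def classify_request(target):
    """Return the sorted list of indicator tags found in one request target."""
    decoded = unquote_plus(target)  # inspect the decoded form, as the application would
    tags = set()
    if SQLI_RE.search(decoded):
        tags.add("sqli")
    if XSS_RE.search(decoded):
        tags.add("xss")
    # A redirect parameter pointing at a foreign host is the open-redirect pattern.
    for key, values in parse_qs(urlparse(decoded).query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                host = urlparse(value).hostname
                if host and host != SITE_HOST:
                    tags.add("open-redirect")
    return sorted(tags)

def scan_log(lines):
    """Parse access-log lines and return (client, target, tags) for flagged requests."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["target"])
        if tags:
            flagged.append((m["ip"], m["target"], tags))
    return flagged

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2012:10:00:01 +0800] "GET /products.php?id=42 HTTP/1.1" 200 1234',
    '10.0.0.9 - - [12/Feb/2012:10:00:02 +0800] "GET /products.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876',
    '10.0.0.9 - - [12/Feb/2012:10:00:03 +0800] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '10.0.0.12 - - [12/Feb/2012:10:00:04 +0800] "GET /login.php?next=http://attacker.example/phish HTTP/1.1" 302 0',
    '10.0.0.12 - - [12/Feb/2012:10:00:05 +0800] "GET /login.php?next=/account HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, target, tags in scan_log(SAMPLE_LOG):
        print(client, ",".join(tags), target)
```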
Security Challenges Emerge with IPv6
BY | George Chang

On June 6, 2012, top tech organizations and Web leaders such as Google, Facebook and Yahoo!, among others, have made the leap to the updated Internet protocol, IPv6, in an official worldwide launch. Yes, this time, IPv6 is here to stay.

And the transition has become increasingly necessary. The current IPv4 protocol, which can handle around 3.7 billion addresses, has simply run out of address space, thanks in part to the mobile device explosion. Meanwhile IPv6, for all intents and purposes, has unlimited address capacity to accommodate a rapidly growing global Internet and mobile infrastructure.

No doubt, the global launch of the Internet Protocol, IPv6 on June 6, 2012 ushers in a new era in the evolution and widespread adoption of Internet infrastructure around the globe. As the successor to the current Internet Protocol, IPv4, IPv6 is critical to the Internet's continued growth as a platform for innovation and economic development.

The world already had a small taste of what is to come in June of last year during World IPv6 Day. Spearheaded by the Internet Society, the effort galvanized more than 1000 Web sites, tech companies and ISPs to collectively switch to IPv6 for a total of 24 hours, in an effort to test drive the protocol to predetermine and mitigate any possible glitches that might occur during an actual launch.

However, with the launching of the IPv6 protocol worldwide, researchers and IT professionals are anticipating some challenges, especially on the security front. For one, the relative newness of and lack of knowledge around the IPv6 protocol will inevitably pave the way for misconfigurations, compatibility issues and other implementation gaffes. There is not the institutional knowledge around IPv6 the way there is around IPv4, which has been around for decades and enjoys an extensive knowledge base.

But perhaps the biggest security issue is that many networking devices are equipped with capabilities that allow them to forward IPv6 traffic, but not inspect it. And, because IPv6 is enabled by default on many platforms in networks today, such as Windows 7, IPv6 compliant systems are already installed in their networks.

Most systems that are not IPv6 enabled have the ability to handle a work-around, which is to wrap an IPv6 packet with an IPv4 header. They read the header, but they cannot read the contents of the packet itself. They cannot do their normal deep packet inspection, and they just forward the packet. Only when they have a dual stack implementation would they be able to let network security functionality both process and fully inspect packets from both the IPv4 and IPv6 protocols.

Several vendors have this functionality, if not all, and that's one of the risks facing network security professionals today. People have to make sure that their security product can inspect IPv6 traffic. If it can just forward IPv6 traffic, it could be forwarding malicious content.

Even with a dual stack implementation, however, organizations need to determine if they have the same feature set enabled for the IPv4 protocol as they do for IPv6. If not, the network security devices could be overlooking critical pieces of malicious traffic that could potentially compromise their network. Some of the policies in IPv4 and technologies you rely upon may only work in IPv4 and not IPv6, which means gaps in your security coverage.

In this case, however, knowing is not even half the battle. Upgrading networking security infrastructure to accommodate IPv6 is no small undertaking and will likely take years to be phased in completely. Subsequently, many organizations, facing potentially costly and time consuming hardware upgrades, are not planning to embrace IPv6 any time soon.

Yet enterprises cannot shy away from the issue for too long, as a lot more IPv6 traffic will hit their networks after the 6 June launching. When IPv6 is going to be 5 to 10 percent of your data rather than a fraction of a percent, upgrade avoidance becomes much harder to justify. Enterprises and CIOs need to start pondering over the problem soon.

George Chang is Fortinet's Regional Director for Southeast Asia & Hong Kong. Fortinet is a leading provider of network security appliances and the worldwide leader in Unified Threat Management or UTM. Fortinet integrates multiple levels of security protection (such as firewall, antivirus, intrusion prevention, VPN, spyware prevention and antispam) to help customers protect against network and content level threats.
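Added example, not from the article: a parser that unwraps the IPv6-in-IPv4 work-around the author describes (an outer IPv4 header carrying protocol 41) and applies one constructed port policy to the innermost header, beside the outer-header-only check that forwards the tunnelled packet unchecked; the addresses and the blocked-port list are assumptions.

```python
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_IPV6 = 41  # 6in4: an IPv6 packet carried directly inside an IPv4 packet (RFC 4213)

def parse_ipv4(pkt):
    """Parse the IPv4 header; return its key fields and the encapsulated payload."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"version": 4, "proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": pkt[ihl:]}

def parse_ipv6(pkt):
    """Parse the fixed 40-byte IPv6 header; 'proto' carries the Next Header value."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    first, _plen, next_hdr, _hops, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if first >> 28 != 6:
        raise ValueError("malformed IPv6 header")
    return {"version": 6, "proto": next_hdr, "src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst)), "payload": pkt[40:]}

def tcp_dst_port(segment):
    return struct.unpack("!HH", segment[:4])[1] if len(segment) >= 4 else None

def ip_layers(pkt):
    """Return the IP headers from the outside in, unwrapping 6in4 encapsulation."""
    outer = parse_ipv4(pkt)
    layers = [outer]
    if outer["proto"] == IPPROTO_IPV6:
        layers.append(parse_ipv6(outer["payload"]))
    return layers

# Constructed policy: the same rule must apply whichever IP version carries the flow.
BLOCKED_TCP_PORTS = {23}

def verdict_outer_only(pkt):
    """The behaviour the article warns about: only the outer IPv4 header is consulted."""
    outer = parse_ipv4(pkt)
    if outer["proto"] == IPPROTO_TCP and tcp_dst_port(outer["payload"]) in BLOCKED_TCP_PORTS:
        return "drop"
    return "forward"  # protocol 41 is not TCP, so tunnelled traffic is forwarded unchecked

def verdict_full(pkt):
    """Apply the policy to the innermost IP header, IPv4 or IPv6 alike."""
    inner = ip_layers(pkt)[-1]
    if inner["proto"] == IPPROTO_TCP and tcp_dst_port(inner["payload"]) in BLOCKED_TCP_PORTS:
        return "drop"
    return "forward"

# Builders for constructed test packets (checksums left at zero; nothing here verifies them).
def build_tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(next_hdr, src, dst, payload):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

# A telnet connection attempt carried natively over IPv4 ...
PLAIN_TELNET = build_ipv4(IPPROTO_TCP, "192.0.2.10", "198.51.100.5", build_tcp(40000, 23))
# ... and the same attempt inside a 6in4 tunnel: outer IPv4 with protocol 41, inner IPv6/TCP.
TUNNELLED_TELNET = build_ipv4(
    IPPROTO_IPV6, "192.0.2.10", "198.51.100.5",
    build_ipv6(IPPROTO_TCP, "2001:db8::10", "2001:db8::5", build_tcp(40000, 23)))
```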
Principles of Security
BY | John Hopkinson

The Principles of Security must be kept in mind and should underlie all security guidelines and activities. They are particularly important, and should be used for guidance, when the rules (laws, policies, etc.) are absent, not clear, or in conflict. The following Principles of Security do not tell you what to do, but they provide guidance in deciding what actions you need to take.

Sensitive Information

All organisations have information the disclosure or compromise of which, by whatever means, may have undesirable consequences. It has long been established that structured physical protection of sensitive information is a necessity. With the growing dependence on information technology, it follows that structured protection must exist within those resources.

Proven Environment

Until proven secure by a responsible authority, no environment shall be assumed to be secure. The assumption of security poses a greater threat than the absence of security. For example, it cannot be assumed that the complexities of commercially supplied hardware or software afford any level of protection.

Individual Accountability

Any person who possesses, or through the use of information technology system(s) processes, sensitive information shall be responsible for the safegu uarding of that information and shall be accountable therefore. Any person who uses an information technology system which processes sensitive information shall be responsible for ensuring that any actions related to the processing and/or sanitisation do not serve to degrade or otherwise compromise the integrity of the information technology system. The use of information technology systems is intended to augment human capabilities, but is not intended to replace, circumvent, or otherwise render obsolete the basic concept of individual accountability.

Least Privilege

Any person, or surrogate information technology resource or feature, shall only be granted the privilege necessary to perform their assigned task or function.

Need-To-Know

Any person shall only be given access to a specific information technology resource if such access is required for the completion of assigned tasks. Only individuals authorised to access sensitive information shall be allowed access to information technology systems:
- that process sensitive information
- that have processed sensitive information in the past but have not been appropriately sanitised.

Segregation of Responsibility

Responsibilities must be segregated so that, as far as possible, no one person has total control over a particular resource or process. To avoid total control, dual responsibility should be implemented so that manipulation of that resource cannot be accomplished without the knowledge of another person.

Security Effectiveness

Security is only as good as the knowledge and attitude of the people who use it.

Weak Link Syndrome

Overall security is only as good as the weakest link. These weak links can be exploited by unauthorised parties with malicious intent.

Mutual Acceptance

If a group of people or an individual wishes to communicate with others, the communication must be acceptable to all parties privy to it. The chain of communication is constantly at risk even when information is held in trust.

Levels of Protection

The levels of protection must be implemented gradually so as to be commensurate with the sensitivity of the information processed.

Continuity of Protection

All security principles, policies and mechanisms for their implementation in an information technology environment must be invoked at all times unless specific dispensation has been granted by an appropriate authority. In such a circumstance, a time period must be stipulated.

Protection Implementation

Unless deemed impossible or unnecessary by an appropriate authority, protection features must be implemented to provide multiple levels or rings of security.

Assurance of Protection

Automatic and/or manual protection techniques must be employed regularly to verify that all security mechanisms are invoked and operating properly.

Controls

No control, or combination thereof, will ever provide total protection. Acceptance of some measure of risk is unavoidable. All controls must satisfy the following:
- The risk that is being addressed must be described
- The risk should be capable of being monitored for change of magnitude
- The risk should be quantified, so that the magnitude of risk to be accepted is identified

Risk Acceptance

Risk acceptance is a valid and appropriate technique for the provision of cost effective security. Risk acceptance may only be used by a competent authority; generally this refers to the Owner.

Security Failure

In all cases of security failure, or of doubt arising as to the appropriate action that needs to be taken, the guiding principle is Default to the Most Secure. Only in exceptional circumstances shall the competent authority moderate this principle. A decision to moderate must be confirmed periodically in writing.

Human Fallibility

Individuals who have been screened should be able to be trusted. However, people are fallible and therefore mechanisms and services must be in place to help prevent people from making mistakes.

Mr. Hopkinson has extensive experience in the security field in both the military and commercial sectors. As a researcher in information technology security, he focused on assurance, risk analysis, risk management, and security metrics. He develops strategies with regard to standards and consortia activities, and action plans to fulfil those strategies. He assists organizations in developing their security strategies and plans to implement those strategies.
Keep your data safe: Top 4 tips on Securing iPad

Just in case you have never heard of an iPad, it is a tablet computer from Apple Inc. Its size and weight, which fall between smart phones and laptop computers, make it a popular device nowadays. The latest model, iPad 3, was launched recently with exciting features and new specifications. If you have already bought the latest Apple iPad or are planning to buy one for yourself soon, here is some good advice from Axelle Apvrille, Fortinet's Senior Mobile Anti-Virus Researcher:

1. If connected to 3G: keep an eye on your subscription bill, in particular related to sending SMS or Internet usage. This is what mobile malware use the most, so if something is wrong, check your apps and report any issue to AV vendors and/or your operator. Suspicious samples can be sent for analysis to submitvirus@fortinet.com.

2. Don't have your passwords stored by the browser. Rather, use a well-known/well-rated password safe application.

3. Do not let applications use your current location or any other private data, unless you really want them to use the information. The less information you grant, the less risky it is.

4. Don't jailbreak your iPad, unless you strictly need a jailbroken app or feature. If you do jailbreak it, be sure to change the root password.

Fortinet is a leading provider of network security appliances and the worldwide leader in Unified Threat Management (UTM). Fortinet integrates multiple levels of security protection (such as firewall, antivirus, intrusion prevention, VPN, spyware prevention and antispam) to help customers protect against network and content level threats.