Malaysian Organization and the Web Security

Prepared By : Chin Meng Thin

Abstract

The Internet is easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network without regard to national, geographic boundaries or time of day.

However, along with the convenience and easy access to information come new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused and that the computer systems will be corrupted. If information is recorded electronically and is available on networked computers, it is more vulnerable. Intruders can steal or tamper with information. They can create new electronic files, run their own programs, and hide evidence of their unauthorized activity.

Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop intruders from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system.

Personal information on the Web has become an increasingly important topic to Web users, with privacy and security issues regularly generating media coverage. Securing a Web site from intrusion requires an education in Web security. The potential problems include loss of trust, revenue and lawsuits.

Introduction

The Internet gives you access to a very public space. This mean that your conduct will be visible to others, as well as monitored by various network administrators (and others) who may be invisible to you.

Being online is not so different from being offline. When you visit a large city, you plan your trip, tuck your wallet in a safe pocket, obey the law, and use common sense. Going online is the same, when you log on to the internet, you need to understand and follow the behavioral codes that are specific to the net, and need to minimize your personal risk.

The increasing use and dependence on interconnected local, regional, and wide area networks, while bringing important new capabilities and vulnerabilities. Widely publicized events such as the November 1988, Internet Worm, which affected thousands of systems on the international research network Internet, or the October 1989, WANK worm, which affected hundreds of systems on NASA's Space Physics and Analysis (SPAN) network are unusual, although dramatic, events. There are many more events such as intrusions, exploitation of vulnerabilities, and discovery of new vulnerabilities that occur with much greater frequency and require effective methods of response. 

Malaysians could not afford to turn their backs on modern information, communication and multimedia technology. This will only serve to disempowerment and impoverish our country. The government was committed to ICT development but, at the same time, wanted to ensure it was done in a manner "maximally beneficial and minimally harmful" to the nation's sovereignty and vital interests.

Malaysians must more self-reliant in the core ICT security area and not depend solely on foreign-based technology. There is a vital need to have defensive measures covering management and technical processes which can be undertaken by technically capable Malaysian citizens. This will create a layer of defense that can minimize the risks of information exploitation and enhance the nation's information security.

Theft and espionage of government and corporate information was a growing phenomenon in the developed world. In this direction, the Government is concerned over the invasion of privacy through the Internet and cyber security in government, private sector and individual level.

The Government is reviewing the Communications and Multimedia Act, Malaysian Cyberbill, the national (information and communications technology) ICT security standard, and the forthcoming Personal Data Protection Act to enhance  ICT security.

Malaysian Organization and the Web Security

An organization to functions as a point of reference to expertise on network and security matters, centralizes reporting of security incidents and facilitates communication to resolve security incidents. Disseminate security information including system vulnerabilities, defense strategies and mechanism. Acts as a repository of security related information, acquiring patches, tools and technique. It also plays an educational role in educating the public with regardless computer security in Malaysia.

This organization is Malaysian Computer Emergency Response Team (MyCERT). MyCERT was formed on 13 January 1997 and began operations on 1 March 1997. Deal with security incidents, MyCERT works closely with the CERT Coordinating Centre, AUSCERT, and the Malaysian Police.

MyCERT was recently (2001) absorbed into the National ICT Security and Emergency Response Centre (NISER).

NISER was originated first as the Malaysian Computer Emergency Response Team (MyCERT) in March 1997. NISER was formed by the National Information and Communication Technology Council (NITC) to address ICT security issues covering both proactive and reactive measures. NISER specializes and provides expert opinion on subject matters.

To handle ICT security problems NISER groups must have sufficient in-house technical expertise to handle a reasonable portion of day to day security incidents, leaving the volunteer contacts for situations which require additional expertise. However, because emergency response involves addressing more than just technical issues, NISER membership includes not only technical experts, but site managers, security officers, industry representatives, and government officials .

NISER must be a well publicized central point of contact, which is available on a 24 hour basis and  a "hotline" which is constantly manned, and an electronic mailbox which is monitored during business hours.

It is critical that a NISER group build and maintain a collection of contacts, both within the group's constituency and externally. The contact information should include other CERT groups, system vendors, law enforcement, network operation centers, technical experts, site administrators etc. Building the contact information is an on-going process in which contacts are developed and maintained over time. Each contact must be aware of its responsibilities and expectations in the emergency response process.

In addition to the contact information, a NISER group should maintain an information repository which will be drawn upon in future incidents. This information will include contact information (as above), system vulnerability details, security incident reports, electronic mail archives, and other relevant information. Due to the nature of this information, the security on the system on which it resides must be beyond reproach. CERT maintains its information database on an off-line system, which is not accessible via network connections.

As system vulnerabilities ( their fixes), break-in warning information, and other relevant information becomes available, NISER groups should issue advisories to members of their constituency. Past NISER advisories have included vulnerability notification (with appropriate solutions), warnings of widespread break-ins and symptoms thereof, and secure system administration suggestions. The entire collection of NISER advisories are maintained on-line and are accessible to NISER constituents.

Recent statistics from the MyCert shows a sharp rise in the number of computer abuses in March and April. There were 54 cases in March and 70 in April, as opposed to 40 and 29 in January and February respectively.

Based on Niser statistics, from August 1997 to March this year, Malaysia has experienced an accumulated of 1,713 ICT security cases with an average of 400 cases per year. Security threats in the Government were the highest in 2000 with a total of 27 cases of abuse, followed by the private sector with 19 cases.

"This irresponsible act erodes the trust in Internet security in the country and tarnishes the Malaysian government's reputation." Reuters quoted Malaysian Youth Council vice-president Norizan Sharif was say, when Malaysian Parliament Site been hacked.

Several examples on Malaysian organization been hacked  are listed below :

Incidents can be broadly classified into several kinds: the probe, scan, account compromise, root compromise, packet sniffer, denial of service, exploitation of trust, malicious code, and Internet infrastructure attacks. Although government websites are said to be more susceptible to such security threats, private sector websites have also not been spared. Among the corporate websites attacked recently were that of MidValley Mega mall, Milo, National Sports Complex, Inti International College, Penang and Malaysia Airlines.

Parliament Speaker Tun Zahir Ismail expressed regret over the incident (Parliament website) and deplored such actions as having "not profited or benefited anybody." "There's no reason for anybody to want to hack into our website. The website was put up as part our duty to enlighten the public on what the Malaysian Parliament has achieved. It doesn't harm anybody and nobody should take offence".

Why the intruders can easy access to networked environment? That is because the System Vulnerabilities. A vulnerability is a weakness that a person can exploit to accomplish something that is not authorized or intended as legitimate use of a network or system. When a vulnerability is exploited to compromise the security of systems or information on those systems, the result is a security incident. Vulnerabilities may be caused by engineering, design errors or faulty implementation.

Another situation in which cooperation across multiple organizations becomes essential is in dissemination of system vulnerability alerts. As system intruders successfully gain access to systems which have weak passwords or systems where known security vulnerabilities have not been closed, they often share information on vulnerabilities in these systems with others. Likewise, as intruders discover new vulnerabilities in particular operating system or other software packages, information on the vulnerabilities is quickly communicated through various bulletin boards and other electronic forums. As a result, many large communities of system users quickly become vulnerable. Traditional methods of dealing with vulnerability information, including closely protecting information on the existence of the vulnerability, are not effective once intruders have learned of system weaknesses. In these cases, supplying password guideline and security vulnerability information to system administrators is crucial in raising security levels and deterring attacks. NISER frequently distributes CERT Advisories that, among other things, inform the public of vulnerabilities, fixes, and active methods of attack.

It is helpful to begin a security improvement program by determining the current state of security at the site. A security policy is a documented high-level plan for organization-wide computer and information security. It provides a framework for making specific decisions, such as which defense mechanisms to use and how to configure services, and is the basis for developing secure programming guidelines and procedures for users and system administrators to follow. Because a security policy is a long-term document, the contents avoid technology-specific issues.

A security policy should be covers the following :

A variety of technologies developed to help organizations secure their systems and information against intruders, example operational technology is to maintain and defend the availability of data resources in a secure manner and cryptography is to secure the confidentiality, integrity, and authenticity of data resources

Another part of the problem in failed network security is due to human error and negligence. Organizations and people need to protect themselves with not only the tools of technology but be educated to remain up to date.

It has become common knowledge that all stakeholders in the enterprise should "know a little something" about information security and privacy. Newly formed Niser will begin an accreditation programme to produce qualified information and communications technology (ICT) security consultants in Malaysia. Its director Major Husin Jazri said the centre will be working with US-based ICT security body, System Administration and Network Security (SANS), to provide technical training and security certification courses for local ICT professionals. Under the collaboration, Niser will initially be hosting the courses in Malaysia while SANS will provide training material, instructors and certification examination.


These discuss computer security education in general : 

Conclusions

In the face of the vulnerabilities, incident and education trends discussed above, a robust defense requires a flexible strategy that allows adaptation to the changing environment, well-defined policies, procedures, use of robust tools, and constant vigilance.

It is helpful to begin a security improvement program by determining the current state of security at the site. Methods for making this determination in a reliable way are becoming available. Integral to a security program are documented policies, procedures, and technology that supports their implementation.

Effective computer security incident response requires communication and coordination across multiple communities. While many incidents occur because software design or implementation deficiencies are exploited, resolution of the incidents requires more than a technical solution. Communication of threat and vulnerability information across computing communities is essential to resolving specific incidents and improving the security of operational systems. A well formed CERT-System will raise security awareness and knowledge among site administrators as well as give the administrators sources of assistance in times of computer emergencies.

Federal government should spend money  in grants, loans and spending programs on IT security. Without that infusion of cash, the job won't get done.

"The computer is a valuable tool, not just for modern-day criminals, but also for terrorists and hostile nations that would do our country harm for political ends," National Infrastructure Protection Center (NIPC) director Vatis warned.

References