THE NATIONAL CYBER SECURITY POLICY (NCSP)

A Holistic Approach For Cyber Security And
Critical Information Infrastructure Protection
MALAYSIA’S NATIONAL CYBER SECURITY
POLICY & CYBERSECURITY MALAYSIA ROLE
Copyright © 2015 CyberSecurity Malaysia
CyberSecurity Malaysia
OBJECTIVES & MANDATE
A NATIONAL CYBER SECURITY SPECIALIST AGENCY UNDER THE MINISTRY OF SCIENCE, TECHNOLOGY AND INNOVATION
Vision
To be a globally recognized National Cyber Security Reference and Specialist Centre by 2020
Mission
Creating and Sustaining a Safer Cyberspace to Promote National Sustainability, Social Well-Being and Wealth Creation
MANDATE
Cabinet Notes 2005
Ministry of Finance and Ministry of Science, Technology & Innovation
CyberSecurity Malaysia as a National Body to monitor aspects of the National e-Security
Ministerial Functions Act 1969, Ministers of the Federal Government (No. 2) Order 2013
CyberSecurity Malaysia as an organisation that provides ICT security expertise services and continuously identifies areas that endanger national security.
Directive No. 24
National Cyber Crisis Management Policy and Mechanism
National Security Council 2011
Role of specialist agencies, clause 16, page 21
16.1 CyberSecurity Malaysia, as a specialist agency, shall provide technical support and assistance and provide training services in national cyber crisis management.
CyberSecurity Malaysia - Services
Cyber999
Help Centre
Digital Forensics
Security
Management
Best Practices
&
Info Security
Professional
Development
Strategic
Engagement
Outreach
Research
Security
Assurance
Cyber
Security
Certification
MALAYSIANS TODAY ARE HIGHLY CONNECTED
Digital citizens worldwide (as of June 2012): 2,405,518,376
Digital citizens in Asia: 1,076,681,059
Digital citizens in Malaysia: 17,723,000
44%
Source: The Star Newspaper 17 November 2012
CYBER THREATS - Malaysia
Technology Related Threats
Hack Threat
Intrusion
Fraud
Harassment
Cyber Content Related Threats
Threats to National Security
Sedition / Defamation
Malicious Code
Denial of Service Attack
Online Porn
Hate Speech
Cyber Threat to
Critical National Information Infrastructures (CNII)
An attack on CNII can affect the nation and the citizens who depend on CNIIs. It exposes vulnerabilities that can lead to major disruptions.
“Pervasive and sustained cyber threats can pose a potentially devastating impact”
Dependencies
CYBER SECURITY THREATS
Critical National Information Infrastructure
The Trend Of Cyber Attacks On Critical Sectors
The largest known DDoS attack in the history of the internet is currently being waged against a company attempting to stop the spread of spam emails, and is causing widespread congestion to critical infrastructure around the world.
CYBER SECURITY THREATS
The Rise of Hacktivism
“... Anonymous is highly sophisticated, high‐profiled and politically motivated..” NATO, May 2011
• Cyber attacks on established organizations - CIA and Congress of USA, MasterCard, Visa, Sony PlayStation network, Turkey websites and North Atlantic Treaty Organisation (NATO)
CYBER THREATS
ATTACK ON FINANCIAL SECTOR
Computer security firm Kaspersky Lab estimates $1bn (£648m) has been stolen in the attacks, which it says started in 2013 and are still ongoing.
Once Careto has compromised a system, it begins collecting sensitive information from it. The software can "intercept network traffic, keystrokes, Skype conversations, analyse WiFi traffic, PGP keys, fetch all information from Nokia devices, screen captures and monitor all file operations."
CURRENT ISSUES
CYBER WEAPON: STUXNET
• Stuxnet was found in June 2010
• Targeted Siemens SCADA; the worm changes PLC settings
• Very sophisticated and well-funded
• Disrupted operation of Iran’s Nuclear Project (Natanz)
• Source code may be re-engineered for other SCADA attacks and platforms
CURRENT ISSUES
CYBER ESPIONAGE
STUXNET “children”
• Flame: an espionage type of worm
• Spreads from the Local Area Network or USB thumb drive
• Able to record network traffic, audio, keyboard activity, and screenshots
• Duqu virus: able to delete files and hard drives
CURRENT ISSUES
ADVANCED PERSISTENT THREAT (APT)
APT: a group of sophisticated, determined and coordinated attackers that have been systematically compromising Government and Commercial networks for years.
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network
Step 3: Establish a Backdoor into the Network
Step 4: Obtain User Credentials
Step 5: Install Various Utilities
Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7: Maintain Persistence
APT OBJECTIVES
• Political - societal disruption
• Economic - competitive advantage
• Technical - for further exploit
• Military - identifying weaknesses to defeat superior military forces
CYBER SECURITY THREATS
Cyber Warfare
CYBER WAR
Using Internet and related technological means against political, economic, technological and information sovereignty and independence of a state.
Examples:
• Nation/government vs. terrorist/subversive groups
• Law Enforcement vs. Organized crime
• Organizations vs. economic/industrial espionage
TACTICS
Cyber Espionage
Web Vandalism
Propaganda
Data Gathering
Attacking Critical Infrastructures
Distributed Denial of Service Attacks
Equipment Disruption
Compromised Counterfeit Hardware
source: http://en.wikipedia.org/wiki/Cyberwarfare
“…Countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities…”
Source: McAfee
Key Elements of Cyber Security
• Enhance capacity building to address the weakest link – human
• Public Awareness
• Highly competent people: certified / qualified staff (internal & external resources)
• Policies, SOP and Guidelines properly packaged and protected (i.e. Intellectual Property such as copyright)
• Latest equipment, tools, software, certified laboratories
THE NATIONAL CYBER SECURITY POLICY (NCSP)
- Objective
2005 / 2006 / 2007
National Cyber Security Policy formulated by MOSTI
NCSP Adoption and Implementation
CyberSecurity Malaysia launched by Prime Minister of Malaysia on 20 Aug 2007
• Malaysia’s Ministry of Science, Technology & Innovation (MOSTI) carried out the study on the National Cyber Security Policy (NCSP) in 2005
• National IT Council (NITC) Meeting on 7 Apr 2006 agreed to implement NCSP and establishment of the Malaysia Cyber Security Centre to administer NCSP.
• NCSP was endorsed by the Cabinet in May 2006.
• NCSP stewardship transferred to MKN in Aug 2010
NCSP Objectives
• Address The Risks To The Critical National Information Infrastructure (CNII)
• Ensure CNIIs are Protected
• Develop And Establish Comprehensive Program And Frameworks
The policy recognises the critical and highly interdependent nature of the CNII and aims to develop and establish a comprehensive programme and a series of frameworks that will ensure the effectiveness of cyber security controls over vital assets
THE NATIONAL CYBER SECURITY POLICY
- NCSP Framework & Policy Thrusts (PT)
PT – Policy Thrust
PT 1: EFFECTIVE GOVERNANCE
Establishment of a national info security coordination center, effective institutional arrangements & Public-Private Cooperation
PT 2: LEGISLATIVE & REGULATORY FRAMEWORK
Reduction of cybercrime & increased success in the prosecution in cyber crime
PT 3: CYBER SECURITY TECHNOLOGY FRAMEWORK
Expansion of national certification scheme for infosec mgmt & assurance
PT 4: CULTURE OF SECURITY & CAPACITY BUILDING
Reduced no. of InfoSec incidents through improved awareness & skill level
PT 5: RESEARCH & DEVELOPMENT TOWARDS SELF RELIANCE
Acceptance & utilization of locally developed info security products
PT 6: COMPLIANCE & ENFORCEMENT
Strengthen or include infosec enforcement role in all CNII regulators
PT 7: CYBER SECURITY EMERGENCY READINESS
CNII resilience against cyber crime, terrorism, info warfare
PT 8: INTERNATIONAL COOPERATION
International cooperation & branding on CNII protection with improved awareness & skill level
CRITICAL INFRASTRUCTURE
NCSP - Sectors
VISION
‘Malaysia's Critical National Information Infrastructure shall be secure, resilient and self‐reliant. Infused with a culture of security, it will promote stability, social well being and wealth creation’
DEFENCE & SECURITY
• Ministry of Defense, Military
• Ministry of Home Affairs, Police
TRANSPORTATION
• Ministry of Transport
• SPAD
BANKING & FINANCE
• Ministry of Finance
• Central Bank
• Securities Commission
HEALTH SERVICES
• Ministry of Health
EMERGENCY SERVICES
• Ministry of Housing & Local Municipality
CRITICAL NATIONAL INFORMATION INFRASTRUCTURE
Assets (real & virtual), systems and functions that are vital to the nation that their incapacity or destruction would have a devastating impact on:
• National Defense & Security
• National Economic Strength
• National Image
• Government capability to function
• Public Health & Safety
ENERGY
• Energy Commission
• Electricity Co., Petroleum Company
INFORMATION & COMMUNICATIONS
• Ministry of Information, Communications & Culture
• Malaysia Communication & Multimedia Commission
GOVERNMENT
• Malaysia Administrative, Modernisation and Management Planning Unit
FOOD & AGRICULTURE
• Ministry of Agriculture
WATER
• National Water Service Commission
THE NATIONAL CYBER SECURITY POLICY
- Implementation Approach
(0 – 1 YEAR) ADDRESSING IMMEDIATE CONCERNS
• Stop‐gap measures to address fundamental vulnerabilities to the information security of the CNII.
• Creating a centralised security platform.
• Raising awareness of information security and its implications.
(0 – 3 YEARS) BUILDING INFRASTRUCTURE & HUMAN CAPACITY
• Setting-up the necessary systems, processes, standards and institutional arrangements (mechanisms).
• Building capacity amongst researchers and info security professionals.
(0 – 5 YEARS & BEYOND) DEVELOPING SELF-RELIANCE
• Developing self-reliance in terms of technology as well as professionals.
• Monitoring the mechanisms for compliance.
• Evaluating and improving the mechanisms.
• Creating the culture of Info Security.
PT 1: EFFECTIVE GOVERNANCE
‐ Cyber Security Governance in Malaysia
Establishment of a national info security coordination center, effective institutional arrangements & Public‐Private Cooperation
NATIONAL SECURITY COUNCIL
Chairman : Prime Minister
Secretariat : National Security Council (NSC)
e‐SOVEREIGNTY COMMITTEE
Chairman : Deputy Prime Minister
Secretariat : NSC
NATIONAL IT COUNCIL
Chairman : Prime Minister
Secretariat : MOSTI
e‐SOVEREIGNTY WORKING GROUP
Chairman : Secretary of NSC
NATIONAL CYBER SECURITY COORDINATION COMMITTEE (NC3)
POLICY
STRENGTHENING GOVERNMENT COMMUNICATION STRATEGY COMMITTEE
CONTENT
CYBER LAW COMMITTEE
ACCULTURATION & CAPACITY BUILDING COMMITTEE
COMPLIANCE & ENFORCEMENT COMMITTEE
NATIONAL CYBER CRISIS MANAGEMENT COMMITTEE
Working Groups
CRISIS MANAGEMENT
LEGISLATION
ACCULTURATION & CAPACITY BUILDING
COMPLIANCE & ENFORCEMENT
Main Driver
AGC
MKN
MCM
PT 1: EFFECTIVE GOVERNANCE
PUBLIC & PRIVATE COOPERATION: INVOLVEMENT OF VARIOUS AGENCIES & MINISTRIES
PT2: Regulatory Framework
Attorney General’s Chambers
Study and Amend laws to address new offences
A Study on the laws of Malaysia to accommodate legal challenges in the Cyber Environment (2009)
Capacity Building Programmes For National Law Enforcement Agencies
Intensifying digital forensic investigation capability
PERSONAL DATA PROTECTION ACT (PDPA) 2010 (ACT 709)
Establishment of digital forensic investigation labs
Intensifying digital forensic investigation training courses. Conducted by PDRM, ILKAP, AGC, CyberSecurity Malaysia etc.
PT 3: CYBER SECURITY TECHNOLOGY FRAMEWORK
‐ Standards
Establish Evaluation / certification programme for cyber security products & systems
Specify Cyber security baseline for CNIIs
Malaysian Common Criteria Evaluation & Certification (MyCC) Scheme
PT4: Culture of Security & Capacity Building
Ministry of Science, Technology & Innovation / CyberSecurity Malaysia
EVALUATE CNII AWARENESS & EDUCATION PROGRAMMES
CAPACITY BUILDING PROGRAM FOR INFOSECURITY PROFESSIONALS
ROLLOUT NATIONAL AWARENESS CAMPAIGNS TO THE PUBLIC
More than 170,000 students, parents and teachers have participated in CyberSAFE outreach programs
Guideline to Determine Information Security Professionals Requirements for the CNII Agencies / Organisations
More than 4,600 Information Security Professionals in the Country certified in various cyber security fields
PT5: Research & Development Towards Self Reliance
Ministry of Science, Technology & Innovation / MIMOS
Develop roadmap of Information Security Technology
Coordinate R&D of Information Security Technology based on the Roadmap
Promote the use of locally developed, certified and accredited information security products and professionals
Development of the National R&D Roadmap for Self Reliance in Cyber Security Technologies is facilitated by MIMOS Berhad, a Government R&D institution (2008)
Review of the National Strategic ICT Roadmap and Technology Roadmaps (2012)
Identify Technologies That Are Relevant and Desirable by the CNII
Promote Collaboration with International Centres of Excellence
Provide Domain Competency Development
Nurture the Growth of Local Cyber Security Industry
PT6: Compliance & Enforcement
Ministry of Communication & Multimedia Malaysia
Enforcement and information security compliance
Create assurance through compliance audit
Continuous Improvement of compliance and enforcement activities
MS ISO/IEC 27001:2007 selected for compliance and enforcement. More than 138 CNIIs ISMS certified since 2010
PT7: Cyber Security Emergency Readiness
National Security Council
Establish the National Cyber Crisis Management Plan
Develop Cyber Emergency Exercises To Test Procedures
Establish Plan For Monitoring & Early Warning Notification.
NATIONAL CYBER CRISIS MANAGEMENT PLAN
Increase the level of preparedness of the country against cyber attacks
Enhance the capability to handle cyber related issues
Provide coordinated response in handling cyber attacks
Minimize the impact to society and economic activities
National Security Council (NSC)
Chairman : Y.A.B. Prime Minister
Secretariat : National Security Council (NSC)
E‐Sovereignty Committee
Chairman : Y.A.B. Deputy Prime Minister
Secretariat : National Security Council (NSC)
National Cyber Crisis Management Committee (NCCMC)
Chairman : Y.B. Minister in Prime Minister’s Department
Secretariat : National Security Council (NSC)
National Cyber Crisis Management Working Group (NCCMWG)
Chairman : Secretary of NSC
Secretariat : National Security Council (NSC) Cyber & Aerospace division
National Cyber Coordination and Control Centre
NC4
PT 7: CYBER SECURITY EMERGENCY READINESS
- Annual Cyber Drill Details
NATIONAL CYBER CRISIS DRILL
(X‐MAYA)
PT8: INTERNATIONAL COOPERATION
Coordinate participation in international initiatives
ASEAN Regional Forum
Council for Security Cooperation in the Asia Pacific (CSCAP)
INTERNATIONAL TELECOMMUNICATIONS UNION (ITU)
2014 GLOBAL CYBERSECURITY INDEX
Rank worldwide (*Among 193 countries)
Figure labels: LEVEL OF NATIONAL COMMITMENT; COOPERATIVE PARTNERSHIP; PRIVATE SECTOR; INTERNATIONAL ORGANIZATION; INSIGHT INTO THE CYBERSECURITY ENGAGEMENT OF SOVEREIGN NATION STATE
Measures: LEGAL MEASUREMENT; TECHNICAL MEASURES; ORGANIZATIONAL MEASURES; CAPACITY BUILDING; COOPERATION
www.cybersafe.my
fazlan@cybersecurity.my
012 249 7014