THE NATIONAL CYBER SECURITY POLICY (NCSP)
A Holistic Approach For Cyber Security And Critical Information Infrastructure Protection
MALAYSIA’S NATIONAL CYBER SECURITY POLICY & CYBERSECURITY MALAYSIA ROLE
Copyright © 2015 CyberSecurity Malaysia

CyberSecurity Malaysia - OBJECTIVES & MANDATE
A NATIONAL CYBER SECURITY SPECIALIST AGENCY UNDER THE MINISTRY OF SCIENCE, TECHNOLOGY AND INNOVATION
Vision: To be a globally recognized National Cyber Security Reference and Specialist Centre by 2020
Mission: Creating and Sustaining a Safer Cyberspace to Promote National Sustainability, Social Well-Being and Wealth Creation

MANDATE
• Cabinet Notes 2005, Ministry of Finance and Ministry of Science, Technology & Innovation: CyberSecurity Malaysia as a National Body to monitor aspects of the National e-Security
• Ministerial Functions Act 1969 (Akta Fungsi-fungsi Menteri 1969), Ministers of the Federal Government (No. 2) Order 2013 (Perintah Menteri-menteri Kerajaan Persekutuan (No.2) 2013): CyberSecurity Malaysia as an organisation that provides ICT security expertise services and continuously identifies areas that endanger national security.
• Directive No. 24 (Arahan No. 24), National Cyber Crisis Management Policy and Mechanism, National Security Council, 2011: Role of specialist agencies, clause 16, page 21. 16.1 CyberSecurity Malaysia, as a specialist agency, shall provide technical support and assistance and provide training services in national cyber crisis management.

CyberSecurity Malaysia - Services
• Cyber999 Help Centre
• Digital Forensics
• Security Management Best Practices & Info Security Professional Development
• Strategic Engagement
• Outreach
• Research
• Security Assurance
• Cyber Security Certification

MALAYSIANS TODAY ARE HIGHLY CONNECTED
2,405,518,376 digital citizens worldwide (as of June 2012)
Digital citizens in Malaysia
44%
17,723,000
1,076,681,059 digital citizens in Asia
Source: The Star Newspaper, 17 November 2012

CYBER THREATS - Malaysia
Technology Related Threats
• Hack Threat
• Intrusion
• Fraud
• Harassment
• Malicious Code
• Denial of Service Attack
Cyber Content Related Threats
• Threats to National Security
• Sedition / Defamation
• Online Porn
• Hate Speech

Cyber Threat to Critical National Information Infrastructures (CNII)
An attack on CNII can affect the nation and citizens who are dependent on CNIIs.
…It exposes vulnerability that can lead to major disruptions.
“Pervasive and sustained cyber threats can pose a potentially devastating impact”
Dependencies

CYBER SECURITY THREATS - Critical National Information Infrastructure
The Trend Of Cyber Attacks On Critical Sectors
The largest known DDoS attack in the history of the internet is currently being waged against a company attempting to stop the spread of spam emails, and is causing widespread congestion to critical infrastructure around the world.

CYBER SECURITY THREATS - The Rise of Hacktivism
“...
Anonymous is highly sophisticated, high-profiled and politically motivated..” NATO, May 2011
• Cyber attacks on established organizations - CIA and Congress of USA, MasterCard, Visa, Sony PlayStation network, Turkey websites and North Atlantic Treaty Organisation (NATO)

CYBER THREATS - ATTACK ON FINANCIAL SECTOR
Computer security firm Kaspersky Lab estimates $1bn (£648m) has been stolen in the attacks, which it says started in 2013 and are still ongoing.
Once Careto has compromised a system, it begins collecting sensitive information from it. The software can "intercept network traffic, keystrokes, Skype conversations, analyse WiFi traffic, PGP keys, fetch all information from Nokia devices, screen captures and monitor all file operations."

CURRENT ISSUES - CYBER WEAPON: STUXNET
• Stuxnet was found in June 2010
• Targeted Siemens SCADA; the worm changes PLC settings
• Very sophisticated and well-funded
• Disrupted operation of Iran’s Nuclear Project (Natanz)
• Source code may be re-engineered for other SCADA attacks and platforms

STUXNET “children”
• Flame: an espionage type of worm
• Spreads from the Local Area Network or USB thumb drive
• Able to record network traffic, audio, keyboard activity, and screenshots
• Duqu virus: able to delete files and hard drives

CURRENT ISSUES - CYBER ESPIONAGE

CURRENT ISSUES - ADVANCED PERSISTENT THREAT (APT)
APT: a group of sophisticated, determined and coordinated attackers that have been systematically compromising Government and Commercial networks for years.
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network
Step 3: Establish a Backdoor into the Network
Step 4: Obtain User Credentials
Step 5: Install Various Utilities
Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7: Maintain Persistence

APT OBJECTIVES
• Political - societal disruption
• Economic - competitive advantage
• Technical - for further exploit
• Military - identifying weaknesses to defeat superior military forces

CYBER SECURITY THREATS - Cyber Warfare
CYBER WAR: Using Internet and related technological means against political, economic, technological and information sovereignty and independence of a state.
Examples:
• Nation/government vs. terrorist/subversive groups
• Law Enforcement vs. Organized crime
• Organizations vs. economic/industrial espionage
TACTICS
• Cyber Espionage
• Web Vandalism
• Propaganda
• Data Gathering
• Attacking Critical Infrastructures
• Distributed Denial of Service Attacks
• Equipment Disruption
• Compromised Counterfeit Hardware
Source: http://en.wikipedia.org/wiki/Cyberwarfare
“…Countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities…” Source: McAfee

Key Elements of Cyber Security
• Enhance capacity building to address the weakest link – human
• Public Awareness
• Highly competent people: certified / qualified staff (internal & external resources)
• Policies, SOP and Guidelines properly packaged and protected (i.e. Intellectual Property such as copyright)
• Latest equipment, tools, software, certified laboratories

THE NATIONAL CYBER SECURITY POLICY (NCSP) - Objective
Timeline: 2005, 2006, 2007
National Cyber Security Policy formulated by MOSTI
CyberSecurity Malaysia launched by Prime Minister of Malaysia on 20 Aug 2007
NCSP Adoption and Implementation
• Malaysia’s Ministry of Science, Technology & Innovation (MOSTI)
carried out the study on the National Cyber Security Policy (NCSP) in 2005
• National IT Council (NITC) Meeting on 7 Apr 2006 agreed to implement NCSP and establishment of the Malaysia Cyber Security Centre to administer NCSP.
• NCSP was endorsed by the Cabinet in May 2006.
• NCSP stewardship transferred to MKN in Aug 2010
The policy recognises the critical and highly interdependent nature of the CNII and aims to develop and establish a comprehensive programme and a series of frameworks that will ensure the effectiveness of cyber security controls over vital assets.
NCSP Objectives
• Address The Risks To The Critical National Information Infrastructure (CNII)
• Ensure CNIIs are Protected
• Develop And Establish Comprehensive Program And Frameworks

THE NATIONAL CYBER SECURITY POLICY - NCSP Framework & Policy Thrusts (PT)
PT – Policy Thrust
• PT 1: EFFECTIVE GOVERNANCE - Establishment of a national info security coordination center, effective institutional arrangements & Public-Private Cooperation
• PT 2: LEGISLATIVE & REGULATORY FRAMEWORK - Reduction of cybercrime & increased success in the prosecution in cyber crime
• PT 3: CYBER SECURITY TECHNOLOGY FRAMEWORK - Expansion of national certification scheme for infosec mgmt & assurance
• PT 4: CULTURE OF SECURITY & CAPACITY BUILDING - Reduced no. of InfoSec incidents through improved awareness & skill level
• PT 5: RESEARCH & DEVELOPMENT TOWARDS SELF RELIANCE - Acceptance & utilization of locally developed info security products
• PT 6: COMPLIANCE & ENFORCEMENT - Strengthen or include infosec enforcement role in all CNII regulators
• PT 7: CYBER SECURITY EMERGENCY READINESS - CNII resilience against cyber crime, terrorism, info warfare
• PT 8: INTERNATIONAL COOPERATION - International cooperation & branding on CNII protection with improved awareness & skill level

NCSP - CRITICAL INFRASTRUCTURE Sectors
VISION: ‘Malaysia's Critical National Information Infrastructure shall be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well being and wealth creation’

CRITICAL NATIONAL INFORMATION INFRASTRUCTURE
Assets (real & virtual), systems and functions that are so vital to the nation that their incapacity or destruction would have a devastating impact on
• National Defense & Security
• National Economic Strength
• National Image
• Government capability to function
• Public Health & Safety

Sectors
DEFENCE & SECURITY
• Ministry of Defense, Military
• Ministry of Home Affairs, Police
TRANSPORTATION
• Ministry of Transport
• SPAD
BANKING & FINANCE
• Ministry of Finance
• Central Bank
• Securities Commission
HEALTH SERVICES
• Ministry of Health
EMERGENCY SERVICES
• Ministry of Housing & Local Municipality
ENERGY
• Energy Commission
• Electricity Co., Petroleum Company
INFORMATION & COMMUNICATIONS
• Ministry of Information, Communications & Culture
• Malaysia Communication & Multimedia Commission
GOVERNMENT
• Malaysia Administrative, Modernisation and Management Planning Unit
FOOD & AGRICULTURE
• Ministry of Agriculture
WATER
• National Water Service Commission

THE NATIONAL CYBER SECURITY POLICY - Implementation Approach
(0 – 1 YEAR) ADDRESSING IMMEDIATE CONCERNS
• Stop-gap measures to address fundamental vulnerabilities to the information security of the CNII.
• Creating a centralised security platform.
• Raising awareness of information security and its implications.
(0 – 3 YEARS) BUILDING INFRASTRUCTURE & HUMAN CAPACITY
• Setting up the necessary systems, processes, standards and institutional arrangements (mechanisms).
• Building capacity amongst researchers and info security professionals.
(0 – 5 YEARS & BEYOND) DEVELOPING SELF-RELIANCE
• Developing self-reliance in terms of technology as well as professionals.
• Monitoring the mechanisms for compliance.
• Evaluating and improving the mechanisms.
• Creating the culture of Info Security.

PT 1: EFFECTIVE GOVERNANCE - Cyber Security Governance in Malaysia
Establishment of a national info security coordination center, effective institutional arrangements & Public-Private Cooperation
• NATIONAL SECURITY COUNCIL - Chairman: Prime Minister; Secretariat: National Security Council (NSC)
• e-SOVEREIGNTY COMMITTEE - Chairman: Deputy Prime Minister; Secretariat: NSC
• NATIONAL IT COUNCIL - Chairman: Prime Minister; Secretariat: MOSTI
• e-SOVEREIGNTY WORKING GROUP - Chairman: Secretary of NSC
• NATIONAL CYBER SECURITY COORDINATION COMMITTEE (NC3)
Organisation chart labels: POLICY STRENGTHENING GOVERNMENT COMMUNICATION STRATEGY COMMITTEE CONTENT CYBER LAW COMMITTEE ACCULTURATION & CAPACITY BUILDING COMMITTEE COMPLIANCE & ENFORCEMENT COMMITTEE CRISIS MANAGEMENT LEGISLATION ACCULTURATION & CAPACITY BUILDING COMPLIANCE & ENFORCEMENT Working Group Working Group Working Group Working Group AGC MKN MCM Main Driver NATIONAL CYBER CRISIS MANAGEMENT COMMITTEE Working Group

PT 1: EFFECTIVE GOVERNANCE - PUBLIC & PRIVATE COOPERATION: INVOLVEMENT OF VARIOUS AGENCIES & MINISTRIES

PT2: Regulatory Framework
Attorney General’s Chambers
• Study and Amend laws to address new offences
• A Study on the laws of Malaysia to accommodate legal challenges in the Cyber Environment (2009)
• Capacity Building Programmes For National Law
Enforcement Agencies
• Intensifying digital forensic investigation capability
• PERSONAL DATA PROTECTION ACT (PDPA) 2010 (ACT 709)
• Establishment of digital forensic investigation labs
• Intensifying digital forensic investigation training courses. Conducted by PDRM, ILKAP, AGC, CyberSecurity Malaysia etc.

PT 3: CYBER SECURITY TECHNOLOGY FRAMEWORK - Standards
• Establish Evaluation / certification programme for cyber security products & systems
• Specify Cyber security baseline for CNIIs
• Malaysian Common Criteria Evaluation & Certification (MyCC) Scheme

PT4: Culture of Security & Capacity Building
Ministry of Science, Technology & Innovation / CyberSecurity Malaysia
• EVALUATE CNII AWARENESS & EDUCATION PROGRAMMES
• CAPACITY BUILDING PROGRAM FOR INFOSECURITY PROFESSIONALS
• ROLLOUT NATIONAL AWARENESS CAMPAIGNS TO THE PUBLIC
• More than 170,000 students, parents and teachers have participated in CyberSAFE outreach programs
• Guideline to Determine Information Security Professionals Requirements for the CNII Agencies / Organisations
• More than 4,600 Information Security Professionals in the Country certified in various cyber security fields

PT5: Research & Development Towards Self Reliance
Ministry of Science, Technology & Innovation / MIMOS
• Develop roadmap of Information Security Technology
• Coordinate R&D of Information Security Technology based on the Roadmap
• Promote the use of locally developed, certified and accredited information security products and professionals
• Development of the National R&D Roadmap for Self Reliance in Cyber Security Technologies is facilitated by MIMOS Berhad, a Government R&D institution (2008)
• Review of the National Strategic ICT Roadmap and Technology Roadmaps (2012)
• Identify Technologies That Are Relevant and Desirable by the CNII
• Promote Collaboration with International Centres of Excellence
• Provide Domain Competency Development
• Nurture
the Growth of Local Cyber Security Industry

PT6: Compliance & Enforcement
Ministry of Communication & Multimedia Malaysia
• Enforcement and information security compliance
• Create assurance through compliance audit
• Continuous improvement of compliance and enforcement activities
• MS ISO/IEC 27001:2007 selected for compliance and enforcement.
• More than 138 CNIIs ISMS certified since 2010

PT7: Cyber Security Emergency Readiness
National Security Council
• Establish the National Cyber Crisis Management Plan
• Develop Cyber Emergency Exercises To Test Procedures
• Establish Plan For Monitoring & Early Warning Notification.

NATIONAL CYBER CRISIS MANAGEMENT PLAN
• National Security Council (NSC) - Chairman: Y.A.B. Prime Minister; Secretariat: National Security Council (NSC)
• E-Sovereignty Committee - Chairman: Y.A.B. Deputy Prime Minister; Secretariat: National Security Council (NSC)
• National Cyber Crisis Management Committee (NCCMC) - Chairman: Y.B. Minister in Prime Minister’s Department; Secretariat: National Security Council (NSC)
• National Cyber Crisis Management Working Group (NCCMWG) - Chairman: Secretary of NSC; Secretariat: National Security Council (NSC), Cyber & Aerospace division
• National Cyber Coordination and Control Centre (NC4)
Aims of the plan:
• Increase the level of preparedness of the country against cyber attacks
• Enhance the capability to handle cyber related issues
• Provide coordinated response in handling cyber attacks
• Minimize the impact to society and economic activities

PT 7: CYBER SECURITY EMERGENCY READINESS - Annual Cyber Drill Details
NATIONAL CYBER CRISIS DRILL (X-MAYA)

PT8: INTERNATIONAL COOPERATION
Coordinate participation in international initiatives
• ASEAN Regional Forum
• Council for Security Cooperation in the Asia Pacific (CSCAP)

INTERNATIONAL TELECOMMUNICATIONS UNION (ITU) 2014 GLOBAL CYBERSECURITY INDEX
Chart labels: RANK WORLDWIDE (*AMONG 193 COUNTRIES); 5; LEVEL OF NATIONAL COMMITMENT; EXISTENCE OF NATIONAL STRUCTURE; IMPLEMENT & PROMOTE CYBERSECURITY; DRIVE THE ISSUES CYBERSECURITY TO THE FOREFRONT AGENDAS; INSIGHT INTO THE CYBERSECURITY ENGAGEMENT OF SOVEREIGN NATION STATE; PRIVATE SECTOR COOPERATIVE PARTNERSHIP; INTERNATIONAL ORGANIZATION
Measures: LEGAL MEASUREMENT, TECHNICAL MEASURES, ORGANIZATIONAL MEASURES, CAPACITY BUILDING, COOPERATION

www.cybersafe.my
fazlan@cybersecurity.my
012 249 7014