The four steps to safe computing
23rd September 2003 (The Star)

PUTRAJAYA: The National ICT Security Emergency Response Centre's (Niser) panel of experts has identified four critical measures that need to be taken to combat cyber threats.

These are: Formalising threat levels to reflect urgency; creating policies to address security issues; effective coordination amongst Internet service providers (ISPs); and quick public information, Niser (www.niser.org.my) said in a statement.

The recent spate of cyber attacks that brought down the computer systems of several organisations in Malaysia had "seriously affected Malaysians nationwide and cost the country a high price just to remove them," said Dr Mohamed Awang-Lah, chairman of Niser's Panel of Experts (PoE), which recently had a meeting to discuss the attacks.

"These incidents have taught us a valuable and expensive lesson," he said.

Mohamed, also the chief executive of Internet service provider Jaring, recommended that "threat levels" be formalised to indicate the level of urgency of attacks.

This was a good way to inform users and organisations of the current situation, how dangerous it is, and the level of urgency that is required from everyone.

"Threat 'criticality' can also be conveyed by providing alerts or advisories to the public using a simple, non-technical approach. Such alerts should not only be put in newspapers but also the broadcast media for wider coverage.

"Relevant agencies such as the Malaysian Communication and Multimedia Commission (MCMC) and Niser, together with the mass media, must play a major role in getting this message across," he said.

The PoE concluded that effective policies and mechanisms should be created to address security issues in a proactive manner.

"Management should realise the importance of these issues and to allocate adequate resources such as finances and skilled personnel to ensure that these intentions turn into reality.

"It is also imperative for all organisations to have effective coordination among service providers such as vendors and ISPs, coordinating agencies such as CERTs (Computer Emergency Response Teams) and users.

"No single entity should be made responsible for all risks and attacks on the Net. The government and corporations must take ownership of their security systems and ensure that adequate measures are in place," said Mohamed.

There are also several missing factors that could help minimise the impact of cyber attacks.

The first is that most organisations do not have a reliable assessment system to detect and assess the intensity of cyber attacks.

The second factor is the absence of a dedicated incident response team in many organisations, and this subsequently prolongs the spread of worms in infected organisations, Niser said in its statement.

The fear of losing reputation is another factor, which ultimately prohibits most organisations from sharing and reporting security incidents they suffered to trusted local agencies such as the Malaysian Computer Emergency Response Team (MyCERT).

"Many organisations are very scared that their corporate image would be tarnished if they were to report to the local agencies of their predicament. With the lack of a dedicated team to detect and remove the worms in their establishments, it is even more important to inform the right agencies of their problem so that it can be solved immediately," Mohamed said.