Niser/MyCERT: We're doing our job
By ZAM KARIM
29th August 2003 (The Star)

KUALA LUMPUR: The National ICT Security and Emergency Response Centre (Niser), under fire for allegedly responding slowly to the recent virus threats, said its response rate was on par with similar organisations worldwide.

At a press conference yesterday, the director of Niser's MyCERT (Malaysian Computer Emergency Response Team) unit, Lt Col Husin Jazri, said that its response to the three worms that had recently attacked computer systems worldwide -- Sobig.F, Nachi and Blaster -- was on par with the CERTs based in the United States, Korea and Australia.

The Blaster worm first emerged on Aug 12, and a MyCERT advisory was released that same date. On Aug 18, the Nachi worm emerged, and the organisation released an advisory the next day.

The e-mail worm Sobig.F was detected in the "wild" on Aug 20. To combat this worm threat, Husin said MyCERT provided links to antivirus companies' websites that day itself.

The press release issued on Aug 21 was merely to stress the importance of users patching their operating systems, and to create more awareness of the consequences if they didn't, he said.

Critics had noted that Niser had issued a release six days after Blaster had peaked, and three days after the worm had mutated, and urged the agency to take a more proactive role in protecting computer systems in the country.

MyCERT, or its parent Niser, issues three kinds of notices -- alerts, advisories and press releases.

According to Husin, an "alert" is an early warning where countermeasures have not been confirmed pending further investigation or analysis.

An "advisory" is a detailed description of the problem, with information on how to detect and eradicate it, and finally recover from such a malicious attack.

Press releases are only issued when the threat is severe enough to affect the public at large, requiring collaborative efforts to mitigate the problem.

"We do not want to issue press releases for every worm or virus out there because too many press releases would overwhelm the public and reduce the effectiveness of the releases.

"If we did, press releases would become so common that intended recipients would not take notice anymore," Husin said.

All alerts, advisories and press releases are subject to analyses and discussions among the CERT communities before MyCERT releases any to the public, he added.

Niser's Aug 21 press release also came under fire for quoting officials from Mimos Bhd, which was hit by the BlasterD worm, leading critics to question Niser's role as an independent and autonomous body -- Niser operates out of Mimos' office.

"Niser was not acting as a spokesman for Mimos," Husin told In.Tech later. "We were merely quoting Mimos chief executive officer (Tengku Datuk Dr Mohd Azzman Shariffadeen) to illustrate to readers an example of a publicly-known company being hit by the worm."

"We had permission to quote him -- we could have quoted or highlighted other organisations which had also been hit, but we could not release such information without their permission because of our confidentiality policy," he claimed.

Malaysian victims

As of last week, 79 cases of attacks by the Sobig.F, Nachi and Blaster worms had been reported by local and multinational companies to MyCERT, Husin said -- 41 on Sobig.F infestations, 21 on Nachi and 17 on Blaster.

However, the real figure was probably much higher than the 79 reported cases, he noted.

Many organisations failed or refused to report because they were afraid that by doing so, they would publicly expose themselves as being vulnerable to worm attacks.

This could have affected their reputation in the eyes of the public and their business partners, he said.

Husin however said they needn't worry as MyCERT (www.mycert.org.my) would not expose their network vulnerabilities. Any information given would be treated as confidential, and this would allow it to take proactive responses against any worm attacks, he added.

MyCERT would also provide infected companies with free advice and technical support on how to tackle the problem and secure their networks.

The agency would also deploy its personnel to these companies, provide support through e-mail, phone and fax, as well as distribute advisories and CDs containing patches and fixes should these companies need them, Husin said.

Similar to the Code Red and Nimda worms that attacked computers worldwide from June to November 2001, the Sobig.F, Nachi and Blaster worms also targeted IT infrastructure, causing networks to come to a standstill.

MyCERT had called up a number of companies during the attacks to ask them for updates on their situation. "So far, none of the companies we called said their companies had been affected by these worms," Husin said, declining to say how many calls the organisation made.

MyCERT estimates that the cost to eradicate the three worms locally was a whopping RM31mil.

"Take note that this is only a pessimistic estimation," he said.

The figure does not include opportunity cost and productivity loss, thus the damage could be higher, he added.

Home users take note

Husin also raised concern about the importance of protecting home users. As the number of local broadband Internet users increases, it allows a more rapid propagation of worms among PC users.

He advised people to protect their PCs by installing antivirus systems, and downloading these programs' latest pattern files. Users should also consider installing a personal firewall such as ZoneAlarm (www.zonealarm.com).

MyCERT is doing everything it can to educate government and private organisations, as well as the general public, on the importance of protecting their networks, Husin said, but the organisation needs help and support from all in order to achieve this.

Currently, in Malaysia there are no standards for categorising virus threat levels, and there is also a lack of urgency on the part of many.

MyCERT plans to change this by cooperating and sharing information with ICT security companies and bodies.

The organisation also advised companies to take proactive action such as adopting best practices and solid information security standards.

Companies also need to understand that ICT security is not really a technology issue, and shouldn't be handled only by IT managers or specialists -- it is a business issue, said Husin.

"As an example, during system downtime, if your customers cannot communicate or conduct online transactions with your company, they may shift their business elsewhere," he said.

MyCERT also warned that new variants of these worms with far more destructive consequences may be making their way to Malaysian cyber shores in the near future.

"The worst has yet to come. Be prepared," Husin said.