Safeguarding critical data
5th February 2004 (Computimes)

GOVERNMENT agencies need to carry out closer scrutiny on their operational functions and processes with regard to the utilisation of ICT (information and communications technology) systems to safeguard critical data and information against security breaches by both external and internal parties.

Given that more data and information is stored in electronic media, and the move by the Government to interconnect one agency and Ministry with others, greater measures are required to monitor and enforce ICT policies and security controls that have been set up, experts said.

According to Malaysian Administrative Modernisation and Management Planning Unit (Mampu)'s ICT security division director Mohd Adzman Musa, while existing measures taken by the Government have strived to maintain data and information confidentiality, integrity, availability and authenticity, the initiatives only act as a guide to be implemented by Government agencies. All agencies are responsible for protecting their own assets.

"ICT security is not a product. It is a continuous process that needs to be reviewed from time to time. Some of the immediate steps that the Government agencies can consider to ensure there is adequate information security include performing security posture assessment, risk assessment and the usage of digital certificate for online transactions," he told Computimes last week.

The current measures provided by Mampu for information security fall under three categories: proactive, recovery and continuous.

The initiative under the proactive category is to provide ICT security documents such as the ICT security policy framework for the public sector, the Malaysian public sector management of ICT security handbook (MyMIS), the ICT incident reporting mechanism and Internet/e-mail best practices in the public sector.

Under the recovery category, the initiative is to ensure continuous function of critical business in the event of disruption. Mohd Adzman said the Government continuously provides advisory on how to upgrade patches and warning of virus attacks.

The third category focuses on monitoring, enforcement, policy review and value-add to improve ICT security management.

Meanwhile, National ICT Security and Emergency Response Centre (Niser)'s director Lt Col Husin Jazri recommended that more organised quality assurance, security assurance and validation processes be introduced, especially for ICT systems that are related to critical infrastructures and public convenience.

"Technology exploitation or intrusions that cause security breaches in certain cases could be attributed to weak project design, management and implementation. Best practice stipulates that migration from manual system to computerised system requires careful implementation, adequate trial and validation period," he explained.

Husin said there are many measures already taken by the Government to ensure minimal security breaches within their domain. These measures include stringent project approval and procurement processes to ensure that the scope of works is valid and the best contractor is awarded the job (for ICT projects).

"In addition, each Ministry is expected to do its own 'due diligence' to ensure only sound recommendations are brought forward for approval," he said. "If this is done properly, I do not see how any form of data or information corruption can take place."

According to e-Cop.net Surveillance Sdn Bhd's chief executive officer Alan See, taking a vigilant, adaptive and responsive attitude towards system/application/network monitoring is essential in tracing and taking action against threats to reduce vulnerabilities.

"Malaysia still lacks the appreciation of info-security management best practices. Many organisations (not only Government agencies but the private sector as well) tend to overlook the importance of people and processes that make up the 3Ps approach (product, people and processes) when it comes to info-security measures.

"Sheer dependence on products is no longer sufficient to protect against these attacks. A stringent security measure actually translates more than products and solutions," he said.

As such, an ideal enterprise security management (ESM) requires not only protection, but also detection and response by adopting the 3Ps approach, See elaborated.

"While most agencies would have the best security products (reactive measures) in place, more emphasis should be put on 'people and processes - (proactive measures)' for complete enterprise security," he said.

"Instead of just reacting to threats, security processes ensure proactive detection and response to such threats which include monitoring of the application, system and security products, implementing suitable counter-measures to stop further attacks, staying vigilant at all times and conducting regular audit and awareness on current processes," he added.

Some basic steps to insulate attacks from within an organisation include ensuring access to all systems via unique IDs and passwords that are not shared among staff, said KPMG's business advisory services director Woon Tai Hai.

"Passwords must be changed on a regular basis, audit trail of records amended must be checked on an ad hoc basis, ensuring only the right level of personnel can access certain level of information, and IDs and passwords are restricted to certain people.

"Discourage the use of 'thumbnail' drive and if possible, disable all removable drives from computers," he said, adding that replication of any crucial information should be centralised.

"Another form of deterrence is to ensure that access to offices is secured electronically and movements can be monitored. While this will not prevent 'die-hard' perpetrators, it can offer an effective deterrence," he said.

Woon, who is also a councillor with the Association of the Computer and Multimedia Industry Malaysia, said organisations need to review their current network connecting the system to the outside world and see if there are any weaknesses inherent in the system to insulate from external attacks.

"Firewalls are commonly used to insulate from such attacks. The best form of protection is to disconnect your computers from the network when they are not in use, and if possible not to connect any of the systems containing critical information to any networks," Woon said.

"Outside intrusion is far more deadly and is potentially more widespread, thus resulting in devastating consequences. The use of wireless local area network should be reviewed and utilised carefully," he added.