Malaysia Vulnerability Assessment Centre (MyVAC)
The Malaysia Vulnerability Assessment Centre, or MyVAC, is a department within CyberSecurity Malaysia. The centre was initially set up and funded by the government under the Ninth Malaysian Plan (RMK-9) as part of the "Vulnerability Assessment for Information Systems and Technology" project.
The establishment of MyVAC's programme is also aligned with the implementation of the National Cyber Security Policy (NCSP), under Thrust 3: Technology Framework. MyVAC was formed to enhance national information security assurance and has the following objectives:
- To improve the security level of the Critical National Information Infrastructure (CNII) through security domain assessment.
- To improve the nation's ability to reduce cyber threats and exploitation due to technology and implementation vulnerabilities.
MyVAC aims to improve, through actual assessment, the security posture of the Critical National Information Infrastructure (CNII) sectors and the nation's ability to defend against cyber threats and exploitation due to information systems and technology vulnerabilities.
The implementation of this centre will also emphasize the development of critical technology laboratories and infrastructure, as well as security expertise in the areas of control systems, Internet of Things (IoT), mobile, web applications and networks.
MyVAC recognizes the importance of having vulnerability assessment laboratories for critical information systems and technologies. In the laboratory (test bed), MyVAC analysts conduct assessments, identify common and potential vulnerabilities, and investigate mitigation approaches. The laboratories are:
- IoT Security laboratory, where vulnerabilities are simulated and hardening steps are tested.
- Supervisory Control and Data Acquisition (SCADA) laboratory, where research on control systems vulnerabilities is conducted.
- Secure Software Development Lifecycle (S-SDLC) laboratory, where studies to identify security requirements and mechanisms in software engineering practices are performed.
The strategic objectives are:
- To develop a comprehensive cyber security programme as a national priority that provides mitigation strategies to prevent the exploitation of critical information systems and technology vulnerabilities.
- To reduce vulnerabilities and security risks by providing vulnerability assessment and countermeasures.
- To develop the cyber security capacity and capability required primarily to ensure that the information systems and technologies could be used safely or implemented securely within the Critical National Information Infrastructure (CNII).
- To promote awareness and educate CNII owners and stakeholders about the vulnerabilities of, and possible attacks on, their critical infrastructures.
- To build partnerships among critical industries, CNII owners and stakeholders, governments and researchers to plan, develop and share security solutions.
MyVAC provides the following services to ensure complete national protection:
SECURITY POSTURE ASSESSMENT (SPA) SERVICES
MyVAC provides security posture assessment services for CNII sectors. This service aims at discovering and highlighting security issues that may affect the resiliency of our national cyber security. The scope of SPA services includes mobile applications, web applications, databases, network architecture, perimeter devices, servers, hosts, physical security and technical policies.
ICS/SCADA SECURITY ASSESSMENT (SSA) SERVICES
A study on the National Cyber Security Policy (NCSP), conducted by the Ministry of Science, Technology and Innovation under the Ninth Malaysian Plan (RMK-9), determined that control systems such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS) are among the critical information systems that require national protection. It identified that these critical systems are used by our critical infrastructure sectors, such as Electricity, Oil and Gas, Water and Waste Treatment, Manufacturing, Chemical and Transportation, to operate their daily services and production operations for the nation.
MyVAC provides ICS/SCADA security assessment services for CNII sectors. This is a specialized security assessment targeted at the specific CNII sectors described above.
PHP SECURE CODE ASSESSMENT (PSCA) SERVICES
MyVAC provides Secure Code Assessment for code written in the PHP language. Secure code assessment involves manual and/or automated review of application source code in an attempt to identify security-related flaws in the code. The goal is to arm developers with the information they need to make the application's source code more secure.
TECHNICAL TRUSTMARK SECURITY ASSESSMENT (TTSA) SERVICES
The Malaysia Trustmark was initiated by the Malaysian Government as a means of validating the legality of an organization that is involved in e-business. Validated organizations are then awarded the Malaysia Trustmark as certification that the organization is recognized as a trustworthy e-business operator. The Malaysia Trustmark therefore helps consumers identify which websites belong to trustworthy e-business operators, so that they may proceed with a purchase/transaction with confidence.
MyVAC provides technical security assessment services as part of the Malaysia Trustmark for Private Sector (MTPS) programme.