Malaysia Vulnerability Assessment Centre (MyVAC)

Malaysia Vulnerability Assessment Centre, or MyVAC, is a department within CyberSecurity Malaysia. The centre was initially set up and funded by the government under the Ninth Malaysian Plan (RMK-9) as part of the "Vulnerability Assessment for Information Systems and Technology" project.

The establishment of MyVAC's programme is also aligned with the implementation of the National Cyber Security Policy (NCSP), under Thrust 3: Technology Framework. MyVAC was formed to enhance national information security assurance and has the following objectives:

  • To improve the security level of the Critical National Information Infrastructure (CNII) through security domain assessment.
  • To improve the nation's ability to decrease cyber threats and exploitation due to technology and implementation vulnerabilities.

MyVAC aims to improve the security posture of the Critical National Information Infrastructure (CNII) sectors through actual assessment, and to improve the nation's ability to defend against cyber threats and exploitation due to information systems and technology vulnerabilities.

The implementation of this centre will also emphasize the development of critical technology laboratories and infrastructure, as well as security expertise in the areas of control systems, Internet of Things (IoT), mobile, web applications and networks.

MyVAC recognizes the importance of having vulnerability assessment laboratories for critical information systems and technologies. In the laboratory (test bed), MyVAC analysts conduct assessments, identify common and potential vulnerabilities and investigate mitigation approaches. The laboratories are:

  • IoT Security laboratory, where vulnerabilities are simulated and hardening steps are tested.
  • Supervisory Control and Data Acquisition (SCADA) laboratory, where research on control systems vulnerabilities is conducted.
  • Secure Software Development Lifecycle (S-SDLC) laboratory, where studies to identify security requirements and mechanisms in software engineering practices are performed.

Strategic Objectives

The strategic objectives are:

  • To develop a comprehensive cyber security programme as a national priority that provides mitigation strategies to prevent the exploitation of critical information systems and technology vulnerabilities.
  • To reduce vulnerabilities and security risks by providing vulnerability assessment and countermeasures.
  • To develop the cyber security capacity and capability required primarily to ensure that information systems and technologies can be used safely or implemented securely within the Critical National Information Infrastructure (CNII).
  • To promote awareness and educate CNII owners and stakeholders about the vulnerabilities of, and possible attacks on, their critical infrastructures.
  • To build partnerships among critical industries, CNII owners and stakeholders, governments and researchers to plan, develop and share security solutions.

Our Services

MyVAC provides the following services to ensure complete national protection:

  • SECURITY POSTURE ASSESSMENT (SPA) SERVICES

    MyVAC provides security posture assessment services for CNII sectors. This service aims at discovering and highlighting security issues that may affect the resiliency of our national cyber security. The scope of SPA services includes mobile applications, web applications, databases, network architecture, perimeter devices, servers, hosts, physical security and technical policies.

  • ICS/SCADA SECURITY ASSESSMENT (SSA) SERVICES

    A study on National Cyber Security Policy (NCSP), which was conducted by the Ministry of Science, Technology and Innovation under the Ninth Malaysian Plan (RMK-9), has determined that Control Systems such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS) are among the critical information systems that require national protection. It was identified that these critical systems are used by our critical infrastructure sectors such as Electricity, Oil and Gas, Water and Waste Treatment, Manufacturing, Chemical and Transportation to operate their daily services and production operations for the nation.

    MyVAC provides ICS/SCADA security assessment services for CNII sectors. This is a specialized security assessment targeted at specific CNII sectors as described above.

  • PHP SECURE CODE ASSESSMENT (PSCA) SERVICES

    MyVAC provides Secure Code Assessment for code written in the PHP language. Secure code assessment involves manual and/or automated review of application source code in an attempt to identify security-related flaws in the code. The goal is to arm developers with information in order to make the application's source code more secure.

  • TECHNICAL TRUSTMARK SECURITY ASSESSMENT (TTSA) SERVICES

    The Malaysia Trustmark was initiated by the Malaysian Government as a means of validating the legality of an organization that is involved in e-business. Validated organizations are then awarded the Malaysia Trustmark as a certification that the particular organization is recognized as a trustworthy e-business operator. The Malaysia Trustmark therefore helps consumers identify which websites belong to trustworthy e-business operators, so that they may proceed with a purchase/transaction with confidence.

    MyVAC provides technical security assessment services as part of Malaysia Trustmark for Private Sector (MTPS) programme.


1. ICS Guideline

Document Name:

Cyber Security Guideline for Industrial Control System (ICS)

Purpose:

This guideline is developed as a reference for holistic implementation of security controls in ICS development.

Target Audience:

This guideline provides a practical security guide intended to benefit ICS key players and security.

The following audiences are identified, but are not limited to:
  • Engineers or individuals authorized to design, implement, administer, patch, assess or secure ICS
  • Researchers of ICS security practical implementation
  • Vendors in charge of ICS business

ICS Security Guideline email to ics@cybersecurity.my

2. SSDLC Guideline

Document Name:

Cyber Security Guideline for Secure Software Development Life Cycle (SSDLC)

Purpose:

This guideline is developed as a reference for holistic implementation of security controls in SSDLC development.

Target Audience:

This guideline provides a practical security guide intended to benefit the key players of SSDLC.

The following audiences are identified, but are not limited to:
  • Engineers or individuals authorized to design, implement, administer, patch, assess or SSDLC
  • Managers responsible for SSDLC
  • Researchers of SSDLC practical implementation
  • Vendors in charge of SSDLC

ICS Security Guideline email to ssdlc@cybersecurity.my

The guideline is open for public comments until 31 March 2020