© 2007 Malaysian Communications and Multimedia Commission

NATIONAL STRATEGY:- MALAYSIAN EXPERIENCE

Devi Annamalai
Security, Trust and Governance
MCMC
28th August 2007
Hanoi, Vietnam

BACKGROUND

• MCMC is a statutory body established under the Malaysian Communications and Multimedia Commission Act 1998 to regulate and nurture the communications and multimedia industry in Malaysia.

• The 10th National Policy Objective requires the Commission to ensure information security and the integrity and reliability of the network for the country.

NATIONAL STRATEGY

• Comprehensive law and policies

• Effective monitoring tools

• Awareness and Education

• Capacity Building

• International collaboration

LAWS AND POLICIES

Public

Presently, matters relating to information and network security in the public sector are under the administration of the Malaysian Administrative Modernization and Management Planning Unit (MAMPU). Within MAMPU, there is the ICT Security Division. They recently launched the Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS). They also operate the G-CERT. However, MAMPU does not have any enforcement powers.

Private

The National IT Council gave birth to NISER (now known as Cyber Security Malaysia) to address e-security issues of the nation and to act as Malaysia’s CERT. NISER offers research in vulnerability detection, intrusion detection and computer forensic technology. They offer their services to private and public entities. Like MAMPU’s ICT Security Division, they do not have any enforcement powers.

MCMC: CMA

The Police: CCA, CMA

MALAYSIAN CYBERLAWS

The Computer Crimes Act 1997

The Communication and Multimedia Act (1998)

The Copyright (Amendment) Act 1997

The Telemedicine Act 1997

The Digital Signature Act 1997

Personal Data Protection

The Electronic Government/Transaction Activities (EGA)

The Malaysian Communications and Multimedia Commission Act (1998)

Acts Under MCMC

Cyber Crime Related Sections Under CMA 1998

Section 231: Offence if use apparatus or device without authority

• Uses any apparatus or device

• With intent to obtain information, content, sender or addressee

• Without an approval from SIRIM

Section 232: Fraudulent use of network facilities, network service etc

• Dishonestly transmit or receive

• Any communication or obtains service

• With intent to avoid payment

• Fraudulent use of service or facility

Section 233: Improper use of network facilities or network service

• makes, creates, solicits, initiates transmission of comment, request, other communication

• With intent to annoy, abuse, threaten or harass another person

• Includes any obscene communication

Section 234: Interception & disclosure of communications prohibited

• without lawful authority

• intercepts, discloses, uses (or attempts to)

• knowing that such is in contravention of sec 234

• such interception is done in connection of a case

Section 235: Damage to network facilities etc

• By any willful, dishonest, negligent act or omission

• tampers with, adjusts, alters, destroys or damages

• Any network facility or any part of them

Section 236: Fraud and related activity in connection with access devices

• Knowingly or with intent to defraud

• Produces, sells, imports, uses etc

• Any equipment, devices that has been modified

• Any hardware, software used for altering or modifying any equipment etc

• To obtain unauthorized use of any network service etc

OTHER RELEVANT PROVISIONS IN CMA

• Section 263 - General duty of licensees

• Section 265 - Network interception capability

• Section 266 - Special powers in emergency

• Section 267 - Disaster Plan

• Section 264 - Persons not liable for act done in good faith (saving provision for operators)

OTHER INSTRUMENTS

• Mandatory Standards to ensure that all communications service providers maintain an acceptable level of network integrity

• Individual license applicants under the CMA are required to provide a disaster recovery plan and details of measures undertaken to ensure network and data security when submitting an application for a license.

MAMPU

• All matters relating to information network security in the public sector are under the administration of MAMPU

• Within MAMPU, there is the ICT Security Division

• Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS)

• Operates G-CERT

CYBER SECURITY MALAYSIA

• Offers research in vulnerability detection, intrusion detection and computer forensic technology

• Offers services to the private and public sectors

• Operates MyCERT

POLICE

• Provide assistance in enforcement activities (CMA)

• Have jurisdiction over the Computer Crimes Act, covering acts such as unauthorized access to computer material, unauthorized access with intent to commit or facilitate commission of a further offence, unauthorized modification of the contents of any computer, and wrongful communication.

INS POLICY

• The security policy will address the role and responsibilities of licensees under the CMA to ensure information security and the integrity and reliability of the network. It will also act as a guide for other parties relevant to the communications and multimedia industry

• Audits in the future will be based on the policies.

REGULATING SPAM

• The MCMC developed an action plan in 2003 to address the problem that spam poses.

• The action plan is multi-pronged: it includes raising awareness, management by the ISPs and promoting technological solutions, and requires the cooperation of all major stakeholders, namely the industry, consumers, service providers, the regulators and the international community.

REGULATING SPAM

• On 25th June 2007, MCMC issued a Tender for the Provision of Consultancy Service for Strategic Study and Drafting of Anti-Spam Legislation for Malaysia.

• The study will review the current state of the regulatory framework on spam in Malaysia, recommend forward-looking policy and strategy, and propose necessary regulatory changes, including the drafting of relevant legislation.

MONITORING TOOLS

NETWORK SECURITY CENTRE

Security, Trust and Governance

Network Security Centre

• Network Monitoring

• Vulnerability Management

• Security Warning, Response & Forensic

Information and Network Security Portal

MAIN FOCUS OF THE NSC

The NSC will coordinate 3 main activities:

a) Network Threat Monitoring and Management;

b) Vulnerability Management; and

c) Incident Management, Network Forensic, Recovery and Advisory

To be operational by end of 2007 – hopefully ☺

Objectives, Benefits & Deliverables

Threat Monitoring & Early Warning

Objective: Generating early warning of massive attacks or malicious propagation through threat monitoring

Benefits: Enable the IASPs to take measures against attacks before they do the actual damage

Deliverables:

• Early warning on new attacks

• Response action for new attacks

• Monthly Statistics

• Monthly Advisories

• Annual status and benchmarking report to be shared with IASP and MCMC

Vulnerability Management

Objective: Periodic identification and mitigation of vulnerabilities in cost effective manner

Benefits: Periodic testing helps in identifying vulnerabilities at the earliest so that remedial measures can be undertaken. This in fact aids in ensuring continued security and reliability of ICT infrastructure.

Deliverables:

• Quarterly internal and external automated and remote penetration testing of each IASP location

• Report listing vulnerabilities, risk level and recommended mitigation steps after each test

Objectives, Benefits & Deliverables

Incident Management and Forensics

Objective: Provide timely and efficient information and recommendations to manage security incidents, to contain the damage and conduct forensics activities

Benefits: The ‘rapid response’ team, with tools and processes to investigate reported incidents and take remedial action, enables incidents to be managed effectively to contain the damage

Deliverables:

• Investigation of reported incidents, timely remediation

• Advisory services on recent events and how to take action on recommendations

• Monthly reports on how to secure against latest threats/vulnerabilities, international trends

INFORMATION NETWORK SECURITY PORTAL

What is INS Portal?

It is a website that hosts multiple portals and will serve as a focal point and a one-stop information centre on information and network security for the communications and multimedia industry.

What are the portals available in the enterprise?

Name of Portal: Objectives

• General Information and Network Security Portal: To house information concerning Information & Network security on various issues

• Network Abuse Reporting Portal: To function as centralized repository

• Network Reporting Portal: A portal specifically designed for the industry in concert with the NRC

• Information Sharing Forum (group): Information sharing, cooperation and coordination with IASPs and government agencies

INS Portal Design

SECURITY AUDITS

AUDITS

• The MCMC also undertakes to conduct Information and Network Security Audits on CMA licensees.

• The audits are based on internationally accepted information and network security standards and best practices.

INFORMATION SHARING FORUM

ISF

• On June 22, 2004, the MCMC formed the ISF

• Total of 60 individual members in the ISF

• Share information on security incidents, vulnerabilities, best practices etc

AWARENESS AND EDUCATION

Awareness and Education

• People: Skills, roles, and responsibilities

• Processes: Consistent and repeatable

• Technology: Products, tools, and automation

AWARENESS PROGRAMS

• Organize industry talks

• Collaborate with other agencies

• Issue related publications, brochures and pamphlets

TARGET AUDIENCE

Businesses/Organizations

Government

Students

Consumers

CAPACITY BUILDING

CAPACITY BUILDING

• Focus on licensees

• In partnership with information and network security industry

• Workshops and training for targeted groups

• Industry Talks

INTERNATIONAL COLLABORATION

International Collaborative Work

• Lead ATRC’s action-plan against Spam;

• Signatory of Seoul-Melbourne MOU and endorsed the London Action Plan against Spam

• APEC TEL’s E-Security and Prosperity Steering Group

THANK YOU

Devi Annamalai
Deputy Director
Security Trust and Governance
Malaysian Communications and Multimedia Commission
