Malaysia's National Cyber Security Policy

Copyright © 2013 CyberSecurity Malaysia
MALAYSIA’S NATIONAL CYBER
SECURITY POLICY
An Integrated Approach For Cyber Security And
Critical Information Infrastructure Protection

10 September 2013
Bandung, Indonesia
MOHD SHAMIR B HASHIM
Vice President
Government and Multilateral Engagement

§  Critical infrastructures are increasingly dependent on information and communication.
§  The potential natural disasters or terrorist attacks, which threaten the critical infrastructure and critical
information infrastructure as well, are dramatically increasing today.
§  Risks to the CIIs include man-made attacks, natural disasters and technical failures.
§  The high dependence on CNIIs, their cross-border interconnectedness and interdependencies with
other infrastructures, as well as the vulnerabilities and threats they face raise the need to address their
security and resilience in a systematic perspective as the frontline of defense against failures and
attacks.
Cyber Threats
CRITICAL INFORMATION INFRASTRUCTURES
POWER GENERATION
SERVICES
DISTRIBUTION
Interdependencies
The high degree of
interdependency between the
critical infrastructure sectors
means failures in one sector
can propagate into others.
2

Cyber
Content
Related
Threats
Technology

Related
Threats

Hack Threat
Fraud
Denial of Service Attack
Intrusion
Malicious Code
Harassment
Threats to National
Security
Sedition / Defamation
Online Porn
Hate Speech
3

Cyber Threats
CLASIFICATIONS

Copyright © 2013 CyberSecurity Malaysia 4

2005

National Cyber
Security Policy
formulated by MOSTI
NCSP
Adoption
and Implementation
2006
CyberSecurity Malaysia
launched by
Prime Minister of Malaysia
on 20 Aug 2007
2007
The policy recognises the critical and highly interdependent nature of the CNII and aims to
develop and establish a comprehensive programme and a series of frameworks that will ensure
the effectiveness of cyber security controls over vital assets
NCSP
Objectives
Address The Risks To
The Critical National
Information
Infrastructure
Ensure That Critical
Infrastructure Are
Protected To A Level
That Is
Commensurate With
The Risks
Develop And
Establish A
Comprehensive
Program And A
Series Of
Frameworks
Cyber Security Governance
NATIONAL CYBER SECURITY POLICY
4

VISION
Malaysia's Critical National Information Infrastructure shall be secure, resilient and
self-reliant. Infused with a culture of security, it will promote stability, social well being
and wealth creation
5

DEFENCE & SECURITY
• Ministry of Defense, Military
• Ministry of Home Affairs, Police
TRANSPORTATION
• Ministry of Transport
BANKING & FINANCE
• Ministry of Finance
• Central Bank
• Securities Commission
HEALTH SERVICES
• Ministry of Health
EMERGENCY SERVICES
Ministry of Housing & Local Municipality
CRITICAL NATIONAL
INFORMATION
INFRASTRUCTURE
Assets (real & virtual),
systems and functions
that are vital to the nation
that their incapacity or
destruction would have a
devastating impact on
• National Defense &
Security
• National Economic
Strength
• National Image
• Government capability
to function
• Public Health & Safety
ENERGY
• Energy Commission
INFORMATION &
COMMUNICATIONS
• Ministry of Communications &
Multimedia
GOVERNMENT
• Malaysia Administrative, Modernisation
and Management Planning Unit
FOOD & AGRICULTURE
• Ministry of Agriculture
WATER
• National Water Service Commission
National Cyber Security Policy
CNII SECTORS

•  Effective GovernanceNational Security
Council
•  Legislation & Regulatory FrameworkAttorney General’s
Office
•  Cyber Security Technology Framework
Ministry of Science,
Technology and
Innovation
•  Culture of Security and Capacity
Building
Technology and
Innovation
•  Research & Development Towards Self
Reliance
Technology and
Innovation
•  Compliance & Enforcement
Ministry of Information,
Communications &
Culture
•  Cyber Security Emergency ReadinessNational Security
Council
•  International Collaboration
Communications &
Culture
1
2
3
4
5
6
7
8
6

POLICY THRUST

Council
Office
Technology and
Innovation
Building
Technology and
Innovation
Reliance
Technology and
Innovation
Communications &
Culture
Council
Communications &
Culture
1
2
3
4
5
6
7
8
7

POLICY THRUST

CyberSecurity Malaysia (www.cybersecurity.my)
A NATIONAL CYBER SECURITY SPECIALIST AGENCY UNDER
THE MINISTRY OF SCIENCE, TECHNOLOGY AND
INNOVATION (www.mosti.gov.my).
Pt 1: Effective Governance
CYBERSECURITY MALAYSIA
Ministerial Function
Act1969, Amendment 2009
Provides specialised ICT
security services and
continuously identifies
possible areas that may be
detrimental to national security
Cabinet Notes 2005
Ministry of Finance and Ministry of
Science, Technology & Innovation
CyberSecurity Malaysia as a
National Body to monitor
aspects of the National e-
Security
VISION
To be a globally recognised National
Cyber Security Reference and Specialist
Centre by 2020
MISSION
Creating and Sustaining a Safer
Cyberspace to Promote National
Sustainability, Social Well-Being and
Wealth Creation
8
Establishment of a national
info security coordination
centre

STRATEGY
ENGAGEMENT &
RESEARCH
INFO SECURITY
PROFESSIONAL
DEVELOPMENT &
OUTREACH
SECURITY QUALITY
MANAGEMENT
SERVICES
CYBER SECURITY
EMERGENCY
SERVICES
Digital Forensics
Security
Management & Best
Practices
Info Security
Professional
Development
Outreach
Strategy
Engagement
Research
Information Security
Certification Body
CyberSecurity Malaysia
CORE FUNCTIONS / SERVICES
Security Assurance
Security Incident
Handling
9

National Security Council
Chair : Y.A.B. Prime Minister
Secretariat: NSC
E-Sovereignty Working Group
Chair : Under Secretary of NSC
National
Cyber
Security
Coordination
Committee
Chair : NSC
Secretariat : NSC
Government
Communication
Strategy
Enhancement
Committee
Chair : PMO
Secreatriat :
BHEUU
National
Cyber Crisis
Coordination
Committee
Chair : PMO
Secretariat : NSC
Cyber Law
Committee
Chair : AGC
Secretariat : AGC
National
Acculturation
& Capacity
Building
Committee
Chair : MOSTI
Secretariat :
MOSTI
MICC
compliance &
Enforcement
Committee
Chair : MICC
Secretariat :
MICC
E-Sovereignty Committee
Chair : Y.A.B. Deputy Prime Minister
Secretariat: NSC
National IT Council (NITC)
Chair : Y.A.B. Prime Minister
Secretariat: MOSTI
POLICY
CONTENT
CRISIS

MANAGEMENT

LEGISLATION

ACCULTURATION
&

CAPACITY
BUILDING

COMPLIANCE
&

ENFORCEMENT

ORGANIZATION STRUCTURE
10


•  MAMPU
•  National Security Council
•  Attorney General’s Chambers
•  Chief Government Security Office
•  Ministry of Science, Technology & Innovation
•  Ministry of Defense
•  Ministry of Foreign Affairs
•  Ministry of Energy, Green Technology & Water
•  Ministry of Information, Communication & Culture
•  Ministry of Transportation
•  Ministry of Home Affairs
•  Royal Malaysian Police
•  Southeast Asia Regional Center for Counter-Terrorism
•  Bank Negara Malaysia
•  National Water Services Commission
•  Malaysian Communication & Multimedia Commission
•  Energy Commission
•  Securities Commission Malaysia
•  Khazanah Nasional Berhad
•  CyberSecurity Malaysia
•  MIMOS Berhad
•  Standards Malaysia
NATIONAL COORDINATION COMMITTEE

Council
Office
Technology and
Innovation
Building
Technology and
Innovation
Reliance
Technology and
Innovation
Communications &
Culture
Council
Communications &
Culture
1
2
3
4
5
6
7
8
12

POLICY THRUST


Cyber Specific Laws
Specific legislation governing
online matters
•  Communications and Multimedia Act 1998
•  Optical Disk Act 2000
•  Computer Crimes Act 1997
•  Digital Signature Act 1997
•  Telemedicine Act 1997
•  Electronic Commerce Act 2006
•  Electronic Government’s Activities Act 2007
•  Personal Data Protection Act 2010
Non Cyber Specific Laws
Legislation that may be used to
regulate online matters whenever
applicable
•  Copyright Act 1987
•  Sedition Act 1948
•  Penal Code
•  Defamation Act 1957
Pt 2: Legislative & Regulatory Framework
CYBER LAWS OF MALAYSIA
Reduction of & increased in
success in, the prosecution in
cyber crime.


A study on the laws of Malaysia to accommodate legal challenges
in the Cyber Environment
14

CYBER LAW REVIEW STUDY


CYBER LAW REVIEW STUDY


AMENDMENTS – EVIDENCE ACT


DIGITAL FORENSICS LAB
ANALYZE & INVESTIGATE
DIGITAL EVIDENCE
DATA RECOVERY LAB
RECOVER CORRUPTED &
DELETED DATA
EXPERT DEVELOPMENT
LAB
PLATFORM FOR RESEARCH &
JOB ATTACHMENT
EVIDENCE PRESERVATION
FACILITY
A SECURE ENVIRONMENT FOR
DIGITAL EVIDENCE
CyberCSI™
DIGITAL FORENSICS


Notification of Declaration under Subsection 399(2) - Digital Forensics Analyst
EXPERT WITNESS

MODULES LEVEL
1 Information Security Essentials Fundamental
2 ISMS Essentials Fundamental
3 Digital Forensics Essentials Fundamental
4 Forensics on Internet Application Fundamental
5 Digital Forensics for First
Responder
Intermediate
DIGITAL FORENSICS MODULES
Duration: 11 days

19
DIGITAL FORENSICS TRAINING

Council
Office
Technology and
Innovation
Building
Technology and
Innovation
Reliance
Technology and
Innovation
Communications &
Culture
Council
Communications &
Culture
1
2
3
4
5
6
7
8
20

POLICY THRUST

§  Guidelines: Computer Security Handbook, ICT
Outsourcing Information Security
§  Best practices: Social Networking, Protecting Your
Mobile Device
§  3rd Party Information Security Assessment Guideline
§  Wireless Local Area Network (LAN) Security Guideline
§  Joint development of the National Cyber Crisis
Management Plan (NCCMP) with National Security
Council.
§  Business Continuity Management (BCM)
implementation for organization.
§  Development of Information Security Standards at the
national level.
§  Information Security Management System (ISMS)
certification programme for Critical National
Information Infrastructure (CNII) agencies.
§  Develop Information Security Guidelines and Best
Practices.
21
Pt 3: Cyber Security Technology Framework
SECURITY MANAGEMENT BEST PRACTICES
Expansion of national certification
scheme for infosec mgmt &
assurance

Phase 2 – Building the Infrastructure
SECURITY STANDARDS
MODULES LEVEL
3 ISMS Implementation Intermediate
4 ISMS Internal Auditor Advance
ISO 27001 Information Security Management System
Duration: 9 days

ISO/IEC 27001
Information Security
Management –
Confidential
Information Remain
Confidential
22

SECURITY ASSURANCE OFFERS 2 TYPES OF SERVICE FOR THE ENHANCEMENT OF
NATIONAL INFORMATION SECURITY ASSURANCE :
MyVAC
(National Vulnerability
Assessment Center)
MySEF
(Malaysian ICT Security
Evaluation Facilities)
•  Vulnerability Assessment And
Penetration Testing Services for
CNII sectors
•  Common Criteria (CC)
evaluation service
•  Security Assessment for control
system (SCADA/DCS)
•  ICT Product Security
Assessment (IPSA) service
•  Common Criteria (CC)
Protection Profile (PP)
evaluation service
23
ASSESSMENT & ASSUARANCE

CERTIFICATE AUTHORISING PARTICIPANTS
CERTIFICATE CONSUMING PARTICIPANTS
•  Participants that represent a compliant Certification
Body
•  Mutually recognizes certified products/systems
produced by the Certificate Authorising Participants
based on ISO/IEC 15408
Participants that have a national
interest in recognising CC certificates
produced by the Certificate Authorising
Participants based on ISO/IEC 15408
CCRA is an international recognition arrangement for
Common Criteria Standard (ISO/IEC 15408)
CyberSecurity Malaysia is the National Certification
Body - Malaysian Common Criteria Certification Body
(MyCB) ITALY
JAPAN
NETHERLANDS

SWEDEN
TURKEY

NEW

ZEALAND

AUSTRALIA

UNITED
KINGDOM

CANADA
FRANCE

UNITED
STATES

GERMANY

SPAIN
REP.
OF
KOREA
NORWAY

AUSTRIA
GREECE
FINLAND
DENMARK
CZECH
REP

HUNGARY
SINGAPORE
PAKISTAN
ISRAEL
INDIA

24
COMMON CRITERIA RECOGNITION ARRANGEMENT

1.  International collaboration in the area of CERT in the Asia
Pacific region and OIC countries.
2.  Coordinate the implementation of the NCSP.
3.  Secretariat for the Operational Task Force under National
Security Council.
4.  Secretariat for the NC3 chaired by National Security Council
1.  Cyber media research
2.  Cyber War Research
3.  Development of National Cryptography Policy
4.  Cyber Laws Study
5.  Co-Chair for CSCAP Study Group on Cyber Security that includes the
Issues of Transnational Cyber Crime
6.  Co-Leading Nation for ASEAN Regional Forum in Counter
Radicalization Work Plan for Counter-Terrorism & Transnational
Crime in collaboration with Ministry of Foreign Affairs
25

STRATEGIC RESEARCH & ENGAGEMENT

CYBER CONFLICTS
Tactics
• Cyber espionage
• Web vandalism
• Propaganda
• Gathering data
• Distributed Denial-of-Service Attacks
• Equipment disruption
• Attacking critical infrastructure
• Compromised Counterfeit Hardware
(source: http://en.wikipedia.org/wiki/Cyberwarfare)
26

Emerging Threats
STRATEGIC RESEARCH & ENGAGEMENT

Council
Office
Technology and
Innovation
Building
Technology and
Innovation
Reliance
Technology and
Innovation
Communications &
Culture
Council
Communications &
Culture
1
2
3
4
5
6
7
8
27

POLICY THRUST


Pt 4: Culture Of Cyber Security & Capacity Bldg
IT’S ABOUT PEOPLE


An area where today’s youth are at greatest risk is social networking
http://www.jdpower.com/autos/car-photos/ Identity-Theft/Identity-Theft/2009
PEOPLE – WEAKEST LINK


National
Strategy for
Cyber Security
Acculturation
and Capacity
Building
Program
CYBER SECURITY ACCULTURATION & CAPACITY BLDG
Reduced no. of InfoSec incidents
through improved awareness & skill
level

§  Man behind the machine is the critical factor
Current Ratio of
Professionals : Internet User
1 : 8,924
Target 1:1,500
(Conduct Study to determine number of Info Pro)
"   Help nurture the information security workforce with the
required knowledge and skills by providing information
security competency and capability courses and
certifications.
"   Through strategic collaborations with reputable
organizations in Malaysia and international accreditation
institutions this program is accomplished.
"   Malaysia requires sufficient skilled people to deal with
sophisticated cyber threats & uncertainty of cyber space.
31
CAPACITY BLDG – INFOSEC PRO DEVELOPMENT

PROFESSIONAL COURSES
• Business Continuity Management Professional
Certification (BCLE2000)
• Certified Information System Security Professional
(CISSP) CBK Review Seminar
• Certified Secure System Lifecycle Professional
(CSSLP)
• ISO 27001 Lead Auditor
• Professional in Critical Information Infrastructure
Protection (PCIP)
• System Security Certified Practitioner (SSCP) CBK
Review Seminar
SPECIALIZED COURSES
• Digital Forensics for Law Practitioner
• Forensics on Internet Applications
• ISO 27001 Internal Auditor
INTERMEDIATE COURSES
• Cryptography for Information Security Professional
• Digital Forensic for First Responder
• Incident Response & Handling for Computer Security
& Incident Response Team (CSIRTS)
• Incident Handling and Network Security Training
(IHNS)
• ISO 27001 Implementation
• MyCC 2.0 - Foundation Evaluator Training
FUNDAMENTAL COURSES
• Business Continuity Management For Beginners
• Cryptography for Beginners
• CSM Security Essential Training
• Data Encryption for Beginners
• Digital Forensics Essential
• Google-Fu Power Search Technique
32
TRAINING COURSES


CyberSecurity
Malaysia’s

CyberSAFE

Cyber
Security
Awareness
For
Everyone

PROGRAM

• 
It
is
everyone’s
responsibility

• 
To
explore
smart
partnership

CyberSecurity
Malaysia
and
YOU

AWARENESS

Council
Office
Technology and
Innovation
Building
Technology and
Innovation
Reliance
Technology and
Innovation
Communications &
Culture
Council
Communications &
Culture
1
2
3
4
5
6
7
8
34

POLICY THRUST

Development of the National R&D Roadmap for Self Reliance in
Cyber Security Technologies is facilitated by MIMOS Berhad, a
Government R&D institution
35

To Identify Technologies
That Are Relevant and
Desirable by the CNII
To Promote Collaboration
with International Centres
of Excellence
To Provide Domain
Competency Development
To Nurture the Growth of
Local Cyber Security
Industry
To Update the National R&D
Roadmap
Pt 5: Research & Development Towards Self Reliance
R & D ROADMAP
Acceptance & utilization of
local developed info security
products

Council
Office
Technology and
Innovation
Building
Technology and
Innovation
Reliance
Technology and
Innovation
Communications &
Culture
Council
Communications &
Culture
1
2
3
4
5
6
7
8
36

POLICY THRUST


•  To study the need to introduce a Cyber
Security Safety Standards Act to ensure
mandatory compliance by CNII to ISMS
Standards (ISO27001) and other
selected standards.
•  Audit and certification of ISMS
compliance of CNIIs within 3 years
from the date of Cabinet mandate 24
Feb 2010
Ensure
Mandatory

Compliance
to

Informa;on

Security
Standards

by
CNII

• Government Agencies dialogue session
to implement ISMS compliance for CNIIs
• ISMS (ISO/IEC-27001) training and
workshops for CNIIs and regulatory
bodies
• CNII Information Security Standards
Adoption Program
Capability
and

Awareness

Programmes
for

CNIIs
• Local Developers to obtain products
certification under ISO 15408 (Common
Criteria EAL2)
• Develop Cyber Security Industry
Directory to list Malaysian IT security
companies, products and IT security
professionals
• Cyber Security Trade Event to promote
locally developed products under
Common Criteria (Nov2012)
Facilitate
Industry

Development

In
progress
Case
for
change:

n Cabinet
mandate
for
CNII
organizaTons

to
obtain
ISMS
cerTﬁcaTon
within
3

years
24
Feb
2010

n CriTcal
NaTonal
InformaTon

Infrastructure
(CNII)
exposed
to
cyber

threats

n Lack
of
compliance
to
informaTon

security
standards
(eg
ISMS
27001)

amongst
CNII

n Weak
ecosystem
of
local
industry
to

support
the
requirements
of
CNII
e.g.

Products
cerTﬁed
under
Common

Criteria

RecommendaTon:

n Ensure
mandatory
compliance
of

ISMS

Standards
for
CNII

n Capability
and
Awareness
for
CNIIs

n Facilitate
Industry
Development

*
CollaboraTon
with
PEMANDU

(Performance
Management
and

Delivery
Unit)
SRI
(Strategic
Reform

IniTaTve)

In
progress
In
progress
Pt 6: Compliance & Enforcement
STANDARDS & GUIDELINES
Strengthen or include infosec
enforcement role in all CNII
regulatorsI

Council
Office
Technology and
Innovation
Building
Technology and
Innovation
Reliance
Technology and
Innovation
Communications &
Culture
Council
Communications &
Culture
1
2
3
4
5
6
7
8
38

POLICY THRUST


Number
of
cyber
security
incidents
referred
to
CyberSecurity
Malaysia
31
Aug

2012
(excluding
spams)

INCIDENTS
§  Intrusion
§  Intrusion Attempt
§  Spam
§  DOS
§  Cyber Harassment
§  Fraud
§  Content Related
§  Malicious Code
§  Vulnerabilities Report
39

As of 30th
April 2013
CNII resilience against cyber
crime, terrorism, info warfare
Pt 7: Cybersecurity Emergency Readiness
CYBER INCIDENTS 1997 - 2012

0

100

200

300

400

500

600

2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012

30

58
49
48

91
105

137

190
172

131

59
13

5
20

45

41

116

160

212

428

442

349

Forensic
Analysis

Data
recovery

•  75% cases - from law enforcement agencies (PDRM, BNM, AG, SKMM etc).
•  Types of cases – Financial Fraud, Sexual Assault, National threats, etc.
[
As
of
31st
August
2012
]

43

63
93
69
132
221
297
600
402
573
408
40

DIGITAL FORENSICS CASES (2002 – 2012)


Cyber999™
Cyber Early Warning Services
1. Incident Handling
2. Cyber Early Warning
3. Technical Coordination Centre
4. Malware Research Center
§  Email
o  cyber999@cybersecurity.my
o  mycert@mycert.org.my
§  Phone
o  +603 8992 6969
o  1 300 88 2999
§  Fax
o  +603 8945 3442
§  SMS
o  15888 Cyber999 Report
§  Mobile (24x7)
o  +6019 266 5850
§  Online – http://www.mycert.org.my
§  Office Hours – MYT 0830 - 1730
COMPUTER EMERGENCY RESPONSE TEAM


Emerging

Threats

LebahNet

Project

Malware

Research

Threats

VisualizaTon

Advisory
&

Alerts

EXPLOIT
ADVISORIES & ALERTS
§  Software vulnerabilities (advisories)
§  0 day vulnerabilities
§  Patch & upgrades
OUTBREAKS ALERTS
§  H1N1 flu
§  Trojan-Michael Jackson Death
§  Conficker
§  IE/Acrobat/Office/Flash 0 day
MA-321.072012 : MyCERT Alert - Microsoft Security Bulletin Summary For July 2012
21/06/2012
MA-320.062012 : MyCERT Alert - Critical Vulnerability in Microsoft XML Core Services
19/06/2012
MA-319.062012 : MyCERT Alert - Increase in Web Defacement Incidents
13/06/2012
MA-318.062012 : MyCERT Alert - Microsoft Security Bulletin Summary For June 2012
13/06/2012
MA-317.062012 : MyCERT Alert - Oracle Java SE Critical Patch Update Advisory - June 2012
11/06/2012
MA-316.062012 : MyCERT Alert - Critical Vulnerability in MySQL and MariaDB
11/06/2012
MA-315.062012 : MyCERT Alert - Critical Vulnerability in Adobe Flash Player
07/06/2012
MALWARE RESEARCH CENTER

Incident
Handling
Technical
Coordination
Centre
MODULES LEVEL
3 Incident Handling & Network
Security (IHNS)
Intermediate
4 Ethical Hacking and Penetration
Testing
Intermediate
5 Security Audit and Assessment Intermediate
INCIDENT HANDLING MODULES
Duration: 13 days

43
COMPUTER EMERGENCY RESPONSE TEAM

Council
Office
Technology and
Innovation
Building
Technology and
Innovation
Reliance
Technology and
Innovation
Communications &
Culture
Council
Ministry of
Communications &
Multimedia
1
2
3
4
5
6
7
8
44

POLICY THRUST


APCERT
OIC-CERT
ENGAGE
Participate in
relevant cyber
security meetings
and events to
promote
Malaysia’s
positions and
interests in the
said meetings and
events
PRIORITIZE
Evaluate
Malaysia’s
interests at
international cyber
security platforms
and act on
elements where
Malaysia can get
tangible benefits
and voice third
world interests
LEADERSHIP
Explore opportunities at
international cyber
security platforms
where Malaysia can vie
for positions to play a
leadership role to
project Malaysia’s
image and promote
Malaysia’s interests
Pt 8: International Collaboration
MISSIONS International branding on CNII
protection with improved
awareness & skill level

q  The National Cyber Security Policy is a holistic
approach for cyber defence of the CNIIs and the
nation.
q  Encouraging Public Private Cooperation as essential
element in mitigating cyber threats
q  Commitment from stakeholders is critical in ensuring
the success of the policy’s implementation.
46

NATIONAL CYBER SECURITY POLICY
In Conclusion

Malaysia's National Cyber Security Policy

More Related Content

What's hot

Similar to Malaysia's National Cyber Security Policy

More from Directorate of Information Security | Ditjen Aptika

Recently uploaded

Malaysia's National Cyber Security Policy