scope - asean regional forumaseanregionalforum.asean.org/files/archive/21st/arf workshop on... ·...
TRANSCRIPT
01/15/2014
1
Copyright © 2013 CyberSecurity MalaysiaCopyright © 2013 CyberSecurity Malaysia
CAPACITY BUILDING TO STRENGTHEN CYBERSECURITY
CAPACITY BUILDING TO STRENGTHEN CYBERSECURITY
by
Sazali SukardiVice President Research CyberSecurity Malaysia
Copyright © 2013 CyberSecurity Malaysia
SCOPE
• INTRODUCTION• CYBER SECURITY INCIDENTS IN MALAYSIA• CAPACITY BUILDING
The Council For Security Cooperationin Asia Pacific’s Initiatives
Malaysia’s Initiatives • CONCLUSION
2
01/15/2014
2
Copyright © 2013 CyberSecurity Malaysia
INTRODUCTION
3
Copyright © 2013 CyberSecurity Malaysia
4
STRATEGIC LEVELAct of aggression / hostile
actions by state, organization and state-
sponsored actors.- Well planned,
sophisticated and complex
War of Perception
-Cyber Propaganda
Cyber Terrorism Cyber War Hacktivism
Political Cyber Espionage
Economic Cyber Espionage
Military Cyber Espionage
MIDDLE LEVEL- sophisticated and may
serve initial steps for strategic attacks
Botnet Distributed Denial of Service (DDoS)
Advance Persistence
Threats (APTs)Malware
OPERATIONAL LEVEL
Targeting individuals and groups
- Low level skills
Cyber Bullying Online Gambling Phishing –ID Theft
Denial of Service
Defamation Malware/Virus Infection Pornography Identity Theft
IPR Infringement Money Laundering Sedition Cyber Fraud
Internet Mule Cyber Stalking Love Scam Cyber Stalking
CYBER THREATS TARGETING AT VARIOUS LEVELS
01/15/2014
3
Copyright © 2013 CyberSecurity Malaysia
81 196 527 347
860 625 912 915 754 1,372
1,038
2,123
3,566
8,090
15,218
9,986
5592
-
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
CYBER SECURITY INCIDENTS IN MALAYSIA
5
Type of incidents:
1. Intrusion2. Intrusion Attempt3. Denial of Service Attack (DOS)4. Fraud5. Cyber Harassment6. Spam7. Content Related8. Vulnerabilities Report9. Malicious Codes
Number of cyber security incidents referred to CyberSecurity Malaysia (excluding spams)
Cyber Incidents Referred to CyberSecurity Malaysia from 1997 - 31 Aug 2013
As of 31 Aug 2013
7753
Copyright © 2013 CyberSecurity Malaysia
6
Technology Related Threats Technology Related Threats
Hacking
Fraud
Denial of Service Attack
Cross-Border Investigation & Evidential Matters
Malicious Software
Espionage
Chat, Forum & Electronic Bulletin
Sedition
Slide 6
Cyber Content Related ThreatsCyber Content Related ThreatsIssuesIssues
International Collaboration
International Laws
CATEGORIES OF CYBER THREATS - Malaysia’s perspectives
Defamation
Pornography
6
Online Gambling
01/15/2014
4
Copyright © 2013 CyberSecurity Malaysia 7
HUMAN IS THE WEAKEST LINK
Copyright © 2013 CyberSecurity Malaysia
CAPACITY BUILDING TO STRENGTHEN CYBER SECURITY
8
01/15/2014
5
Copyright © 2013 CyberSecurity Malaysia 9
CSCAP Memorandum No.20 tabled at ARF in May 2012 recommends that at the level of regional cooperation, the ASEAN Regional Forum should:
Implement capacity building and technical assistance measures.Priority should be given on developing a program of advice, training and technical assistance that strengthens the cyber security capacity, including capability of crisis management of all states.
THE COUNCIL FOR SECURITY COOPERATION IN ASIA PACIFIC (CSCAP) MEMORANDUM NO.20
Copyright © 2013 CyberSecurity Malaysia
POLICY THRUST EXPECTED OUTCOME
Ministry of Science,
Technology & Innovation
PT 1EFFECTIVE
GOVERNANCE
Establishment of a national info security coordination
centre
Attorney General’s
Office
PT 2LEGISLATIVE
®ULATORY FRAMEWORK
Reduction of & increased in
success in, the prosecution in
cyber crime
Expansion of national
certification scheme for
infosec mgmt & assurance
PT 4CULTURE OF SECURITY &
CAPACITY BUILDING
Reduced no. of InfoSec
incidents through improved
awareness & skill level
PT 5RESEARCH &
DEVELOPMENT TOWARDS SELF
RELIANCE
Acceptance & utilization of
local developed
info security products
Ministry of Information,
Communication& Culture
PT 6COMPLIANCE & ENFORCEMENT
Strengthen or include infosec enforcement
role in all CNII regulatorsI
National Security Council
PT 7CYBER SECURITY
EMERGENCY READINESS
CNII resilience against cyber
crime, terrorism, info
warfare
PT 8INTERNATIONAL COOPERATION
International branding on
CNII protection with improved awareness &
skill level
PT – Policy Thrust
Ministry of Science,
Technology & Innovation
Ministry of Science,
Technology & Innovation
Ministry of Science,
Technology & Innovation
Ministry of Enery, Water
& Communications
CAPACITY BUILDING - Malaysia’s Initiatives
Ministry of Information,
Communication & Culture
PT 3CYBER SECURITY TECHNOLOGY FRAMEWORK
National Cyber Security Policy – Policy Thrusts
10
01/15/2014
6
Copyright © 2013 CyberSecurity Malaysia
Collaboration between CyberSecurity Malaysia and
Institute of Higher Learning (IHL) in various comprehensive cyber
security modules
Develops curriculum in cyber security for colleges, polytechnics and universities to build expertise
in cyber security with MOE
Provides competency and professional
Training programs
•as of Dec 2012 – 3045 professionals.•targeted ratio of 1:2000 in 2020 with- required number of 17,026 professionals
(based on estimated population population incrementrate 1.8% per year)
•to nurture about 1748 information security professionals yearly
Malaysia emphasizes on the importance of capacity building
CAPACITY BUILDING - Malaysia’s Initiatives
11
Copyright © 2013 CyberSecurity Malaysia 12
The study was completed in November 2010
• The capacity building programs are targeted towards Critical National Information Infrastructure (CNII) and the Malaysian society at all levels
• Focusing on efforts to increase the knowledge and skill sets on the information security workforce
• Aimed at creating a quality and well-equipped information security workforce and promoting recognition of the Information Security profession.
NATIONAL STRATEGY FOR CYBER SECURITY ACCULTURATION & CAPACITY BUILDING PROGRAM
01/15/2014
7
Copyright © 2013 CyberSecurity Malaysia 13
NATIONAL STRATEGY FOR CYBER SECURITY ACCULTURATION & CAPACITY BUILDING PROGRAM – Skills and Competency Framework (SaCF)
Non-technical skills such as teamwork, leadership, communication skills, analysis and decision making will also be emphasized to develop a well-balanced professional
* Based on 11 domains of ISO 27001
13
Copyright © 2013 CyberSecurity Malaysia 14
THE GUIDELINE TO DETERMINE INFORMATION SECURITY PROFESSIONALS REQUIREMENTS FOR THE CNII AGENCIES / ORGANIZATIONS
• Developed in May 2013• To provide a guideline when:
CNII agency / organization wishes to set up a team of Information Security Professionals
CNII agency / organization wishes to assess the adequacy of its current Information Security Professionals
•Three areas of the Information Security Professional requirements that a CNII agency/organization should address:
Roles & Responsibilities of Information SecurityProfessionals
Competency of Information Security Professionals Minimum number of Information Security Professionals
01/15/2014
8
Copyright © 2013 CyberSecurity Malaysia
THE GUIDELINE TO DETERMINE INFORMATION SECURITY PROFESSIONALS REQUIREMENTS FOR THE CNII AGENCIES / ORGANIZATIONS- Information Security Professional Requirements
15
Copyright © 2013 CyberSecurity Malaysia 16
LIST OF CERTIFICATIONs
16
01/15/2014
9
Copyright © 2013 CyberSecurity Malaysia 17https://www.cyberguru.my/cybersec/
PORTAL FOR INFORMATION SECURITY PROFESSIONALS
Copyright © 2013 CyberSecurity Malaysia
OIC-CERT WAY FORWARD Public Private Partnership through
an alliance Platform to raise capability & readiness of nations and achieve common grounds
GCSA(Global Cyber
Security Alliance)
EDUCATION & OUTREACH
PROFESSIONAL TRAINING
WEALTH CREATION SOLUTIONS
56 OIC MembersMALAYSIA is the CHAIR
OIC-CERT
18
TO BE AT PAR WITH INTERNATIONAL STANDARDS
& BEST PRACTICES
Collaborate with Islamic Development Bank in
providing training to OIC-CERT members in cyber security
MALAYSIA’S INITIATIVES- OIC CERT
01/15/2014
10
Copyright © 2013 CyberSecurity Malaysia
• Regional Cyber Drill- using our experiences in coordinating the annual Asia PacificComputer Emergency Response Team Cyber Exercise (APCERT)
• Domestic Cyber Drill (X-Maya)- exercising high-level of national preparedness for cyber crisis involving Government & critical sectors under the coordination of National Security Council
MALAYSIA’S INITIATIVES- Cyber Crisis Handling Exercises
19
Copyright © 2013 CyberSecurity Malaysia 20
CONCLUSION
• Malaysia gives emphasis on human factor – the key asset to strengthen domestic cyber security
• Malaysia continues to adopt evolutionary and innovative approach in capacity building program
• As part of regional community, Malaysia’s efforts in capacity building is also to strengthen regional cyber security
• Regional states to collaborate and combine ideas to stay ahead of rapidly changing cyber threats
01/15/2014
11
Copyright © 2013 CyberSecurity MalaysiaCopyright © 2013 CyberSecurity Malaysia 2121