Computer and Network Security, Mamak Style

http://www.intanbk.intan.my/psimr/editorial.htm

From the link above -

In 1997, the Malaysian Government launched the Electronic Government initiative to reinvent itself to lead the country into the Information Age. The implementation of e-Government in Malaysia heralds the beginning of a journey of reinventing the government by transforming the way it operates, modernizing and enhancing its service delivery.

I have also taken a study of the link below especially about Information Policy -

http://www.american.edu/initeb/ym6974a/egovernment.htm

I'm not into law, however I have actually studied Malaysia Cyber Law myself. And it seems there are not much changes of Cyber Law in Malaysia comparing last time. I would like to point out the following sentences that are mentioned in the link above -

With the implementation of the Multimedia Super Corridor, the Government makes a commitment to MSC-Status companies in one of the 10-Point Bill of Guarantees to provide a comprehensive regulatory framework of intellectual property protection and cyberlaws to facilitate and assist the development of a truly ICT and multimedia environment

The Computer Crimes Act 1997, effective as of the 1st of June 2000, created several offences relating to the misuse of computers. Among others, it deals with unauthorised access to computer material, unauthorised access with intent to commit other offences and unauthorised modification of computer contents. It also makes provisions to facilitate investigations for the enforcement of the Act.

Then I came across two links below -

http://ecommerze.blogspot.com/2007/11/e-government-malaysia-is-now-ranked.html


http://www.bespacific.com/mt/archives/014309.html

Hey, don't feel proud when you see we are in good position. In fact the E-Government Ranking is putting me into worry state. The highest rank Malaysia is, that means we have most of our data available online and that can be serious issue if the information leaking happens. And the information leaking is already happened but the gov seems not to take much actions to prevent them over the years, whether they are informed or not.

Besides, we are pretty much proud of ourself with the slogan "Malaysia Boleh(Malaysia Can)", but according to the trusted research from Google -

http://research.google.com/archive/provos-2008a.pdf

What we are proud of?
Malaysia is in the top 5 of the world's malware distribution site, below Russia, United States and China, and above Korea. More than happy, government website is serving malwares as well.

Life can become very convenience when we can use gov services online, but the concern raises -

How can we use the E-Government services is really a big question, do you expect that you will be infected by malwares such as virus, trojan or rootkit if you are surfing around gov sites instead of pr0n site?

For now, I think The Computer Crimes Act is neither effective nor it is enforced. We are impossible to become role model in implementing E-Government, plus we are not supposed to take the lead in cyber security initiative because we are not ready.

Conclusion:

This is straightforward summary of all the information security issues that need to be solved by the gov -

1. Poor Implementation Of Network Infrastructure
2. Poor Implementation Of Web Application
3. Poor Implementation Of Network Security Monitoring Operation
4. Poor Implementation Of Incident Response Operation

We have taken closer look that almost 99% of successful compromise at gov site is using known vulnerabilities in the web application itself. If gov can fix num 2, and apply security monitoring continuously and having incident response team ready, there won't be much issues. I do know that saying is easy than done as there are too many vendors involve in the process, but to me since gov is paying big money to them, if the vendors can't do their part, they are not competent enough to be the trusted vendors and should be deleted.

Advice:

You don't fly while you can't even walk properly.

C.S.Lee(geek00L) which is me and Meling Mudin(spoonfork) will conduct a training with the title of -

Understanding Network Conversations:
Practical Network Flow Analysis

The hands on training session will be conducted on 28th & 29th of July 2008. Bear in mind this is technical centric training and we only expect 15 students.

Who should attend?

Network Security Analyst
Network Administrator
ISP Network Architect
System Administrator

Bonus

+ First 10 registrants get free seat for HITB Conference Kuala Lumpur in October 2008

+ Human Resources Development Fund(HRDF) Claimable

For more information, check it out at -

http://training.hitb.org/flowanalysis/