Compendium on Information Network Security (MCMC 2005)



© Malaysian Communications and Multimedia Commission 2005

The information or material in this publication is protected under copyright and, save where otherwise stated, may be reproduced for non-commercial use provided it is reproduced accurately and not used in a misleading context. Where any material is reproduced, MCMC as the source of the material must be identified and the copyright status acknowledged.

The permission to reproduce does not extend to any information or material the copyright of which belongs to any other person, organisation or third party. Authorisation or permission to reproduce such information or material must be obtained from the copyright holders concerned.

Malaysian Communications and Multimedia Commission
63000 Cyberjaya, Selangor Darul Ehsan, Malaysia.
Tel: 6 03 - 8688 8000 Fax: 6 03 - 8688 1000
Toll Free Numbers: 1-800-888030
http://www.mcmc.gov.my


TABLE OF CONTENTS

ACKNOWLEDGEMENT

1 INTRODUCTION

2 GENERAL INFORMATION FOR CONSUMERS 1

2.1 Positive Use of the Internet – MCMC 3

2.2 General Information on Spam: Strategies and initiatives to curb it in Malaysia – MCMC 9

2.3 Home and Business User Computer Security – Ronald Yap, Ixaris Sdn Bhd 17

2.4 Online/Cyber Threats to Home Users and Business Entities – Dhillon Andrew Kannabhiran 27

2.5 Home Computer Security – How to safeguard your privacy and security when utilizing the Internet – PIKOM Info-Security SIG 37

2.6 What you should know about Cyber Crime and the Malaysian Cyber Laws – Deepak Pillai of Rajes, Hisham Pillai and Gopal, Advocates & Solicitors 43

2.7 What you should know about Digital Signature and the Digital Signature Act 1997 – MCMC, MSC Trustgate Sdn Bhd and Digicert Sdn Bhd 53

E-SECURITY AWARENESS SURVEY 2003 & 2004 81

3 MORE SPECIFIC INFORMATION FOR BUSINESSES 117

3.1 Incidence Response and Handling for Everyone – NISER 117

3.2 Viruses, Worms, Trojan Horses 101 – NISER 127

3.3 The Importance of an Information Communication and Technology (ICT) Security Audit for Business Organizations – Murari Kalyanaramani and James Tseng, PricewaterhouseCoopers 153

3.4 The portrayal of applicable information technology (IT) Security Standards in Malaysia – Basri Zainol, SIRIM Berhad 165

3.5 Open Source and Security – Dr. Nah Soo Hoe, Independent Consultant 191

3.6 Advancing Security – Building Trust in Computing – Meng-Chow Kang, Regional Chief Security & Privacy Advisor for Microsoft Asia Pacific 215

LIST OF PARTICIPANTS 227

FURTHER ENQUIRIES 228


ACKNOWLEDGEMENT

MCMC would like to express its gratitude to all those

who have contributed to the completion of this

Compendium. They have selflessly shared their

time, expertise and knowledge in the interest

of the general public in Malaysia.


INTRODUCTION

Over the last decade, the public and private sectors have become increasingly reliant on computer network systems to support critical operations and infrastructure. The benefits have been enormous in terms of facilitating communications, transactions and the way businesses and government function. Info-communications has become an increasingly important factor in the global economy.

Most people and organizations believe that technology is the answer to securing the network infrastructure. However, the answer to ensuring cyber security does not lie with technology alone but more with processes and policies, and with people realising that they are a crucial element in ensuring e-security.

The pace of growth of the ICT industry, which depends on these network systems, appears to outstrip the pace at which ICT users educate and prepare themselves to maintain those systems and tackle the issues that arise from them. By emphasising education and awareness of a core skill set in information and network security, users will be able to tackle the challenges therein.

ICT users, whether ordinary consumers or organizations such as government or industry, must be provided with the knowledge, tools and expertise to maintain secure information systems and data communications. For the business and government sectors, education and awareness is paramount: it avoids exposing the government or the local industry to the expenditure of incident recovery.

The Malaysian Communications and Multimedia Commission, realising this need, is committed to the development of education and awareness programmes on information and network security in the face of rampant occurrences of website defacement, denial-of-service (DoS) attacks, spamming, phishing, viruses and hacking.

As part of this initiative, the Commission, with the cooperation of local experts, has compiled a compendium comprising a variety of subject matter concerning information and network security. The main objective of the compendium is to contribute to the learning and educational experience of ICT users and consumers. It is intended to complement other sources of information on the subject of information and network security.


GENERAL INFORMATION FOR CONSUMERS


INFORMATION NETWORK SECURITY DEPARTMENT, MALAYSIAN COMMUNICATIONS AND MULTIMEDIA COMMISSION

The Malaysian Communications and Multimedia Commission (MCMC) was established on 1 November 1998 and is charged with regulating the converging industries of broadcasting, telecommunications and online services in accordance with the national policy objectives set out in the Communications and Multimedia Act 1998.

The specific role of the Information and Network Security (INS) department is to ensure information security and network reliability and integrity within the communications and multimedia industry, in particular the critical communications and multimedia infrastructure. Part of the general scope of work of the department is the promotion of education and awareness of best information and network security practices.


POSITIVE USE OF THE INTERNET

MALAYSIAN COMMUNICATIONS & MULTIMEDIA COMMISSION

The Internet has revolutionized the computer and communications world like nothing before. It offers a worldwide broadcasting capability, a mechanism for information dissemination and a medium for collaboration and interaction between individuals and their computers without regard for geographic location.

However, the Internet, being an open medium, is susceptible to misuse. There has been a rapid rise in the number of unsuitable websites dedicated to harmful and undesirable content. There is therefore an urgent need to mitigate misuse of the Internet at an early stage and to promote its ethical use through awareness and educational programmes.

The Internet is a place where worldwide information and communication is constantly expanding and evolving. Just as with any culture, there are customs that provide guidelines and cohesiveness to the people involved.

In this article, some guidelines are provided to assist “newbies” in their approach to electronic communication. These guidelines offer helpful hints on some common and frequently asked questions and global “standards” for the following:

Chat Room Ethics
E-Mails
How to Choose a Password
Internet Tips for Parents
Internet Abbreviations

The guidelines are intended to help Internet users understand what is considered abuse of available resources and to help users be responsible in accessing or transmitting information through the Internet.



CHAT ROOM ETHICS

The Internet has opened up a whole new world for us to meet online and converse in real time about our hobbies, thoughts and beliefs. However, as in face-to-face communication, there are some common courtesies and protocols that must be observed while addressing others online.

Use proper judgment when choosing a nickname that you will use in the chat room. Avoid using any rude or inappropriate names. Use a name that best describes yourself to others, e.g. your first name, initials, or even a hobby or interest.

The best way to initiate a conversation is to use a simple and pleasant greeting, such as “Hi Everyone” or “Good Morning”. If this fails to catch anyone’s attention, you could attempt to address a particular member with a question.

When chatting, do not type in capital or boldface letters, as this is considered yelling in the online world.

Many people in chat rooms tend to let their guard down and may insult or verbally abuse you. You should either ignore the person or use your chat software to block their messages. If the verbal sparring is the result of a disagreement with another member, try to remedy the situation by politely talking it over together. At the same time, if you find you are in the wrong, be sure to promptly correct yourself and apologize to those you have offended.

Avoid asking personal questions such as age, sex and marital status, unless you know the person very well and you are both comfortable with sharing personal information.

Welcome and respect any newcomers entering for the first time. Offer advice when asked, but try not to overload the room with constant advice or opinions; give others their chance to speak.

If your messages are long, try to type and send them in sections to avoid constant scrolling on other members’ screens. If possible, send the lengthy message privately or to a couple of members at a time.

Depending on the chat rooms that you frequent, watch your language and subject of discussion. Parents should be aware of the type of discussion their child is engaged in.

Abusive chatters should be avoided. This includes attacks on other chatters, constant and unnecessary profanity and member stalking.

Finally, remember to treat others online in the same way you would want to be treated. By observing these basic rules of etiquette, everyone can have a better online chat experience.


E-MAIL

Some do’s and don’ts in sending and replying to e-mails:

When forwarding an e-mail, don’t include your entire address list in the “TO” field. Learn to use distribution lists or send blind carbon copies (BCC), so that recipients do not see one another’s addresses.

Don’t respond to any of the “Make Money Fast” postings, as most are illegal.

Respect other people’s privacy. If someone sends you a personal e-mail, don’t forward it to a newsgroup or anywhere else.

E-mail is not private. It is unlikely that anyone but the recipient will ever read it, but it is possible: a message passes through and is stored on servers you do not control, and anyone with access to them can read it unless it is encrypted.

Use the subject field: an unhelpful subject makes a message difficult to file, forward or respond to meaningfully.

When responding to e-mail, don’t quote the entire original message in your reply. Quote only the relevant parts.

DON’T TYPE IN ALL UPPER CASE; it’s considered SHOUTING.

If you want to unsubscribe from a public mailing list, make sure the UNSUBSCRIBE command is sent to the list server and not to the mailing list itself. If you send it to the list, you irritate every member who receives your message, and you will still be subscribed.

Effective use of the Internet is not difficult; it merely requires practice, a bit of common sense, and the ability to learn from other people’s mistakes.

HOW TO CHOOSE A PASSWORD

Access to an online computer service or Internet Applications Service Provider (IASP) requires both a user name and a password. As user names are easy to guess, one must be very careful with the password.

Tips on how to select a good password:

The minimum length of your password should be at least five (5) characters: automated programs can easily try all combinations of characters in a password shorter than that. (Five characters was the floor when this compendium was written in 2005; offline, against a fast hash, a modern computer tries all of the roughly 9 x 10^8 mixed-case alphanumeric five-character combinations in seconds, so treat it as an absolute minimum and prefer considerably longer passwords.)

In short passwords, use at least one upper-case letter, at least one lower-case letter and at least one digit, e.g. d4surF.

To create a long password, use two words, each with at least five (5) characters, perhaps separated by one digit (flower4daisy).


Avoid obvious passwords:
– your name
– anyone’s first name, especially the name of family members or pets
– your nickname
– your home telephone number
– your date of birth
– your astrological sign
– the licence plate number of your car
– any other publicly available information

Once a password is chosen, do not write it down and do not tell anyone what it is. If you have written it down, keep it in a safe place, e.g. a bank deposit box (for your personal account) or a safe in the corporate office (for the company’s computer).

When you get a new computer account, it will come with an initial password. Follow the instructions from the system administrator for choosing your own password, and change the initial password: it may have been seen by someone who gave or mailed it to you.

Use a different password at each website, service provider or computer account.

Changing your password every few weeks was standard advice from computer security experts at the time of writing. It also makes it easier to forget your password, and more recent guidance favours changing a password when there is reason to believe it has been exposed rather than on a fixed schedule. If you do forget your password, you will need to contact a system administrator, prove that you really are the legitimate user and get a new initial password assigned.
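The rules above can be turned into a simple checker. The following is an added example, not code from the compendium: it encodes the page’s own rules (minimum length; upper- and lower-case plus a digit for short passwords; two words of at least five letters joined by a digit for long ones; nothing derived from personal information) and also reports the brute-force search space in bits, which is what the “automated programs” mentioned above must exhaust. The MIN_LENGTH constant, the helper names and the sample inputs are assumptions made for this illustration.

```python
"""Password checker built from the selection rules above.

Added example, not from the original compendium. MIN_LENGTH, the helper
names and the sample inputs are assumptions made for this illustration.
"""
import math
import re
import string
from typing import Iterable, List, Tuple

# The compendium's 2005 floor. Treat it as an absolute minimum: 62**5 is
# about 9.2e8 combinations, which is trivial for a modern machine.
MIN_LENGTH = 5

# Long form from the text: two words of five or more letters joined by a
# single digit, e.g. flower4daisy.
LONG_FORM = re.compile(r"[A-Za-z]{5,}\d[A-Za-z]{5,}")


def keyspace_bits(password: str) -> float:
    """Bits of exhaustive-search space for this length and the character
    classes used (62**n for mixed-case alphanumerics). This is what an
    automatic program must try; it says nothing about guessability."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_obvious(password: str, personal: Iterable[str]) -> bool:
    """True if the password contains any of the user's public facts
    (names, phone number, date of birth, plate number, ...)."""
    lowered = password.lower()
    pw_digits = re.sub(r"\D", "", password)
    for item in personal:
        text = item.lower()
        digits = re.sub(r"\D", "", item)
        if text and text in lowered:
            return True
        if len(digits) >= 4 and digits in pw_digits:
            return True
    return False


def check_password(password: str, personal: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Apply the compendium's rules; returns (acceptable, list of problems)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if LONG_FORM.fullmatch(password) is None and not (has_upper and has_lower and has_digit):
        problems.append("short form needs an upper-case letter, a lower-case letter and a digit")
    if is_obvious(password, personal):
        problems.append("contains personal or publicly available information")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample inputs: a user's public facts and four candidates.
    facts = ["John", "Rex", "03-1234 5678", "1985-03-12", "WXY 1234"]
    for candidate in ("d4surF", "flower4daisy", "john1985", "abc"):
        ok, why = check_password(candidate, facts)
        print(f"{candidate:14} {keyspace_bits(candidate):5.1f} bits  {'ok' if ok else why}")
```

The search-space figure measures only resistance to exhaustive search. A password built from dictionary words, such as flower4daisy, has far less real guessing resistance than its length suggests, because cracking tools try word-digit-word patterns long before they try every character combination; that is why the list of obvious values matters as much as the character-class rules.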

INTERNET TIPS FOR PARENTS

1. Keep the computer in a common area within your home

Do not keep the computer in your child’s bedroom: it is not an inanimate tool like a desk or an atlas. Keep the computer in the living room, family area or study, or accompany your child when they use computers at public libraries or Internet cafes.

This way you, as a parent, and any other adults in the house can check in on your child as he or she explores the Internet. If it is not possible to keep the computer in a common area of the home, then it is even more important to check in on your child while they are online and to spend time with your child while they are online.

2. Spend time with your child, online

Just as you teach your child about the real world by exploring it with them, guide them through the online world. Learn about the services your child uses by taking the time to see what they are doing online and where their interests lie. If you run into content that is offensive to you, talk to your child about it. Explain why you believe the material is harmful and what you intend to do.

USEFUL SITES:

Cyberpatrol : http://www.cyberpatrol.com
Net Nanny : http://www.netnanny.com


3. Report suspicious activity

Encourage your child to tell you when they run into content that they are unsure about, and not to respond to it. Upon reviewing the questionable material, if you believe that someone online is doing or about to do something illegal, then you should report it to the appropriate authorities. Reports can be made to your Internet Access Service Provider, the Content Forum of Malaysia, the Malaysian Communications and Multimedia Commission or the police. Make sure that you keep copies of all the e-mail messages including the header information; the authorities will need them.

4. Set reasonable rules and guidelines for your child, and decide whether or not to use blocking or filtering software

Discuss your rules and guidelines with your child, post them near the computer and monitor your child’s compliance. The rules should set reasonable limits on the amount of time spent online.

If you decide to use blocking software, then find one that is consistent with the set rules and guidelines. Additionally, you should take the time to learn the strengths and limitations of the package that you choose.

5. Monitor your credit card bills and your phone bills

A credit card number is required to gain access to many adult Internet sites, and a modem can be used to dial phone numbers other than the phone number of your Internet Service Provider.

6. Tell your child not to give out personal information online

This is the Internet version of “never talk to strangers”. Teach your child never to give out their name, address, phone number, school name or any personal information, especially in public places like chat rooms and bulletin boards.

Using a nickname or a pseudonym is common practice on the Internet and it is a way in which your child can protect their personal information to a certain extent.

7. Know your children’s online friends

It is possible to form beneficial and lasting relationships online, but there are people who misrepresent themselves and may take advantage of your child. Make sure that your child knows not to arrange to meet their online friends without your permission. If you permit a meeting with an online friend, then make sure of the following:
(i) you accompany your child; and
(ii) they meet in a public spot.

8. Learn more about the Internet

Take the time to learn more about the Internet. Ask your child to teach you what they know. Look for courses being offered in your community.

USEFUL SITES:

http://www.safekids.com
http://www.safeteens.com
http://www.safekids.com/computers.htm
www.pagi.org.sg


INTERNET ABBREVIATIONS

The Internet is full of cryptic shorthand that makes a point without having to spell out every word. This can be very useful in a fast-moving chat channel; other chatters can see your message in an instant. Some of the more common abbreviations are:

(a) LOL – Laughing Out Loud
Mild amusement at a remark by another user. You could also key in LOL at the end of a remark to show that your remarks are in humour and not to be taken seriously.

(b) ROFL – Rolling On Floor Laughing
Strong amusement at a remark.

(c) BRB – Be Right Back
Indicates the user is away from the keyboard for a short period.

(d) BBL – Be Back Later
No set time period.

(e) AFK – Away From Keyboard
User is still online and in channel but is taking an extended break, maybe attending to a phone call.

(f) CLICK – Used in Yahoo Chat and elsewhere
This means the user is ignoring someone who is offensive.

Some other abbreviations are as follows:

AFAICS – As Far As I Can See
AFAIK – As Far As I Know
BTW – By The Way
FWIW – For What It’s Worth
HTH – Hope That Helps
IIRC – If I Remember Correctly
IME – In My Experience
IMO – In My Opinion
IRL – In Real Life
IYKWIM – If You Know What I Mean

USEFUL SITE:

www.stateofmindgames.co.uk


GENERAL INFORMATION ON SPAM: STRATEGIES AND INITIATIVES TO CURB IT IN MALAYSIA


MALAYSIAN COMMUNICATIONS & MULTIMEDIA COMMISSION

Introduction

Spam, which has increased rapidly with the development of the Internet and IT, causes great harm to Internet users: interrupting work, spreading viruses and infringing upon privacy, as well as wasting resources through increased traffic.

In a worrying trend, Spam is flooding the Internet in an attempt to force messages on people who would not otherwise choose to receive them. Most Spam is commercial advertising, often for dubious products, get-rich-quick schemes and the like.

To prevent the further proliferation of Spam, the government, public institutions, general users and providers must all play their roles effectively to curb the increase in spamming activity.

Definition of Spam

All around the world, various definitions have been adopted by different stakeholders to define Spam. Although these definitions share some common points, there is still no standard universal definition of Spam.

A simple definition of Spam would be “all unsolicited bulk e-mail”. Whatever definition is adopted, they all share the following common elements, and Spam can be characterised as:1

Non-consensual
Spam is transmitted to recipients without their explicit consent.

Indiscriminate
Spam is transmitted indiscriminately, without any knowledge about the recipients apart from their e-mail addresses.

Repetitious
Spam messages are repetitious.

Illegal or unsound content
It is very common for Spam messages to contain fraudulent, unpleasant or offensive content, including obscene images.

Forged and/or altered
In most cases, Spam contains false information about the sender. Spammers also forge or alter the mail headers to hide or disguise their identities.

REFERENCES:

1. Guide to Best Practices for Blocking Spam, version 1.0, by Korean Information Security Agency.


Why is Spam such a problem?

Spam has increased to such an extent that it is having a significantly negative effect on users’ confidence in using e-mail. Receiving Spam is a nuisance to recipients, who have to spend time sifting through and deleting unwanted e-mails.

Apart from end users, Internet and e-mail service providers also incur additional cost, as Spam imposes storage, transmission and computing costs.

How does the Spammer get my e-mail address?

Spammers use various means to obtain e-mail addresses. Among the ways used are:

(i) Using automatic programs or “harvesters” to scan newsgroups, web pages and forwarded e-mails.

(ii) Purchasing lists of e-mail addresses from third parties who compile such information.

(iii) Using “dictionary attacks”: sending to every combination of letters, common names and words at a domain and keeping the addresses that are accepted or do not bounce.

Distinguishing Spam from legitimate mail

The main distinguishing factor between a legitimate message and Spam is consent. Simply put, if you asked for it, it’s not Spam. As an example, mass mailings of a commercial nature are legitimate if you invited the communication by signing up for “news” on certain topics or for offers of a particular kind.

E-mail from friends is not Spam. Receiving forwarded mail from friends, although annoying, is not Spam. If the sender is known to you, the best way to put a stop to it is to politely ask them to stop sending you such mail.

What should businesses sending commercial e-mails do?

The first rule is for the marketer to obtain the permission or consent of the recipient before sending out marketing messages. The target audience should be only those who have expressed an interest in the particular product or service being marketed by that sender.

The sender is also obliged to provide accurate sender information and a functional unsubscribe facility in the mail sent out.

Is sending Spam illegal in Malaysia?

The act of sending unsolicited bulk electronic messages is not in itself illegal in Malaysia. However, a person who initiates a communication using any applications service, whether continuously, repeatedly or otherwise, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address, commits an offence.


MCMC’s approach in tackling Spam

MCMC undertook a study in 2003 on Regulating Unsolicited Commercial Messages. A discussion paper, which provided the salient findings from the study and the action plan to be put in place by MCMC to deal with the issues proactively, was issued for public comment and feedback.

Among the salient issues discussed in the public consultation paper are:

• Suggesting a possible definition of Spam to be used by all service providers
• Identifying the scope of Spam and its use as a marketing tool
• The impact of Spam
• Identifying the need to regulate and monitor Spam via Internet e-mail and mobile short messaging (SMS)
• Identifying legal provisions in the Communications and Multimedia Act 1998 that deal with this issue; and
• Developing and coordinating an action plan amongst the service providers, Content Forum, Consumer Forum and the Commission in managing this issue.

Based on the feedback and comments received, MCMC adopted a multi-pronged approach to dealing with Spam:

(i) Self-regulation by users through education and awareness initiatives;
(ii) Management by service providers; and
(iii) International cooperation.

Further information on the implementation of the above measures is contained in the “Report on a Public Consultation Exercise on Regulating Unsolicited Commercial Messages” dated 17 February 2004, which can be downloaded from www.mcmc.gov.my.

Management of Spam

MCMC is adopting a four-tiered approach to managing Spam.

First tier : Self-management by users
Second tier : Forward complaint to service providers
Third tier : If complaints remain unresolved, the next recourse is to complain to the Consumer Forum of Malaysia (CfM)
Fourth tier : If still unresolved, the matter is escalated to MCMC


Complaint procedures

Consumers who are plagued by Spam have the recourse of reporting it to their service providers. In the event the complaints remain unresolved at the service provider end, the complaint can be escalated to the Consumer Forum of Malaysia and thereafter further escalated to MCMC.

• Guidelines for Complaints Handling

MCMC released a Guideline on Complaints Handling which provides information on the making, receipt and handling of complaints from consumers.

• Online Complaints Form

This form was created to facilitate complaints from consumers on issues relating to Spam. It is to be read in conjunction with the Guidelines for Complaints Handling.

Both the Guidelines and the online complaints form are available at www.mcmc.gov.my.

FLOW CHART

To be addressed by User: Resolved, or Escalated to
To be addressed by Service Provider: Resolved, or Escalated to
To be addressed by Forum: Resolved, or Escalated to
To be addressed by MCMC: Resolved


Spam Laws

• Overview of Section 233(1)(b) of the CMA 1998

Section 233(1)(b) states:

“A person who initiates a communication using any applications service, whether continuously, repeatedly or otherwise, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address, commits an offence.”

The intent underlying Section 233(1)(b) may be relied on to deal with unsolicited communications and is an appropriate section for dealing with the problems caused by spamming activities.

• Other relevant legislation from around the world

MCMC continues to monitor the development of Spam laws and legislation in various jurisdictions around the world, e.g. the United States of America, Australia, South Korea and Singapore.

Tips for reducing Spam

There are numerous tips to reduce or curb Spam; some of the common ones are shared here:

• Never buy anything advertised in Spam

Spam is all about selling. Spammers need only a small number of buyers for every thousand messages they send out. Spammers exist because there are people who purchase what they peddle. If people stop purchasing the products, it becomes pointless for them to send Spam.

• Don’t reply to Spam

Many Spammers ask for a reply to say whether you want to be taken off their list. By responding, you are actually confirming that your e-mail account is active, and so opening yourself to a deluge of Spam.

• Don’t open Spam

Some Spam messages contain web bugs: remote images, often a single invisible pixel whose URL carries a recipient-specific token, that your mail client fetches from the sender’s server when the message is displayed. The fetch notifies the sender that the e-mail has been opened, which confirms to the Spammer that your address is valid. Configuring your mail client not to load remote images defeats this.
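What a web bug looks like in practice, as an added example that is not part of the original article: the code parses an HTML message body, collects every image that would be fetched from a remote server, and flags the ones that behave like trackers (one-pixel or hidden images, or image URLs carrying a recipient-specific token). The sample message, the domains shop.example and track.example, and the list of token parameter names are constructed for this illustration; the token names are a guess at common tracker conventions, not a standard.

```python
"""Finding web bugs (tracking images) in an HTML e-mail body.

Added example, not from the original compendium. The sample message and
the domains in it are constructed; TOKEN_KEYS is a guess at common
tracker conventions, not a standard.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import parse_qs, urlparse


class RemoteImageFinder(HTMLParser):
    """Collect the attributes of every <img> fetched over the network."""

    def __init__(self) -> None:
        super().__init__()
        self.remote_images: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # Only http(s) sources cause a network fetch; cid:/data: do not.
        if urlparse(a.get("src", "")).scheme in ("http", "https"):
            self.remote_images.append(a)


def _dimension(value: str):
    """'1' or '1px' -> 1; anything else (empty, '100%') -> None."""
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


TOKEN_KEYS = {"id", "uid", "email", "rcpt", "token", "track", "u"}


def looks_like_web_bug(img: Dict[str, str]) -> bool:
    """A remote image is suspicious if it is invisible (1x1 or hidden)
    or if its URL carries a recipient-specific token."""
    w, h = _dimension(img.get("width", "")), _dimension(img.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    if "display:none" in img.get("style", "").replace(" ", "").lower():
        return True
    query = parse_qs(urlparse(img.get("src", "")).query)
    return any(k.lower() in TOKEN_KEYS for k in query)


def find_web_bugs(html_body: str) -> List[str]:
    """Return the URL of every remote image that looks like a tracker.
    Every remote image leaks the open to some degree; these are the ones
    whose only apparent purpose is confirming it."""
    finder = RemoteImageFinder()
    finder.feed(html_body)
    return [img["src"] for img in finder.remote_images if looks_like_web_bug(img)]


# Constructed sample: a visible product image plus a 1x1 tracking pixel.
SAMPLE_HTML = """
<html><body>
<p>Limited offer!</p>
<img src="https://shop.example/catalog/widget.jpg" width="300" height="200">
<img src="https://track.example/open?uid=3f9a2c" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for url in find_web_bugs(SAMPLE_HTML):
        print("web bug:", url)
```

The heuristics only distinguish an obvious tracker from an ordinary picture; a mail client that simply refuses to fetch any remote image until you ask it to removes the need to tell them apart, which is why that setting is the practical defence.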

• Don’t publicly divulge your e-mail address

Only give out your e-mail address when there is a justifiable need. When someone asks you for your e-mail address, ask them to explain why they require it. If they are unable to provide a satisfactory explanation, decline to supply your address.


• Never use “remove” options in Spam

Using the “remove” option is the same as replying to Spam.

• Use Spam filters

One of the most effective ways to control Spam is protective software known as filters. Filters allow you to block e-mail messages carrying a specified address, domain, subject or text from being deposited in your inbox.

A number of these filtering tools are available on the market and can be divided as follows:

– Server-side Spam filtering
Prevents the Spam from reaching your mailbox.

– Client-side Spam filtering
Removes the Spam from your mailbox before you have read it.

– DNS Black hole List
A DNSBL is a way to filter Spam by using Domain Name System (DNS) records as a database of policies relating to either an IP address or a domain name. The receiving mail server looks up the connecting sender’s IP address in the list’s DNS zone and uses the answer to decide whether to accept, reject or label the e-mail.

– Blacklist
Blacklists or blocklists are lists of IP addresses, domain names, e-mail addresses or header or body content (or some combination of these) that can be used to identify Spam.

However, the available blacklists can be unverified and their criteria for listing may not be clear, so a listing on its own should not be the sole reason for discarding mail.
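How a receiving mail server uses a DNSBL and a simple blacklist, as an added example that is not from the compendium: the connecting IP address is taken from the topmost Received header (the one written by your own server; lines below it come from the sender and may be forged, as the definition section notes), its octets are reversed and prefixed to the list’s zone, and a DNS A-record answer in 127.0.0.0/8 means the address is listed. A sender-domain and subject-phrase blacklist is applied alongside. The zone name dnsbl.example, the listed address 192.0.2.25, the blacklist entries, the sample message and the stub resolver are all constructed so the code runs offline; a real deployment would supply a resolver that performs an actual DNS query and would follow the list operator’s documented return codes.

```python
"""Server-side Spam checks: DNSBL lookup and header blacklist matching.

Added example, not from the original compendium. The zone name, the listed
address, the blacklist entries, the sample message and the stub resolver
are constructed for this illustration.
"""
import email
import ipaddress
import re
from email.message import Message
from typing import Callable, List, Optional

Resolver = Callable[[str], List[str]]  # name -> A records ([] if none)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: 192.0.2.25 in zone Z becomes 25.2.0.192.Z."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """An A record inside 127.0.0.0/8 is the DNSBL convention for 'listed'.
    Any other answer is not a listing (and usually means a dead list)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(a.startswith("127.") for a in answers)


def connecting_ip(msg: Message) -> Optional[str]:
    """IP from the topmost Received: header, the one your own MTA added.
    Received: lines further down were supplied by the sender and may be
    forged, so they are deliberately not consulted."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None


# Constructed blacklist entries for the illustration.
BAD_SENDER_DOMAINS = {"cheap-meds.example"}
BAD_SUBJECT_PHRASES = ("make money fast", "you have won")


def classify(raw: str, zone: str, resolve: Resolver) -> List[str]:
    """Return the reasons a message would be flagged; empty means accept."""
    msg = email.message_from_string(raw)
    reasons: List[str] = []
    ip = connecting_ip(msg)
    if ip and is_listed(ip, zone, resolve):
        reasons.append(f"sender IP {ip} listed in {zone}")
    sender = msg.get("From", "")
    domain = sender.rsplit("@", 1)[-1].rstrip(">").strip().lower()
    if domain in BAD_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain} blacklisted")
    subject = msg.get("Subject", "").lower()
    for phrase in BAD_SUBJECT_PHRASES:
        if phrase in subject:
            reasons.append(f"subject matches '{phrase}'")
    return reasons


# Constructed sample data: a placeholder zone, one listed address and a
# resolver stub standing in for real DNS so the example runs offline.
ZONE = "dnsbl.example"
LISTED = {dnsbl_query_name("192.0.2.25", ZONE): ["127.0.0.2"]}


def stub_resolve(name: str) -> List[str]:
    return LISTED.get(name, [])


SAMPLE_SPAM = """\
Received: from mx.cheap-meds.example ([192.0.2.25]) by mail.example.my
Received: from [10.0.0.5] by mx.cheap-meds.example (supplied by sender)
From: Offers <promo@cheap-meds.example>
Subject: MAKE MONEY FAST

Buy now.
"""

if __name__ == "__main__":
    for reason in classify(SAMPLE_SPAM, ZONE, stub_resolve):
        print(reason)
```

Note that a listing is one signal among several here rather than an automatic rejection, which matches the caveat above about blacklists whose listing criteria are unclear.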

• Have two e-mail accounts

One should be your primary account, which you give to family, friends and colleagues. The second can be used for activities that have a higher likelihood of getting you into a Spam database, e.g. shopping online and posting to newsgroups.

• Check privacy policies and consent forms when signing up for anything online

Check whether you are giving permission for your details to be used for other purposes.

• Ask your Internet Access Service Provider (IASP) what they are doing against Spam

Almost all the IASPs based in Malaysia are members of the Consumer Forum of Malaysia (CfM) and are subject to the Internet Access Service Code of Practice.

• Improve your computer’s security

If your computer is infected by a virus or other malware, it may be used by Spammers to send out Spam without your knowledge. Download and apply security patches (from your software vendors, or as directed by your service provider) as a security measure.


USEFUL LINKS

Coalition Against Unsolicited Commercial E-mail (CAUCE) – http://www.cauce.org – Pursuing legislative solutions

SpamCon Foundation – http://www.spamcon.org/ – General information and anti-spam tools

Mail Abuse Protection System (MAPS) – http://mail-abuse.org – Spam blacklist service

MAPS Transport Security Initiative – http://www.mail-abuse.org/tsi/ – How to secure your SMTP servers

Fight Spam on the Internet – http://spam.abuse.net

Anti-Spam Research Group (ASRG) – http://asrg.sp.am

http://spamlinks.port5.com/

ENQUIRIES AND ASSISTANCE

For questions on ways to handle Spam, you may contact the helpdesk or postmaster of your IASP.

For general enquiries about Spam, you may contact:

Malaysian Communications and Multimedia Commission
63000 Cyberjaya
Selangor Darul Ehsan

Telephone : 8688 8000
Facsimile : 8688 1000
E-mail : [email protected]


HOME AND BUSINESS USER COMPUTER SECURITY


Mr. Ronald Yap, BSc (Hons) Computerised Accountancy, Certified Information Systems Auditor (CISA, United States of America), Certified Information Systems Security Practitioner (CISSP – ISC2, United States of America), is a member of the Project Management Institute (PMI) USA and its local chapter. Ronald has over 12 years of experience in Europe and Asia in the review, design and implementation of trusted security systems with specialisation in trusted systems, networking and telecommunications. He was involved in numerous IT security reviews and systems implementations for banking, telecommunications, utilities, manufacturing and government organisations. He is also a regular technical trainer for Institut Bank-Bank Malaysia and has spoken at other conferences for the Information Systems Audit and Control Association and the Asia Business Forum. Ronald was formerly a Managing Consultant and Manager in the Technology Risk Services team, PricewaterhouseCoopers, Malaysia and London respectively. Ronald is now an independent systems security advisor and Founder Director of IXARIS Sdn Bhd, a technology services company that focuses on providing technical advisory services, systems solutions, systems implementation and support, training and technology risk management services for banking, telecoms, technology and manufacturing companies. He can be reached at:

IXARIS SDN BHD
38-4 Jalan Bangsar Utama 1
Bangsar Utama
59000 Kuala Lumpur
Tel No. : +60 (0)3 22826010
Fax No. : +60 (0)3 22826086
Mobile : +60 (0)12 2107030
E-mail : [email protected]
Homepage : www.myixaris.net

RONALD YAP, IXARIS SDN BHD


COMPUTER SECURITY, WHY THE CONCERN?

There are many reasons for an increased awareness of IT security-related issues. Home and recreational PC use has increased dramatically. Home PC owners are opting for higher speed Internet access, such as ADSL broadband, which allows them easier access to resources such as the World Wide Web, newsgroups, multimedia content, Internet messaging and e-mail. As computer processing throughput doubles every 18 months, newer PCs perform increasingly complex computations that enhance the user’s experience interacting with the computer systems. This widespread availability and acceptance of computers has dramatically increased the number of people with the ability to compromise data.

As computer prices continue to drop, and people become more comfortable with technology, the reliance on computer-based resources will continue to increase. As this dependence develops, security exposures may lead to disastrous results with possible financial and legal ramifications. At a minimum, a security breach will result in lost time and decreased productivity while a “clean-up” effort occurs. More than likely however, the results will be much worse. Financial losses as well as non-monetary effects will occur. For example, if an insurance company had confidentiality breached and client information was stolen, they would lose credibility and no longer be able to attract clients. They might also suffer legal liability such as fines and/or penalties imposed by the regulator.

SECURITY PRINCIPLES

There are three main aspects of effective IT security: Confidentiality, Integrity, and Availability. These principles are further discussed throughout this paper.

Confidentiality

Maintaining confidentiality is the prevention of unauthorized disclosure of information. Strict controls must be implemented to ensure that only those persons who need access to certain information have that access. In some situations, such as those with confidential and secret information, people should only have access to that data which is necessary to perform their job functions. Many computer crimes involve compromising confidentiality and stealing information. The concept of allowing access to information or resources only to those who need it is called access control.

The most common form of access control is the use of passwords; and the most common form of security breach is the compromising of these passwords. Requiring strong passwords, smart cards or single-use-password devices (tokens) is the first step in preventing unauthorized individuals from accessing sensitive information and is the first layer of defense in access control. Protecting these passwords is one of the most fundamental principles of IT security.


Imagine your business as a house. A system password can be likened to a front door key. No one can enter the house without the key, but it can easily be lost, misplaced, or stolen. Implementing a strong password policy is inexpensive, does not require technical skills and should be taken extremely seriously. Businesses should create and implement an IT security policy that educates employees on good password selection, use duration, and confidentiality.

Another aspect of access control is the limitation of resources available to an employee once they have been authenticated in the corporate network. For example, the entire human resources department might need access to employee information such as addresses and staff ID numbers, but only certain individuals within the department need access to payroll information. Perhaps you want to allow specific individuals to view, but not modify certain information. This very specific, or granular, access control is another layer protecting computer-based resources. Access control can be paralleled in our model house as well. The maid has a front door key so she can come in and clean, but that key does not unlock the door to your home office. Furthermore, the maid does not know the combination to the safe in the bedroom that contains your personal and important documents.

Integrity

Integrity ensures that system information exists in the same state as that in the source documents and has not been exposed to accidental or malicious alteration or destruction. The consequences of using inaccurate information can be disastrous. If improperly modified, data can become useless, or worse, dangerous. Efforts must be made to ensure the accuracy and soundness of data at all times.

When the validity of information is critical, it is often helpful to design application controls and checks to ensure accuracy. It may be important to ensure that information is useless if it is stolen. This may be employed through the use of encryption software. Encryption is the process that transforms information into some secret form to prevent unauthorized individuals from using the data should they acquire it. This prevents interlopers from reading or modifying the information. Encrypting hard disks is a good measure to prevent loss of confidential data held on mobile laptop computers.

A good IT security policy will have complementary preventive and detective control processes. The preventive controls involve the use of strong security controls, while the detective approach includes auditing and monitoring those controls. In this approach, the preventive control may be a properly configured system that prevents users not listed on a security access list from entering the system and records all system access in a log. The network administrator performs the detective component by reviewing those logs for suspicious activity and investigating any deviations from the norm.

It is necessary to take both approaches in order to maintain effective security control. Suppose that every time a door in our house opened, the time of the entrance and the name of the person entering the room was recorded in a log book. Then, anytime something was missing from a room, you could consult the book and see who was in that specific room and question them.
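To make the two layers concrete, here is an added Python example (not from the compendium) that implements the "access list" as a default-deny permission table using the human resources and payroll roles from the earlier example, logs every access decision whether allowed or denied, and then performs the detective review the network administrator would otherwise do by hand: it flags users with repeated denials and successful access outside office hours. The user names, roles, office-hours window and the day of sample activity are assumptions made for the illustration.

```python
"""Added illustration: preventive control (default-deny access list that logs
every decision) plus detective control (log review).  All names, roles and
log entries are constructed for the example."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Preventive control: (role, resource) -> allowed actions.  Any pair that is
# not listed is denied, so an unknown user or role gets nothing.
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("hr_staff", "employee_directory"): {"view"},
    ("hr_payroll", "employee_directory"): {"view"},
    ("hr_payroll", "payroll"): {"view", "modify"},
    ("auditor", "payroll"): {"view"},          # may view but not modify
}
USER_ROLES: Dict[str, str] = {"alice": "hr_staff", "bob": "hr_payroll", "carol": "auditor"}

LogEntry = Tuple[datetime, str, str, str, bool]   # when, user, resource, action, allowed


@dataclass
class AccessLog:
    entries: List[LogEntry] = field(default_factory=list)


def check_access(user: str, resource: str, action: str, when: datetime, log: AccessLog) -> bool:
    """Decide and record.  Every attempt is logged, allowed or not, because the
    denied attempts are exactly what the detective review looks for."""
    role = USER_ROLES.get(user)
    allowed = action in PERMISSIONS.get((role, resource), set())
    log.entries.append((when, user, resource, action, allowed))
    return allowed


def review_log(log: AccessLog, max_denials: int = 3,
               office_hours: Tuple[int, int] = (8, 18)) -> List[str]:
    """Detective control: report deviations from the norm.  Two simple rules:
    repeated denials for one user, and successful access outside office hours."""
    findings: List[str] = []
    denials = Counter(entry[1] for entry in log.entries if not entry[4])
    for user, count in denials.items():
        if count >= max_denials:
            findings.append(f"{user}: {count} denied attempts")
    start, end = office_hours
    for when, user, resource, action, allowed in log.entries:
        if allowed and not start <= when.hour < end:
            findings.append(f"{user}: {action} on {resource} at {when:%H:%M} outside office hours")
    return findings


def demo() -> Tuple[AccessLog, List[str]]:
    """Replay a constructed day of activity and review it."""
    log = AccessLog()
    day = datetime(2005, 6, 1)
    attempts = [
        ("alice", "employee_directory", "view", 9, 0),
        ("alice", "payroll", "modify", 9, 5),     # beyond her role: denied
        ("alice", "payroll", "view", 9, 6),       # denied
        ("alice", "payroll", "modify", 9, 7),     # denied -> three denials
        ("bob", "payroll", "modify", 23, 30),     # allowed, but at 23:30
        ("carol", "payroll", "view", 10, 0),      # auditor may view
        ("carol", "payroll", "modify", 10, 1),    # but not modify: denied
        ("mallory", "payroll", "view", 11, 0),    # unknown user: denied
    ]
    for user, resource, action, hour, minute in attempts:
        check_access(user, resource, action, day.replace(hour=hour, minute=minute), log)
    return log, review_log(log)


if __name__ == "__main__":
    _, findings = demo()
    for line in findings:
        print(line)
```

The point of the two rules in review_log is that neither event is blocked by the preventive control: bob is entitled to modify payroll, and alice's three attempts were each refused. Only the review of the log, the equivalent of reading the house's log book, turns them into something to investigate.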


Availability

Availability is the property of being accessible and usable upon demand by an authorized entity. This applies not only to information, but also to networked machines and other aspects of the technology infrastructure. The inability to access those required resources is called a “denial of service.” Intentional attacks against computer systems often aim to disable access to data; occasionally the aim appears to be the theft of data. These attacks are launched for a variety of reasons including both political and economic motivations. In some cases, electronic mail accounts are flooded with unsolicited messages, known as Spam mail, to protest or further a cause.

Additionally, these attacks could be an integral part of a coordinated effort such as bringing down a home banking system. Ensuring the physical security of a network or system is one way to cover availability. By limiting physical access to critical machines or data sources, the incidence of inaccessibility will be reduced. If contact with these resources is restricted, accidents as well as occurrences of internal mischief will also fall. Similarly, protecting the network electronically is important if many entry points exist, especially from a public domain like the Internet.

For example, a firewall is a computer that resides between an internal network, or intranet, and an external network, such as the Internet. The firewall regulates and restricts what types of data can flow between the two networks.

Imagine that at the front of your house there is a gate with a security guard. This guard acts as a firewall, limiting those who can enter the grounds. So, if your child lost his or her key, the intruder who finds it could not then unlock your front door because the guard would stop them from approaching.

Another aspect of availability ensures that needed resources are usable when and where they are needed. Providing system redundancy, in the form of backup data, machines, and power sources, will often ensure availability. Offsite storage of critical data will allow recovery if location security is breached. Additionally, backup servers will allow normal workflow to continue if primary network security is breached. While these forms of security will ensure availability, it is important to protect them from intruders and maintain confidentiality of their data.

Referring to our example, suppose that we keep copies of our important documents (e.g. birth certificate, family heirlooms, stock certificates, deed to your house, etc.) in a vault at the bank. In the event of flood, hurricane, or other disaster, we still have access to these papers.

Depending on your business needs, various levels of emphasis should be placed on each security principle. There is no “one answer that fits all” in determining it.

Application of Security Principles in Electronic Transactions

Although electronic commerce is like any other existing commercial activity, there lies a difference in that existing legal theories may no longer be applicable or may be unsuitable to resolve e-commerce disputes. You would therefore be prudent in reviewing the potential downside of using electronic systems and revising your strategy to address the electronic risks posed.


In all commercial transactions, communication is a key element for concluding a business transaction (e.g. communication of offer and acceptance). Whereas, in the past, these communications were verbally agreed, or written on paper, the state of current technology has enabled faster and more efficient communications over larger distances in a paperless manner. The evolution of communications from paper to faxes, telex, telephone and now the Internet has changed the way we communicate and do business.

The electronic systems and infrastructures that support electronic commerce are susceptible to abuse, misuse and failure in many ways. Despite the change in the physical medium of communication, the underlying principles that enable trust in commercial transactions remain the same. To address these risks, and ensure your protection as well as provide security assurance to your customers, we must first understand the electronic commerce risks as outlined below:

a) Direct financial loss resulting from fraud: A fraudulent insider or external attacker may illegally transfer funds from one account to another or add, delete, modify or destroy financial records;

b) Theft of valuable confidential information: An intrusion may disclose sensitive, proprietary information (e.g. credit card numbers held on behalf of customers) to unauthorized parties resulting in significant damage to one or more victims;

c) Loss of business opportunity through disruption of service: Deliberate attacks or accidental events may disrupt your Internet services for long or unacceptable periods;

d) Unauthorized use of system resources: Unauthorized users may use your system or network as a staging point for attacks on other systems or networks;

e) Loss of customer confidence or respect: The business may suffer reputational damage as a result of actual or perceived customer inconvenience or adverse publicity resulting from an intrusion or failure, or by intruders who masquerade as a legitimate member of the business;

f) Costs resulting from uncertainties: Interruptions to the transaction process caused by electronic systems failure, external or internal intrusions or improper e-business practices result in transactions being in stasis for long periods of time. The loss of business, reputational damage and costs of dispute resolution brought about by such uncertainties may be substantial.

To protect yourself and provide security assurances to your customers, the risks inherent in offering commercial services over the Internet must be mitigated. This can only be done through the use of appropriate security countermeasures in tandem with the establishment of essential business and legal processes. The business, technical and legal considerations are outlined under the general headings of Business and Information Privacy Risk Management, Transaction Risk Management, and Technology Risk Management below.


Business and Information Privacy Risk Management

Disclose your business and information privacy practices for e-commerce transactions and execute transactions in accordance with disclosed practices.

E-commerce often involves transactions between strangers. Appearances can be deceiving. How can a consumer know whether a well-constructed Web page is a front to a reliable business that will really fill its orders for goods and services as it claims? How can a consumer know whether the business will allow the return of goods, or whether there are product warranties? How are customer complaints regarding the accuracy, completeness and distribution of private customer information resolved? The anonymity of e-commerce and the ease with which the unscrupulous can establish – and abandon – electronic identities make it crucial that people know that those entities with which they are doing business disclose and follow certain business practices. Without such useful information and the assurance that the entity has a history of following such practices, consumers could face an increased risk of loss, fraud, inconvenience, or unsatisfied expectations.

There is a fine line to be trodden in dealing with information privacy. On the one hand, you will need certain information in order to process a customer order. On the other hand, the customer does not want this information provided to others without customer permission. In addition, errors can occur in your Internet customer database that the consumer should be able to rectify as needed. Without such a process in place, decisions can be made that could negatively impact the consumer.

To enable customer trust in conducting e-commerce through your website, it is important that the customer is informed of your business practices for e-commerce transactions. You should properly disclose, and adhere to, your business practices for dealing with such matters as orders, returns, and warranty claims. You should also disclose your practices for the protection and maintenance of private customer information along with the site’s provisions for customer complaints.

Transaction Risk Management

Your business should maintain effective controls to provide reasonable assurance that customers’ transactions using e-commerce are completed and billed as agreed.

Without proper controls, electronic transactions and documents can be easily changed, lost, duplicated, and incorrectly processed. These attributes may cause the integrity of electronic transactions and documents to be questioned, causing disputes regarding the terms of a transaction and the related billing. Potential participants in e-commerce may seek assurance that the entity has effective transaction integrity controls and a history of processing its transactions accurately, completely, and promptly, and billing its customers in accordance with agreed-upon terms.


The controls should address matters such as:

1. Transaction validation;

2. The accuracy, completeness, and timeliness of transaction processing and related billings;

3. The disclosure of terms and billing elements and, if applicable, electronic settlement; and

4. Appropriate transaction identification.

Such controls are essential in helping to establish consumer confidence in doing business electronically over the Internet.
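As an added example (not the compendium's own), the following Python class implements the four controls just listed for a small order system: it validates each order against a server-side price list rather than trusting the price the client sends back, uses the transaction identifier to detect a duplicated submission while still allowing an identical retry, and produces a billing line that matches the disclosed terms. The product codes, price list, quantity limit and sample orders are constructed for the illustration.

```python
"""Added illustration of transaction integrity controls: validation, a
transaction identifier used to detect duplicates, and billing that matches
the agreed terms.  Price list and orders are constructed for the example."""
from dataclasses import dataclass
from decimal import ROUND_HALF_UP, Decimal
from typing import Dict, List, Optional

# Server-side price list: the authority on what was "agreed", so a price
# sent back by the client can be checked rather than trusted.
PRICE_LIST: Dict[str, Decimal] = {"SKU-100": Decimal("19.90"), "SKU-200": Decimal("4.50")}
MAX_QTY = 100   # assumed business limit per order line


@dataclass(frozen=True)
class Order:
    txn_id: str          # unique per transaction; an honest retry reuses it
    customer: str
    sku: str
    qty: int
    unit_price: Decimal  # price the customer saw when agreeing to the order


class TransactionProcessor:
    def __init__(self) -> None:
        self.ledger: Dict[str, Order] = {}   # txn_id -> order as processed
        self.bills: List[str] = []           # one billing line per accepted order

    def validate(self, order: Order) -> Optional[str]:
        """Control 1, transaction validation: the reason for rejection, or None."""
        if not order.txn_id or not order.customer:
            return "missing identifier"
        if order.sku not in PRICE_LIST:
            return "unknown product"
        if not 0 < order.qty <= MAX_QTY:
            return "quantity out of range"
        if order.unit_price != PRICE_LIST[order.sku]:
            return "price does not match agreed terms"
        return None

    def process(self, order: Order) -> str:
        reason = self.validate(order)
        if reason:
            return f"rejected: {reason}"
        # Control 4: the identifier makes a duplicated submission detectable.
        prior = self.ledger.get(order.txn_id)
        if prior is not None:
            if prior == order:
                return "duplicate: already processed"   # safe retry, not billed twice
            return "rejected: id reused with different content"
        self.ledger[order.txn_id] = order
        # Controls 2 and 3: bill exactly the disclosed unit price times quantity.
        total = (order.unit_price * order.qty).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
        self.bills.append(f"{order.txn_id} {order.customer} {order.sku} x{order.qty} = {total}")
        return f"accepted: billed {total}"


def demo() -> List[str]:
    """Run constructed orders through the processor and collect the outcomes."""
    processor = TransactionProcessor()
    first = Order("T-1", "cust-42", "SKU-100", 2, Decimal("19.90"))
    results = [
        processor.process(first),                                              # accepted
        processor.process(first),                                              # identical retry
        processor.process(Order("T-1", "cust-42", "SKU-100", 5, Decimal("19.90"))),  # id reused
        processor.process(Order("T-2", "cust-42", "SKU-100", 1, Decimal("1.00"))),   # tampered price
        processor.process(Order("T-3", "cust-42", "SKU-200", 0, Decimal("4.50"))),   # bad quantity
        processor.process(Order("T-4", "cust-42", "SKU-200", 3, Decimal("4.50"))),   # accepted
    ]
    return results + [f"bills={len(processor.bills)}"]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design choices carry the weight here: the unit price is compared against the server's own list, which is what prevents the "changed" transaction the text warns about, and the identifier is checked before billing, which is what prevents the "duplicated" one without penalising a customer whose browser simply resubmitted the same order.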

Technology Risk Management

Your business should maintain effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to your business.

Consumers need assurance that they are dealing with a genuine website offering bona-fide products and services and one that will take appropriate actions to protect their private information. Although it is relatively easy to establish a website on the Internet, the underlying technology can be complex and can entail a multitude of operational resilience, information protection and related security issues. To rationalize the security measures we find in the real ‘physical world’ against the virtual ‘Internet view’, the following table may help draw some analogies:

Physical Security View            Internet View

Defense in Depth – Detection
Movement/Motion Detectors         Network Intrusion Sensors
Infra red beams                   File Monitoring
Door switches                     System Logs

Defense in Depth – Providing Delay
Fences                            Firewalls
Locks                             Encryption

Defense in Depth – Responding to threats
Security Guard                    Automated alarming tool with quick dial to security administrator or enforcement agent

The confidentiality of sensitive information transmitted over the Internet can be compromised. For example, without the use of basic encryption techniques (e.g. Secure Socket Layer Encryption-SSL, Transport Layer Security Encryption-TLS, Public Key Encryption-PKI etc.), consumer credit card numbers can be intercepted and stolen during transmission. Without appropriate firewalls and other security practices, confidential customer information residing on an entity’s e-commerce computer system can be intentionally or unintentionally provided to third parties not related to your business. Having a reliable security patch management system is also important to ensure that your systems are up to date and secured against recently discovered security vulnerabilities.


The type of tool used to update your system with missing patches will vary from system to system and you should refer to your system documentation to find out where to get your security patches (e.g. Microsoft Baseline Security Analyzer or Security Center in SP2, PatchPro or Patch Manager Base for Solaris OS, Support Plus or Extension Software for HP-UX, AS400 Patch PTF files etc.). Be forewarned: some of these patches may be larger than 2 MB in size and should not be downloaded over the Internet unless your Internet line capacity is sufficiently large to match your reserves of patience.

Security breaches may also include unauthorized access to corporate networks, Internet/Web servers, and even access to the consumer’s Internet connection (for example, his or her home computer). Consequently you should consider investing in an intrusion detection system that will enable you to prevent, detect, monitor and recover from any potential intrusions. There remain many websites that have not implemented intrusion detection functionality and therefore remain in the dark when their site has been compromised. Their first indication of a problem is only when their site has been defaced or a customer in-the-know informs them of the security breach.

Furthermore, as the Internet never sleeps, you are likely to have customers coming to your site on a 24-hour basis throughout the year. It becomes increasingly critical that the operational resilience of your systems and processes has been sized and dimensioned to cope with the level of demand for services, with recourse to backup and recovery measures in the event of data loss through error or malicious attacks on the systems.

Potential participants in e-commerce may seek assurance that your business has effective information protection controls, reliability from disruption and a history of protecting private customer information. This may be provided through independent attestations of your websites, generally termed web assurance. As a consumer of e-services, you would also want to look out for independent security and privacy attestations of the websites you are transacting with.

The controls required in this area are those that address operational resilience, privacy and security matters: encryption or other protection of private customer information (such as credit card numbers and personal and financial information) while it is transmitted to your website over the Internet, measures to protect such information once it reaches you, and requesting the permission of customers to use their information for purposes other than those related to your business. You should also obtain the customer’s permission before storing, altering, or copying information on the customer’s computer (e.g. Internet cookie or applet information stored on the customer PC).

Further to safeguarding this private information, consumers are concerned about being able to correct or update information provided to a site. The process by which a site allows this to occur can greatly enhance its e-commerce activity. Consumer concern about the safeguarding of private information traditionally has been one of the most significant deterrents to undertaking e-commerce transactions.


Note: All material from the above article is copyrighted by IXARIS SDN BHD. All rights reserved. Except for personal use, no part of the article may be reproduced by any mechanical, photographic or electronic process, or in the form of an audio recording, nor may it be stored in a retrieval system, transmitted or otherwise copied for public or private use without written permission of the publisher and author. For information regarding permissions, send e-mail to [email protected]

We can grant permission for any original article (not a reprint) to be photocopied for training or educational purposes. This permission is granted with the understanding that no more than 1000 copies will be made, the material is distributed free of charge, and that the following credit line appears on each manufactured copy.

“Used by permission of IXARIS SDN BHD, 38-4 Bangsar Utama 1, 59000 Kuala Lumpur, Malaysia.”

For any other use, advance permission must be obtained from the author at [email protected]

CONCLUSION

Very much like Heisenberg’s theory of the atom, security is an ever changing dynamic. Every time a new security vulnerability is exposed, or when a new business process or even a new product is introduced, the system of security and control measures must adapt and evolve to deal with new security threats. The law of diminishing returns also dictates that the return on security investment (ROSI) diminishes, the greater the investment. In such a situation, the user or enterprise needs to carefully balance their security and cost requirements and find the balance that is right for them.

Once that is achieved, the focus of the security management processes is to quickly return the system security and control back to its preferred protection profile to ensure a sense of equilibrium. Only through a continuous iterative quality process can systems security be improved and enhanced further. I would like to leave you with four thoughts that will help you on the way to better systems security and control:

a) Have you determined what information you wish to protect, its value and who you want to protect it from?

b) Have you determined the form in which the protection will take?

c) Is the cost of security less than the return on security investment?

d) Can your security measures be easily monitored, reported and maintained?

REFERENCES:

How much is enough? A Risk Management Approach to Computer Security, Kevin J. Soo Hoo, CRISP, Stanford University, June 2000

Computer Security, Dieter Gollmann, John Wiley & Sons, 1999


ONLINE/CYBER THREATS TO HOME USERS AND BUSINESS ENTITIES


Dhillon Andrew Kannabhiran is Founder and Chief Executive Officer of Hack in the Box (http://www.hackinthebox.org), a Malaysian-based network security consultancy firm. Dhillon is also responsible for HITB’s main site portal and forum, collectively holding a membership base of over 60,000 members and consuming over 35GB a month of traffic.

In 2003, Dhillon was responsible for kick-starting the Hack in the Box Security Conference series, an international level event that sees the gathering of the best and brightest researchers and network security specialists from around the world. Held in Kuala Lumpur, Malaysia, the event comprises two days of deep-knowledge security discussions and presentations and two days of hands-on technical training sessions. In 2005, HITB will, for the first time ever, be expanding their conference series beyond Malaysia and adding a date in Bahrain to cater to the Middle East region.

Dhillon has been involved with computers and network security for over 10 years and has previously written for various technical publications including CNet, ZDNet, MIS Asia and PC World to name a few. He was most recently employed by a Malaysian Tier 2 telco as their Chief IT Officer. However, he left in June 2004 to run and manage HITB on a full-time basis.

DHILLON ANDREW KANNABHIRAN, CEO, HACK IN THE BOX


The Internet has certainly grown by leaps and bounds over the last couple of years. Where once there was only a collection of web pages and a handful of servers, there now sits a vast and immersive world. Today, the Internet not only serves as an information resource but also a transport agent for rich media, streaming movies, Internet banking, e-commerce, and a slew of new technologies promising a better connected tomorrow. Along with this advancement, the threats of attacks to businesses and individual users have also been increasing at a rather alarming rate.

In today’s digital age, computers are not the only devices connected to the Internet. Personal Digital Assistants (PDAs), cellular telephones, and even household items and kitchen appliances are becoming ‘Internet aware’. In the past it was enough to have a ‘good password’ protecting your computer (at least 6 characters in length consisting of numbers, letters and special characters); today the length of your password or how complex the permutation may be serves as little protection for one simple reason – there are ‘easier’ methods to break into a computer than brute forcing a password.

Home users have not always been targets of the cracker. It is only in recent years that home users have come under increasing risk, stemming mainly from the fact that in the past, most home users were using dial-up Internet connections. As we all know, this is a narrow-band technology which, besides being extremely slow, also employed what is known as ‘dynamic IP address allocation’. This meant that computer users connected to their Internet Service Provider (ISP) were ‘moving targets’, being assigned a different IP each time they connected.

Today, on the other hand, most users have high-speed Internet connections at home, either employing cable technology or a variant of DSL. The connections, in addition to boasting higher bandwidths, also tout ‘24x7, always-on connections’. As such, users are keeping their computers on for longer, and of course connected for longer, thus increasing their chances of being ‘probed’ by an attacker or facing an actual attack.

In many cases, these home machines are then used by intruders to launch attacks against other organizations or are used as launching pads for Spam and other associated nasties. Home users in particular have generally been the least prepared to defend against attacks. Many do not employ personal firewalls, do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling e-mail attachments. That being said, corporate organizations are certainly not free of blame either. Many believe attacks and viruses are something that happens to ‘other people’. With this false sense of security, they choose instead to take a reactive approach rather than a proactive one when it comes to the security of their computer networks.


Although high-profile news items about computer security breaches tend to focus on sexy

external attacks, according to the FBI, about 80% of all attacks or security breaches come from

within the organization. Some are malicious, perhaps from disgruntled employees, but more often

than not, they are inadvertent, caused by well-meaning employees who fail to observe security

policies; most commonly due to not being adequately educated on the threats.

As organizations deploy extranets and accommodate home and mobile workers, they open a

series of security holes. Many a time a company will focus on putting up the best intrusion

detection systems and firewalls on their perimeter or border networks, but forget about the

security of their servers from within their network and organization believing that traffic behind

the firewall is ‘safe’.

In general, computer and information security is concerned with three main areas:

• Confidentiality – Information should be available only to those who rightfully have access to it.

• Integrity – Information should be modified only by those who are authorized to do so.

• Availability – Information should be accessible to those who need it when they need it.

These are general concepts that apply to home users and corporate users alike. Just as you wouldn’t share your personal banking details with a stranger, you certainly wouldn’t be agreeable to someone connecting to your computer and looking through your documents at will. The tasks you perform on your computer should remain confidential – regardless of whether you’re checking your Internet bank balance or sending an e-mail message to your loved ones, you are entitled to your privacy.

The good news about computer and network security is that there’s always a solution. The bad news, on the other hand, is that it is next to impossible to be 100% protected.

Below are some of the general attacks home and business users face from day to day.

Viruses and Trojan horse programmes

The text book definition of a Trojan horse is “an apparently useful and innocent programme containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.” Coupled with what has been termed ‘social engineering’, an attacker would attempt to trick you into running the Trojan horse, which in turn would install a ‘backdoor’ on your computer through which the attacker could enter and exit as he or she pleases.

These backdoors can allow intruders easy access to your computer without your knowledge, giving them full, more often than not Administrator-level, access over your machine. On its own, a Trojan horse merely facilitates the installation of backdoor or remote control software; it is when a virus writer combines the functionality of a Trojan horse with that of virus duplication and propagation that such Trojans are referred to as viruses.

In the past, viruses were spread through the swapping of documents and applications on floppy disks. Today, they spread most commonly through e-mail as an attachment. In addition to updating your anti-virus protection, it is always better to be sure you know the source of the attachment. It is NEVER enough that the mail originated from an address you recognize. The ILOVEYOU virus and several of its predecessors spread precisely because they originated from a familiar address. It is also common to find malicious code distributed in amusing or enticing programs. The Anna Kournikova virus promised naked pictures of the young tennis star, but instead installed a Trojan horse on unsuspecting victims who were duped into clicking on the attached file.

Backdoors and Remote Administration Tools (RATs)

In the past, the three most commonly used ‘attack tools’ to gain remote access to your computer were Back Orifice (sometimes referred to as BO), Netbus, and SubSeven. These backdoors or remote administration programmes, once installed, allow other people to access and control your computer remotely.

It is somewhat interesting to note that commercial Remote Administration Tools (like Symantec’s PCAnywhere) which provide for stealth installation (i.e. installation without the user’s knowledge or interaction) are not listed as a threat or a ‘backdoor’, whereas their ‘free’ and non-commercial counterparts are.

Denial of Service (DoS) Attacks

Another form of attack is called a denial-of-service (DoS) attack. A DoS typically involves overloading a remote computer with large amounts of superfluous data. The remote machine, having to process each and every request, ends up crashing under the load, thus resulting in a ‘denial of service’ or, in short, the inability of the system to serve its purpose.

It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another target. Attackers will frequently use compromised computers as launching pads for attacking other systems and networks. A DoS of this sort is called a Distributed Denial of Service attack, or DDoS.

A DDoS involves an attacker installing a ‘zombie’ or an ‘agent’ (frequently through a Trojan horse programme) which runs on the compromised computer awaiting further instructions. Then, when a number of zombie machines are running, a single “master” can instruct all of them to launch a denial-of-service attack on another system. As such, the victim of the attack is not your own computer, but someone else’s – your computer is merely a pawn in a game.

Cross Site Scripting Attacks and Attacks Through the Web Browser

As more websites employ dynamic content and move towards database-driven systems, the humble web browser has also undergone several changes.

One increasingly common attack vector is through the use of message boards or other sites that have been poorly designed, allowing a malicious user to attach a script or embed instructions into a URL or a form element.

When your web browser calls up this page, not only is the legitimate code of the site you’re visiting executed, but so too is the attacker’s script. Attacks of this sort can be used not only to steal the login information you use for other sites (usually contained within what is known as a browser cookie), but may also enable an attacker to gain remote control of your machine by installing a backdoor as outlined earlier.

The potential for exposure is not limited to the websites you visit within your web browser: malicious code can also be embedded into e-mail messages, newsgroup postings and instant messages.

There have also been numerous reports of problems with client-side code that adds further functionality to a web user’s ‘experience’. The most common forms of this client-side code are Java, JavaScript and ActiveX. Although the code is generally useful, having ActiveX or JavaScript functionality turned on or enabled within your browser can facilitate an intruder in gathering information (such as which websites you visit) or in running other malicious code on your computer. It is possible to disable Java, JavaScript, and ActiveX in your web browser; however, many choose not to, as several legitimate sites make use of them. To turn them off would be to cripple the full experience of the site.
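The message-board weakness described above, shown as an added example that is not part of the original article: the same post-rendering function in its vulnerable form (user text pasted into the page) beside its hardened form (user text HTML-escaped on output), plus the cookie attribute that keeps a session cookie out of reach of page scripts in the cookie-theft case the text mentions. The post content, function names and session value are constructed for this illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed message-board post: the body carries a script tag where plain text was expected.
POST_AUTHOR = "guest"
POST_BODY = "Nice board! <script>alert('xss')</script>"


def render_post_unsafe(author: str, body: str) -> str:
    """Vulnerable rendering: user-supplied text is pasted straight into the page markup,
    so any <script> the poster embedded runs in every visitor's browser."""
    return f"<div class=\"post\"><b>{author}</b>: {body}</div>"


def render_post_safe(author: str, body: str) -> str:
    """Hardened rendering: every untrusted field is HTML-escaped on output, so the
    browser displays the poster's text literally instead of executing it."""
    return (
        f"<div class=\"post\"><b>{html.escape(author, quote=True)}</b>: "
        f"{html.escape(body, quote=True)}</div>"
    )


def contains_script_tag(fragment: str) -> bool:
    """Check used to compare the two renderings: is there a live <script> tag in the output?"""
    return "<script" in fragment.lower()


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the cookie-theft case in the text: a session cookie marked
    HttpOnly is not readable from page script at all, and Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_post_unsafe(POST_AUTHOR, POST_BODY))
    print(render_post_safe(POST_AUTHOR, POST_BODY))
    print(session_cookie_header("s3ss10n-example"))
```

Escaping on output is the fix for the message-board case; the HttpOnly flag does not stop the script from running but removes the cookie as a prize, which is why the two are used together.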

Phishing Attacks & E-mail Spoofing

E-mail spoofing may occur in different forms, but all have a similar result: a user receives e-mail that appears to have originated from one source when it was actually sent from another source. Spoofing is often used in addition to a social engineering attack in order to trick a user into revealing potentially sensitive information (such as usernames and passwords). Attacks of this nature have since come to be termed ‘Phishing Attacks’ (a play on the word fishing, indicative of how an attacker would ‘bait’ potential targets).
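A defender-side check for the spoofing just described, added here as an example that is not part of the original article: it parses a message's headers and reports where the visible From: domain disagrees with the envelope sender (Return-Path), the Reply-To: address and the host that handed the message in. Both messages, their addresses and hostnames are constructed for this illustration, not real captures.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages (not real captures). The first is shaped like the
# spoofed bank e-mail described in the text; the second is what the bank's own
# mail would look like with all sender-related headers agreeing.
SUSPECT_MAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: <verify-account@examplebank-login.example.net>
To: <customer@home.example>
Subject: Please confirm your account

Your account will be suspended unless you confirm your details today.
"""

LEGIT_MAIL = """\
Return-Path: <alerts@examplebank.example>
Received: from mx1.examplebank.example (mx1.examplebank.example [198.51.100.5])
From: "Example Bank" <alerts@examplebank.example>
To: <customer@home.example>
Subject: Your monthly statement is ready

Your statement for May is available in online banking.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message):
    """Compare the visible From: domain with the envelope sender (Return-Path),
    the Reply-To: domain and the host in the first Received: header.
    Each mismatch is one indicator. Legitimate bulk mail sent through a
    third-party provider can trip the Received check, so treat the result as
    a reason for a closer look rather than proof of spoofing."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []

    return_path = domain_of(msg.get("Return-Path"))
    if return_path and return_path != from_domain:
        findings.append(f"Return-Path domain '{return_path}' differs from From domain '{from_domain}'")

    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain '{reply_to}' differs from From domain '{from_domain}'")

    for line in (msg.get_all("Received") or [])[:1]:
        match = re.match(r"from\s+([A-Za-z0-9.-]+)", line)
        if match:
            host = match.group(1).lower()
            if host != from_domain and not host.endswith("." + from_domain):
                findings.append(f"submitting host '{host}' is outside the From domain '{from_domain}'")
    return findings


if __name__ == "__main__":
    for finding in spoofing_indicators(SUSPECT_MAIL):
        print("indicator:", finding)
    print("legitimate message indicators:", spoofing_indicators(LEGIT_MAIL))
```

The From: header is free text chosen by the sender, which is the whole point of spoofing; the other headers are harder to forge consistently, so disagreement between them is what a mail filter or an analyst looks for.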

These so-called ‘Phishing’ attacks begin with an e-mail. Appearing to come from, for example, a bank, it leads the recipient to a convincing web page, at which point he is tricked into entering his username and password. Of course, the web page has been set up by the attacker and does not belong to the bank at all. Once obtained, these details are used by the attacker to log in to the user’s account and drain it of funds.

As the e-mail is sent to hundreds, if not thousands, of potential victims, only a very small percentage of users need to fall for the scam for it to be worthwhile. The current industry trend to counter this threat is the introduction of stronger user authentication or two-step authentication as opposed to a single username and password.

For reasons of cost, mobility, ease of deployment and user acceptance, password-generating tokens are the most commonly adopted technology used to thwart Phishing. These tokens supply the user with a one-time password that is valid only for a single use. The idea is that the attacker is thwarted since the one-time password, once obtained, has already been used or has expired.
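How a password-generating token delivers the single-use property described above, as an added example that is not code from the original article: an event-based one-time password per RFC 4226 (HOTP), a token that produces the next code on each press, and a verifier that burns every counter up to the one it accepts, so a code captured by a phishing page is rejected once the genuine user has used it. The shared secret and the scenario function are constructed for this illustration; the test vectors are those published in RFC 4226.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password (HOTP, RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a 31-bit integer and reduced to the wanted number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The password-generating token in the user's hand: each press yields the next code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """The bank's side: shares the secret, tracks the next unused counter, and accepts a
    code only within a small look-ahead window (the user may have pressed the token
    without logging in). Moving past an accepted counter is what makes a captured
    code worthless once it has been used."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # burn this counter and every earlier one
                return True
        return False


def phished_code_replay(secret: bytes = b"constructed-demo-secret") -> tuple:
    """Scenario from the text: the user types a code into the real site, then an attacker
    who captured that same code tries it afterwards. Returns (genuine_attempt, replay)."""
    token, bank = Token(secret), Verifier(secret)
    code = token.press()
    genuine = bank.verify(code)   # first use: accepted
    replay = bank.verify(code)    # same code again: rejected
    return genuine, replay


if __name__ == "__main__":
    print(phished_code_replay())   # (True, False)
```

The token stops the replay case the article describes. It does not help when the attacker relays the freshly captured code to the real site within the same short window, before the user does, which is why later schemes add transaction signing or phishing-resistant authenticators on top of one-time codes.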

Attacks via Instant Messaging & IRC clients

Internet chat applications, such as instant messaging applications and Internet Relay Chat (IRC) networks, provide groups of individuals with the means to exchange dialogue, web URLs and, in many cases, files of any type. As a result, instant messengers can transfer worms and other malware.

Instant messaging can also provide an access point for backdoor Trojan horses. Hackers can use instant messaging to gain backdoor access to computers without opening a listening port, effectively bypassing desktop and perimeter firewall implementations. Furthermore, finding victims doesn’t require scanning unknown IP addresses.

Because of the almost immediate two-way nature of the communication, many users feel that the use of instant messaging in the workplace leads to more effective and efficient workplace communications and, therefore, to higher productivity. As a result, instant messaging is increasing in popularity in both professional and personal applications. However, as with most things Internet-based, the increasing use of instant messaging has led to an associated increase in the number of security risks.

Securing instant messaging is not an easy task. One of the best ways to secure the information being transmitted along an instant messaging network is to encrypt it. That being said, encryption only helps in preventing information disclosure by an attacker ‘sniffing’ on a network.

How to Stay Protected

There’s no such thing as 100% security; however, there are steps you can take in order to limit your exposure to attack. These are general guidelines for both home and business users.

1. Install a personal firewall

Unlike a full-fledged firewall, a personal firewall is an application installed on your desktop which provides firewall-like functionality. There are several to choose from, and most offer a ‘free’ or shareware-based edition providing the most basic firewalling capabilities.

While most corporate users do not bother with the installation of personal firewall software, believing it to be redundant, it never hurts to be a little bit more paranoid.

2. Keep your anti-virus definitions up to date

Most anti-virus software allows for the automatic update of its virus definition files. If this setting has not been enabled, you should turn it on immediately. If, however, you prefer to do a manual update, simply use the Task Scheduler to set up a scheduled update for the virus definitions.

3. Do not execute attachments that arrive via e-mail or instant messaging unless you are expecting them

This is a simple rule to follow, but many times even knowledgeable users end up getting fooled into launching an attachment, only to find they’ve infected their machines. While most corporations are choosing to block file transfers via instant messaging clients, it is generally not a good idea to accept files or even to click on URLs sent to you. If you do choose to transfer files in this manner, ensure that each file is scanned by your anti-virus software prior to being executed.

4. Encrypt and password protect all files and other important documents

There are several free encryption programs you can use to protect your sensitive information from prying eyes. The most popular choice is Pretty Good Privacy (PGP), which employs a method of data encryption that allows people to communicate on the Internet without fear of their private messages being read by high-tech eavesdroppers. All important documents on a system should be encrypted and password protected for added protection.

5. Encrypt all e-mails sent

PGP also supports the encryption of e-mails. To exchange encrypted mail with another person, you and that person must each have created two keys: a public key and a private key. You keep your private key a secret, but you let anyone and everyone know what your public key is. You must obtain the other party's public key. When you send a message to that person, you encrypt your message with his or her public key. When your message is received, your recipient decrypts it with his or her secret key. As such, only someone in possession of the secret key which is paired with a given public key will be able to decrypt the message.
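The key-pair exchange just described, carried through in code as an added example that is not PGP's own implementation nor code from the article: textbook RSA with tiny constructed primes so that the arithmetic is visible, two parties each generating a pair, the sender encrypting with the recipient's public key, and the recipient (and only the recipient) decrypting with the matching private key. The primes, names and message are constructed for this illustration.

```python
import math


def generate_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA with tiny constructed primes: public key (e, n), private key (d, n).
    Real PGP keys are thousands of bits long; these values only make the steps visible."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, plaintext: bytes) -> list:
    """Sender's step: encrypt each byte with the RECIPIENT's public key."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(private_key, ciphertext) -> bytes:
    """Recipient's step: only the matching private key turns the blocks back into bytes.
    With a non-matching key the numbers that come out are not even byte values,
    in which case None is returned."""
    d, n = private_key
    blocks = [pow(c, d, n) for c in ciphertext]
    if any(b > 255 for b in blocks):
        return None
    return bytes(blocks)


def exchange(message: bytes = b"meet at noon") -> dict:
    """The exchange in the text: Alice and Bob each publish a public key and keep the
    private one; Alice encrypts with Bob's public key; Bob decrypts with his own private
    key; Alice's private key is useless against the ciphertext."""
    alice_public, alice_private = generate_keypair(61, 53)
    bob_public, bob_private = generate_keypair(101, 113)
    sealed = encrypt(bob_public, message)           # this is what travels over the Internet
    return {
        "ciphertext": sealed,
        "bob_reads": decrypt(bob_private, sealed),
        "alice_cannot": decrypt(alice_private, sealed),
    }


if __name__ == "__main__":
    result = exchange()
    print("Bob decrypts:", result["bob_reads"])
    print("Alice's own private key gives:", result["alice_cannot"])
```

Encrypting one byte at a time with no randomness, as this toy does, means identical bytes produce identical blocks and the ciphertext leaks patterns; PGP instead encrypts a random session key with the recipient's public key and uses that session key, with padding, for the message body. The property the article relies on is the same: the public key can be shared with everyone because it cannot undo what it encrypted.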

6. Keep up to date with patches for your Operating System

Ensuring your computer is always patched and up to date is absolutely vital to the security of your system. Windows users have the option of having their system detect updates and download them automatically. To check for updates automatically, users can go to http://windowsupdate.microsoft.com.

7. Develop a security policy

Establish a corporate security policy that details your company’s practices and procedures when it comes to its network security. The policy should include information relating to password choices, the validity period of passwords (in general, passwords should be changed every 60 to 90 days) and other associated guidelines. When an employee is no longer with the company, a policy on account removal should be drawn up to ensure that access to the network with redundant and old accounts is denied. The policy should also outline the consequences for current and former employees found tampering with or entering the network without authorization.

8. Don’t run unnecessary services

The default installations of most operating systems leave a system vulnerable by turning on services which the user may or may not require. As such, every network service that isn't in use should be disabled. For example, File and Print Sharing should never be turned on for a machine connected DIRECTLY to the Internet. Corporate system administrators should ensure that only the tools required by employees to get their job done are allowed on company machines. If, for example, they do not require instant messaging or file sharing applications, access controls should be placed at the border firewall level to block outgoing connections from these applications. By limiting the network and excluding non-essential services, security risks can be greatly reduced.
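One way to act on this step, added here as an example that is not from the original article: audit the sockets a machine is listening on against an allowlist of the services it is meant to offer, flag anything else that is reachable from the network, and single out the File and Print Sharing ports the text names. The listing is constructed in the column layout of `ss -Hlntu` on a Linux host; the allowlist and the host are hypothetical.

```python
# Constructed listing in the shape of `ss -Hlntu` output on a Linux host
# (columns: proto, state, recv-q, send-q, local address:port, peer address:port).
SAMPLE_LISTING = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:139       0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*
"""

# The article's own example of what must not face the Internet.
FILE_AND_PRINT_SHARING = {
    139: "NetBIOS session service (Windows file and print sharing)",
    445: "SMB over TCP (Windows file and print sharing)",
}

# Bind addresses that accept connections from any interface, not just loopback.
EXPOSED_ADDRESSES = {"0.0.0.0", "*", "::", "[::]"}


def parse_listeners(listing: str) -> list:
    """Return (protocol, local address, port) for each listening socket in the listing."""
    listeners = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_services(listeners, allowed_ports) -> list:
    """Flag every socket reachable from the network that is not on the allowlist.
    Loopback-only sockets are skipped: they cannot be reached from outside the host."""
    findings = []
    for proto, addr, port in listeners:
        if addr not in EXPOSED_ADDRESSES:
            continue
        if port in FILE_AND_PRINT_SHARING:
            findings.append((proto, port,
                             "must be disabled on an Internet-facing machine: " + FILE_AND_PRINT_SHARING[port]))
        elif port not in allowed_ports:
            findings.append((proto, port,
                             "not on the allowlist: disable the service or block it at the firewall"))
    return findings


if __name__ == "__main__":
    # Hypothetical host that is only meant to offer SSH.
    for proto, port, reason in audit_services(parse_listeners(SAMPLE_LISTING), {22}):
        print(f"{proto}/{port}: {reason}")
```

Port 631 (the local print spooler) is bound to 127.0.0.1 and so is left alone; 5353 (multicast DNS) is reachable and not on the allowlist, so it is reported along with the two file-sharing ports. The same audit run on a schedule catches services that later installs switch on without asking.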

9. Conduct your own vulnerability tests

There’s no better way to know how susceptible you are to an attack than to conduct your own penetration tests or vulnerability assessment. While it may sound daunting, there are several easy-to-use and free security tools which can help identify key vulnerabilities or problems within your network/computer. These are precisely the same tools attackers would employ to find computers to compromise.

10. Read up and Learn

There are numerous books, magazines, journals and online resources offering current insights and information relating to the latest prevention methods as well as new and upcoming technologies. Business users should also subscribe to vulnerability and exploit newsgroups such as Bugtraq and Full Disclosure. Just as there are new exploits and bugs discovered in software every other day, the technology to thwart attacks is also being actively developed. Keeping abreast of the latest threats will put you in the best position to act on them.

Note:

To outline ALL the possible threats to home and business users in this article would simply be impossible. As such, this document should serve more as a ‘general guide’ to bring the reader up to speed on the overall risks inherent in being connected to the Internet.

HOME COMPUTER SECURITY – HOW TO SAFEGUARD YOUR PRIVACY AND SECURITY WHEN UTILIZING THE INTERNET

PIKOM Special Interest Group (SIG) on Info-Security was formed in 2002 to provide a platform for the industry to interact and exchange information on computer information security and related issues. The SIG formulates plans and activities that would advance the interest of this sector and the ICT industry.

The PIKOM Info-Security SIG’s key objectives are:

• To identify issues in Info-Security

• To identify opportunities in Info-Security

This would help promote growth of the security industry in Malaysia and at the same time support good security practices, develop codes of practice & certification and promote users’ awareness and education on info-security.

The Info-Security SIG, besides looking into the industry’s development and promotion, will also focus on national positioning and thought leadership. It will create end-user awareness, facilitate linkages with other bodies both locally and internationally, and study international standards for local adoption.

Membership of PIKOM Info-Security SIG is open to users and providers of security-related products and services.

Contact Information:

PIKOM Info-Security SIG

c/o PIKOM Secretariat

1107, Block B, Phileo Damansara II

15, Jalan 16/11

46350 Petaling Jaya

Tel: 03-7955 2922

Fax: 03-7955 2933

E-mail: [email protected]

URL: www.pikom.org.my

INFO-SECURITY SPECIAL INTEREST GROUP PIKOM


ABSTRACT

While corporations spend millions every year securing their Internet-connected networks, many home users make the mistake of thinking that they do not need to be concerned with securing or protecting their computers. Consequently, home computers are typically not very secure and are easy to break into. This document looks into the general aspects of home computer security and measures you can take to improve the security of your home computer system.

INTRODUCTION

The Internet is a public network of millions of computers, all sharing information. On the Internet, communications move back and forth across public lines and through numerous connections. As with any public lines, eavesdropping is possible.

The online activities most common to home users are e-mail and web browsing. There are several things you personally can do to safeguard your home computer security and your personal privacy when you are on the Internet.

POSSIBLE MEASURES FOR HOME COMPUTER SECURITY

Securing your home computer is not a trivial task. The following areas should be considered in securing home computers.

1. Use anti-virus software and keep it up to date

Anti-virus software is designed to protect your computer against known viruses, so make sure you have it on your computer! Be sure to update your anti-virus software regularly. Regularly download security protection update “patches”. Check your software vendors’ websites on a regular basis for new security patches, or use the new automated patching features that some companies offer.

2. Secure your e-mail

Your e-mail address is a lot like your phone number. Unless you share it with others or have it listed in a public directory, it will not be available to unknown people. Anyone you send your e-mail to will know your e-mail address. Spammers, who send junk e-mail, often pick up e-mail addresses from newsgroups or mailing lists; therefore, if you participate in newsgroups, you should be aware that you may be sharing your e-mail address with Spammers.

In general, try not to respond to Spam, as this will let the sender know that you have an active, valid e-mail address. Simply reading an e-mail message cannot cause a virus to infect your computer. However, infected attachments can. Your computer could become infected if you download an infected attachment and then open the attachment. Therefore, do not open suspicious attachments.

3. Secure your passwords

Choose a good password. Where possible, do not use personal information that could be guessed, such as your name, phone number, names of family members, etc. Do use special characters (*!$+) mixed with letters and numbers, and mix upper- and lower-case letters, putting capitals in random locations throughout the password. Change passwords regularly and do not give out your password to anyone.

Keep in mind that ISPs and most server administrators never ask for your password. If you receive an e-mail that asks you for your password, even if it appears to be from someone in authority, ignore or delete it.
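The password rules in this step, together with the rotation period and account-removal rule from item 7 of the previous article (passwords changed every 60 to 90 days; accounts of departed employees removed), as one added example that is not code from either article: a composition check against the user's own personal details and an account audit against a rotation limit. The user's details, the account records and the audit date are constructed for this illustration.

```python
import re
from datetime import date

# Constructed sample data for one hypothetical organisation.
TODAY = date(2005, 6, 1)
PERSONAL_TERMS = ["John", "Smith", "1975"]   # hypothetical user's first name, family name, birth year

ACCOUNTS = [
    {"name": "alice", "last_changed": date(2005, 4, 15), "employed": True},
    {"name": "bob",   "last_changed": date(2004, 12, 1), "employed": True},
    {"name": "carol", "last_changed": date(2005, 5, 20), "employed": False},
]


def password_findings(password: str, personal_terms=(), min_length: int = 8) -> list:
    """Composition rules from the text: mixed case, digits, special characters,
    and nothing guessable from the user's personal details. Returns the rules broken."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        findings.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        findings.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    lowered = password.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            findings.append(f"contains personal information: {term}")
    return findings


def account_findings(accounts, today: date, max_age_days: int = 90) -> list:
    """Policy checks from the earlier article: passwords rotated within the validity
    period (60 to 90 days there; the upper bound is the default here) and no live
    accounts for people who have left. Returns (account, reason) pairs."""
    findings = []
    for account in accounts:
        if not account["employed"]:
            findings.append((account["name"], "former employee: account should be removed"))
        age = (today - account["last_changed"]).days
        if age > max_age_days:
            findings.append((account["name"], f"password is {age} days old, limit is {max_age_days}"))
    return findings


if __name__ == "__main__":
    print(password_findings("john2005!", PERSONAL_TERMS))
    for name, reason in account_findings(ACCOUNTS, TODAY):
        print(f"{name}: {reason}")
```

The composition check is a screen, not a strength meter: a password that passes every rule can still be a common pattern, so it belongs alongside a check against known-bad password lists. Later guidance (NIST SP 800-63B) has moved away from mandatory periodic rotation in favour of changing passwords when compromise is suspected; the removal of departed users' accounts remains standard practice either way.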

4. Get the most out of your anti-virus programme

The best way to protect your computer is to install an anti-virus programme. There are several good virus protection programmes for your consideration. Get the most out of your anti-virus programme by running it as recommended by the provider. If it has an automatic virus scanning feature, keep it turned on. Heed all warnings that your anti-virus software provides. Always install the latest version of your anti-virus programme; updates often contain information about new viruses.

5. Secure your identity

The Internet is a public ‘place’. When someone asks you for your name, phone number, address, and other information, you should assume that they may share that information with others. Therefore, the best way to keep your information private is to be cautious in providing it to others.

When you visit a website, the site can tell who and where your ISP is, what site you last visited, what browser you are using, and what pages you visit at this site. The site has no way of knowing your name, e-mail address, postal address, or other information about you – unless you provide that information.

A site does know your IP address – the Internet address you are currently using. This address is normally assigned to you, temporarily, by your ISP when you connect to the Internet. It has nothing to do with your e-mail address, and it cannot be used to locate you later.

6. Use ‘firewalls’

Firewalls create a protective wall between your computer and the outside world. They come in two forms: software firewalls that run on your personal computer and hardware firewalls that protect a number of computers at the same time.

They work by filtering out unauthorized or potentially dangerous types of data from the Internet, while still allowing other (good) data to reach your computer. Firewalls also ensure unauthorized persons cannot gain access to your computer while you are connected to the Internet.

7. Make Backups of Important Files and Folders

As you computerize the routine aspects of your daily life, making backup copies of important files and folders becomes critical. Back up small amounts of data on floppy disks and larger amounts on CDs. Most people make weekly backups of all their important data. This will spare you the pain of losing data in the future.

CONCLUSIONS

Whether your computer runs Microsoft® Windows®, Apple’s Mac OS or Linux, the security issues are the same and will remain so as new versions of your system are released. The key is to be aware of security-related aspects and the measures that could be taken in order to protect users and computers when accessing the Internet.

WHAT YOU SHOULD KNOW ABOUT CYBER CRIME AND THE MALAYSIAN CYBER LAWS

Deepak Pillai is an Advocate & Solicitor of the High Court of Malaya and a partner at Rajes Hisham Pillai & Gopal, a law firm in Kuala Lumpur. He is also a registered trademark agent. Deepak obtained his BA (Law) from the University of Durham in 1990. He was admitted as an Advocate and Solicitor before the High Court of Malaya in February 1994.

He heads the Information Technology & Intellectual Property law practice at Rajes Hisham Pillai & Gopal (rhpg), where he primarily advises financial institutions, telecommunications companies and IT companies on the structuring, drafting and negotiation of contracts related to their IT & Internet projects as well as on the impact of new regulations relating to online content, personal data protection and online financial services, amongst others.

Deepak was appointed by NISER (National ICT Security and Emergency Response Centre) to serve on its Panel of Experts from 2001 to 2002. He is currently a panellist of the Kuala Lumpur Regional Centre for Arbitration for hearing domain name disputes.

He is a member of the Society of Computers and Law (SCL) in the UK, the Computer Law Association (CLA) in the USA, the Licensing Executives Society of Malaysia (LESM) and the Malaysian Intellectual Property Association (MIPA). He is also a member of the Information Technology and Cyberlaws Committee of the Malaysian Bar.

Deepak speaks frequently on legal issues pertaining to the ICT industry and has presented papers, including on Malaysia’s proposed data protection legislation and drafting IT contracts at the Second MSC Cyberlaw Conference, Open Source legal issues at the Third MSC Cyberlaw Conference, on the legal issues pertinent to setting up Internet Banking at the Law School on Internet Banking jointly organised by BNM, IBBM and the Bar Council, and on e-commerce transactions at the 11th Malaysian Law Conference, amongst others.

DEEPAK PILLAI, PARTNER, RAJES HISHAM PILLAI & GOPAL

1. WHAT IS THE LEGAL DEFINITION OF CYBER CRIME?

There is no fixed definition of what may amount to cyber crime. As was noted by the National ICT Security and Emergency Response Centre (‘NISER’)¹, the Oxford Reference Online defines cyber crime as crime committed over the Internet. The Encyclopaedia Britannica defines cyber crime as any crime that is committed by means of special knowledge or expert use of computer technology. It also appears that the term ‘cyber crime’ is used interchangeably with the term ‘computer crime’.²

The United Nations, in its ‘Manual on the Prevention and Control of Computer-Related Crime’³, has noted that activities such as fraud by computer manipulation, computer forgery, damage to or modification of computer data or programmes, unauthorised access to computer systems and services, and unauthorised reproduction of legally protected computer programmes may amount to computer crime. The Australian Government has also identified other activities that may amount to cyber crime, which include offences against computer data and systems, computer-related offences, content offences and copyright offences.⁴

In Malaysia, the Computer Crimes Act 1997 (CCA), together with other acts such as the Communications and Multimedia Act 1998, the Digital Signature Act 1997 and the Penal Code (Act 574), provides for computer crime offences. The CCA was modelled after the Computer Misuse Act 1990 of the United Kingdom and came into force on 1 June 2000.

2. INCIDENTS THAT MAY AMOUNT TO CYBER CRIME

Cyber crime may occur in different ways. Viruses, worms and trojans are the more popular computer programmes that are used to commit crimes by using computers. The following is a non-exhaustive list of incidents which may amount to a cyber crime in Malaysia:

i) virus;

ii) trojan;

iii) adware and spyware;

iv) cookies;

v) worms;

vi) mailbombs;

vii) e-mail forgery; and

viii) spoofing.

¹ Is Cyber Crime Reigning on a no man’s land?, National ICT Security and Emergency Response Centre (NISER)

² ibid, and The State of the Law on Cyberjurisdiction and Cybercrime on the Internet by Gabriole Zeviar-Geese, California Pacific School of Law

³ Both the above definitions are quoted by NISER in (Is cyber crime reigning on a no man’s land?)

⁴ Cybercrime definitions, Australian Government, Australian Institute of Criminology, http://www.aic.gov.au/topics/cybercrime/definitions.html

It should be noted that cyber crime is not limited to remote attacks on computers. It also very much includes gaining unauthorised access to computers and the data stored on them by physical means, e.g. by gaining unauthorised access to a computer and copying information from that computer’s hard drive onto a floppy disk or a zip drive without authorisation.

3. MALAYSIAN COMPUTER CRIMES ACT 1997

3.1 Introduction

The CCA provides for the different offences that may be committed with a computer. The offences are:

i) accessing computer material without authorisation;

ii) accessing a computer without authorisation with the intent to commit or facilitate the commission of further offences;

iii) modifying the contents of any computer without authorisation;

iv) wrongfully communicating a number, code, password or other means of access to a computer or person to whom one is not duly authorised to communicate it; and

v) abetting in a computer crime.

3.2 Accessing computer material without authorisation

This offence is provided by Section 3 of the CCA. A person may be guilty of such an offence if the person knowingly and without authorisation causes a computer to perform any function to secure access to any programme or data held in any computer. The person need not intend to direct these acts at any particular programme or data.

If found guilty of such an offence, the person may be liable to a fine not exceeding fifty thousand ringgit (RM50,000) or to imprisonment for a term not exceeding five (5) years or to both.

For example, a person who uses viruses, trojans and spyware to gain access to the computers or programmes of strangers may have committed an offence under Section 3 of the CCA. Hackers using such malicious programmes are gaining access to computers or programmes that may belong to strangers, without authorisation from the owners of those computers or programmes.

3.3 Accessing a computer without authorisation with the intent to commit or facilitate the commission of further offences

This offence is provided by Section 4 of the CCA. A person may be guilty of such an offence if the person commits an offence as stated in paragraph 3.2 above with the intent to either commit or facilitate the commission of an offence, whether by himself or another person, involving fraud or dishonesty, thereby causing harm to any person in body, mind, reputation or property. The further offences need not be committed at the same time as the offence of unauthorised access.

If found guilty of such an offence, the person may be liable to a fine not exceeding one hundred and fifty thousand ringgit (RM150,000) or to imprisonment for a term not exceeding ten (10) years or to both.

A person may be liable for an offence under this section if the person uses a virus, trojan, worm or spyware to commit fraud over the Internet. In such a case, the malicious programmes are used to facilitate the commission of another offence that involves fraud or dishonesty.

3.4 Modifying contents of any computer without authorisation

This offence is provided by Section 5 of the CCA. A person may be guilty of such an offence if he does an act which he knows will cause unauthorised modification of the contents of any computer. The act need not be directed at any particular programme or data, and the unauthorised modification may be permanent or temporary.

If found guilty of such an offence, the person may be liable to a fine not exceeding one hundred thousand ringgit (RM100,000) or to imprisonment for a term not exceeding seven (7) years or to both. Where the unauthorised modification is done with the intention of causing harm to any person in body, mind, reputation or property, the person may instead be liable to a fine not exceeding one hundred and fifty thousand ringgit (RM150,000) or to imprisonment for a term not exceeding ten (10) years or to both.

A person may be liable under this section if, for example, he infects other computers with malicious programmes (viruses, spyware or worms) that modify the contents of the infected computer without the consent of its owner. Such programmes alter the working of the infected computers.

3.5 Wrongfully communicating a number, code, password or other means of access to an unauthorised computer or unauthorised person

This offence is provided by Section 6 of the CCA. A person may be guilty of such an offence if he communicates a number, code, password or other means of access to a computer to any person not authorised to receive it.

If found guilty of such an offence, the person may be liable to a fine not exceeding twenty five thousand ringgit (RM25,000) or to imprisonment for a term not exceeding three (3) years or to both.

A person may be liable under this section if, for example, he is an employee of a web-based e-mail company and forwards customers' passwords to rogues intending to steal information from the company's customers.

3.6 Abetting a computer crime

This is provided by Section 7 of the CCA. A person may be guilty of an offence if he abets another person in the commission of any offence under the CCA. If found guilty of abetting, the person is liable to the sentence provided for the relevant offence.

Further, a person who does any act in preparation for or in furtherance of the commission of any offence under the CCA may also be guilty of that offence.

3.7 Other matters provided by the CCA

The CCA also provides for other matters such as:

i) presumption;

ii) the territorial scope of the CCA;

iii) the scope of the power of the police in relation to search, seizure and arrest within the ambit of the CCA; and

iv) obstructing a search exercise by the police.

3.7.1 Presumption

The CCA provides the presumption that any person who has in his custody or control any programme, data or other information held in a computer or retrieved from any computer which he is not authorised to have in his custody or control shall be deemed to have obtained unauthorised access to such programme, data or information unless the contrary is proved.

Therefore, any person caught possessing a computer holding information he is not authorised to have may be guilty of the offence described in paragraph 3.2 above. Furthermore, a fraudster caught with information he is not authorised to have may be guilty of the offence described in paragraph 3.3 above.

3.7.2 The territorial scope of the CCA

Section 9 of the CCA gives Malaysia jurisdiction over any offence under the Act if the affected computer, programme or data was in Malaysia, or was capable of being connected to or sent to or used with a computer in Malaysia, at the time of the commission of the offence.

The scope of this section is wide. Perpetrators of any nationality may be subject to the provisions of the CCA, and offences committed by foreign nationals are dealt with as if the offence had been committed in Malaysia.

Therefore, if a foreigner unleashes a virus onto Malaysian computer systems, he may be guilty of an offence under the CCA, notwithstanding that he was not physically in Malaysia when he committed the relevant offence.

3.7.3 The power of the police in relation to search, seizure and arrest within the ambit of the CCA

Section 10 of the CCA gives a police officer not below the rank of Inspector, acting under a warrant, the power to enter, search, seize and detain any evidence, such as computer peripherals, diskettes or other related materials, that is of assistance in investigating the suspected offence. Such a police officer may also enter, search and seize without a warrant if he has reasonable grounds for believing that the delay caused by waiting for a warrant would frustrate the object of the search and seizure. The same section provides that such a police officer may arrest any suspected perpetrator without a warrant.

3.7.4 Obstructing a search exercise by the police

Section 11 of the CCA provides that a person may be guilty of an offence if he assaults, obstructs, hinders or delays any police officer entering any premises in the execution of his duties under the CCA. A person guilty of such an offence may be liable to a fine not exceeding twenty five thousand ringgit (RM25,000) or to imprisonment for a term not exceeding three (3) years or to both.

4. OTHER STATUTES APPLICABLE IN COMPUTER CRIMES

Cyber crime is regulated in Malaysia by other acts in tandem with the CCA. These acts are the Communications and Multimedia Act 1998 (CMA), the Digital Signature Act 1997 (DSA) and the Penal Code (Act 574) of Malaysia (PC). The following are examples of the different types of cyber crime governed by the respective sections of these acts:

i) Section 415 PC, which is for the offence of cheating;

ii) Section 467 PC, which is for the offence of forgery of a valuable security or will;

iii) Section 471 PC, which is for the offence of using as genuine a forged document;

iv) Section 472 PC, which is for the offence of making or possessing a counterfeit seal, plate, etc., with intent to commit a forgery punishable under section 467;

v) Section 234 CMA, which is for the offence of interception and disclosure of communications;

vi) Section 236 CMA, which is for the offence of fraud and related activity in connection with access devices, etc.;

vii) Section 72 DSA, which is for the offence of providing false information; and

viii) Section 74 DSA, for offences committed by corporate bodies.

4.1 Section 415 PC, which is for the offence of cheating

This offence may apply where a person uses a stolen credit card to purchase goods online.

4.2 Section 471 PC, which is for the offence of using as genuine a forged document

This section may be used in tandem with Section 4 of the CCA (paragraph 3.3) in incidents where a person hacks into an online merchant's website using a trojan to obtain credit card particulars, uses those particulars to manufacture forged credit cards, and then uses the cards to purchase goods.

4.3 Section 233 CMA, which is for the offence of improper use of network facilities or network services, etc.

A person caught performing a denial of service attack upon a website may be liable under this section. By sending a "ping of death" or other attack traffic during the denial of service attack, the person has initiated a communication to the targeted website with the intention to annoy.

4.4 Section 234 CMA, which is for the offence of interception and disclosure of communications

A person caught conducting a wire-tap upon any part of the telecommunications infrastructure of Malaysia may be liable under this section.

4.5 Section 72 DSA, which is for the offence of providing false information

A person who hacks into the system of a repository and thereby gains access to confidential details of persons or companies using digital signatures may be liable under this section if he discloses any such information to another person or publishes it on a website.

4.6 Section 74 DSA, for offences committed by corporate bodies

Where an employee commits any offence under the DSA in the course of his employment, his employer (for example, a company) may be liable to the same punishment or penalty as the employee.

5. POWERS OF THE AUTHORITIES AND COMPUTER FORENSICS

5.1 Powers of search and seizure

The scope of the powers of search and seizure of the relevant authorities in relation to the different computer crimes depends on the statute that provides for the specific offence. For example, if a search is required in relation to an offence under the CMA, the CMA itself provides for the scope and powers of enforcement of the authorities: a police officer not below the rank of Inspector, an officer of the MCMC or a public officer authorised by the Minister of Energy, Water and Communications of Malaysia ('the Minister') may exercise those powers.

The DSA too has sections dedicated to the scope and powers of the authorities when conducting search and seizure. The DSA empowers the Minister to authorise any public officer to exercise the powers of enforcement under that Act; any police officer not below the rank of Inspector may also exercise them.

In relation to offences under the PC, the scope and powers of enforcement officers are governed by the Criminal Procedure Code (F.M.S. Cap. 6) (CPC). Any police officer of any rank may conduct a search under the CPC, unless the search is to locate an object that may be concealed on a person (for example, a microchip). In that case a body search may only be conducted upon persons found within the premises being searched, and in the presence of a magistrate, a Justice of the Peace or a police officer not below the rank of Inspector.

5.2 Computer Forensics

During the search, authorised officers collect information and evidence so that it can be produced during the prosecution of the perpetrators. There are guidelines that the authorised officers may follow in the collection and preservation of the evidence.

For example, during the search exercise, photographs are taken of the crime scene. The suspect's computer is not switched off in the usual way; instead the power plug is pulled from the computer so that no information is lost during an orderly shutdown. Note that pulling the plug discards whatever was in volatile memory, so where running processes, open network connections or encryption keys held in memory are themselves of evidential value, they should be captured before power is removed. The crime scene is also dusted for fingerprints. When doing so, the authorised officer must keep the powder and its magnetic applicator away from magnetic storage media (diskettes, tapes, hard disks), as magnetic fingerprint powders can corrupt the data on such media and render it irretrievable.

Evidence collected from the scene of the crime is stored in a secure place by the authorised officers, who must take care when packing and transporting it. Generally, evidence is packed into bags that are sealed and labelled. A checklist of all evidence collected, and a record of the handling and management of the evidence after collection, should be kept to avoid any questioning of the authenticity of the evidence.
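As an added illustration of the checklist and handling record described above (this is not part of the compendium, and the disk image bytes, officer names and custody events in it are constructed sample data): each evidence item is hashed when it is seized, and every custody entry commits to the hash of the previous entry, so an altered, removed or reordered entry, or an image that no longer matches what was seized, is detected when the record is re-verified.

```python
"""Tamper-evident chain-of-custody record for seized digital evidence.

Added illustration, not from the compendium. The evidence image and the
custody events below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64          # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, item_id, action, officer, evidence=None, when=None):
        """Record a custody event; hash the evidence bytes if they are supplied."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "item_id": item_id,
            "action": action,          # e.g. seized, bagged, transported, received
            "officer": officer,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
            "prev_hash": prev,
        }
        # Canonical JSON so the hash does not depend on key order.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def evidence_matches(self, item_id, evidence: bytes) -> bool:
        """Does the item on hand still match the hash recorded at seizure?"""
        recorded = [e["evidence_sha256"] for e in self.entries
                    if e["item_id"] == item_id and e["evidence_sha256"]]
        return bool(recorded) and sha256_hex(evidence) == recorded[0]


def demo() -> dict:
    # Constructed sample: pretend these bytes are a disk image acquired at the scene.
    disk_image = b"\x00" * 512 + b"NTFS    " + b"\x55\xaa"
    t0 = datetime(2005, 6, 1, 9, 30, tzinfo=timezone.utc)

    log = CustodyLog()
    log.append("HDD-01", "seized and imaged", "Insp. A", evidence=disk_image, when=t0)
    log.append("HDD-01", "sealed in labelled bag", "Insp. A", when=t0)
    log.append("HDD-01", "received at laboratory", "Analyst B", when=t0)

    results = {
        "log_ok": log.verify(),
        "image_ok": log.evidence_matches("HDD-01", disk_image),
        "altered_image_ok": log.evidence_matches("HDD-01", disk_image + b"x"),
    }
    # Someone later edits an earlier entry (changes the officer's name).
    log.entries[1]["officer"] = "Insp. C"
    results["log_after_edit"] = log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run directly, the four checks come out as: the untouched log verifies, the seized image matches its recorded hash, a modified image does not, and the log fails verification once an entry has been edited. In practice the record would also be kept on write-once media or countersigned by each officer, which this example does not attempt.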

6. CCA FOR CONSUMERS AND ORGANISATIONS

The CCA and other statutes such as the DSA, CMA and PC provide a framework for dealing with the basic cybercrime offences described in the paragraphs above. It is recommended that security or risk management systems take into account the requirements of the CCA and the other acts mentioned, so as to be effective in:

i) providing assistance to the authorised officers in the collection of forensic evidence; and

ii) managing the risk from any cyber crime.

The CCA and the other acts mentioned above are tools for curbing computer crime. However, they are more effective when used in tandem with other tools such as good security systems and risk management systems. Given the rate of advancement of today's technologies, a combination of such tools is likely to be more effective in protecting oneself from becoming a victim of cybercrime than any one of them used alone.

WHAT YOU SHOULD KNOW ABOUT DIGITAL SIGNATURE AND THE DIGITAL SIGNATURE ACT 1997

A. WHY THE DIGITAL SIGNATURE ACT 1997 (DSA)?

Enforced on the 1st of October 1998, the DSA is an enabling law that allows for the development of, amongst others, e-commerce by providing an avenue for secure online transactions through the use of digital signatures. The Act provides a framework for the licensing and regulation of Certification Authorities and the recognition of digital signatures.

One of the issues with conducting electronic commerce through a non-physical medium is the verification of the identity of the parties, and the DSA addresses this issue. Using public key cryptography, it allows a licensed body to bind a digital signature key pair to a party so that signatures made with it are attributable to that party only.

B. WHAT IS DIGITAL SIGNATURE AS DEFINED BY THE ACT?

Digital signature is defined by the Act as a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key, and whether the message has been altered since the transformation was made.

A digital signature is basically an electronic counterpart of a conventional signature. It is created with a pair of keys generated by an asymmetric cryptosystem, using an algorithm or a specific series of algorithms.

The pair of keys is made up of a private key and a public key. The private key is used to create the digital signature, while the public key is used to verify it.

C. BACKGROUND OF THE TECHNOLOGY INVOLVED

The "keys" are strings of binary data which bear a complex mathematical relationship to each other; for a given algorithm, the longer the keys, the more secure they are.

The private key is secret and is kept by the party generating the message (the Author), while the public key can be distributed openly to any person. The private key must be well guarded so as to preclude the possibility of unauthorised abuse by any third party.

D. STRUCTURE OF DSA

Under the DSA, a licensed certification authority will only issue a certificate to a subscriber upon verification of the identity of the subscriber and upon satisfaction of the requirements under Sections 29 and 30 of the DSA.

The certificate states the identity of the subscriber and his public key. The certificate, together with the public key, is then published in a recognised repository where the public key can be accessed by the relevant parties. Upon receipt of a message from the subscriber, the recipient can retrieve the subscriber's certificate from the repository and verify the digital signature with the public key it contains.

THE DIGITAL SIGNATURE ACT 1997

MCMC

E. THE EFFECT OF A DIGITAL SIGNATURE

The effect of a digital signature created in accordance with the DSA is the same as that of any handwritten signature, thumbprint or mark: it is legally binding. A digitally signed document is treated as a written document, and copies of a digitally signed document are enforceable as originals.

F. SUBSCRIBER'S DUTIES AND LIABILITIES

The subscriber has a duty to exercise reasonable care in keeping the private key secure and preventing its disclosure to any unauthorised person.

Upon acceptance of a certificate issued by a licensed certification authority (CA), the subscriber is subject to the following implied representations:

• the subscriber rightfully holds the private key that corresponds to the public key listed in the certificate;

• all representations made to the CA and information listed in the certificate are true; and

• all material representations made to the CA or in the certificate, even though not confirmed by the CA, are true.

G. CA’S DUTIES AND LIABILITIES

The following prerequisites as per Section 29 DSA must be satisfied before the issuance of a

certificate to the subscriber:

• identity of the prospective subscriber;

• if an agent is involved, the authority of the agent to request for the issuance and to hold

custody of the private key;

• the information on the certificate is accurate;

• the prospective subscriber is the rightful holder of the private key;

• the prospective subscriber holds the private key that is capable of creating a digital signature;

and

• the public key to be listed in the certificate is capable of verifying a digital signature affixed

by the private key held by the prospective subscriber.

The CA has a duty to publish a signed copy of the certificate in a recognized repository upon

acceptance by the subscriber unless there is a contract between the CA and the subscriber

stipulating otherwise.

By issuing the certificate, the CA warrants to the subscriber that there is no information in the

certificate that is known to the CA as false, the certificate satisfies all requirements of the DSA

and the CA has authority to issue the certificate.

The CA has a responsibility to the subscriber to act promptly when suspending or revoking a certificate, and to notify the subscriber within a reasonable time of any facts known to the CA which significantly affect the validity or reliability of the certificate once it is issued.

H. LIMITATION OF LIABILITIES

The CA, the subscriber and the repository are only responsible for damage or loss suffered by those who reasonably rely on the certificate.

The CA is to specify a recommended reliance limit beyond which it will not be responsible. The CA is not liable for the following:

• loss caused by reliance on a false or forged digital signature if the CA has complied with the requirements of the Act;

• loss in excess of the recommended reliance limit for misrepresentation in the certificate of a fact to be confirmed by the CA, or for its failure to adhere to the prerequisites for the issuance of the certificate;

• punitive or exemplary damages; or

• pain or suffering.

CONCLUSION

The DSA is an important foundation for the conduct of electronic commerce. It resolves, to a large extent, the problem of identifying the parties.

Digital signatures, if properly implemented and utilised, can provide the following benefits:

• reliable authentication of messages;

• a high degree of information security, even for information sent over open or insecure communication channels;

• a reduced risk of tampering with or altering messages; and

• a reduced risk of dealing with impostors.


Digicert Sdn Bhd is a Malaysian Licensed Certification Authority offering ubiquitous trust

solutions and certification services. Digicert is a joint venture company between Pos Malaysia

Berhad and Mimos Berhad. Our mission is to materialise trusted and secured online electronic

transaction as recognized under the Digital Signature Act (DSA 1997).

Contact Details:

Digicert Sdn Bhd

Contact: [email protected]

Website: www.digicert.com.my

Tel: 03-8996 1600

JOSHEL WOO, DIGICERT SDN BHD

PUBLIC KEY INFRASTRUCTURE AND DIGITAL CERTIFICATES

JOSHEL WOO

ABSTRACT

Cryptography is the study of the design of mathematical formulas (algorithms) for encryption and decryption, intended to ensure the secrecy and/or authenticity of messages.

Encryption is the conversion of plaintext data to unintelligible data, called 'ciphertext', by using algorithms and secret codes (keys). Decryption is the reverse: the conversion of unintelligible data back into a legible format. The following diagram provides an overview of the encryption of a simple message containing the word "Private".

[Figure 1: Example of Encryption. Plaintext "Private" is encrypted with Key A to give the ciphertext "@Ca$1k", which is decrypted with Key B to recover the plaintext "Private".]

In the diagram above, the message "Private" is encrypted with the encryption key and the encryption algorithm to produce the unintelligible ciphertext "@Ca$1kw". The ciphertext is then decrypted with the decryption key and the decryption algorithm to recover the original plaintext message "Private".

Two primary means of encryption exist, based on symmetric keys (sometimes referred to as

secret key encryption) and that of asymmetric keys (sometimes referred to as public key

encryption).

1. Symmetric Key Encryption (Secret Key)

Symmetric key encryption is performed through the usage of a common ‘secret’ key, which

is only known to the transacting parties. Thus, in the example above, key A and key B

would be identical. Based on this secret key, both parties would encrypt messages to and

from each other, ensuring the confidentiality of their messages even if transmitted over

public networks (such as the Internet).

Symmetric key encryption is typically performed with publicly known and industry-accepted encryption algorithms, such as the Data Encryption Standard (DES), Triple-DES (3DES), Rivest Cipher 4 (RC4), the International Data Encryption Algorithm (IDEA) and the Advanced Encryption Standard (AES). As a result, the confidentiality of encrypted messages rests entirely on the confidentiality of the secret key (as the algorithm itself is publicly known): a compromise of the secret key compromises every message protected with it. (Of the algorithms listed, DES and RC4 are no longer considered adequate; AES is the current standard.)

2. Asymmetric Key Encryption (Public Key)

Asymmetric key encryption, commonly known as public key encryption, is achieved

through the use of private and public “key pairs.” Each user in public key encryption has a

key pair, comprised of a private key and a public key. The keys in a key pair are unique to

each other, but possess a mathematical relation that allows messages that are encrypted

with one key to be decrypted with the other. Thus in the example given in Figure 1, key A

and key B are different keys, where messages encrypted by key A can only be decrypted

with key B.

In practice, confidentiality is achieved via the sharing and encryption of messages with the

public key (hence the name) with a transacting party. Where a person wishes to transmit a

message to another user, he/she must first obtain the receiver’s public key to encrypt

the message and subsequently send the encrypted message. The receiver then decrypts

the message with his/her own private key (which is kept secret), assuring that the

confidentiality of the message has been maintained.

The most widely used asymmetric key algorithm is the Rivest-Shamir-Adleman (RSA) algorithm. Other asymmetric key algorithms include the ElGamal system, the Merkle-Hellman knapsack system (long since broken and now of historical interest only) and the McEliece algorithm.

The primary difference in asymmetric key encryption (as opposed to symmetric/secret key

encryption) is that the public key used in asymmetric key encryption can be openly shared,

and compromise in this public key would not result in the compromise of message

confidentiality.

However, it must be noted that the safety of the private key (given knowledge of the public key) rests on computational infeasibility. Because the private and public keys are mathematically linked, computing the private key from the public key is always 'possible' in principle; the strength of the public key cryptosystem lies in the difficulty, time and effort required for this 'reverse computation'. Thus, while the computing power available today may make it extremely time-consuming and unrewarding to attempt to derive a private key from a public key (of a given key length), future advances in computer technology can be expected to necessitate greater key lengths and possibly newer and stronger public key algorithms.

PKI INTRODUCTION

Public Key Infrastructure, or PKI, is defined as the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke Public Key Certificates (PKCs) based on public-key cryptography6. To understand the basis for PKI, we must first understand some of the key challenges in public key cryptography.

If user Amy wishes to communicate with user Sam, Amy must first obtain Sam's public key. Amy then encrypts her message with Sam's public key and sends the encrypted message to Sam. Because Amy's message has been encrypted with Sam's public key, only Sam can decrypt it, as only Sam has access to his private key. This ensures that Amy's message is transmitted to Sam without compromising its confidentiality. Even if another person obtains (or has previously obtained) Sam's public key, the encrypted message is still 'safe', as it can only be decrypted with Sam's private key.

This, however, gives rise to a separate issue: the authenticity of the message. While the message may be successfully sent and decrypted, how will Sam know that the message was actually sent by Amy, and not by somebody else who is impersonating Amy and has access to his public key (remember that the public key can be made available to anyone)? In addition, Sam may have dealt with other people previously and shared his public key with them.

Figure 2: Public Key Message Encryption

6 Internet Engineering Task Force (IETF) Internet X.509 Public Key Infrastructure PKIX Roadmap, Oct 1999.

The answer to this lies in the creation of a unique message signature: a digital signature that will prove that the message was actually sent by Amy and has not been modified.

While there exist a number of methods of creating digital signatures, we shall focus our discussion on digital signatures created by encrypting message digests. Such an example is provided below.

Before encrypting and sending the message to Sam, Amy computes a message digest (Step 5), typically with a publicly known message digest algorithm (such as MD5 or SHA-1; both have since been shown to be collision-prone, and the SHA-2 family is used today). Amy then encrypts the message digest with her own private key, creating her digital signature (Step 6), and includes this with the original message. The message is then encrypted with Sam's public key (Step 7) and sent to Sam (Step 8). Amy must also send Sam her own public key so that he can verify her digital signature (Step 9).

When Sam receives the message, he decrypts it with his private key (Step 11) and separates it into the original message and the digital signature. Sam then computes his own message digest (Step 12) with the same algorithm as Amy. Sam must now compare this value with the digest that Amy computed to ensure that the message was unchanged. To do this, Sam needs Amy's public key (as Amy's signature was created with her private key). After decrypting the digital signature (Step 13), Sam checks his own digest value against Amy's. If the values match, Sam can be assured that the message has not been modified in transit and that it was signed by the holder of the private key matching the public key he used.

Figure 3: Message Encryption with Digital Signatures

Figure 4: Simple Example of Impersonation

While the example illustrates the use of a digital signature along with an encrypted message, it is important to point out that digital signatures may be used in isolation from message encryption. This is the case where message confidentiality is not required: for example, a publicly available document is published and the only concern of a user is whether the document has been modified. The digital signature scheme can then be applied for that purpose alone.

Based on our example, it can be seen that a number of key exchanges as well as extra information (such as the message digest algorithm to be used) must pass between the two parties. In addition, each party needs to be assured that he/she is dealing with the actual or intended party. While a digital signature can assure a person that the message is authentic and has not been modified, the signature in itself does not prove a person's identity. A person, say Ami, could easily replace Amy in the above example by intercepting Sam's public key, creating a new message and signing it with his own private key. Ami can then send this message to Sam along with his own public key, claiming to be Amy. Unless Sam knows exactly what Amy's public key is supposed to be, Sam will not be able to tell that the message was not actually signed by Amy. An example of such an occurrence is shown in Figure 4.

7 Internet X.509 Public Key Infrastructure PKIX Roadmap.

8 RSA Frequently Asked Questions about Today's Cryptography v4.1, May 2000.

The example in the previous page identifies a need for a ‘protected’ method of distributing

public keys, as well the need to ensure that the public keys used actually belong to the

person/party intended. This is where Public Key Certificates (PKC), commonly referred to as a

digital certificates, arise.

A digital certificate is a user’s information and public key stored in a digital format (based on

the X509v3 certificate format). To ensure that the user information detailed in the certificate is

‘authentic’ and does not contain false information, the certificate itself is signed by a trusted

Certification Authority (CA). The CA’s signature provides assurance to the recipient of the

certificate that the information contained, including the public key of the certificate holder, is

authentic. As long as a user has access to the CA’s public key, he/she can then verify the

contents of the digital certificate.

This in turn raises the question of how to distribute the CA's own certificate (containing its public key) securely. In practice, the certificates of common CAs are built into key Internet applications and web browsers, and the use of Root CAs in a hierarchical model provides some level of security over the distribution of CA certificates over the Internet. Note that a root certificate is self-signed, so its signature proves nothing by itself; trust in it rests entirely on how it was obtained.

PKI COMPONENTS

As mentioned previously, PKI is defined as the set of hardware, software, policies and procedures needed to create, manage, store, distribute, and revoke Public Key Certificates (PKCs) based on public-key cryptography. The key functions of PKI as an overall infrastructure include the following:7

• Certificate Registration – issuing new certificates for public keys

• Certificate Revocation – cancelling issued certificates before they expire

• Key Selection – obtaining another party's public key

• Trust Evaluation – determining the validity of certificates and the authority conferred by the certificate

These PKI functions are performed by the following PKI components:8

• Certification Authorities (CAs) – issue and revoke certificates

• Registration Authorities (RAs) – vouch for the binding between public keys, certificate holder information and other attributes

• Certificate holders – possess certificates and can sign and encrypt documents

• Clients – verify digital signatures and their certification paths through a known public key of a trusted CA

• Repositories – store certificates and Certificate Revocation Lists (CRLs)

USAGE OF PKI AND DIGITAL CERTIFICATES

The implementation of PKI capability in the MyKad, along with the usage of digital certificates, will provide the following key benefits:

• Authentication

• Digital Signature and Non-repudiation

• Encryption

1. Authentication

The implementation of PKI provides a widely applicable means of performing user authentication. An example of such an authentication function, through the use of a challenge-response mechanism, is detailed below.

A simple method for authenticating a user to a system is for the system to issue a random challenge (a fresh, unpredictable value) to the user and require the user to sign the challenge with his/her private key and send the result back to the server. (With RSA this is often described as 'encrypting' the challenge with the private key.) The server then verifies the signature against the original challenge using the user's public key, taken from the user's digital certificate. (Note: there are a number of ways for the server to obtain the user's digital certificate: the user may transmit his/her certificate directly to the server, the server may keep a central copy of all certificates, or the server may retrieve the certificate from a central/common repository.)

If the signature verifies against the server's original challenge, the server can be assured that the user is who he/she claims to be, as only he/she has access to the private key needed to produce it. Two conditions make this sound in practice: each challenge must be random and used only once, otherwise a captured response can simply be replayed, and the server must check that the user's certificate is valid and has not been revoked before trusting the public key in it.

Such a system for authentication could be widely implemented: for example, users on the

Internet can be authenticated to computer systems (such as a user logging into his/her

Internet banking system or logging into public databases). This could also be implemented

in entire organizations, where all employees would authenticate themselves to the computer

systems via such a method.
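The challenge-response login described above, as an added Go example that is not code from the compendium or from any MyKad product. It assumes the server already holds the user's public key (extracted from the certificate, as the text describes) and makes explicit the two checks the description leaves implicit: the challenge is a fresh random nonce that is consumed on first use, so a captured response cannot be replayed, and the response is an RSA-PSS signature over the nonce bound to a purpose label and the user name, so it cannot double as the user's signature on some other document. The user names, the label string and the three attempts are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthServer keeps each enrolled user's public key (in practice taken from the
// user's certificate or a certificate repository, as the text notes) and the
// challenges it has issued but not yet seen answered.
type AuthServer struct {
	users   map[string]*rsa.PublicKey
	pending map[string]string // hex(nonce) -> user it was issued to
}

func NewAuthServer() *AuthServer {
	return &AuthServer{users: map[string]*rsa.PublicKey{}, pending: map[string]string{}}
}

// Enroll registers the public key against which user's responses are verified.
func (s *AuthServer) Enroll(user string, pub *rsa.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce to user and remembers it. A
// predictable or reused challenge would let an eavesdropper replay an old answer.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// digest binds the nonce to a purpose label and the user name before signing, so
// a login response cannot be passed off as the user's signature on a document.
func digest(user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("demo-login-challenge-v1\x00" + user + "\x00")) // constructed label
	h.Write(nonce)
	return h.Sum(nil)
}

// Respond is the client side: the private key (held on the card, in the text's
// setting) signs the challenge digest. "Encrypting the challenge with the
// private key" in the text is this RSA signing operation.
func Respond(user string, nonce []byte, key *rsa.PrivateKey) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest(user, nonce), nil)
}

// Verify accepts a response only if the nonce is outstanding for this user and
// the signature verifies under the enrolled public key. The nonce is consumed
// whether or not the check passes, so a captured response cannot be replayed.
func (s *AuthServer) Verify(user string, nonce, sig []byte) error {
	k := hex.EncodeToString(nonce)
	owner, ok := s.pending[k]
	delete(s.pending, k)
	if !ok || owner != user {
		return errors.New("no outstanding challenge for this user")
	}
	if err := rsa.VerifyPSS(s.users[user], crypto.SHA256, digest(user, nonce), sig, nil); err != nil {
		return fmt.Errorf("challenge signature invalid: %w", err)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// LoginOutcome records the server's decision on each of the three attempts.
type LoginOutcome struct{ GenuineAccepted, ReplayRejected, WrongKeyRejected bool }

// LoginScenario: Amy answers her challenge; an eavesdropper replays her captured
// answer; Ami answers a challenge issued for Amy with his own key.
func LoginScenario() LoginOutcome {
	amyKey := must(rsa.GenerateKey(rand.Reader, 2048))
	amiKey := must(rsa.GenerateKey(rand.Reader, 2048))
	srv := NewAuthServer()
	srv.Enroll("amy", &amyKey.PublicKey)

	var out LoginOutcome
	n1 := must(srv.Challenge("amy"))
	r1 := must(Respond("amy", n1, amyKey))
	out.GenuineAccepted = srv.Verify("amy", n1, r1) == nil
	out.ReplayRejected = srv.Verify("amy", n1, r1) != nil // same response presented again

	n2 := must(srv.Challenge("amy"))
	r2 := must(Respond("amy", n2, amiKey)) // Ami cannot produce Amy's signature
	out.WrongKeyRejected = srv.Verify("amy", n2, r2) != nil
	return out
}

func main() { fmt.Printf("%+v\n", LoginScenario()) }
```

The server never stores anything secret: a compromise of its user table yields only public keys, which is the advantage over password authentication. The weak variant to avoid is letting the client choose the challenge, or signing the raw nonce without the label, either of which lets an attacker obtain a signature on data of his choosing.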

2. Digital Signature and Non-repudiation

People sign documents in everyday life including credit card receipts, letters, legal and

business documents. Digital signatures provide a person with a means of performing this

signature function electronically. The most common means of performing a digital signature

is through encrypting a message digest with a person’s private key (refer to our example in

the Introduction to PKI).


Through the use of digital signatures, any person will be able to verify that a digital document or message was indeed signed by a particular person. All a person needs is the signer's digital certificate (and the certificate of the CA that issued it) in order to verify the signature.
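The following Go program is an added example, not code from the compendium or from any MyKad or MSC Trustgate product. It replays the Ami/Amy substitution from the Introduction using the certificate mechanism described under Digital Certificates and the verification just described: a hypothetical root CA issues Amy a certificate, Ami signs the same message with his own key and a self-signed certificate bearing Amy's name, and Sam, whose trust store holds only the CA certificate, checks each message. The CA name, the sample messages and the one-day validity period are constructed for the example; everything else is the Go standard library (crypto/x509, crypto/rsa).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Holder is a key pair plus the certificate binding its public key to a name.
type Holder struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newHolder makes an RSA key pair and a certificate for name. With a nil issuer
// the certificate is self-signed (a root CA if isCA, otherwise the home-made kind
// an impostor can mint for any name); with an issuer, the issuer's key signs it.
func newHolder(name string, isCA bool, issuer *Holder) *Holder {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; CAs use random serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &Holder{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// Sign is an RSA-PSS signature over SHA-256(msg), with the salt length x509 CheckSignature expects.
func (h *Holder) Sign(msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return must(rsa.SignPSS(rand.Reader, h.Key, crypto.SHA256, digest[:],
		&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}))
}

// VerifyFrom is Sam's check: msg counts as signed by claimedName only if certDER
// chains to a CA in roots, names claimedName, and holds the key that verifies sig.
// The chain check is what defeats Ami: no CA Sam trusts certified his key as Amy's.
func VerifyFrom(roots *x509.CertPool, claimedName string, certDER, msg, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { // also enforces the validity period
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if cert.Subject.CommonName != claimedName {
		return fmt.Errorf("certificate names %q, not %q", cert.Subject.CommonName, claimedName)
	}
	return cert.CheckSignature(x509.SHA256WithRSAPSS, msg, sig)
}

// Outcome records Sam's decision in each of the three cases.
type Outcome struct{ AmyAccepted, TamperRejected, AmiRejected bool }

// Scenario: Amy holds a CA-issued certificate, Ami a self-signed one in Amy's name,
// and Sam's trust store holds only the CA certificate.
func Scenario() Outcome {
	ca := newHolder("Example Root CA", true, nil)
	amy := newHolder("Amy", false, ca)
	ami := newHolder("Amy", false, nil) // impostor: same name, no CA behind it
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	msg := []byte("Constructed sample: pay RM1,000 to account 1234")
	tampered := []byte("Constructed sample: pay RM9,000 to account 1234")
	amySig, amiSig := amy.Sign(msg), ami.Sign(msg)
	return Outcome{
		AmyAccepted:    VerifyFrom(roots, "Amy", amy.Cert.Raw, msg, amySig) == nil,
		TamperRejected: VerifyFrom(roots, "Amy", amy.Cert.Raw, tampered, amySig) != nil,
		AmiRejected:    VerifyFrom(roots, "Amy", ami.Cert.Raw, msg, amiSig) != nil,
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Run it with go run; the printed Outcome shows Amy's message accepted, a modified copy rejected, and Ami's message rejected because his certificate does not chain to the trusted CA. Removing the cert.Verify call would reproduce exactly the weakness the Introduction describes: Ami's signature still verifies, but under a key that nobody Sam trusts has vouched for. A production verifier additionally consults the CA's revocation list, which this example omits.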

In addition, the implementation of the Digital Signatures Act 1997 provides digital signatures

with legal effect, having the same level of assurance as that of a handwritten signature or

thumbprint. This allows digital signatures to be used online for formal, business and legal

purposes.

3. Encryption

Confidentiality of information and privacy can be achieved via the use of encryption.

PKI provides this function via the use of the public and private keys. The introduction and

examples from the previous pages provide an illustration on the use of encryption with PKI.

Information encrypted with a person’s public key can only be decrypted with his/her

private key, ensuring the confidentiality of the information and privacy between the

transacting parties. By obtaining and encrypting the intended message with the receiver’s

public key (through the digital certificate), a person can be assured that his/her message

is kept private.

In addition, where a person wishes to ensure the secrecy of his/her own documents (such as those stored in a shared location such as a network server or Internet server), he/she can encrypt the document with his/her own public key, thereby preventing others from decrypting it. In practice, public-key encryption is slow and limited to short inputs, so the document itself is encrypted with a randomly generated symmetric key and only that key is encrypted with the public key.
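An added Go example of the encryption use described above, not code from the compendium or from any MyKad product. Because public-key encryption is slow and limited to inputs shorter than the key, the document is encrypted under a fresh AES-256-GCM key and only that key is encrypted with the recipient's RSA public key (RSA-OAEP); both primitives come from the Go standard library. The same Seal call covers the shared-server case from the last paragraph, where the sender seals to his/her own public key. The example also shows that a wrong private key and a modified ciphertext are both rejected. The envelope layout, the OAEP label string and the sample document are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels to the recipient (or sits on the shared server): the
// document encrypted under a one-time AES-256-GCM key, plus that key wrapped
// with the recipient's RSA public key. Only the matching private key unwraps it.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, aesKey)
	Nonce      []byte // GCM nonce, fresh for every envelope
	Ciphertext []byte // AES-GCM ciphertext followed by its authentication tag
}

// oaepLabel (a constructed value) is mixed into the OAEP padding so a wrapped
// key is only accepted by a decryptor expecting this envelope format.
var oaepLabel = []byte("demo-document-envelope-v1")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Seal encrypts doc for the holder of the private key matching recipient. RSA
// encrypts only the 32-byte AES key, which sidesteps RSA's small maximum
// message size and its cost on long documents while keeping the property the
// text relies on: only the private-key holder can read the result.
func Seal(recipient *rsa.PublicKey, doc []byte) (*Envelope, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(must(aes.NewCipher(aesKey))) // NewCipher fails only on a bad key length
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, aesKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, doc, nil)}, nil
}

// Open reverses Seal. It fails if priv is not the intended recipient's key (the
// AES key cannot be unwrapped) or if the ciphertext was altered (the GCM tag
// does not verify), so confidentiality and integrity are checked together.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap document key: %w", err)
	}
	gcm, err := cipher.NewGCM(must(aes.NewCipher(aesKey)))
	if err != nil {
		return nil, err
	}
	doc, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("document altered or wrong key: %w", err)
	}
	return doc, nil
}

// EnvelopeOutcome records the result of each of the three attempts.
type EnvelopeOutcome struct{ RecipientReads, OtherKeyFails, TamperFails bool }

// EnvelopeScenario: a document sealed to Sam is opened by Sam, then with someone
// else's key, then by Sam after one ciphertext byte has been flipped.
func EnvelopeScenario() EnvelopeOutcome {
	sam := must(rsa.GenerateKey(rand.Reader, 2048))
	other := must(rsa.GenerateKey(rand.Reader, 2048))
	doc := []byte("Constructed sample: salary statement for March, confidential")

	var out EnvelopeOutcome
	env := must(Seal(&sam.PublicKey, doc))
	got, err := Open(sam, env)
	out.RecipientReads = err == nil && bytes.Equal(got, doc)
	_, err = Open(other, env)
	out.OtherKeyFails = err != nil
	env.Ciphertext[0] ^= 0x01 // tampering in transit
	_, err = Open(sam, env)
	out.TamperFails = err != nil
	return out
}

func main() { fmt.Printf("%+v\n", EnvelopeScenario()) }
```

Note that encryption alone says nothing about who sent the document: anyone with Sam's public key can produce an envelope for him, so where origin matters the sender signs the document (or the envelope) as well, as described under Digital Signature and Non-repudiation.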

PKI AND DIGITAL CERTIFICATES IN A SMART CARD BASED SCHEME

In a smart card scheme such as the MyKad, the PKI elements contained in the card must be successfully read and used by the applications, PCs and smart card readers of the PKI components described above. The relevant interfacing standards are described in the table below. Most of the elements described will be available from commercial vendors providing the specific component, i.e. the smart card, the reader and the application or cryptographic library.

Card Element                        Function                                                  Interfacing Standard

Cryptography Library                Interfaces to the application requiring PKI              PKCS#11 and CSP

Smart Card Reader Driver            Interfaces to the PC                                      PC/SC

Smart Card Reader                   Interfaces to the smart card; reads data from the card    ISO 7816 parts 1, 2, 3 and 4

Smart Card with RSA Co-processor    Generation of key pair(s); storage of certificates        ISO 7816 parts 1, 2, 3 and 4

UTILIZATION OF MYKAD PKI IN THE GOVERNMENT SECTOR

This section will provide some examples of the possible usage and utilization of the MyKad

PKI capabilities. While the possibilities and potential benefits of a PKI implementation are

extensive, this section will provide some examples in specific key areas in MSC flagship

products and the government sector, and is not meant to be exhaustive. The principles and

examples used in a particular area (such as secure e-mail) are very likely to be applicable in a

large number of other areas.

Online Tax Submission

One of the widest and perhaps most obvious applications of the MyKad PKI would be in enabling online tax submissions. With the pending amendment to the Income Tax Act 1967, taxpayers will be allowed to file their tax returns through the Internet. The application of the MyKad in this area would include:

1. Authenticating users to the Inland Revenue Board (IRB) online systems; and

2. Digital signatures to ensure the authenticity and integrity of documents transmitted (confidentiality, where required, is provided separately by encryption).

In the area of authentication, taxpayers could use their GMPC to authenticate themselves to the IRB servers to access their confidential information and required forms, such as Form B and Form J. The forms themselves would be digitally signed to provide assurances to the public on their authenticity.

Electronic Procurement (EP)

Based on the current Electronic Procurement model, with participation of over 15,000

government offices/purchasers and over 30,000 registered vendors, the MyKad PKI can be

implemented to provide authentication, confidentiality and privacy (via encryption) and support

non-repudiation via digital signatures.

The EP system would utilize a common online authentication mechanism based on the MyKad

for both government and vendor representatives. Such an authentication mechanism would

ensure that only specific and registered users would be able to access the system, while

allowing the system to operate on the Internet. This would essentially create a private environment, allowing private communications and transactions between registered members to be conducted over a public network.

The flow of documentation within such an environment would require strict confidentiality and

this could be achieved via encryption mechanisms built around the MyKad. In order to ensure

that transactions are legally binding and to support non-repudiation in the EP environment, the

MyKad card would be utilized to digitally sign all formal documents and contracts. This will

enable the entire EP system to operate in a ‘paperless’ mode.

Government Office Environment (GOE)

In the area of general GOE, the primary benefit of the MyKad would be in the area of electronic

communication, filing and documentation. In addition, the use of the MyKad as a common authentication mechanism to control access to all computer networks and systems as well as

physical access would allow a centralization and simplification of access control in the entire

environment.

Communication, reports and other documents can be encrypted and distributed over both private

and public networks in a secure manner, allowing the transmission of confidential information

between multiple offices and locations across the country to be performed over the Internet.

Where electronic filing is concerned, the digital signature from a MyKad card could overcome

one of the key issues surrounding electronic filing, which is the authenticity and integrity of

electronic documents. Documents protected with an appropriate digital signature from a MyKad

card would be able to provide assurance as to the authenticity and integrity of the documents,

providing an additional step towards a paperless office environment.

In the future, the application of a common authentication system could be extended towards

the storage of information online, in centralized public databases, where the security of access

to such systems would be built around the MyKad card.

Human Resource Management System (HRMS)

The key area of benefit for human resource workflow systems derived from PKI and the MyKad

would be in the area of encryption and secure document distribution. Confidentiality is especially

important in this area and this could be achieved through the usage of the MyKad card.

The use of encryption in such a system would allow private documents such as salary and

EPF information, promotion letters and other confidential documents to be transmitted

electronically, in a secure manner ensuring confidentiality, while digital signatures would provide

assurance as to the authenticity of such transmitted documents.

Telemedicine

In the area of Telemedicine, the MyKad PKI can be applied in all three key areas, that of

authentication, digital signatures and encryption.

In relation to the Lifetime Health Plan (LHP), secure online storage of medical records can be

achieved via authentication mechanisms built around the MyKad with secure and encrypted

data channels. This would allow access to specific information for patients and separate

access for authorized medical personnel.

The implementation of such a system could allow the private medical records of a person to

be downloaded and sent via secured e-mail to their Doctor, whom the patient is visiting for the

first time, or downloaded directly from the Internet at the clinic. Registered medical practitioners

would be able to obtain confidential patient information online in an encrypted format, based

on their authorisation, as granted by their own patients.

An online authentication mechanism can also be designed around the MyKad to assist in the

authentication of users in the Mass Customised Personalised Health Information & Education

(MCPHIE). The public could use their MyKad to access online health information specifically

tailored based on their personal profiles.


In terms of the Continuing Medical Education (CME) application, the MyKad can be used to

restrict access to specific medical knowledge bases and discussions based on an

authentication and authorisation mechanism. In addition, secure distribution of medical reports,

industry updates and other information can be achieved through the use of secure e-mail,

ensuring that information reaches the intended audience only.

Finally, in the area of Teleconsultation and peer knowledge sharing, medical practitioners could

use the MyKad to conduct secure online conferencing as well as to publish discussion papers

and contribute ideas in a private manner. All documents can be digitally signed to ensure

authenticity and to enhance the credibility of discussion-style databases.

Where medical practitioners wish to engage in direct online conferencing, this can be achieved

via mutual authentication with the MyKad digital certificates and appropriate session encryption

protocols.

Smart Schools

In line with the Smart Schools initiative, a number of MyKad-enabled solutions could be

implemented. This would include online classrooms and tutoring, online discussions, secure

distribution of courses and exam materials, as well as online examinations. Essentially, the

MyKad could provide security to initiatives that bring schools online.

An example of this would be for online classroom tutoring, where students can authenticate

themselves with a particular server providing this online service. The potential of online tutoring

can be enormous, in providing a means of education to remote locations, or areas where the

setting-up of physical schools may not be economically feasible. This would, however, be

dependent on the level of Internet penetration available as well as the widespread usage of

computers in remote areas, which may prove a greater challenge than PKI.

While online tutoring may not replace physical classrooms, at least in the near future, another

possible implementation could be for specific ‘Webcasts’ or special lectures and conferences

to be conducted online, targeting specific age groups or students. Any student wishing to

access such Webcasts would only be required to connect to the Internet and authenticate

him/herself to the server providing this service. This can extend to special broadcasts, key

topics of interest based on current industry trends as well as specific lectures/talks conducted

by Education Ministry officials and other invited speakers.

Students and teachers can also use the security features of the MyKad to participate in online

discussion and real-time communication. Among the key concerns in such an area would be

individual accountability, which could be achieved through the use of digital signatures.

Another area of possible PKI implementation would be in the area of online examinations and

submission of examination papers. Where standardized exams exist (such as UPSR, PMR and

SPM), this could be conducted online and provided to students via specific servers set up on

the Internet. The MyKad could be implemented in such an environment to provide access


security to the examinations and ensure secured transmission channels. Upon completion,

students would be able to digitally sign their submissions with their digital signature as proof of

submission and to ensure non-repudiation. Such an initiative could pave the way for common

and centrally administered examinations for all levels of education.

UTILIZATION OF MYKAD PKI IN THE PRIVATE SECTOR

A business transacting on the Internet must have the confidence that the other party is in fact who they say they are, and that they are legally capable of committing to a transaction of the size and/or type desired. Authentication is not merely a matter of verifying a party's representation of itself; it is a matter of verifying the party's identity as well as its level of authorization to perform the transaction. Hence the need to authenticate and verify the identity of transacting parties.

A business must be able to prove that they or their customers have sent or received a

transaction. Repudiation occurs when a user denies a specific action being performed.

A customer should never be able to repudiate a transaction that has actually occurred.

Non-repudiation requires indelible evidence that an action has occurred and there is proof that

can be shown to a third party.

Furthermore, a business must also ensure that:

• Confidentiality: a message is only viewed by the intended recipient

• Integrity: information is not tampered or altered whilst in transit

This section will provide some examples into the possible usage and utilisation of the MyKad

PKI capabilities by individuals in their capacity as both customers as well as employees of

businesses for three key business applications. The principles and examples used in a

particular area (such as signing and secure e-mail) are very likely to be applicable in a large

number of other areas.

Electronic Banking

In Bank Negara Malaysia’s (BNM) “Minimum Guidelines on the Provision of Internet Banking

Services by Licensed Banking Institutions”, BNM has detailed that a Bank’s security arrangements

should at minimum achieve the following objectives:

1. Data privacy and confidentiality;

2. Data integrity during both transmission and storage;

3. Authentication of communications, transactions and/or access requests;

4. Non-repudiation of communications and transactions.

BNM has advised that digital certificates issued in accordance with the Digital Signature Act

1997 should be considered by banks to address the issue of non-repudiation for high value

or important transactions, or at the request of customers. Customers, after authenticating themselves with the Bank using the MyKad card, may:

1. Make inquiries and transact in a secure manner;

2. Sign documents and forms, such as loan applications, request for cheques, etc, online

with their digital signatures;

3. Transact online, such as fund transfers, payments etc., with indelible evidence in the form

of digital signatures.

In addition to internal banking transactions, banks are the leading issuers of credit cards, which

remains a popular form of consumer payment and settlement. The number of credit cards in

Malaysia as at the end of March 2000 is 2.415 million with an outstanding debt of RM5.719

billion.9 The credit card debt outstanding accounts for 1.35% of the total loans outstanding in

the country and 11.41% of the total consumption credit as at the end of March 2000. In many

online merchant and B2C transactions, payment instructions online use credit cards. In

addition to authenticating a customer with GMPC/PKI, digital signing of online purchases will

give added non-repudiation of transactions and ease the payment verification required by the

bank for credit card transactions.

Electronic Broking

Under the current provisions of the Securities Industry Act and KLSE Rules and Code on

Electronic Client-Ordering System (ECOS), electronic broking consists of order-routing and

messaging only. The actual trade is still transacted with manual intervention by a dealer’s

representative. The dealer representative retains the discretion to accept or decline the order.

However, most market analysis and draft regulatory reform anticipate market pressures, cost

and competitive pressures will eliminate the need for dealer representative intervention, subject

to the availability of strong authentication and non-repudiation measures.

The use of Certificates:

1. Will provide added assurance that a user/client will have been rigorously authenticated;

2. Address counter-party risks by providing non-repudiation and digital signatures for each

trade;

3. Provide confidentiality and privacy in terms of encryption sessions between the client and

the broker.

Clients, after authentication with a Broker using the GMPC/PKI, may:

1. Make inquiries and transact in a secure manner;

2. Transact online, such as purchase and sales of securities, with indelible evidence in the

form of digital signatures;

3. Make online payments, or send signed instructions, with a settling bank to pay for the

broking transactions above.

9 BNM Press Release – Report on Credit Card, 25 September 2000

Supply Chain Portals (B2B & B2G)

A lack of trust online continues to restrict companies that want to move boldly onto the Internet. Recent studies by the GIGA Group as well as Arthur Andersen have shown that the largest single barrier to the growth of B2B e-business is concern about whether Web security, as it

exists today, is strong enough for transactional commerce. In order for e-business to flourish,

trading partners must have complete confidence regarding each other’s identity. Even trading

partners with existing relationships cannot know for certain when communicating on the

Internet, whether they are dealing with an imposter or not. Businesses engaging in large

web-based transactions must be able to establish and maintain trust through each step of the

trading cycle – from initial overture right through payment and settlement. For B2B e-business

to gain acceptance, standards of identity verification and authentication have to be established,

so that procurement and financial settlements can take place in a secured environment. Although most B2B and B2G systems will use entity/server-level PKI and certificates, business transactions must still be initiated and completed by individuals.

The corresponding workflows and supporting documentation will require the use of individual

certificates for:

1. Authentication of authorised signatories/officers for transacting and messages;

2. Encryption of transaction message; and

3. Signing and non-repudiation.

Client-side certificates can also be used to assign rights, roles and privileges of the individual

within his/her respective organization. When the client-side certificates are issued by a

licensed Certification Authority, these certificates can be used to access additional business

credentials. As each transaction commences, the user is authenticated and authorised using

his/her digital certificate to determine the identity as well as level of authorisation permitted

within the employer.

Subsequently, instructions, messages and confirmations of transactions, be it ordering,

receiving or payment authorisation must be signed by an authorised individual.

Within a supply chain portal, there exists a multitude of vendors and suppliers, many of whom

may be competitors. Hence, privacy of transactions is a major concern and the GMPC/PKI

keys can be used for transaction and message encryption.

Furthermore, payment and settlement may be transacted using the same certificate in the

electronic banking context. Note that message and transaction encryption may be addressed

with Entity/Server-level certificates.

Other Capital Market Considerations: SC/KLSE

In addition to the e-broking specific considerations, capital market applications include:

1. Online applications for Initial Public Offerings (IPOs);

2. Online account opening for both; and

3. Online enquiry, after a user has been rigorously authenticated.

In all three scenarios, individual investors/users could use the MyKad PKI capabilities to provide the authentication and digital signatures necessary to facilitate these transactions.

In its "Framework for the Implementation of Electronic Commerce in the Capital Market", the

Securities Commission (SC) has expressed its intention to:

1. Amend provisions in the securities and futures laws to ensure they cater to both the

traditional paper-based environment and an electronic one.

2. Study the need to impose encryption or other security requirements on intermediaries’

electronic communications with their clients.

3. Study the possibility of replacing all legislative requirements for manual signatures with the

technological neutral term “authentication”.

Furthermore, the SC has also recommended that:

1. Market intermediaries ensure the security and integrity of their data storage systems, whether manual or electronic, by ensuring that records required by law are created and maintained, and that such records are durable and cannot be altered (integrity and possibly non-repudiation).

2. The central depository consider providing depositors access to their securities balances

via the Internet (authentication & encryption).

3. Eventually, a pure order execution system may be the first candidate for the online opening of accounts, provided there is a safe and secure way of authenticating the identity of the investor.

In keeping with its stance on technological-neutrality, the SC will not prescribe specific

methods, such as digital signatures. It may, however, issue policy statements to provide

guidance as to what constitutes suitable authentication. Furthermore, its upcoming Capital Markets Master Plan has indicated that it will be aligned with existing Cyberlaws (i.e. the Digital Signature Act 1997) as well as MSC initiatives.

CONCLUSIONS

Almost all studies conducted on the network economy and the Internet identify "security" as a major concern for business. Like the electricity and telephone infrastructures, a security infrastructure such as PKI has become an essential enabler of business objectives, be they increasing revenue, reducing costs, meeting compliance mandates, or reducing risk. The PKI application in the MyKad would be a catalyst in spreading e-commerce.

REFERENCES:

Internet Engineering Task Force (IETF), Internet X.509 Public Key Infrastructure PKIX Roadmap, Oct 1999

RSA, Frequently Asked Questions about Today's Cryptography v4.1, May 2000

BNM Press Release – Report on Credit Card, 25 September 2000

Securities Commission – Framework for the Implementation


MSC Trustgate.com Sdn Bhd was initiated in 1999 by Multimedia Development Corporation

(MDC) and has been licensed under the Digital Signature Act 1997 as a Certification Authority

(CA) to provide digital certification services including Digital Certificates, Public Key Infrastructure

(PKI) and cryptographic products.

Being a member of the VeriSign Trust Network, MSC Trustgate.com is perfectly positioned to

provide its clientele leading security infrastructure solutions in ASEAN and beyond.

MSCTrustgate.com leverages on proven technology and technical expertise to help companies

build a secure online web presence by encrypting communications and transactions; authenticating

the identities of individuals; offering secure online payment functions and validating transactions.

The company also provides MyKad PKI solution for the Malaysian government.

Today, MSCTrustgate.com is the fastest growing Trusted Internet Services company in the

region. For information, please visit www.msctrustgate.com.

For more information on Digital ID or MyKad PKI, please contact:

MSC Trustgate.com Sdn. Bhd. (CA Lic. No: 0022000)

Ground Floor Belatuk Block

Cyberview Garden

63000 Cyberjaya, Selangor, Malaysia

Tel: +6 03 8318 1800

Fax: +6 03 8319 1800

E-mail: [email protected]

Websites:

http://www.msctrustgate.com

http://www.mykey.com.my

YVONNE OUNG, MSC TRUSTGATE SDN BHD

TRUST BUT VERIFY

YVONNE OUNG

"Trust, but verify." That is the saying in diplomacy. The same applies to Internet transactions.

Imagine you are an Internet user…

• How do you ensure that the other party you communicate or transact with is who he claims

he is?

• How do you ensure that the information you send to the other party is not being “eaves-

dropped” by someone?

• How do you ensure that the information you send via the Internet is not being altered by

some intruders?

Now, imagine you are operating an Internet business that offers products or services….

• How do you verify the identity of your online visitors each time they transact with you?

• How do you give your customers a peace of mind that when they transact with you, their

confidential information will be secured during the transmission?

FIVE SECURITY PRINCIPLES FOR COMMERCE

For a long time, these principles have provided the basic foundation for a transaction to be carried out by two or more parties who may not know one another, or who are in different geographical areas:

• Authentication – you must make sure you know who you are communicating with

• Privacy – all confidential information must remain confidential

• Authorization – users should not exceed their allowed authority in the system

• Integrity (of the data) – information should not be tampered with during transmission

• Non-repudiation – the transaction must be provable, and not deniable, in a court of law

In the brick-and-mortar world, we use an identification card or fingerprint as a form of authentication. We use sealed envelopes, secret codes and invisible ink to ensure confidentiality. We use locks and keys, and deploy security guards, to control access to particular areas or sections of a building. We initial changes in a contract, or use a third-party witness or notary, to guarantee the integrity of a document. Lastly, to ensure that our commercial transaction can be proven in a court of law, we get the parties involved to sign the document, we use registered mail, and we record the time of transmission and receipt by date- and time-stamping.

HOW DO WE APPLY THESE FIVE SECURITY PRINCIPLES TO E-COMMERCE?

Today the most common form of authentication is the use of a user ID and password. Unfortunately, this method does not provide the level of authentication or protection required by the five security principles of commerce. Nor can such a transaction be relied upon as evidence in the courts of law in Malaysia.



SAY HELLO TO THE DIGITAL CERTIFICATE

A Digital Certificate, also commonly referred to as a Digital ID, is a form of electronic identity document based on public/private key cryptography. It provides authentication, verification, encryption and digital signature capabilities for transactions over the Internet. It is an electronic credential that contains your name, the certificate issuer's name, the certificate's expiration date and your public key (used by others to encrypt messages to you and to verify your digital signatures). Most certificates conform to the International Telecommunication Union's X.509 standard, but not all are compatible across all Web browsers.

KNOW YOUR CERTIFICATION AUTHORITY

Digital certificates are issued by a Certification Authority (CA). The CA is a trusted third-party organization that issues and manages certificates. The CA will first validate that an entity (an organization or a person) is exactly who or what it claims to be, and then issue that entity a digital certificate. The certificate is then presented electronically during electronic communication or transactions so that the two parties can trade securely without further proof of identity.

The CA operates within a Public Key Infrastructure (PKI). PKI is a structure of hardware, software, people, processes and policies that employs digital certificate technology. Its basis is public key cryptography, in which each party holds a public key and a private key: messages are sent encrypted with the receiver's public key, and the receiver decrypts them using his/her private key.

The CA's role is to ensure that electronic transactions are conducted with confidentiality, data integrity, proper user authentication, and protection against repudiation. In Malaysia, CAs are governed by the Digital Signature Act 1997.

DIGITAL CERTIFICATE IN ACTION

There are over 4,500 organizations and governments and 400,000 e-commerce websites worldwide that are using Digital IDs to secure their online businesses.

Financial Institution:

Banks and brokers are using Digital IDs to give customers secure access to their accounts for stock trading and account management. Customers can use their Digital IDs as a universal log-on at a bank's website for quick access to account information, without having to memorize multiple passwords.


Telecommunications:

In the highly competitive marketplace of the telecommunications industry, it is crucial to deliver secure and consistent connectivity to achieve a good customer experience. Telecommunications providers are integrating Digital IDs into their service offerings to differentiate themselves from their competitors.

Public Sector:

Government must provide a secure and safe e-government environment so that the public can have trust in dealing with it over the Internet. Digital IDs help to create a safe Internet environment by securing critical data being transmitted electronically to and from government websites. They also ensure that the right people are getting access to the right information.

Healthcare:

Security and privacy are critical to all institutions in the healthcare industry – from electronic patient records to automated claims processing. Healthcare providers use Digital IDs to protect medical information, reduce the risk of lawsuits and achieve compliance with applicable regulations.

Retailers:

By accepting Digital IDs at their site, a store manager can collect information about who accesses the website and which services are most popular, or set up accounts for purchasers. This enables them to provide relevant content on an individual basis, link Digital ID information to order status and purchase history databases, and eliminate false orders or repudiated sales.

Publishing/Subscription Services:

Digital IDs help maximize subscription revenue by preventing multiple users from sharing a password, and help to enhance the user experience by providing a one-step registration process. They can also boost advertising revenue by enabling companies to present precise demographic information about their readership to advertisers.

Services Companies:

Digital IDs give organizations the ability to provide a higher level of service because they can identify their customers. These companies can use Digital IDs to track shipments without having customers enter user names or tracking information, which also provides increased efficiency and privacy.


MYKAD PKI FOR MALAYSIAN CITIZENS

In 2001, the National Registration Department introduced MyKad, a new form of national identity card that contains a smart chip to store information such as the driving licence, MEPS cash, Touch ’n’ Go, etc. Many do not know that the new 64K MyKad is PKI-enabled. This means you can inject a digital certificate into MyKad and use it to securely conduct transactions on the Internet.

In May 2004, the Internal Revenue Board (IRB) also introduced the first government-to-public application, called e-Filing. This application allows Malaysian citizens with a PKI-enabled MyKad to file their income tax online. The first phase of e-Filing is open to corporate taxpayers, while the next phase will be opened to individual taxpayers.

With a click of a button, you can trigger MyKad PKI to generate a digital signature so that you can electronically sign your income tax form and submit it online to the IRB.
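The issue-sign-verify cycle described above (CA validates identity and issues a certificate; subscriber signs with the private key; relying party checks the certificate and the signature), as an added example that is not code from the compendium, from any CA named on this page or from MyKad: a toy CA issues an X.509 certificate to a subscriber, the subscriber signs a document, and the relying party accepts it only if the certificate chains to a CA it trusts and the signature matches the document, so a tampered document and a certificate from an unrecognised CA are both rejected. The CA names, the taxpayer name, the serial numbers and the document text are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must aborts on a setup failure; the relying party's checks return errors instead.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template fills the fields the article lists: subject name, validity period and, for a CA, the right to sign certificates.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // constructed serial, not a real CA's
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// newCA creates a self-signed CA certificate together with its signing key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	t := template(1, name, true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issue binds a subscriber's name to the subscriber's public key under the CA's signature; identity validation happens out of band.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, pub *ecdsa.PublicKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template(2, name, false), ca, pub, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// sign is the subscriber's digital signature over the SHA-256 digest of doc.
func sign(key *ecdsa.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return sig
}

// verify is the relying party's check: the certificate must chain to the trusted CA and be inside its validity period, and the signature must match the document.
func verify(trusted, cert *x509.Certificate, doc, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match document")
	}
	return nil
}

// RunScenario walks through issuance, signing and verification with constructed names.
func RunScenario() (genuineAccepted, tamperedRejected, untrustedRejected bool) {
	ca, caKey := newCA("Example Licensed CA")
	rogue, rogueKey := newCA("Unlicensed CA") // a CA the relying party does not trust
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	name := "Taxpayer 123456 (constructed)"
	cert := issue(ca, caKey, name, &userKey.PublicKey)
	rogueCert := issue(rogue, rogueKey, name, &userKey.PublicKey) // same name, wrong issuer
	doc := []byte("income tax form 2004: taxable income RM 50,000") // constructed document
	sig := sign(userKey, doc)
	return verify(ca, cert, doc, sig) == nil,
		verify(ca, cert, []byte("income tax form 2004: taxable income RM 5,000"), sig) != nil,
		verify(ca, rogueCert, doc, sig) != nil
}
```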

For more information on Digital ID or MyKad PKI, please contact:

MSC Trustgate.com Sdn. Bhd. (CA Lic. No: 0022000)

Ground Floor Belatuk Block

Cyberview Garden

63000 Cyberjaya, Selangor, Malaysia

Tel: +6 03 8318 1800

Fax: +6 03 8319 1800

E-mail: [email protected]

Websites:

http://www.msctrustgate.com

http://www.mykey.com.my


E-SECURITY AWARENESS SURVEY 2003 & 2004


INTRODUCTION

The Malaysian Communications and Multimedia Commission (MCMC) conducted the E-Security Awareness Survey for the years 2003 and 2004.

The main aim of the survey was to create greater awareness of security issues and to promote e-security best practices among the general public.

The survey was designed to identify and record the level of awareness and understanding of the general public in relation to security issues.

The findings of the survey enable MCMC to design and develop relevant action plans to educate and enhance awareness of the general public in the field of information and network security.


E-SECURITY AWARENESS SURVEY 2003

OBJECTIVE OF THE SURVEY

The objectives of the survey are many-fold; among them are the following:

• To create greater awareness of security issues for the general public
• To avoid, lessen or minimize the probability of security incidents among the general public by encouraging the usage of e-security solutions
• To promote e-security best practices among the general public
• To educate the general public on the benefit of securing their electronic identity and access devices
• To create responsible and knowledgeable users of the Internet
• To promote the usage of the Internet in a responsible manner
• To gauge the level of awareness of e-security issues among consumers

SURVEY AREAS

DEMOGRAPHIC DATA
To capture the age, race, sex, marital status and work status of the respondents

GENERAL KNOWLEDGE
To capture the level of awareness of respondents on computer viruses, anti-virus tools, firewalls, hacking and prevention measures

PASSWORD
To capture the level of awareness of respondents on password settings

INTERNET ACCESS
Questions on Internet usage (where and when), Internet security and Internet commerce

DIGITAL SIGNATURE
To test the knowledge of respondents in relation to digital signatures and PKI

E-SECURITY
To gauge the general level of awareness of the public on security issues


WHO RESPONDED

A total of 1,211 respondents took part in the survey in three locations: Kota Bahru (KB), Kelantan; Kota Kinabalu (KK), Sabah; and Johor Bahru (JB), Johore.

Figure 1: Respondents by Locations


Figure 2: Respondents by Race and Sex

Race\Sex   KB Male  KB Female  KK Male  KK Female  JB Male  JB Female  Total
Malay          230         52      183         47      175         86    773
Chinese         35         19       50         25       92         51    272
Indian           3          2        2          2       35         14     58
Others           2          1       65         32        7          1    108
Total          270         74      300        106      309        152  1,211

Figure 3: Respondents by Work Status

Work Status\Location   KB   KK   JB  Total      %
Student               126  189  220    535   44.2
Employed              191  191  202    576   47.5
Unemployed             34   26   27     17    1.5
Self-Employed         223  128   32     83    6.8
Total                 344  406  461  1,211  100.0

Figure 4: Respondents by Age

Age\Location   KB   KK   JB  Total      %
1 – 10           6    7    2     15    1.2
11 – 20         63   90  105    258   21.3
21 – 30        158  181  235    574   47.4
31 – 40         73   74   73    220   18.2
41 – 50         41   48   34    123   10.2
51 – 60          3    6   12     21    1.7
Total          344  406  461  1,211  100.0

Total respondents: 1,211


Figure 5: Respondents by Marital Status

Marital Status\Location   KB   KK   JB  Total      %
Single                   198  253  325    776   64.1
Married                  146  153  136    435   31.9
Total                    344  406  461  1,211  100.0

ABOUT THE RESPONDENTS

Information on the individuals who responded to the 2003 survey is summarized in Figures 1 to 5. Overall, a total of 1,211 respondents took part in the survey at the three locations. Of the total respondents, 879 (72.58%) were male while 332 (27.42%) were female.

In terms of employment, 44.2% were university students and 47.5% were employed. Only 1.5% were unemployed and 6.8% self-employed.

47.4% of respondents were aged 21–30, 21.3% were aged 11–20, 18.2% 31–40, 10.2% 41–50 and 1.7% 51–60. Only 1.2% of respondents were between the ages of 1–10.

63% of the respondents were single and 31.9% married.


SURVEY ANALYSIS: EXECUTIVE SUMMARY

Observations on General Knowledge

• Approximately 97.8% of the respondents reported that they have access to a PC, either at home, school, office, university or a cyber café.
• 90.9% claimed that they know what a computer virus is and 85.5% are aware of anti-virus software.
• Apart from that, only 84.3% of respondents reported having anti-virus software installed on the PC that they use.
• The greatest concerns among the majority of the respondents are computer viruses and being hacked while online.
• 69.4% reported that they have experienced being infected by a computer virus.
• 60.3% did not report the incident to the respective government or regulatory bodies.
• 49% reported that they do not know what a personal firewall is.
• 54.6% of the respondents did not install a personal firewall on their PC.

Observations on Passwords

• The survey found that 62.4% of respondents reported using passwords with five to eight characters, while 24.6% use more than eight characters.
• 1.1% of respondents change their passwords daily and a further 65.2% change their passwords once a month.
• The survey also found that the majority of the respondents are most concerned about revealing or sharing their passwords. For that reason, 78.6% of the respondents memorise their passwords.
• 77.7% reported that they do not share their passwords with others.

Observations on Internet Access

• A total of 76.6% of respondents reported that they have access to the Internet. Of these, 49.2% claimed that they access the Internet at home while 19.8% access the Internet at their place of work (office).
• A total of 102 students use the Internet at school, whereas 175 of those who are employed use the Internet at their offices.


• The survey recorded that 28.8% of respondents spend more than 10 hours a week on the Internet. Only 36.6% claimed that they spend three hours a week on the Internet.
• Over 67% reported that they have not performed an online financial transaction on the Internet, on either local or international websites.
• 17% feel these transactions are very safe, with less than 38% perceiving a serious security issue.
• More than 29.1% of respondents indicated that they make Internet purchases from local sites, whereas 15.9% make purchases from international sites.
• At least 14.3% of respondents claimed that the payment method is a reason for them to purchase online from local websites, while 12.3% of respondents mentioned that security is a factor that makes them purchase online from international websites.

Note: The Internet dial-up penetration rate for Malaysia in 2003 is 11.4%. The rate for each state in Malaysia is as follows:

Johore 9.6%
Kedah 6.3%
Kelantan 6.9%
Melaka 11.5%
Negeri Sembilan 10.5%
Pahang 6.7%
Penang 15.8%
Perak 8.0%
Perlis 8.3%
Selangor 14.2%
Terengganu 6.6%
Wilayah Persekutuan Kuala Lumpur 32.8%
Wilayah Persekutuan Labuan 17.8%
Sabah 3.6%
Sarawak 6.2%

The broadband penetration rate for Malaysia in 2003 is 0.44%.


Observations on Digital Signature

• More than 49% of the respondents do not know what a digital signature is, and only 5.9% claimed to have a digital signature.
• 66.5% of the respondents reported that they do not know which government body regulates digital signatures.
• 8.8% of the respondents get their digital signatures from Digicert while 7.5% get theirs from MSC Trustgate. The majority are employed in companies which use digital signatures.

Observations on E-Security Awareness

• 55.2% of respondents consider themselves beginners, whereas 41% rate themselves at the intermediate level on E-Security issues. Only 1.4% of the total respondents claimed that they are experts in handling E-Security issues.
• 87.5% of respondents said that they have concerns about security issues when connected to the Internet.
• More than 84% of respondents reported that there are not enough awareness campaigns on E-Security issues, particularly for computer users at home.

KEY FINDINGS OF THE SURVEY

The following points summarize the key findings of the survey:

• Most of the respondents have access to a PC and the Internet, but some of them do not have anti-virus software installed on their PCs. They risk leaving their PCs open to Internet threats, e.g. worms, viruses and hackers.
• Respondents are worried about the increased threats against their computer systems. Respondents are increasingly worried about the sophistication of computer security breaches, and their fears are valid: even relatively low-grade threats, e.g. viruses, worms and being hacked, can result in significant financial and time losses.
• Respondents recognize the need for awareness programmes and education. Awareness programmes and education which address Internet and e-mail usage, firewalls, digital signatures and computer system breaches can go a long way towards mitigating the impact of some of the problems related to security issues.
• Most IT security incidents are not reported to government bodies.
• Most of the incidents occur as a result of poor or no security awareness procedures and could, therefore, be prevented.

CONCLUDING COMMENTS

It is imperative that agencies such as the MCMC continue to play their role in ensuring a safe and secure networking environment by creating greater awareness amongst users, through a series of awareness programmes on e-security in the future.


FULL SURVEY RESULTS

SURVEY ON GENERAL KNOWLEDGE

Q1: Do you have access to a PC?

Location                    KB   KK   JB  Total      %
Home                       232  245  273    750   62.0
School/University           25   51   76    152   12.6
Office                      81   77  105    263   21.7
Home and School/University   2    1    2      5    0.4
Home and Office              0    3    1      4    0.3
Cyber Café                   4    3    2      9    0.7
All                          0    0    2      2    0.2
NA                           0   26    0     26    2.1
Total                      344  406  461   1211  100.0

Q2: Do you know what a computer virus is?

        KB   KK   JB  Total      %
Yes    308  363  430   1101   90.9
No      18   22   31     71    5.9
NA      18   21    0     39    3.2
Total  344  406  461   1211  100.0

Q3: Do you know what an anti-virus software is?

        KB   KK   JB  Total      %
Yes    288  342  405   1035   85.5
No      37   42   56    135   11.1
NA      19   22    0     41    3.4
Total  344  406  461   1211  100.0


Q4: If yes, do you have an anti-virus software installed in the PC that you use?

        KB   KK   JB  Total      %
Yes    285  326  410   1021   84.3
No      30   46   51    127   10.5
NA      29   34    0     63    5.2
Total  344  406  461   1211  100.0

Q5: Have you ever been infected by a computer virus?

        KB   KK   JB  Total      %
Yes    540  282  319    841   69.4
No      83   99  142    324   26.8
NA      21   25    0     46    3.8
Total  344  406  461   1211  100.0

Q6: If yes, did you report the incident to anyone?

        KB   KK   JB  Total      %
Yes     83  105   83    262   21.6
No     280  239  280    730   60.3
NA      98   62   98    219   18.1
Total  344  406  461   1211  100.0

Q7: If you did report the incident, to whom did you report it?

         KB   KK   JB  Total      %
MCMC     60   84   65    209   17.3
ISP      59   76   68    203   16.7
Police    3    4    6     13    1.1
NA      222  242  322    786   64.9
Total   344  406  461   1211  100.0


Q8: Do you know what a personal firewall is?

        KB   KK   JB  Total      %
Yes    126  158  213    497   41.0
No     187  216  190    593   49.0
NA      31   32   58    121   10.0
Total  344  406  461   1211  100.0

Q9: Do you have a personal firewall installed in your PC?

        KB   KK   JB  Total      %
Yes     66   87  112    265   21.9
No     191  230  240    661   54.6
NA      87   89  109    285   23.5
Total  344  406  461   1211  100.0

Q10: Has your PC ever been hacked while you were on the Internet?

        KB   KK   JB  Total      %
Yes     75   84   67    226   18.7
No     241  291  330    862   71.2
NA      28   31   64    123   10.1
Total  344  406  461   1211  100.0


SURVEY ON PASSWORDS

Q11: How many characters does your password have?

Location                       KB   KK   JB  Total      %
5                               0    0    0      0    0.0
Less than 5 but more than 8   221  161  274    756   62.4
More than 8                    91  105  102    298   24.6
NA                             32   40   85    157   13.0
Total                         461  406  461   1211  100.0

Q12: How often do you change your passwords?

Location    KB   KK   JB  Total      %
Daily        3    6    4     13    1.1
Weekly      19   20   26     65    5.4
Monthly    225  286  279    790   65.2
NA          97   94  152    343   28.3
Total      461  406  461   1211  100.0

Q13: Where do you keep your passwords?

Location                                   KB   KK   JB  Total      %
On Post It Notes                           11   11   10     32    2.6
On Paper                                   15   15   12     42   13.8
Memorise it                               279  334  339    952   78.6
Other (e-mail, computer, mobile phone)      1    0    3      4    0.3
NA                                         38   46   97    181    4.7
Total                                     461  406  461   1211  100.0

Q14: Do you share your passwords with others?

        KB   KK   JB  Total      %
Yes     37   38   47    122   10.1
No     277  337  327    941   77.7
NA      30   31   87    148   12.2
Total  461  406  461   1211  100.0


SURVEY ON INTERNET ACCESS

Q15: Do you have access to the Internet?

        KB   KK   JB  Total      %
Yes    274  323  331    928   76.6
No      43   58   39    140   11.6
NA      27   25   91    143   11.8
Total  461  406  461   1211  100.0

Q16: If yes, where do you access the Internet?

             KB   KK   JB  Total      %
Home        195  216  185    596   49.2
School       18   48   54    120    1.0
Office       74   72   94    240   19.8
University    4    5   14     23    1.9
Cyber café    7    7   12     26    2.1
All           0    0    2      2    0.2
NA           46   58  100    204   16.4
Total       461  406  461   1211  100.0

Q17: How often do you surf the Internet in a week?

                     KB   KK   JB  Total      %
1 hour               33   42   33    108    8.9
2 hours              51   64   72    187   15.4
3 hours             134  164  145    443   36.6
More than 10 hours  126  101  118    345   28.5
NA                    0   35   93    128   10.6
Total               461  406  461   1211  100.0


Q18: Have you ever purchased anything on the Internet?

        KB   KK   JB  Total      %
Yes     72   82   83    237   19.6
No     238  289  287    814   67.2
NA      34   35   91    160   13.2
Total  461  406  461   1211  100.0

Q19: If yes, were you comfortable with the security when you made your purchase on the Internet?

        KB   KK   JB  Total      %
Yes     58   72   71    201   16.6
No     115  149  137    401   33.1
NA     171  185  253    609   50.3
Total  461  406  461   1211  100.0

Q20: If no, what stopped you from making your purchase on the Internet?

                 KB   KK   JB  Total      %
Security        135  168  165    468   38.6
Price            28   34   24     86    7.2
Payment method   85   97  101    283   23.3
Others            7    4   11     22    1.8
NA               89  103  160    352   29.1
Total           461  406  461   1211  100.0

Q21: Where did you make your Internet purchase from?

                         KB   KK   JB  Total      %
Local websites          104  131  117    352   29.1
International websites   45   79   69    193   15.9
NA                      195  196  275    666   55.0
Total                   461  406  461   1211  100.0


Q22: If from local websites, why did you make your purchase?

                 KB   KK   JB  Total      %
Security         31   50   52    133   11.0
Price            36   61   47    144   11.9
Payment Method   57   59   57    173   14.2
Others            3    6    4     13    1.1
NA              217  230  301    748   61.8
Total           461  406  461   1211  100.0

Q23: If from an international website, why did you make your purchase?

                 KB   KK   JB  Total      %
Security         38   60   51    149   12.3
Price            29   40   40    109    9.0
Payment Method   31   38   45    114    9.4
Others            4    8    8     20    1.7
NA              242  260  317    819   67.6
Total           461  406  461   1211  100.0


SURVEY ON DIGITAL SIGNATURE

Q24: Do you know what a digital signature is?

        KB   KK   JB  Total      %
Yes    128  163  191    482   39.8
No     192  220  186    598   49.4
NA      24   23   84    131   10.8
Total  461  406  461   1211  100.0

Q25: Do you have a digital signature?

        KB   KK   JB  Total      %
Yes     27   29   90    146   12.1
No      20   30   21     71    5.9
NA     297  347  350    994   82.0
Total  461  406  461   1211  100.0

Q26: If yes, where did you get your digital signature?

                KB   KK   JB  Total      %
Digicert        32   43   32    107    8.8
MSC Trustgate   26   37   28     91    7.6
Others           2    6    2     10    0.8
NA             284  320  399   1003   82.8
Total          461  406  461   1211  100.0

Q27: Do you know which government body is the regulator of digital signatures?

        KB   KK   JB  Total      %
Yes     63   74   67    204   16.8
No     233  281  291    805   66.4
NA      48   51  103    202    1.8
Total  461  406  461   1211  100.0


SURVEY ON E-SECURITY

Q28: How do you rate yourself on E-Security issues?

        KB   KK   JB  Total      %
Yes    128  163  191    482   39.8
No     192  220  186    598   49.4
NA      24   23   84    131   10.8
Total  461  406  461   1211  100.0

Q29: Do you consider E-Security issues a concern when you connect to the Internet?

        KB   KK   JB  Total      %
Yes    299  351  410   1060   87.5
No      27   40   51    118    0.2
NA      18   15    0     33   12.3
Total  461  406  461   1211  100.0

Q30: Do you think that there is enough awareness campaign on E-Security issues for home computer users?

        KB   KK   JB  Total      %
Yes     32   53   67    152   12.6
No     294  338  394   1026   84.7
NA      18   15    0     33    2.7
Total  461  406  461   1211  100.0

Notes:

The category “NA” includes cases where a respondent selected more than one answer, or where the respondent did not fall within one of the other categories.


E-SECURITY AWARENESS SURVEY 2004

WHO RESPONDED

A total of 3,628 respondents took part in the survey in four locations: Kuala Lumpur (KL); Penang; Ipoh, Perak; and Kuching, Sarawak.

Figure 1: Respondents by Locations


Figure 2: Respondents by Race and Sex (M = male, F = female, NA = sex not indicated)

Race\Sex   KL M  KL F  KL NA  Penang M  Penang F  Penang NA  Ipoh M  Ipoh F  Ipoh NA  Kuching M  Kuching F  Kuching NA  Total
Malay       155   160      2       372       144          7     474     223        8        200         93          19  1,857
Chinese      28    31      1       217       135          6     234     104        7        401        176           9  1,349
Indian       10     7      0        36         7          5      58      12        2         11          0           6    154
Others       11     6      0         7        11          0      16       3        0        127         86           1    268
Total       204   204      3       632       297         18     782     342       17        739        355          35  3,628

Total respondents: 3,628

Figure 3: Respondents by Work Status

Work Status\Location   KL  Penang   Ipoh  Kuching  Total     %
Student               215     475    587      515   1792  49.4
Employed              154     370    396      468   1388  38.3
Unemployed              5      22     30       24     81   2.2
Self-Employed           7      22     37       13     79   2.2
NA                     30      58     91      109    288   7.9
Total                 411     947  1,141    1,129  3,628   100

Figure 4: Respondents by Age

Age\Location   KL  Penang   Ipoh  Kuching  Total     %
1 – 10          0       0      0        3      3   0.1
11 – 20       102     262    415      276  1,055  29.1
21 – 30       246     446    427      560  1,679  46.3
31 – 40        50     130    147      156    483  13.3
41 – 50         8      65    100       74    247   6.8
51 – 60         0       2      5        1      8   0.2
NA              5      42     47       59    153   4.2
Total         411     947  1,141    1,129  3,628   100


Figure 5: Respondents by Marital Status

Marital Status\Location   KL  Penang   Ipoh  Kuching  Total     %
Single                   314     664    790      807  2,575    71
Married                   87     237    287      242    853  23.5
NA                        10      46     64       80    200   5.5
Total                    411     947  1,141    1,129  3,628   100

ABOUT THE RESPONDENTS

Information on respondents in the 2004 survey is summarized in Figures 1 to 5. Of the total respondents, 2,357 were male (65%), 1,198 were female (33%) and 73 (2%) did not indicate their gender.

In terms of employment, 49.4% of the respondents were students, 38.3% employed, 2.2% unemployed and 2.2% self-employed, while 7.9% did not indicate the category they are in.

46.3% of respondents are aged 21–30, 29% are aged 11–20, 13.4% are aged 31–40, 6.8% are aged 41–50, 1.7% are aged 51–60 and 0.3% are aged 60 and above. Only 0.1% of respondents are aged 1–10. 2.4% of the respondents did not indicate their age group.

71% of the respondents are single and 23.5% married. 5.5% of the respondents did not indicate their marital status.

SURVEY ANALYSIS: EXECUTIVE SUMMARY

Observations on General Knowledge

• 94.6% claimed that they know what a computer virus is and 91% reported that they are aware of anti-virus software.
• Apart from that, only 88% of respondents reported having anti-virus software installed on the PC that they use.
• The greatest concerns among the majority of the respondents are computer viruses and being hacked while online.
• 68.4% reported that they have experienced being infected by a computer virus.


• 53.6% of the respondents did not report the incident to the respective government or regulatory bodies.
• 44.5% reported that they did not know what a personal firewall is.
• 60.6% of the respondents did not install a personal firewall on their PC.

Observations on Passwords

• The survey found that 58.5% of respondents used passwords with five to eight characters, while 21.6% use more than eight characters.
• 1.6% of respondents changed their passwords daily, and a further 37.5% changed their passwords once a month.
• The survey also found that the majority of the respondents are most concerned about revealing or sharing their passwords. 87.7% admitted that they memorised their passwords.
• 84.3% reported that they do not share their passwords with others.

Observations on Internet Access

• A total of 85.6% of respondents reported that they have access to the Internet. Of these, 59.5% claimed that they access the Internet at home while 11.4% of respondents access the Internet at their places of work/offices.
• A total of 480 students use the Internet at school, whereas 415 of those employed use the Internet at their offices.
• The survey recorded that 20.8% of respondents spend more than 10 hours a week on the Internet. Only 39.7% claimed that they spend less than five hours a week on the Internet.
• Over 76.4% reported that they have not performed an online financial transaction on the Internet, on either a local or an international website.
• 22% feel these transactions are very safe.
• More than 34.1% of respondents indicated that they make Internet purchases from local sites, whereas 17.6% purchase from international sites.
• At least 11.9% of respondents claimed that the payment method is a reason for them to purchase online from local websites, while 9.4% of respondents mentioned that security is a factor that makes them purchase online from an international website.


Note: The Internet dial-up penetration rate for Malaysia in 2004 is 12.7%. The rate for each state in Malaysia is as follows:

Johore 9.9%
Kedah 6.6%
Kelantan 6.7%
Melaka 11.8%
Negeri Sembilan 10.8%
Pahang 6.3%
Penang 16.3%
Perak 8.5%
Perlis 9.3%
Selangor 14.3%
Terengganu 6.5%
Wilayah Persekutuan Kuala Lumpur 34.5%
Wilayah Persekutuan Labuan 16.2%
Sabah 4.2%
Sarawak 6.7%

The broadband penetration rate for Malaysia in 2004 is 0.98%.

Observations on Digital Signature

• More than 51% of the respondents do not know what a digital signature is, and only 8.7% claimed that they have a digital signature.
• 69.3% of the respondents reported that they do not know which government body is the regulator of digital signatures.
• 7.4% of the respondents get their digital signatures from Digicert while 7.1% get theirs from MSC Trustgate. The majority of them are employed in companies which use digital signatures.

Observations on E-Security Awareness

• 81.8% of respondents said that they are concerned about security issues when connected to the Internet.
• More than 78% of respondents reported that there are not enough awareness campaigns on E-Security issues, particularly for home computer users.


KEY FINDINGS OF THE SURVEY

The following points summarize the key findings of our survey:

Most of the respondents have access to a PC and the Internet

However, some of them do not have anti-virus software or personal firewalls installed on their PCs. They risk having their PCs exposed to Internet threats, e.g. worms, viruses, spyware, etc.

Respondents are worried about the increased threats against their computer systems

Respondents are increasingly worried about the sophistication of computer security breaches, and their fears are valid. Even relatively low-grade threats, e.g. viruses, worms and hacking, can result in significant financial and time loss.

Respondents recognize the need for awareness programmes and education

Awareness and education programmes that address Internet and e-mail usage, firewalls, digital signatures and computer system breaches can go a long way towards mitigating the impact of some of the problems related to security issues.

Most IT security incidents are not reported to the relevant bodies

Most of the incidents occur as a result of poor or no security awareness procedures and in most instances can be prevented

CONCLUDING COMMENTS

It is imperative that agencies such as the MCMC continue to play their role in ensuring a safe and secure networking environment by creating greater awareness amongst users, through a series of awareness programmes on e-security in the future.


FULL SURVEY RESULTS

SURVEY ON GENERAL KNOWLEDGE

Q1: Do you have access to a PC?

Location                     KL  Penang   Ipoh  Kuching  Total     %
Home                        254     705    901      776  2,636  72.7
School/University            70     135    123       97    425  11.7
Office                       69      83     96      103    351   9.7
Home and School/University    0       0      0       16     16   0.4
Home and Office               0       0      0      101    101   2.8
Home, School and Office       0       0      0       13     13   0.4
Home, School and Cyber Café   0       0      0        5      5   0.1
Cyber Café                    5       4      6        7     22   0.6
NA                           13      20     15       11     59   1.6
Total                       411     947  1,141    1,129  3,628   100

Q2: Do you know what a computer virus is?

        KL  Penang   Ipoh  Kuching  Total     %
Yes    385     892  1,077    1,077  3,431  94.6
No      18      49     60       49    176   4.9
NA       8       6      4        3     21   0.5
Total  411     947  1,141    1,129  3,628   100

Q3: Do you know what an anti-virus software is?

        KL  Penang   Ipoh  Kuching  Total     %
Yes    367     868  1,010    1,056  3,301    91
No      35      72    126       69    302   8.3
NA       9       7      5        4     25   0.7
Total  411     947  1,141    1,129  3,628   100


Q4: If yes, do you know if an anti-virus software is installed on the PC that you use?

        KL  Penang   Ipoh  Kuching  Total     %
Yes    355     847    982    1,007  3,191    88
No      46      76    139       95    356   9.8
NA      10      24     20       27     81   2.2
Total  411     947  1,141    1,129  3,628   100

Q5: Have you ever been infected by a computer virus?

        KL  Penang   Ipoh  Kuching  Total     %
Yes    291     566    780      843  2,480  68.4
No     109     238    342      262    951  26.2
NA      11     143     19       24    197   5.4
Total  411     947  1,141    1,129  3,628   100

Q6: If yes, did you report the incident to anyone?

        KL  Penang   Ipoh  Kuching  Total     %
Yes    126     307    376      444  1,253  34.6
No     224     517    632      571  1,944  53.6
NA      61     123    133      114    431  11.8
Total  411     947  1,141    1,129  3,628   100

Q7: If you did report the incident, to whom did you report it?

          KL  Penang   Ipoh  Kuching  Total     %
MCMC      11      52     51       60    174   4.8
ISP       85     237    336      303    961  26.5
Police     1       3      4        6     14   0.4
Company   13       1      0       19     33   0.9
Vendor    15      15      0       49     79   2.2
NA       286     639    750      692  2,367  65.2
Total    411     947  1,141    1,129  3,628   100


Q8: Do you know what a personal firewall is?

        KL  Penang   Ipoh  Kuching  Total     %
Yes    197     457    559      704  1,917  52.8
No     201     455    558      401  1,615  44.5
NA      13      35     24       24     96   2.7
Total  411     947  1,141    1,129  3,628   100

Q9: Do you have a personal firewall installed in your PC?

        KL  Penang   Ipoh  Kuching  Total     %
Yes     95     263    346      448  1,152  31.8
No     276     583    713      625  2,197  60.5
NA      40     101     82       56    279   7.7
Total  411     947  1,141    1,129  3,628   100


SURVEY ON PASSWORD

Q10: How many characters does your password have?

                              KL  Penang   Ipoh  Kuching  Total     %
5                             47     109    140      129    425  11.7
Less than 5 but more than 8  258     558    673      635  2,124  58.6
More than 8                   58     203    240      286    787  21.7
NA                            48      77     88       79    292   8.0
Total                        411     947  1,141    1,129  3,628   100

Q11: How often do you change your passwords?

                    KL  Penang   Ipoh  Kuching  Total     %
Daily                3      21     15       18     57   1.6
Weekly              15      37     60       55    167   4.6
Monthly            114     353    429      465  1,361  37.5
Yearly              14      28     22       46    110   3.0
When necessary       6       0      0       18     24   0.7
Seldom/Sometimes     1       0      0       31     32   0.9
Quarterly            4       7      8        3     22   0.6
Never change        17       0      0       60     77   2.1
NA                 237     501    607      433  1,778  49.0
Total              411     947  1,141    1,129  3,628   100

Q12: Where do you keep your passwords?

                                          KL  Penang   Ipoh  Kuching  Total     %
On Post It Notes                           6      20     19       21     66   1.8
On Paper                                   9      37     40       43    129   3.6
Memorise it                              355     821  1,016      989  3,181  87.7
Other (e-mail, computer, mobile phone)     2       1      1        5      9   0.2
NA                                        39      68     65       71    243   6.7
Total                                    411     947  1,141    1,129  3,628   100


Q13: Do you share your passwords with others?

KL Penang Ipoh Kuching Total %

Yes 47 122 152 140 461 12.7

No 337 793 959 969 3,058 84.3

NA 27 32 30 20 109 3

Total 411 947 1,141 1,129 3,628 100

Q14: Do you have access to the Internet?

KL Penang Ipoh Kuching Total %

Yes 343 805 965 991 3,104 85.5

No 57 123 164 126 470 13

NA 11 19 12 12 54 1.5

Total 411 947 1,141 1,129 3,628 100

Q15: If yes, where do you access the Internet?

Location KL Penang Ipoh Kuching Total %

Home 189 601 731 638 2,159 59.5

School 65 128 143 144 480 13.2

Office 83 107 113 112 415 11.4

Cyber café 16 15 39 21 91 2.6

Home, school and office 0 0 0 11 11 0.3

Home and office 1 0 0 83 84 2.3

Home and school 0 0 0 24 24 0.7

NA 57 96 115 96 364 10.0

Total 411 947 1,141 1,129 3,628 100


Q16: How often do you surf the Internet in a week?

KL Penang Ipoh Kuching Total %

1 hour 145 359 515 424 1,443 39.8

2 hours 97 271 293 320 981 27.0

3 hours 96 215 196 248 755 20.8

More than 10 hours 9 28 40 50 127 3.5

NA 64 74 97 87 322 8.9

Total 411 947 1,141 1,129 3,628 100

Q17: Have you ever purchased anything on the Internet?

KL Penang Ipoh Kuching Total %

Yes 74 177 190 319 760 20.9

No 320 738 924 788 2,770 76.4

NA 17 32 27 22 98 2.7

Total 411 947 1,141 1,129 3,628 100

Q18: If yes, were you comfortable with the security when you made your purchase on the Internet?

KL Penang Ipoh Kuching Total %

Yes 65 199 232 302 798 22.0

No 134 419 532 468 1,553 42.8

NA 212 329 377 359 1,277 35.2

Total 411 947 1,141 1,129 3,628 100


Q19: If no, what stopped you from making your purchase on the Internet?

Location KL Penang Ipoh Kuching Total %

Security 161 419 472 404 1,456 40.1

Price 31 86 107 114 338 9.3

Payment method 112 225 301 287 925 25.5

Not interested 0 0 0 5 5 0.1

Security, price and payment 0 0 0 8 8 0.2

Security and payment 0 0 0 22 22 0.6

Price and payment 0 0 0 3 3 0.1

NA 107 217 261 286 871 24.1

Total 411 947 1,141 1,129 3,628 100

Q20: Where did you make your Internet purchase from?

KL Penang Ipoh Kuching Total %

Local websites 130 311 392 405 1,238 34.1

International websites 35 166 198 238 637 17.6

NA 246 470 551 486 1,753 48.3

Total 411 947 1,141 1,129 3,628 100

Q21: Why did you make the Internet purchase?

KL Penang Ipoh Kuching Total %

Security 18 93 123 109 343 9.5

Price 64 161 168 181 574 15.8

Payment method 44 97 133 157 431 11.9

Not interested 0 0 0 2 2 0.1

Easy/faster 1 1 0 13 15 0.4

Product not available in Malaysia 1 0 0 8 9 0.2

NA 283 595 717 659 2,254 62.1

Total 411 947 1,141 1,129 3,628 100


SURVEY ON DIGITAL SIGNATURE

Q22: Do you know what a digital signature is?

KL Penang Ipoh Kuching Total %

Yes 180 400 512 564 1,656 45.7

No 211 507 603 535 1,856 51.1

NA 20 40 26 30 116 3.2

Total 411 947 1,141 1,129 3,628 100

Q23: Do you have a digital signature?

KL Penang Ipoh Kuching Total %

Yes 30 85 93 106 314 8.7

No 361 811 1,013 980 3,165 87.2

NA 20 51 35 43 149 4.1

Total 411 947 1,141 1,129 3,628 100

Q24: If yes, where did you get your digital signature?

KL Penang Ipoh Kuching Total %

Digicert 13 57 104 95 269 7.4

MSC Trustgate 11 77 93 76 257 7.1

NA 387 813 944 958 3,102 85.5

Total 411 947 1,141 1,129 3,628 100


Q25: What do you use the digital signature for?

KL Penang Ipoh Kuching Total %

Secure my website 10 52 51 70 183 5.0

Secure my e-mail 24 92 103 116 335 9.2

Secure my Internet banking transaction 30 80 116 99 325 9.0

Secure my Internet banking transaction, file income tax online and secure my Internet trading transaction 14 27 27 33 101 2.8

Secure my e-mail and secure my Internet trading transaction 12 39 58 40 149 4.1

Secure my website, secure my e-mail, secure my Internet banking transaction, file income tax online and secure my Internet trading transaction 7 12 16 15 50 1.4

Secure my website, secure my e-mail and secure my Internet banking transaction 11 15 22 15 63 1.7

NA 303 630 748 741 2,422 66.8

Total 411 947 1,141 1,129 3,628 100


Q26: Do you know which government body is the regulator of digital signature?

KL Penang Ipoh Kuching Total %

Yes 79 179 221 202 681 18.8

No 285 640 801 789 2,515 69.3

NA 47 128 119 138 432 11.9

Total 411 947 1,141 1,129 3,628 100

Q27: Do you have a MyKad?

KL Penang Ipoh Kuching Total %

Yes 254 627 808 807 2,496 68.8

No 136 283 308 289 1,016 28.0

NA 21 37 25 33 116 3.2

Total 411 947 1,141 1,129 3,628 100

Q28: Do you know that MyKad is PKI-enabled?

KL Penang Ipoh Kuching Total %

Yes 146 366 512 462 1,486 41.0

No 244 526 590 628 1,988 54.8

NA 21 55 39 39 154 4.2

Total 411 947 1,141 1,129 3,628 100

Q29: Are you aware that you can file income tax online using MyKad?

KL Penang Ipoh Kuching Total %

Yes 106 282 433 336 1,157 31.9

No 281 611 671 750 2,313 63.8

NA 24 54 37 43 158 4.3

Total 411 947 1,141 1,129 3,628 100


Q30: Have you applied for a digital certificate for your MyKad?

KL Penang Ipoh Kuching Total %

Yes 30 79 108 99 316 8.7

No 346 811 992 972 3,121 86.0

NA 35 57 41 58 191 5.3

Total 411 947 1,141 1,129 3,628 100

Q31: If yes, where did you get your MyKad PKI-enabled?

KL Penang Ipoh Kuching Total %

Digicert/Ivest 23 109 150 131 413 11.4

MSC Trustgate 36 135 184 149 504 13.9

NA 352 703 807 849 2,711 74.7

Total 411 947 1,141 1,129 3,628 100

Q32: If no, do you plan to PKI-enable your MyKad?

KL Penang Ipoh Kuching Total %

Yes 260 529 665 680 2,134 58.8

No 84 265 351 325 1,025 28.2

NA 67 153 125 124 469 13.0

Total 411 947 1,141 1,129 3,628 100


SURVEY ON E-SECURITY

Q33: Do you consider E-Security issues a concern when you connect to the Internet?

KL Penang Ipoh Kuching Total %

Yes 245 746 1,005 970 2,966 81.8

No 130 141 108 126 505 13.9

NA 36 60 28 33 157 4.3

Total 411 947 1,141 1,129 3,628 100

Q34: Do you think that there is enough awareness campaigning on E-Security issues for home computer users?

KL Penang Ipoh Kuching Total %

Yes 58 136 227 237 658 18.1

No 333 758 887 861 2,839 78.3

NA 20 53 27 31 131 3.6

Total 411 947 1,141 1,129 3,628 100

Notes:

The category "NA" includes cases where a respondent selected more than one answer, or where the respondent did not fall within one of the other categories.


INCIDENT RESPONSE AND HANDLING FOR EVERYONE

MORE SPECIFIC INFORMATION FOR BUSINESSES


MOHAMED SHAFRI HATTA, NISER, AUTHOR

Mohamed Shafri Hatta graduated from Universiti Utara Malaysia (UUM), Sintok, Kedah Darul Aman, with a Bachelor of Information Technology (BIT) with Honours, majoring in networking, in 1998. Mohamed Shafri is also GIAC Security Essentials Certified (a certification issued by the SANS Institute, USA). He is also an EC-Council Certified Ethical Hacker (CEH) and is pursuing the Cisco Certified Network Associate (CCNA) certification.

In February 2001, he joined the National ICT Security and Emergency Response Centre (NISER), where he was with the Malaysian Computer Emergency Response Team (MyCERT) as one of the pilers under NISER. His main task is to provide first- and second-level support for MyCERT. His other tasks include network security audits and network and system penetration testing. He has given more than 10 presentations for NISER and MyCERT at seminars, conferences and trainings since 2002. He is currently the Network Security Analyst for NISER, and his fields of expertise are Incident Handling and Network Security.

ORGANIZATION

NISER (National ICT Security and Emergency Response Centre) was formed by the National Information Technology Council (NITC). The agency began its operation in November 2000 and was officially launched on 10 April 2001. NISER has been specifically tasked to support the nation's ICT security and cyber defence initiatives to avert potential intrusions and unlawful cyber actions that could threaten the nation's critical infrastructure.

NISER also deals with computer abuse and information security breaches through the Malaysian Computer Emergency Response Team (MyCERT). MyCERT, which was established in 1997, is a national incident response centre responsible for rapid response to problem identification and solution implementation.

NISER functions through collaboration with organisations from both the private and public sectors, including the Internet communities, to continuously identify possible gaps that could be detrimental to national security. It believes in this collaborative model as it recognises that no organisation can champion and resolve ICT security issues single-handedly.

In performing its tasks, NISER is guided by the following principles: to maintain technical competency, to pursue proactive action, to harness collaborative effort, to remain neutral and impartial, and to be a not-for-profit organisation.


ABSTRACT

Hacking, cracking and now hacktivism are fast becoming a serious threat to inter-networking. ISPs and companies whose businesses depend on network availability are faced with a new challenge greater than recovering from service hiccups: defending against and recovering from attacks.

Denial of Service attacks, intrusion and domain rerouting are major threats to Internet services. Despite the many technologies such as firewalls and Intrusion Detection Systems, the human element is required in Incident Response to ensure the responsiveness and effectiveness of the technology. NISER will share some of the major requirements in running an effective Incident Response Team, now a necessity in operating and maintaining any network.

INTRODUCTION

What is an Incident?

The term "incident" refers to an adverse event in an information system and/or network, or the threat of the occurrence of such an event. An incident can be defined as any activity that interrupts the normal activities of a system and may trigger some level of crisis. An incident implies harm or the attempt to harm.

What is Incident Handling?

Incident Handling is a series of actions taken to protect and restore the normal operating condition of computers and the information stored in them when an adverse event occurs, following well-defined procedures involving several stages. It involves all the activities carried out before, during and after a computer security incident occurs on a host, network, site or multi-site environment.

Purpose of Incident Handling

• To mitigate or reduce the risks associated with an incident.

• To respond to all incidents and suspected incidents based on pre-determined processes.

• To provide unbiased investigations of all incidents.

• To establish a 24x7 hotline/contact to enable effective reporting of incidents.

• Each organization should have an incident handling team to control and contain any incidents that may occur.

• The incident handling team should recommend short-term and long-term solutions.

INCIDENT RESPONSE AND HANDLING FOR EVERYONE

MOHAMED SHAFRI HATTA


CATEGORIES OF INCIDENTS

Crisis

A crisis can be categorized as any incident that may cause destruction or service disruption, such as a natural disaster or an infrastructure attack.

Security Breach

Any event which breaches the security policy of an organization or the laws of the country. Some examples are breach of confidentiality, modification of data or compromise of integrity.

Abuse & Misuse

Any activity conducted against the acceptable use policy of the organization, such as causing annoyance or conducting non-work-related activity, e.g. e-mail abuse (spamming and mail bombs) and illegal content (pornography and piracy).

Human Error

Human error can be categorized as any accidental damage done due to human error, which may cause disruption of service and may not involve criminal activity. Examples are information disclosure and misconfiguration by the organization.

TYPES OF INCIDENTS

Spamming

Spamming refers to e-mails that you do not wish to receive and that are irrelevant to you. These mails usually have business motives for marketing purposes and are sent by individuals with personal goals, or by marketing agents selling their products.

Mail bomb

A mail bomb is the act of sending large quantities of e-mail to a single user or system, which could flood his/her mailbox and may crash the system. Mail bombing is considered serious as it can disrupt mail traffic and, in some cases, could lead to denial of service to the network.

Intrusion

Intrusion refers to unauthorised or illegal access to a system or network. This could be the act of root compromise, web defacement and installation of malicious programmes, i.e. backdoors or trojans.

Hack threat

Hack threat refers to illegal and unauthorised hacking attempts against a system or a network with the malicious intention of compromising a vulnerable system, such as illegal port scanning and probes.


Virus

A virus is a malicious piece of program code which survives and replicates in a computer system and attacks silently, without the user's knowledge. Once in the system, the virus will replicate and infect other files, changing them in the process. Viruses are mainly found in software, programmes, screen savers and data files. A virus might carry a "payload" which is released by the virus upon a triggering event and which also determines the extent of the damage the virus does.

Worm

A worm is a self-contained programme that is able to spread functional copies of itself to other computers via the network without any external help.

Denial of Service (DoS)

Denial of service refers to the illegal act of bringing a particular system down, or disabling a system. There are various types of DoS attacks, e.g. ping flood attacks, Smurf attacks and SYN attacks.

Destruction

Destruction is defined as an illegal act made to destroy the system, data/information and/or physical assets, crippling the whole system. Such incidents can be the result of repeated attempts against the targeted system which finally lead to the destruction of the whole system.

Fraud

This is strictly where a computer system is used as an instrument of a crime; for example, its processing capability is used to divert funds illicitly, as in e-mail forgery (user impersonation), e-commerce (payment anonymity) and e-banking (ATM and credit card fraud).

Forgery

Forgery means to forge or impersonate something/someone so that it appears real and true. This includes forgeries of your name and e-mail address in messages to others, or of other people's identities in mail to you. Both can be extremely unpleasant or even damaging if the recipient is fooled.

Harassment

Harassment is a malicious act of annoying and threatening someone through various means, e.g. via e-mails and/or letters, with personal motives and reasons. Harassment is usually done by someone close to the victim or by someone unknown to the victim.

INCIDENT HANDLING: STEP BY STEP

Preparation

System or network administrators should take proactive measures to secure their organization's systems. This includes applying proper patches and service packs and upgrading the operating system, applications and software. An organization should also have defence mechanisms such as a firewall, intrusion detection system and anti-virus programme to defend its network. Any unnecessary services or ports should be closed to minimize the probability of attack.

Other preparation that can be undertaken by an organization is to send its staff for security training, such as Incident Handling training. With this training, incident handlers or system administrators should include maintaining the organization's infrastructure in their day-to-day tasks. Constant log monitoring is the most important process, and system administrators should be on the alert and suspicious of anomalous activities.

The organization should establish contacts with local ISPs, other Computer Emergency Response Teams (CERTs) and law enforcement agencies. This will help the organization when an incident happens. Keep a database of the relevant persons in charge and their contact details, and make it accessible to your team. Make sure you have their contact numbers, i.e. phone, fax, e-mail and pager.

Last but not least, an organization should have a standard operating procedure (SOP) for Incident Handling and enforce it within the organization. Policies on passwords, system/network access and secure communication are a must.

Identification

The organization should verify that an incident has occurred and exclude the possibility of human error by checking for errors in system configuration and for user or administrator errors. Once these errors are ruled out, determine the type of incident.

IT personnel should not panic when an incident occurs. Panicking will make coordination and communication difficult, while remaining calm can avoid critical errors.

The incident handler should take note of and document every piece of information or evidence associated with the incident. Use the four principal W's: Who, What, When, Where, plus some extras like How and Why.

Analyze the information and evidence. Safeguard the evidence you have by keeping a backup copy. The incident handler should analyze any relevant logs, files and code that might indicate successful penetration or traces left by the intruders.

The incident handler or system/network administrator should notify the appropriate parties, such as the security coordinator and the manager.

Containment

The first action in containment is to disconnect the affected machine from the network. This is to prevent further spread of the incident. It will also prevent intruders from getting into the server again. The security manager should deploy a small team to physically secure the incident area.

The incident handler should be alert to potential planted malicious code or scripts in the affected system. The incident handler should not log in to the compromised system immediately, as you need to check whether any rootkit is installed. Analyze the cryptographic fingerprints of the core binary files of the compromised system against a trusted system. As a best practice, check other neighbouring systems or networks for possible compromise. Review all logs and file signature databases.

The incident handler should make a backup copy of the compromised system to new media. Make a binary-to-binary or bit-to-bit backup. Seal and store the backup tapes securely so that no one can tamper with the evidence. This process is necessary for forensic analysis and court proceedings.

The system or network administrator should change the passwords of the compromised system and of other systems that it regularly connects to. If the system was subjected to a sniffer attack, you may need to change the passwords of all systems on the affected LAN or subnet.
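The containment step of comparing "the cryptographic fingerprint of core binary files of the compromised system against a trusted system" is mechanical enough to script. The code below is an added example written for this compendium, not NISER's or the author's tooling: it builds a SHA-256 baseline from a trusted root, verifies a suspect root against it, and reports each file as ok, modified or missing. So that it runs anywhere, the "trusted" and "suspect" hosts are two temporary directories populated with constructed files; the binary names (bin/ls, bin/ps, bin/netstat, sbin/sshd) are only illustrative.

```python
"""Verify core binaries against a trusted SHA-256 baseline (added example, not from the compendium)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(trusted_root, relpaths):
    """Fingerprint every listed file under a trusted root: {relpath: sha256}."""
    return {rel: sha256_of(os.path.join(trusted_root, rel)) for rel in relpaths}


def verify_against_baseline(suspect_root, baseline):
    """Classify each baseline entry as found on the suspect root.

    A file whose digest differs has been replaced or patched; a file that is
    absent is just as suspicious, since attackers remove tools they do not
    want run. Both are listed by relative path so the report can be filed
    with the incident record."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(baseline.items()):
        path = os.path.join(suspect_root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: a trusted host and a suspect host on which one core
    binary was replaced and another deleted. Returns the verification report."""
    core = ["bin/ls", "bin/ps", "bin/netstat", "sbin/sshd"]  # illustrative names
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as suspect:
        # populate both roots with identical (constructed) file contents
        for rel in core:
            for root in (trusted, suspect):
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "wb") as f:
                    f.write(b"genuine binary content for " + rel.encode())
        # simulate tampering on the suspect host only
        with open(os.path.join(suspect, "bin/ps"), "wb") as f:
            f.write(b"replaced binary content")
        os.remove(os.path.join(suspect, "bin/netstat"))

        baseline = build_baseline(trusted, core)
        return verify_against_baseline(suspect, baseline)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:8s} {files}")
```

In a real response the baseline comes from a known-good installation (or vendor-published digests) and the hashing runs from trusted media, never with the suspect system's own binaries, which is the reason the text warns against logging in to the compromised host first.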

Eradication

In this process, the incident handler should determine the root cause of the attack. How do you do that? Analyze all the information gathered during the identification phase and look for weaknesses in the operating system and applications that could have been exploited.

The next step is to apply defence mechanisms. The organization should apply firewalls, router filters, intrusion detection systems (IDS), intrusion prevention systems (IPS) and anti-virus programmes at both network and host level. If possible, change the server name and IP address.

The last process is to carry out a vulnerability assessment on the system and network to determine whether the software needs to be upgraded/patched. Run host-based and network-based assessment tools to test the robustness of your system and network configurations. Remove the cause of the incident. Close unnecessary ports/services if the incident was due to an open port. Patch and upgrade software if the incident was due to a vulnerable/older version of software. Malicious code planted by the intruder should also be removed and cleaned up.

Recovery

Restore the system from a clean backup. After restoration, verify that the operation was successful and the system is back to normal. The security manager will determine when to restore operations. Once the system is back to normal, monitor for any hidden backdoors that may have escaped detection.

Follow-Up

In the follow-up process, produce a comprehensive report on the whole incident for reference purposes. The incident handler should follow up with the owners of the system to check whether they have done what is necessary. Conduct assessments of the system regularly to verify that the system is secure and not vulnerable.


BEST PRACTICE

Intrusion Detection Checklist

http://www.cert.org/tech_tips/intruder_detection_checklist.html

Windows NT Intrusion Detection Checklist

http://www.auscert.org.au/render.html?it=1972&cid=1920

UNIX Security Checklist

http://www.auscert.org.au/render.html?it=1935&cid=1920

Securing an Internet Name Server

http://www.cert.org/archive/pdf/dns.pdf

Secure Infrastructure Design

http://www.cert.org/archive/pdf/Secure_Infrastructure_Design.pdf

Internet Information Service 5.0 Security Checklist

http://www.microsoft.com/technet/security/chklist/iis5chk.mspx

Internet Information Service 4.0 Security Checklist

http://www.microsoft.com/technet/security/chklist/iischk.mspx

Windows Server 2003 Security Guide

http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx

Windows XP Baseline Security Checklist

http://www.microsoft.com/technet/security/chklist/xpcl.mspx

Windows 2000 Server Baseline Security Checklist

http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx

Windows NT 4.0 Server Baseline Security Checklist

http://www.microsoft.com/technet/security/chklist/nt4svrcl.mspx

Windows NT 4.0 Workstation Baseline Security Checklist

http://www.microsoft.com/technet/security/chklist/nt4wscl.mspx

Steps for Recovering from a UNIX or NT System Compromise

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html


CONCLUSIONS

An incident handling and response team must strive for quicker response times to minimize downtime. An organization should have proper policies and mechanisms in place. This will expedite the incident handling process. The effectiveness of the incident handling team in managing escalation and investigation is the most critical asset of an organization. The incident handling team should notify the appropriate or affected parties of any incidents. This will minimize the probability of a successful attack. The best approach is to communicate with the Internet Service Provider (ISP), vendors or Computer Emergency Response Team (CERT).

REFERENCES

1. http://www.mycert.org.my/resource.html

2. http://www.mycert.mimos.my/securityterm.html

3. http://www.cert.org/tech_tips/

4. http://www.microsoft.com/technet/security/default.mspx

5. http://www.auscert.org.au/render.html?cid=1920

6. Computer Security Incident Handling Step by Step, SANS Institute, 1999


VIRUSES, WORMS, TROJAN HORSES 101


Madihah Mohd Saudi is the virus analyst for NISER and is responsible for conducting in-house testing for virus analysis; reviewing standard operating procedures for virus analysis; developing acceptable use policies; and damage control and laboratory specifications. She is also accountable for responding to virus cases as MyCERT (Malaysia Computer Emergency Response Team) 2nd level support. Her other tasks are Windows security audits and anti-virus audits. Madihah joined NISER in 2001 as a Computer Forensic analyst and project manager for the Computer Forensics department.

Madihah earned her Bachelor's Degree in Computer Science from Universiti Kebangsaan Malaysia (UKM) in 2001. Her mission for NISER and for herself is to be one of the best security analysts in the nation.

She holds the GIAC Security Essentials Certification, which was issued by the SANS Institute, USA in 2001, and is also a Certified Ethical Hacker (2003), awarded by the EC-Council, USA.

MADIHAH MOHD SAUDI, NISER, AUTHOR


ABSTRACT

Nowadays, computer application developers large and small are adopting the trend of "push to market first" and fix the bugs later. This leads to disastrous outbreaks such as the Melissa virus, Code Red worm, NIMDA worm and the more recent Blaster and Nachi worms.

Thus, it is critical that we understand these malicious codes, better known as viruses, worms and Trojan Horses. There are many ways in which malicious codes spread. The common mediums are e-mail attachments, scripts in web pages, and networks and file sharing.

In this paper we will discuss what these malicious codes are; how they behave; their impact on society; the countermeasures that can be taken, which include detection, removal and prevention methods; two case studies on issues related to worm outbreaks; the propagation of malicious codes; who is responsible for the damage caused, whether the virus writer or the person who distributes it; and the future of malicious codes.

Keywords: malicious code, virus, worms, Trojan horse

INTRODUCTION

Definition of malicious code

Malicious code is a term used to describe all sorts of destructive programmes, namely viruses, worms, Trojans, pests and rogue Internet content[1]. Malicious code is more prevalent today than ever before, and both home users and system administrators need to be on the alert to protect their network or company against attacks. It is coming out so fast these days that even the most accurate scanners cannot track all the new ones.

By referring to MyCERT's Abuse Statistics from 1997 until June 2004, we can see a rapid increase in computer crime cases in Malaysia, especially virus cases[2]. Virus cases increased from seven in 1997 to 379 in 2001, and up to June 2004 had reached 158 cases. As we know, the Code Red worm hit the world in August 2001, followed by the Nimda worm in September 2001 and the Blaster, Nachi and Sobig.F worms in August 2003. A huge amount of money was spent to recover from the attacks. These worms instigated a classified infrastructural attack on the Malaysian public. Details of the worms can be found in 'Situational Report on Major Worms up to 2003 in Malaysia', available from NISER's website[3].

VIRUSES, WORMS, TROJAN HORSES 101

MADIHAH MOHD SAUDI


DEFINITION OF VIRUS, WORM AND TROJAN HORSE

The Internet is constantly being flooded with information about computer viruses, worms and Trojan Horses. Terms like virus and worm have been used interchangeably, but they have different meanings and functions. The definitions are listed below:

Viruses

A virus is defined as a programme which, when executed, can add itself to other programmes without permission[4]. This is done in such a way that the infected programme, when executed, can add itself to other programmes as well. The virus inserts itself into the chain of command, so that executing a legitimate programme results in the execution of the virus as well as the programme.

If we relate this to our daily life, virus programming logic mimics its biological counterpart. First, viruses invade their host victims by changing the underlying structure. Once infected, host files become viruses themselves and begin to infect other files. Later, computer viruses mutate and evolve to fight anti-virus 'antibiotic' programmes, and massive infection results in the larger system malfunctioning.

A virus hoax is another term, given to a message warning about non-existent viruses. It generally asks readers to forward the message to everyone possible. It is highly recommended that users ignore or delete such e-mail.

Viruses can be categorized into six categories, which are:

a. Boot Sector Virus

These viruses infect floppy disk boot records or master boot records on hard disks. They replace the boot record programme (which is responsible for loading the operating system into memory), copying it elsewhere on the disk or overwriting it, when you first turn on your computer. Boot viruses load into memory if the computer tries to read the disk while it is booting. This kind of virus can prevent you from being able to boot your hard disk.

b. File Virus

These are viruses that attach themselves to (or replace) .COM and .EXE files, although in some cases they can infect files with extensions like .SYS, .DRV, .BIN, .OVL and .OVY. With this type of virus, uninfected programmes usually become infected when they are executed with the virus in memory. In other cases they are infected when they are opened (such as using the DOS DIR command), or the virus simply infects all the files in the directory it is run from (a direct infector).

c. Macro Virus

Written using a simplified macro programming language, these viruses affect Microsoft Office applications, such as Word and Excel, and account for about 75% of viruses found in the wild. A document infected with a macro virus generally modifies a pre-existing, commonly used command (such as Save) to trigger its payload upon execution of that command.


d. Multipartite Virus

A multipartite virus is a hybrid of Boot and Programme viruses. They infect programme files

and when the infected programme is executed, these viruses infect the boot record. When

you reboot the computer the virus from the boot record loads in memory and start infecting

other programme files on disk.

e. Polymorphic Virus

These viruses change code whenever they are passed to another machine; in theory these

viruses should be more difficult for anti-virus scanners to detect, but in practice they are

usually not that well written.

f. Stealth Virus

These viruses hide their presence by making an infected file appear uninfected, but they do not usually stand up to anti-virus software.

From these six categories of virus, it can be summarised that viruses spread through files, boot programmes and macro files.

The first viruses emerged in the mid-1980s. By 1990, there were still fewer than 100 viruses. Today it is estimated that there may be more than 50,000 viruses. Interestingly, the majority of viruses are not out in the public, that is, not “in the wild.” Resources say that only 100-180 of the 50,000 viruses account for all the viruses that are in the wild. Most of the viruses exist only in personal virus collections, also called “virus zoos.”

Worms

A worm is a self-contained programme (or set of programmes) that is able to spread functional copies of itself to other computer systems (usually via a network). It is very similar to a virus in that it is a computer programme that replicates and often, but not always, contains some functionality that will interfere with the normal use of a computer or a programme. Worms do not need to attach themselves to other files or programmes; the worm exists as a separate entity. A worm can spread itself automatically over the network from one computer to another, but it can also travel as an e-mail attachment.

Worms fall into two categories:

a. Host computer worms

Host computer worms are entirely contained in the computers on which they run and use network connections only to copy themselves to other computers. The original worm terminates itself after launching a copy on another host (so there is only one copy of the worm running somewhere on the network at any given moment).


b. Network worms

A network worm consists of multiple parts (called ‘segments’), each running on a different machine (possibly performing different actions) and using the network for several communication purposes. Propagating a segment from one machine to another is only one of those purposes. Network worms that have one main segment that coordinates the work of the other segments are sometimes called ‘octopuses’. An example of a recent network worm is the Bobax worm.

Trojan Horse

A Trojan horse is defined as a programme which masquerades as a legitimate programme but does something other than what it was originally intended to do. It is a programme that looks useful but contains unauthorised, undocumented code for unauthorised functions. It can be passed on via a worm or virus. There are many different types of Trojans. These are:

a. Remote Access Trojan

These are probably the most popular and very likely the most dangerous of the many Trojan classes currently available. These work in server/client mode. The server part installs itself on the unsuspecting user’s computer and the client remains on the attacker’s system. Once an infected machine has been discovered, the intruder establishes a link between the two. He can subsequently perform any action the user can, and more. For example, let’s assume that the user has valuable data stored in a folder called “XYZ” on his C: drive. In order to steal that data, all the intruder needs to do is to drag and drop the folder called XYZ from the user’s C: drive onto his own. It is as simple as that! Examples of the most popular Remote Access Trojans are NetBus, SubSeven and Back Orifice (The Cult of the Dead Cow – cDc).

b. Mail Trojan

Another popular type of Trojan in hackers’ circles is the mail Trojan. It works in server mode only and its main function is to record certain data, such as the keystrokes the user enters when passwords are typed, the websites he regularly visits and files in general. An infected machine will automatically send the information by e-mail to the attacker. These are very difficult to spot because the e-mail client is part of the Trojan itself.

c. FTP Trojan

This particular class of Trojan works in server mode only. It allows FTP access to an infected machine and can download or upload files at the intruder’s whim.

d. Telnet Trojan

Telnet Trojans run in server mode only and allow an intruder to execute DOS commands on a remote machine.


e. Key logger Trojan

These Trojans record the keystroke input on an infected machine and then store the information in a special log file that the intruder can access in order to decipher passwords.

f. Fake Trojan

This type of Trojan uses fake dialog boxes and other bogus windows that purport to show that the user has attempted to perform an illegal operation. The sole purpose of the dialog box is to get the user to enter his user name and password. That information is then stored in a file so that the intruder can use it at a later date.

g. Form Trojan

This is a Trojan that, once installed, collects the user’s personal data such as the IP address, passwords and other personal data that he or she has stored on the system, and then, by connecting to the cracker’s web page, submits it in an online form via HTTP. The cracker can then use the information gained whenever he wishes. The Trojan performs this function without any user intervention and without the user’s knowledge. The user will not see any indication of the transmission, such as pop-up windows, that would indicate that this is taking place.

To perform most of the above tasks, one has to obtain the IP address of the victim. This can be done using a third-party programme or, if the victim does not have much knowledge of computers, by creating an FTP link between you and the victim while chatting and, while the file is being transferred, noting down the victim’s IP address using commands like “netstat -an” or any telnet command.


DIFFERENCES BETWEEN VIRUS, WORM AND TROJAN HORSE

Virus

1. Non self-replicating
2. Produce copies of themselves using a host file as carrier
3. Cannot control PC remotely
4. Can be detected and deleted using anti-virus

Worm

1. Self-replicating
2. Do not produce copies of themselves using a host file as carrier (independent programme)
3. Cannot control PC remotely
4. Can be detected and deleted using anti-virus

Trojan Horse

1. Non self-replicating
2. Do not produce copies of themselves using a host file as carrier (independent programme)
3. Control PC remotely
4. Sometimes cannot be detected and deleted using anti-virus

From the table above (taken from NISER virus lab testing), we can conclude that worms and viruses are very similar to one another but are technically different in the way that they replicate and spread through a system. As for the Trojan Horse, its capability to control a PC remotely makes it different from worms and viruses.

IMPACT TO SOCIETY

From the NISER ICT Security survey for Malaysia 2001/2002, based on the results shown in Figure 1 at Appendix A, virus attacks were the most frequent security breach experienced in 2001/2002, with a record of 1,280 times. In terms of financial losses, virus attacks thus become one of the major contributors.

A breach in information security can impact many business processes within an organization, and that impact becomes more difficult to assess. It is not simply a case of how much it costs to rectify the breach but of a range of other issues such as delayed delivery of contracts, lost opportunities, legal and contractual liabilities incurred, loss of customer confidence and loss of trust. Furthermore, organizations do not like to publicize that they have suffered a security breach because of the adverse publicity that it brings and the damage it is likely to inflict on the company’s reputation.

Below are other impacts to society:

a. Loss of data

For example, Excel spreadsheets which contain client information. The virus might damage the data, or accidentally e-mail the data to a competitor, which leads to disclosure of confidential information.


b. Loss of trust and reputation

If a customer receives inaccurate data, will they return? Reputation risk depends on the worm’s publicity profile; for example, a widely spreading worm carries a high reputation risk.

c. Information compromised

Users may be working unknowingly with data that is wrong.

d. Loss of customers

If customers are not happy due to viruses, they will find someone else.

e. Loss of loyalty and retention

Return customers do not like problems.

f. Loss of website

If certain data is corrupted, a business which is based on online transactions might not work. If the website for the transactions distributes viruses, it may be disabled.

g. Loss of time

How much time can a company afford to waste? And how much cost of repair or of business loss would the company have to suffer?

Another scenario, showing the impact of a key logger (Trojan Horse), is taken from an article in The Star newspaper in 2003. Details of the article can be found at Appendix B. A student was accused of hacking into a university system and then installing a key logger Trojan Horse to capture keystrokes entered by another person. This scenario, which took place in Michigan, USA, is not something that could not happen in Malaysia.

SIGNS AND SYMPTOMS

Diagnosis questions

Below are sample diagnosis questions which can help a user to identify whether he or she has been infected by a virus.

1. Did loading programmes take more time than usual?
2. Did other disk accesses take more time than usual?
3. Was there unusual screen activity, or did any warning messages appear?
4. Did drive lights come on without reason?
5. Was memory or disk space reduced?
6. Did any files disappear or appear?
7. Was there any increase in programme size?


How can these diagnosis questions help a user identify whether he/she has been infected by a virus?

As for the first question, if programme loads take longer than normal, this might indicate that the virus has already gained control at start-up of the system or programme. When the system is booted up or an application programme is loaded, the virus performs its activities, and quite possibly extends the time taken for the load to complete by several seconds.

For the second question, excessive disk access for very simple tasks might indicate that virus activities are being performed. For example, saving a page of text usually takes about a second, but a virus may extend this to two or three seconds. Watch out for a slow-down in directory access and update times.

As for the third question, this is the easiest way to detect whether a PC has been infected. Unusual error messages may give a clue that something is wrong with the PC, especially if the message appears frequently; it might indicate a virus infection.

Question four concerns access lights coming on when there is no obvious reason. For example, if the light for one of the drives keeps flashing even when no access is being made to load or save data, then it may very well be that the PC has been infected.

For question five, if memory or disk space is reduced, this is a common warning sign that a virus has moved in and begun replicating. Some viruses affect memory once they have been activated.

For question six, some viruses delete files, either randomly or according to specific instructions. If a file has disappeared from a PC directory for no good reason, suspect that a virus is at work. Also check for infection if unexplained files start appearing.

As for question seven, if programmes change size rapidly, particularly an executable file, then further inspection for virus infection should be performed. Bear in mind that some viruses increase the size of the programme but restore the displayed size to the original figure. In this situation you are recommended to use a file integrity checker.

All of these questions can be used as guidelines in identifying or detecting virus infections.
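A simple file integrity checker of the kind recommended for question seven, added here as an example that is not part of the compendium: it records the size and SHA-256 hash of each programme file, then reports files whose content changed even when the reported size still matches, as well as files that appeared or vanished (questions six and seven). The directory, file names and byte contents in demo() are constructed for the example.

```python
# Added example (not from the compendium): a minimal file integrity checker.
# It records the size and SHA-256 of each programme file in a baseline, then
# re-checks and reports files whose content changed, even when the size
# reported today still matches the baseline (the case the text warns about).
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions the text names as file-virus targets.
PROGRAMME_EXTENSIONS = {".com", ".exe", ".sys", ".drv", ".bin", ".ovl", ".ovy"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each programme file under root to its size and SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PROGRAMME_EXTENSIONS:
            baseline[str(path.relative_to(root))] = {
                "size": path.stat().st_size,
                "sha256": sha256_of(path),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the directory against the baseline.

    Returns three lists: 'modified' (hash differs; 'size_hidden' is True when
    the size still matches, i.e. a change a size column would not reveal),
    'added' and 'missing'.
    """
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(
                {"file": name, "size_hidden": new["size"] == old["size"]}
            )
    report["added"] = sorted(set(current) - set(baseline))
    return report


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; keep this file somewhere the checked host cannot alter."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Self-contained demonstration on a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "editor.exe").write_bytes(b"MZ" + b"\x00" * 510)
        (root / "util.com").write_bytes(b"\xe9\x00\x00" + b"\x90" * 61)
        (root / "notes.txt").write_bytes(b"not a programme file")
        baseline = build_baseline(root)

        # Simulate an infection that keeps the file size identical: overwrite
        # the tail of editor.exe with different bytes of the same length.
        (root / "editor.exe").write_bytes(b"MZ" + b"\xcc" * 510)
        # Simulate a dropped file and a deleted one.
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x00" * 30)
        (root / "util.com").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```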

System administrator

All the signs and symptoms below must be investigated, especially by the system administrator.

• E-mail appearing at two or more connected PCs at the same time.
• The e-mail server and network start to slow down under the strain of sending thousands of e-mails all at once.
• A firewall reports a sudden onset of either incoming or outgoing traffic on a rarely used TCP/IP port.
• A sudden decrease in processing speed soon after downloading a new file; the machine appears sluggish.
• Reading unexpected e-mail or visiting a new website (redirected by Internet Explorer).

With an e-mail worm, the same strange e-mail message with an attached file or web link starts appearing all over the corporate network at once. A message with exactly the same subject line starts appearing in everyone’s inbox from several different users, including users who do not normally send many e-mails.

PREVENTION TECHNIQUES

A malicious attack can enter your company’s network through an e-mail attachment, shared file folders, wireless peripherals, web pages, laptops or even a direct attack on a router or server. The bottom line is that any point of access to your network may be at risk.

Below are the recommended prevention techniques:

Risk Opportunity: Opening every e-mail and attachment you receive
Prevention Technique: Screen your e-mail (visually and with anti-virus software). Consider limiting e-mail attachments. Filter all double-extension attachments or any executable attachment.

Risk Opportunity: Using your e-mail preview
Prevention Technique: Turn off the preview pane and read text instead of HTML. Update and install the latest patch for the e-mail application and Internet Explorer.

Risk Opportunity: Responding to SPAM
Prevention Technique: Report SPAM to: [email protected] and Webmaster@domainname

Risk Opportunity: Visiting unknown websites
Prevention Technique: Be cautious when visiting unknown websites. Use a personal firewall to avoid any unexpected file being downloaded automatically.

Risk Opportunity: Connecting to unknown networks
Prevention Technique: If you are not sure and do not need it, do not connect.

Risk Opportunity: Using unlicensed software
Prevention Technique: Follow copyright laws.

Risk Opportunity: Using any diskette or CD without verifying the source
Prevention Technique: If you aren’t sure and don’t need it, don’t use it. Trust references.

Risk Opportunity: Using shared systems, peer-to-peer systems, file sharing
Prevention Technique: Avoid all of these. They may violate copyright laws and allow too much access. Use password-protected drive shares.

Risk Opportunity: Allowing unauthorised users access to your system
Prevention Technique: Lock your system and use password-protected screen savers. Use a personal firewall.

Risk Opportunity: Not patching the PC, especially on the Windows platform
Prevention Technique: Always install the latest patch and make sure your machine’s Windows Update runs regularly.

Risk Opportunity: Browsing for and downloading MP3 songs
Prevention Technique: Install anti-spyware software.

Figure 3: E-mail with anti-virus result

Believe it or not, this anti-virus result is fake.

CASE STUDY OF INFECTED E-MAIL AND SASSER.A WORM

Case Study 1: Infected E-mail

If the e-mail server for your organization has anti-virus software to filter infected attachments, it will not be a problem (please refer to Appendix C, Figure 2). Another question users might ask is whether they can get infected by a virus just by opening an e-mail. The answer is yes; there are viruses that can infect the PC without launching the application. Such viruses get in through some e-mail client applications, like Microsoft Outlook, so it is advisable to remove the scripting facility. However, most virus infections happen when you launch or execute file attachments without first scanning the file for any unknown virus.

What if you received an e-mail with an anti-virus scan result like the one below? Would you just open the attachment, or scan the attachment even though an anti-virus result is already displayed?


Above is an example of the Netsky.P worm, whose message contains fake results of anti-virus scanning.

The lesson learnt here is to scan all e-mail attachments before executing or reading them. For details on safe e-mail practices, please visit: http://www.mycert.org.my/faq-safe_e-mail_practices.htm
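An attachment policy check that applies the prevention table’s rule (filter double-extension and executable attachments) together with the lesson of the Netsky.P case (a clean-scan claim inside the message body is not evidence), added here as an example and not code from the compendium or from MyCERT. The extension list, the regular expressions and the sample filenames are assumptions made for the example.

```python
# Added example (not from the compendium): an inbound attachment policy.
# It blocks executable attachments and double extensions such as
# "report.doc.exe", and treats a "no virus found" claim inside the message
# body as a reason for more suspicion, not less (the Netsky.P trick).
import re
from dataclasses import dataclass, field

# Extensions Windows executes directly, or that carry scripts (assumed list).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf",
    "hta", "cpl", "dll", "sys", "drv", "bin", "ovl", "ovy",
}
# name.ext where ext is 1-5 alphanumerics; the non-greedy stem keeps any
# earlier ".xxx" in the stem so it can be inspected as an inner extension.
_FILENAME_RE = re.compile(r"^(?P<stem>.+?)\.(?P<ext>[A-Za-z0-9]{1,5})$")
# Phrases a fake "scan result" typically contains (constructed heuristic).
_FAKE_SCAN_RE = re.compile(
    r"(no virus found|virus[- ]free|scanned by .{0,40}anti-?virus|attachment is clean)",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    filename: str
    allowed: bool
    reasons: list = field(default_factory=list)


def classify_attachment(filename: str) -> Verdict:
    """Decide whether an attachment name is acceptable under the policy.

    Checks: an executable final extension; a double extension such as
    "photo.jpg.scr" (an inner extension hiding an executable one); and runs
    of spaces used to push the real extension out of view in a mail client,
    e.g. "invoice.txt                         .exe".
    """
    name = filename.strip()
    reasons = []
    compact = re.sub(r"\s+", "", name)  # spaces only matter for the padding check
    match = _FILENAME_RE.match(compact)
    if match is None:
        return Verdict(filename, allowed=False, reasons=["no recognisable extension"])
    stem, ext = match.group("stem"), match.group("ext").lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    inner = _FILENAME_RE.match(stem)
    if inner is not None:
        reasons.append(f"double extension .{inner.group('ext').lower()}.{ext}")
    if re.search(r"\s{3,}", name):
        reasons.append("padding spaces before the extension")
    return Verdict(filename, allowed=not reasons, reasons=reasons)


def body_claims_clean(body: str) -> bool:
    """True when the message text itself asserts a clean anti-virus result."""
    return _FAKE_SCAN_RE.search(body) is not None


def filter_message(attachments: list, body: str) -> dict:
    """Apply the policy to one message; returns {filename: Verdict}.

    Only the gateway's own scanner may clear a file, so a clean-scan claim in
    the body never turns a blocked file into an allowed one; it is recorded
    as an extra reason so the audit trail shows the social-engineering cue.
    """
    claims_clean = body_claims_clean(body)
    decisions = {}
    for name in attachments:
        verdict = classify_attachment(name)
        if claims_clean and not verdict.allowed:
            verdict.reasons.append(
                "message body asserts a clean scan result; treat as social engineering"
            )
        decisions[name] = verdict
    return decisions
```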

Case Study 2: Sasser.A worm

Harith was browsing the Internet on his machine (Windows XP) to search for information for an assignment. A few minutes later, a pop-up message appeared with an LSASS shell error (as displayed below). Harith ignored the message and closed it. The PC then prompted for a reboot in 60 seconds. When the machine restarted, after a few minutes it kept rebooting again and again…

Figure 4: E-mail with fake result


He did not know what to do. When he asked his colleagues, most of them claimed that they had experienced the same situation. When he checked his machine, he found a few unknown files in the Windows directory, registry and memory. An unknown network connection had also been made. (Please refer to Appendix D for the screen captures of his Windows directory, registry and memory.)

What is the proper next step should scenario 1 happen?

General information about this infected machine:

Harith’s machine was infected by the Sasser.A worm.

On 2 May 2004, MyCERT received reports of, and detected, a new Internet worm that propagated vigorously upon infection by scanning TCP port 445 and sending its payload to random IP addresses. The worm, W32.Sasser, is an Internet worm that arrived as AVSERVE.EXE on target systems, and once it had infected a machine the worm would open TCP port 9996 and TCP port 5554 for malicious activities.

The worm exploits a vulnerability that exists in Microsoft Windows systems:

* It exploits the Local Security Authority Subsystem Service (LSASS) vulnerability released on 13 April 2004 (partly described in Microsoft Security Bulletin MS04-011), using TCP port 445, and specifically targets Windows XP, Windows 2000 and Windows 2003 machines.

Once infected, the worm exploits the vulnerable system by overflowing a buffer in LSASS.exe. It creates a remote shell on TCP port 9996. Then it creates an FTP script named cmd.ftp on the remote host and executes it. The FTP script instructs the targeted victim to download and execute the worm from the infected host, which accepts this FTP traffic on TCP port 5554. The worm file has a name consisting of 3 to 5 digits followed by _up.exe (e.g. 12345_up.exe).

The infected host prompts an LSASS shell error and reboots. After the reboot, the worm scans for other active machines to infect by probing TCP port 445 at random IP addresses.

Details for solution 1 (Manual Removal Steps) and solution 2 (Automatic Removal Tool Steps) can be found in Appendix E.
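A detector for the two network-level signs of Sasser described above (one host sweeping TCP port 445 across many random addresses, and new listeners on TCP 5554 and 9996), run over constructed firewall log lines. This is an added example, not MyCERT’s or the compendium’s code; the log line format, thresholds and addresses are assumptions. It also illustrates the firewall symptom listed under “System administrator” above.

```python
# Added example (not from the compendium): network-side detection of the
# Sasser behaviour described in the case study, over constructed log lines.
# Sign 1: one internal host opening TCP/445 connections to many distinct
# addresses in a short window (scanning). Sign 2: inbound connections
# accepted on TCP 5554 (the worm's FTP server) or 9996 (its remote shell)
# by a host that is not a known listener on those ports.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall log format: "<iso-timestamp> ALLOW|DENY TCP src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SCAN_PORT = 445
WORM_SERVICE_PORTS = {5554, 9996}


def parse(line):
    """Parse one log line into a dict, or None if it is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "action": d["action"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def find_port445_scanners(events, window=timedelta(seconds=60), min_targets=20):
    """Return {src: distinct_targets} for sources that reached at least
    min_targets distinct addresses on TCP/445 inside any sliding window.
    DENY lines count too: a scanner hits mostly dead or blocked addresses."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == SCAN_PORT:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def find_new_worm_services(events, known_listeners=frozenset()):
    """Return {dst: [ports]} for hosts that accepted (ALLOW) an inbound
    connection on 5554 or 9996 without being a known (host, port) listener."""
    found = defaultdict(set)
    for e in events:
        if (e["action"] == "ALLOW" and e["dport"] in WORM_SERVICE_PORTS
                and (e["dst"], e["dport"]) not in known_listeners):
            found[e["dst"]].add(e["dport"])
    return {host: sorted(ports) for host, ports in found.items()}


def build_sample_log():
    """Constructed sample: 10.1.1.5 sweeps 25 addresses on 445 within 25 s,
    then 10.1.1.9 fetches the worm from 10.1.1.5:5554 and connects to its
    shell on 9996; 10.1.1.20 is a normal client touching two file servers."""
    t0 = datetime(2004, 5, 2, 10, 0, 0)
    lines = []
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        action = "ALLOW" if i % 5 == 0 else "DENY"
        lines.append(f"{ts} {action} TCP 10.1.1.5:{1100 + i} -> 192.0.2.{i + 1}:445")
    lines.append(f"{(t0 + timedelta(seconds=40)).isoformat()} ALLOW TCP 10.1.1.9:1203 -> 10.1.1.5:5554")
    lines.append(f"{(t0 + timedelta(seconds=41)).isoformat()} ALLOW TCP 10.1.1.9:1204 -> 10.1.1.5:9996")
    lines.append(f"{(t0 + timedelta(seconds=50)).isoformat()} ALLOW TCP 10.1.1.20:1500 -> 10.1.1.2:445")
    lines.append(f"{(t0 + timedelta(seconds=51)).isoformat()} ALLOW TCP 10.1.1.20:1501 -> 10.1.1.3:445")
    return lines


def analyse(lines):
    """Run both detectors over raw log lines."""
    events = [e for e in map(parse, lines) if e]
    return {
        "scanners": find_port445_scanners(events),
        "worm_services": find_new_worm_services(events),
    }


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```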


ISSUES

How does malicious code spread?

Some users believe that by not opening any e-mail attachment they are safe from viruses, worms, Trojans or other pests. The truth is that malicious code can spread from one computer to another through many methods, all of which depend on users’ carelessness. A user who has never been infected is considered lucky, but others who are not as careful (or are unlucky) infect their hard disks by running downloaded files, or after placing a newly obtained floppy disk in a drive. Viruses and worms spread fastest among computers networked on a LAN, especially when e-mail file attachments are involved.

Sharing certain types of files with others always involves certain risk factors. The medium is irrelevant: files from a LAN server, downloaded from Internet sites or from a floppy (even from shrink-wrapped software). The riskiest of all are files posted on Internet newsgroups, because there is no control or accountability at all. Many people have become victims of brand new viruses and worms by downloading executable files posted deliberately by vandals.

Before the growth of the Internet, viruses used to spread more gradually, from user to user, and anti-virus vendors were usually able to distribute a remedy before things got out of hand. That has all changed, especially with worms, because some people will click on any e-mailed file that they receive. Vandals have seized this opportunity and created programmes designed to spread to all those who correspond with careless users. Because of this threat, the only 100% safe e-mail file attachment is a deleted e-mail file attachment.

Some websites store information on your computer, in small text files called cookies, that can be used when you re-visit their sites. This is also known as spyware. Examples include items you have selected for purchase, registration data, or your user name and password for websites that require them. Since cookies are text files, they are not executable, and this fact eliminates the possibility of viruses, because viruses must be hosted by an executable file. Anti-spyware software can be used to eliminate spyware.

Another example of how malicious code is spread is through a malicious applet: an applet that attacks the local system of a web surfer [6].

Malicious applets involve denial of service, invasion of privacy or annoyance. They can forge e-mail from you to whomever the applet’s author chooses, saying whatever they wish while masquerading as you; steal your CPU cycles to perform their own work while your legitimate processes languish; and crash your local system by using all available system resources. The best way to avoid or stop malicious applets is to set a security policy that allows only applets signed by trusted parties to run.


Who is responsible for the damage caused: the virus writer or the person who distributes it?

A survey carried out by Sophos Anti Virus showed that:

• The majority of virus writers are male and aged between 14 and 24.
• Most do not seem to have active social lives or girlfriends.
• Once virus writers go to university, develop a large social circle and pursue other activities, they tend to stop writing viruses.

Virus writing is not cool and can get the writer into serious trouble. For example, in November 1988, Cornell graduate student Robert Morris wrote the first worm to propagate over the Internet. The Morris Worm exploited a Unix-related vulnerability. Morris, the son of a security expert at the National Security Agency, was convicted of computer abuse offences and sentenced to three years’ probation, 400 hours of community service and a $10,000 fine.

The following suggestions are drawn from observation and from personal exchanges of views with virus writers as well as with anti-virus researchers, rather than from any formal research. The first batch of observations is drawn from the alt.comp.virus newsgroup and is based on an entry in the FAQ for the newsgroup. It is assumed that a virus writer:

• Does not understand, or prefers not to think about, the consequences their actions will have on other people, or simply does not care.
• Draws a false distinction between creating/publishing viruses and actually distributing them. Apparently they consider it perfectly reasonable to make a virus available to anyone who cares to distribute it.
• Considers it to be the responsibility of someone else to protect other systems from their creations. They think it is the responsibility of the victim to defend him or herself.

Why do people distribute it? The answers are:

• They do not know it is malicious code.
• The malicious code is bound to a legitimate object (for example a Word document).
• They are fooled by an unexpected e-mail subject/content (example: e-mail subject “Help!”) which carries an infected attachment.
• They surf across a malicious web page.
• They did not know they were infected.
• They are resistant to good security practices.

In this situation, we cannot point the finger at either the virus writer or the person who distributes it! The most important thing is user education; it is a key component of an anti-virus strategy.

The security manager is advised to assume that system users are incompetent, to tailor the anti-virus strategy accordingly, and to consider social factors such as policy and education when attempting to reduce security risks and malicious code.


The future of malicious code

David Harley, co-author of Viruses Revealed (Osborne/McGraw-Hill, 2001), predicted that to produce malicious code, the author must exploit one of three vulnerabilities: software, “liveware” or hybrid [7].

An example of a software vulnerability is a self-launching worm which requires no human activity. “Liveware” manipulates victims into running unsafe code (which can also be described as using social engineering to trick the victim), for example running an infected e-mail attachment. The hybrid is known as a blended threat, a combination of software and “liveware”.

Even now, all three of these vulnerabilities are widely used by authors of malicious code.

CONCLUSIONS

As new technologies are invented, so is new malicious code. Nobody knows what form it will take, how it will spread or the damage it can do. One thing is for sure: the authors of malicious code will try to make it more complex, unpredictable and easy to spread. The best way to avoid malicious code is to prevent it. By practising good and safe computing, updating your anti-virus software regularly, and being aware of new vulnerabilities and patching them, the spread of malicious code can be reduced.

REFERENCES

1. http://www.indefense.com/manuals/white/malicious.htm
2. http://www.mycert.org.my/abuse-stat/index.html
3. http://www.mycert.org.my/other_resources/NISER-MYC-PAP-7070-1.pdf
4. David Harley, Robert Slade, Urs E. Gattiker, Viruses Revealed, USA, Osborne/McGraw Hill, 2001, pg 5.
5. Colin Haynes, The Computer Virus Protection Handbook, Singapore, Tech Publications, 1990, pg 88.
6. http://www.securingjava.com/chapter-four/chapter-four-1.html
7. http://www.infosecuritymag.com/2002/may/maliciouscode.shtml
8. www.sophos.com


APPENDIX A

Figure 1


APPENDIX B


APPENDIX C

Figure 2


APPENDIX D Screen captured


APPENDIX E

Solution 1: Manual Removal Steps

1. Disconnect the infected machine from the network.

2. Disable System Restore for Windows XP.
   Steps:
   a. Click Start.
   b. Right-click My Computer, and then click Properties.
   c. Click the System Restore tab.
   d. Select the “Turn off System Restore” or “Turn off System Restore on all drives” check box.

3. Apply the latest Service Packs.
   * For Windows 2000 apply SP4
   * For Windows XP apply SP1

4. Apply the Microsoft Security Bulletin MS04-011 patch. The MS04-011 patch can be downloaded at:
   http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

5. Terminate the malicious process that is running.
   Steps:
   a. Press Ctrl+Alt+Delete.
   b. Click 'Task Manager'.
   c. Click the Processes tab.
   d. Scroll through the list, look for the following processes and click 'End Process':
      - 'avserve2.exe'
      - any process with a name consisting of four or five digits, followed by _up.exe (for example, 12345_up.exe).
      * Each of the malicious files is 15.5 kb in size.
   e. Exit the 'Task Manager'.

6. Delete the malicious files in the Windows directory.
   Steps:
   a. Delete the AVSERVE.EXE and <random numbers consisting of 4-5 numbers>_UP.EXE files from the WINDOWS directory. Example: C:\Windows\System32\12345_up.exe
   ** %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
   * Each of the malicious files is 15.5 kb in size.


7. Delete the file dropped by the worm from the registry.
   Steps:
   a. Click Start, and then click Run.
   b. Type regedit and click OK. (The Registry Editor opens.)
   c. Navigate to the key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   d. In the right pane, delete the value:
      "avserve.exe"="%Windir%\avserve.exe"
   e. Exit the Registry Editor.
   f. Enable System Restore for Windows XP.

8. Re-scan the PC to make sure it has been cleaned completely. If there are still infected files, delete them. Please make sure to write down the filename before deleting, to make things easier when you want to reinstall the files later.

9. Re-connect the machine to the network. Take preventive measures against such viruses as written in this paper, or refer to MyCERT’s web pages for details.
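A host-side triage that checks for the artefacts the manual removal steps above tell the administrator to look for by hand (the avserve process and files, the 3-5 digit _up.exe file names and their 15.5 kb size, the Run-key value, and the 5554/9996 listeners), added here as an example that is not part of the compendium. The snapshot text formats and the sample data are constructed assumptions, not the output of any real tool.

```python
# Added example (not from the compendium): host-side check for the Sasser
# artefacts listed in Appendix E, over constructed text snapshots so that it
# runs offline. Snapshot formats are assumptions for this example.
import re

PROCESS_NAMES = {"avserve.exe", "avserve2.exe"}
DROPPED_FILE_RE = re.compile(r"^\d{3,5}_up\.exe$", re.IGNORECASE)  # 3-5 digits + _up.exe
RUN_VALUE_NAMES = {"avserve.exe"}
LISTEN_PORTS = {5554, 9996}
EXPECTED_SIZE_KB = 15.5


def check_processes(lines):
    """lines like 'avserve2.exe 1520 15872' -> image name, pid, working set."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and (parts[0].lower() in PROCESS_NAMES
                                or DROPPED_FILE_RE.match(parts[0])):
            hits.append({"image": parts[0], "pid": int(parts[1])})
    return hits


def check_windows_dir(entries):
    """entries: (filename, size_bytes). Flags name matches and reports whether
    the size agrees with the 15.5 kb quoted in the appendix (within 0.5 kb)."""
    hits = []
    for name, size in entries:
        if name.lower() in PROCESS_NAMES or DROPPED_FILE_RE.match(name):
            size_ok = abs(size / 1024 - EXPECTED_SIZE_KB) < 0.5
            hits.append({"file": name, "size_matches": size_ok})
    return hits


def check_run_key(values):
    """values: {value_name: data} read from HKLM\\...\\CurrentVersion\\Run."""
    return [{"value": name, "data": data} for name, data in values.items()
            if name.lower() in RUN_VALUE_NAMES or "avserve" in data.lower()]


def check_netstat(lines):
    """lines like 'TCP 0.0.0.0:5554 0.0.0.0:0 LISTENING' -> worm ports in LISTENING state."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in LISTEN_PORTS:
                hits.append(port)
    return sorted(hits)


def triage(snapshot):
    """Run every check and summarise; any hit marks the host as infected."""
    report = {
        "processes": check_processes(snapshot["processes"]),
        "files": check_windows_dir(snapshot["windows_dir"]),
        "run_key": check_run_key(snapshot["run_key"]),
        "listening": check_netstat(snapshot["netstat"]),
    }
    report["infected"] = any(bool(v) for v in report.values())
    return report


# Constructed snapshot of an infected host (sizes: 15872 bytes = 15.5 kb).
SAMPLE_SNAPSHOT = {
    "processes": ["explorer.exe 1208 21400", "avserve2.exe 1520 15872",
                  "12345_up.exe 1644 15872"],
    "windows_dir": [("notepad.exe", 69632), ("avserve.exe", 15872),
                    ("12345_up.exe", 15872), ("win.ini", 1024)],
    "run_key": {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
                "avserve.exe": "%Windir%\\avserve.exe"},
    "netstat": ["TCP 0.0.0.0:135 0.0.0.0:0 LISTENING",
                "TCP 0.0.0.0:5554 0.0.0.0:0 LISTENING",
                "TCP 0.0.0.0:9996 0.0.0.0:0 LISTENING",
                "TCP 10.1.1.5:1100 192.0.2.1:445 SYN_SENT"],
}

if __name__ == "__main__":
    print(triage(SAMPLE_SNAPSHOT))
```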

Solution 2: Automatic Removal Tool Steps

1. Disconnect the infected machine from the network.

2. Disable System Restore for Windows XP.
   Steps:
   a. Click Start.
   b. Right-click My Computer, and then click Properties.
   c. Click the System Restore tab.
   d. Select the “Turn off System Restore” or “Turn off System Restore on all drives” check box.

3. Apply the latest Service Packs.
   * For Windows 2000 apply SP4
   * For Windows XP apply SP1

4. Apply the Microsoft Security Bulletin MS04-011 patch. The MS04-011 patch can be downloaded at:
   http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx


5. Download an automatic removal tool, provided by the following anti-virus vendors, which detects and removes the worm.
   Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
   McAfee: http://vil.nai.com/vil/stinger/
   Trend Micro: http://www.trendmicro.com/download/dcs.asp

6. Enable System Restore for Windows XP.

7. Re-scan the PC to make sure it has been cleaned completely. If there are still infected files, delete them. Please make sure to write down the filename before deleting, to make things easier when you want to reinstall the files later.

8. Re-connect the machine to the network. Take preventive measures against such viruses as written in this paper, or refer to MyCERT’s web pages for details.


THE IMPORTANCE OF AN INFORMATION, COMMUNICATION AND TECHNOLOGY (ICT) SECURITY AUDIT FOR BUSINESS ORGANIZATIONS


Murari Kalyanaramani

Manager – Security and Technology

PricewaterhouseCoopers Advisory Services Sdn. Bhd.

• Certified Information Systems Auditor (CISA)

• BS 7799 Lead Auditor Certificate

• Bachelor of Business (Accounting and Information Technology), University of Technology

Sydney (UTS), Australia

• Member of the Information Systems Audit and Controls Association (ISACA) – Malaysian Chapter

Murari joined PricewaterhouseCoopers in July 2000 and is currently the lead Manager for the Information Assurance team within the Security and Technology Group. He has participated in numerous systems audits, business process reviews, business continuity and information security framework development projects for clients in diverse environments, inclusive of the pharmaceutical, aviation, oil and gas, financial institutions, telecommunications, gaming, broadcasting and manufacturing sectors.

James Tseng

Associate Consultant – Security and Technology

PricewaterhouseCoopers Advisory Services Sdn. Bhd.

• Microsoft Certified Professional – Security and Network Design

• Bachelor of Computing (Distributed Design), Monash University, Australia

James Tseng joined PricewaterhouseCoopers in June 2002 and has participated in numerous

systems audits and network security reviews for clients in diverse environments, inclusive of

aviation, broadcasting, manufacturing, oil and gas, financial institutions, pharmaceuticals and

telecommunications sectors. Prior to joining PricewaterhouseCoopers, he worked as a Security

Analyst with e-Cop, a regional Managed Security Services (MSS) company, specializing in

Internet security surveillance, security consulting and network security implementation.

MURARI KALYANARAMANI AND JAMES TSENG

PRICEWATERHOUSECOOPERS

1. ABSTRACT

Information, Communication and Technology (ICT) Security audit is a holistic exercise, which

encompasses an assessment of an organisation’s controls implemented to counter the

threats and vulnerabilities an organisation’s ICT infrastructure is susceptible to. Essentially,

ICT security audits contribute to the preservation of the confidentiality, integrity and availability

of an organisation’s information assets. This paper will examine in detail the importance of

ICT security and the need for ICT security audits to be carried out to protect organisational

information assets.

2. INTRODUCTION

“If senior management have yet to establish priorities to perform security audits on their

ICT infrastructure which supports critical business processes, how and when would

they intend to evaluate the current security posture of their ICT infrastructure?”

Over the years, more businesses and organisations have expanded their geographical

boundaries through the usage of the Internet. Such exponential growth has created a new

paradigm of communication through this network of systems’ interconnectivity. Securing

ICT infrastructure is not a matter of just implementing policies, procedures and technical

controls to counter the accompanying threats and vulnerabilities. A mechanism of ensuring

the controls implemented are operating as intended is essential to provide assurance to

the Board of Directors, stakeholders, business partners and regulators, that organisational

assets and processes are secure against fraud and the risks arising from global interconnectivity.

A continuous programme of assessment and monitoring should be implemented to ensure

that risks are managed within the acceptable levels established by management.

3. DEFINING ICT SECURITY

ICT security can be defined by its strategic role in business performance, its potential in

enhancing the protection of information assets while enabling proper access to them, and

the resource components that must be engaged to ensure its effectiveness. Security also

can be defined as an increasingly important aspect of the relationship between an organization

and its customers, partners, and employees.

Most importantly, security is a strategic business process for organizations because providing

a balance of protection and enablement in line with business objectives will substantially

improve operating performance.

Forward-looking organisations that align security with enterprise objectives are more likely

to translate security strategy into reduced costs of doing business, revenue enhancement,

competitive advantage, and ultimately, shareholder value. Organizations that fail to align

security with their business objectives will find their performance diminished and long-term

viability threatened. This notion of security as a business enabler is now an essential concept

for enterprises in every industry. As a strategic process, security either protects an organization’s

information assets from harm or misuse, or enables access to information assets in a

manner that supports the organization’s objectives. Together, these two concepts – security

as protection and security as enablement – comprehensively define the promise of security

for organizations.

4. THE NEED FOR ICT SECURITY

Information is an extremely valuable asset to any organization and like all valuable assets,

it should be protected from both internal and external threats.

Figure 1: The Security of Inclusion and Exclusion

ICT security has long centered around the concept of “exclusion”, the primary goal of

which is to prevent unauthorised access to the internal sources of an ICT environment.

Organisations implemented the security of exclusion by setting up security perimeters

between enterprise networks and the outer world. These virtual boundaries isolated internal

networks – keeping out unwanted visitors, defending against viruses and malicious code

and protecting against external attack.

This approach to information security has been practised since the 1970’s when

mainframe-based applications were the dominant systems in use by organisations. As

companies migrated their systems to client/server-based applications in the 1980s and

early 1990s, they continued to strictly separate internal and external environments.

During the late 1990s and early 2000s, businesses began deploying Internet-based

applications, in which customers, employees, and business partners could access enterprise

applications from inside their Web browsers. Companies began to implement Internet-

based environments such as user portals, supplier portals, intranets, and extranets in order

to reduce costs, improve collaboration, and increase productivity. This transition to an

extended enterprise created the need for a fundamental shift in the approach to information

security to that of “inclusion”.

The implementation of Internet-based environments, other new technologies and rapid

connectivity to external parties has led to increased risks to an organisation’s information

assets. Information that is more valuable than ever before is more accessible and easier to

divert. Organisations that fail to address the broader security issues that accompany this

change will have insufficient controls in place to minimize risks. These risks could lead to

significant financial, legal difficulties and reputation risk for these organisations. Appropriate

preventive, detective and corrective controls in the form of policies, standards, procedures,

organisational structures or software/technology functions and monitoring mechanisms are

therefore required to minimise the risks associated with the confidentiality, integrity and

availability of information assets within an organisation.

These aspects of security should be the underpinnings of any ICT security programme.

5. WHY AN ICT SECURITY AUDIT IS IMPORTANT TO BUSINESS ORGANISATIONS

For an ICT security programme to be effective, monitoring processes need to be

implemented to ensure that the security policies, procedures and technology implemented

are operating effectively and as intended. Monitoring processes include the

operational procedures that auditors, systems and security administrators use to monitor

security levels and compliance to organisational policies and procedures. These processes

are essentially carried out to ensure that risks are mitigated through the implementation and

operation of controls in an organisation’s ICT environment to safeguard organisational

information assets from damage, loss, unintended disclosure or denial of availability.

Audits also provide a means for organisations to identify security gaps before they are breached

and to evaluate the governance over outsourced operations.

5.1 To identify security gaps before they are breached

Identifying threats that can put an organization at risk is only one part of a comprehensive

security strategy. Companies must also actively identify asset weaknesses that could

be exploited in an attack. Every enterprise asset has attributes that make it vulnerable

in some way, whether the asset is a server, a client, a website, transactional data, or

a business process. Some vulnerabilities might be the result of weaknesses in the

technologies that control the asset, such as a buffer overflow bug in the application

software that runs a company’s website. Others are simply due to the inherent nature

of the asset itself, such as the need for confidential data to remain private. Table 1

provides an overview of some common enterprise vulnerabilities.

Although an enterprise cannot control the existence of vulnerabilities, it can control the

way in which it chooses to deal with them. Properly implemented security policies,

standards, and technologies can help to limit risk by proactively identifying weaknesses

in enterprise assets. The goal of this activity, called vulnerability detection, is to allow

organisations to remediate vulnerabilities before they can be exploited by an attack. Before

organisations can undertake vulnerability detection, they must first develop an

understanding of where their vulnerabilities might exist – whether in their technology,

process, environment, or some other potential point of failure.

Table 1: Common Enterprise Vulnerabilities

This general understanding should inform the organisation’s security policies and

standards. Organisations usually implement vulnerability detection programmes in phases,

starting with the most necessary assets (as identified during the risk assessment or

asset classification process) and widening the scope to less essential assets as the

overall environment becomes more controlled. Managing the scope of the project in

this way is often essential to its success, as it limits the amount of raw data generated

by vulnerability detection activities to a level that can yield usable information.

The vulnerability detection process consists of three primary activities:

Compliance testing

Compliance testing can occur at many levels of the enterprise. Its primary aim is to

ensure that organizations conform to their own established security policies and

standards. An organization might choose to measure compliance against any number

of criteria, such as:

❥ Security policies against regulatory requirements

❥ Corporate standards against security policies

❥ Documented procedures against security policies

❥ Procedures as practised against documented procedures

❥ Technical controls against security policies

❥ Integration of information systems against technical controls

❥ Organisational security policy against specific departmental or system procedures

❥ Risk exception inventory against documented policy exceptions

In the same way that creating and implementing corporate security policies require a

well defined method, so must companies define their approach to compliance testing.

An effective compliance-testing programme has five basic characteristics: independence,

planning, evidence gathering, reporting, follow-up. Failure to include any one of these

criteria when devising test procedures can undermine the results of the testing process,

thus limiting its usefulness.

Compliance testing is of value only if the results of the test are impartial. To ensure

that a compliance test maintains its integrity and objectivity, the person or group

conducting the test must be independent of the asset being tested. In its strictest

sense, independence can be defined as lacking any direct or material indirect financial

interest in the asset being tested. In simple terms, this means that the testers should

not be involved in any operational or financial decisions.

Furthermore, they should be responsible to a department other than the department

that is conducting the test, to avoid any kind of managerial influence or pressure that

may skew analysis of test results. For example, in a typical company the security group

might be responsible for maintaining the security policy and the technical controls to

be tested, while the IT department maintains the information systems. In such a case,

neither the security group nor the IT department should perform the compliance tests.

Instead, the company should call upon another internal entity, such as an IT auditing

department, or perhaps an outside specialist.
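The criterion "technical controls against security policies" is the one most easily turned into a repeatable test. The script below is an added example, not code from the compendium or from PricewaterhouseCoopers: it encodes a handful of constructed policy clauses (the clause ids, settings and host names are all hypothetical), evaluates them against settings exported from each host, and keeps the observed value with every finding as evidence. A setting for which no evidence was collected is reported as not evaluated rather than silently passed, which is the difference between a test result an auditor can follow up and one that merely looks clean.

```python
"""Compliance test of technical controls against a written security policy.

Added example (not from the compendium). Policy clauses, host names and
observed settings are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Rule:
    clause: str        # reference into the policy document, e.g. "PWD-01"
    setting: str       # technical control measured on the host
    expected: Any      # value, bound, or allowed set of values
    op: str            # "==", ">=", "<=" or "in"
    description: str


@dataclass(frozen=True)
class Finding:
    host: str
    clause: str
    status: str        # "PASS", "FAIL" or "NOT_EVALUATED"
    observed: Any      # the evidence behind the status
    note: str


COMPARE = {
    "==": lambda actual, expected: actual == expected,
    ">=": lambda actual, expected: actual >= expected,
    "<=": lambda actual, expected: actual <= expected,
    "in": lambda actual, expected: actual in expected,
}

# Constructed policy baseline (clause ids are hypothetical).
POLICY: List[Rule] = [
    Rule("PWD-01", "min_password_length", 8, ">=", "passwords of at least 8 characters"),
    Rule("PWD-02", "max_password_age_days", 90, "<=", "passwords rotated within 90 days"),
    Rule("ACC-01", "lockout_threshold", range(1, 6), "in", "lockout after 1 to 5 failed logons"),
    Rule("ACC-02", "guest_account_enabled", False, "==", "guest account disabled"),
    Rule("LOG-01", "audit_logon_events", True, "==", "logon events audited"),
]

# Constructed evidence, as exported from each host's local security settings.
OBSERVED: Dict[str, Dict[str, Any]] = {
    "web-01": {"min_password_length": 12, "max_password_age_days": 60,
               "lockout_threshold": 5, "guest_account_enabled": False,
               "audit_logon_events": True},
    "file-02": {"min_password_length": 6, "max_password_age_days": 365,
                "lockout_threshold": 0, "guest_account_enabled": True},
}


def evaluate(host: str, rule: Rule, observed: Dict[str, Any]) -> Finding:
    """Test one clause on one host; missing evidence is a gap, never a pass."""
    if rule.setting not in observed:
        return Finding(host, rule.clause, "NOT_EVALUATED", None,
                       f"no evidence collected for {rule.setting}")
    actual = observed[rule.setting]
    ok = COMPARE[rule.op](actual, rule.expected)
    note = rule.description if ok else f"{rule.setting}={actual!r} violates: {rule.description}"
    return Finding(host, rule.clause, "PASS" if ok else "FAIL", actual, note)


def run_compliance_test(policy: List[Rule], evidence: Dict[str, Dict[str, Any]]):
    """Evaluate every clause on every host; returns the findings per host."""
    return {host: [evaluate(host, rule, settings) for rule in policy]
            for host, settings in evidence.items()}


def summarize(report):
    """Status counts per host, the figures that go into the audit report."""
    summary = {}
    for host, findings in report.items():
        counts = {"PASS": 0, "FAIL": 0, "NOT_EVALUATED": 0}
        for finding in findings:
            counts[finding.status] += 1
        summary[host] = counts
    return summary


if __name__ == "__main__":
    report = run_compliance_test(POLICY, OBSERVED)
    for host, findings in report.items():
        for finding in findings:
            if finding.status != "PASS":
                print(host, finding.clause, finding.status, finding.note)
    print(summarize(report))
```

Keeping the evidence export separate from the evaluation is what lets the test be run by an independent party: the auditor receives the exported settings and the policy, and re-runs the comparison without needing access to the systems themselves.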

Vulnerability scanning

Vulnerability scanning is the process of identifying and assessing the weaknesses in

a given enterprise environment. It takes a comprehensive view of all technology assets,

including applications, servers, workstations, and network elements, and evaluates

how susceptible the environment is to attack. By looking at how the individual assets

fit into the larger environment, vulnerability scanning can help organisations spot weak

links in their IT infrastructures.

Too often, organisations are preoccupied with preventing so-called gaping holes in

their environments. They focus on the major vulnerabilities that could lead directly to

unauthorized access, while failing to resolve the small vulnerabilities in less essential

systems that can also be jumping-off points for attacks. Trust relationships, unsecured

single sign-on privileges, and misconfigured user accounts are just a few examples

of minor vulnerabilities that make it easy for an attacker to jump from machine to machine

until he finds the target he seeks.

To conduct comprehensive vulnerability scanning, companies usually take a two-

pronged approach. First, they scan for common vulnerabilities that can affect individual

assets. Next, they analyze their unique environments to identify how vulnerable they

are to highly customized attacks. Vulnerability testing should be a proactive process.

Companies should develop procedures to routinely perform vulnerability testing as

part of the application development life cycle, and especially when designing and

deploying new applications.

For example, when deploying web-based applications, a company might use

automated scanners to identify common vulnerabilities. Several recent studies have

demonstrated that the later in the application life cycle a bug is discovered, the more

expensive it will be to remedy. Identifying any weaknesses during application

development facilitates correcting the flaws before deployment.

Best practices dictate the use of many vulnerability scanning techniques. For instance,

automated scanning tools can identify weaknesses, while penetration testing (sometimes

called ethical hacking) can simulate the routes an attacker might use and demonstrate

the potential for unauthorized access.
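The point about small vulnerabilities in less essential systems being jumping-off points is easiest to see on an inventory of trust relationships. The script below is an added example, not from the compendium: given a constructed table of which hosts can reach which others through a trust relationship (a shared service account, a single sign-on trust, a misconfigured local account; all host names and edges are hypothetical), it enumerates the paths from low-priority entry points to a critical asset and ranks the intermediate hosts by how many of those paths disappear when each one's trust relationships are fixed. That ranking is the remediation priority a scan report on its own does not give.

```python
"""Weak-link analysis over trust relationships, as an added example.

Not from the compendium. The inventory below is constructed: each host maps
to the hosts it can reach through some trust relationship.
"""
from collections import Counter

TRUST = {
    "web-01": ["app-01"],            # web tier signs on to the app tier with a service account
    "app-01": ["db-01", "file-02"],  # app server holds credentials for both
    "kiosk-03": ["file-02"],         # kiosk's local account also exists on the file server
    "print-01": ["file-02"],         # print server shares an admin password with file-02
    "file-02": ["db-01"],            # backup script on file-02 has a database logon
    "db-01": [],
}
ENTRY_POINTS = ["web-01", "kiosk-03", "print-01"]  # exposed or low-priority hosts
CRITICAL = {"db-01"}


def paths_to_critical(trust, entry_points, critical):
    """Every simple path from an entry point to a critical asset."""
    found = []

    def walk(node, path):
        if node in critical:
            found.append(path)
            return
        for nxt in trust.get(node, []):
            if nxt not in path:           # simple paths only: no cycles
                walk(nxt, path + [nxt])

    for start in entry_points:
        walk(start, [start])
    return found


def jumping_off_points(paths):
    """How many paths pass through each intermediate host (entry points and
    the critical target itself are excluded)."""
    counts = Counter()
    for path in paths:
        for host in path[1:-1]:
            counts[host] += 1
    return counts


def paths_after_fix(trust, entry_points, critical, host):
    """Paths that remain once the trust relationships leaving `host` are
    removed, i.e. the effect of remediating that host's misconfiguration."""
    fixed = dict(trust)
    fixed[host] = []
    return paths_to_critical(fixed, entry_points, critical)


def remediation_priority(trust, entry_points, critical):
    """Intermediate hosts ranked by the number of paths each fix removes."""
    paths = paths_to_critical(trust, entry_points, critical)
    ranking = []
    for host in jumping_off_points(paths):
        remaining = len(paths_after_fix(trust, entry_points, critical, host))
        ranking.append((host, len(paths) - remaining))
    ranking.sort(key=lambda item: -item[1])
    return ranking


if __name__ == "__main__":
    for path in paths_to_critical(TRUST, ENTRY_POINTS, CRITICAL):
        print(" -> ".join(path))
    print(remediation_priority(TRUST, ENTRY_POINTS, CRITICAL))
```

In this constructed inventory the file server, which a scanner would rate as a minor finding, sits on three of the four paths to the database; fixing its shared account does more for the critical asset than hardening the application server.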

Operations availability analysis

Another important component of vulnerability detection is operations availability

analysis, the process of maintaining the operational resilience of a company’s systems

and ensuring that systems remain available and can be easily recovered if unplanned

downtime occurs. Global competition and near-instantaneous communications are

just two of the factors why availability is so important for today’s modern enterprise.

While a true 24-hour global economy might not be reality yet, maximum availability is

more and more important for a growing number of companies. Typical candidates for

high-availability system design include:

❥ Networks – Connecting to Internet service providers (ISPs), LANs, and WANs.

❥ Application servers – Deploying server farms to distribute processing across

several application servers.

❥ Web servers – Caching or load balancing front-end Hypertext Transfer Protocol

(HTTP) or HTTPS requests, or distributing them across server farms.

❥ Databases – Clustering, replicating, and distributing data stores.

Any number of factors can have a negative impact on the availability of enterprise

systems. Poor resource management, inadequate operational procedures, and even

natural disasters can bring down entire networks. Likewise, an unforeseen security

incident can have disastrous consequences for today’s always-on applications.

Operations availability can be viewed as an umbrella process model that includes

numerous focus areas and systems, such as:

❥ Workflow engines

❥ Business process modeling

❥ Networking environments

❥ Operating systems

❥ Application servers

❥ Web servers

❥ Call centers

❥ Enterprise resource planning (ERP)/customer relationship management (CRM)/portal environments

❥ Mainframe/legacy systems

❥ Telecommunications/phone systems

❥ Custom application development

❥ E-mail/groupware systems

Disaster Recovery

Disaster recovery is a crucial part of operations availability analysis. Disaster recovery

measures are designed to guide a company’s IT operations through the recovery process

following a major incident. Types of incidents include fire, natural disasters, terrorism,

malicious acts, accidents, or other hazards specific to an industry. Disaster recovery

plans should be part of larger business recovery and continuity plans that ensure critical

business processes are operational following a disaster. Plans should be developed to

address short-, medium- and long-term scenarios, ranging from a few hours of service

interruption to several months of unavailability.

Organisations need to identify the risks or impacts each type of disaster presents to

business continuity and operations and prioritize their disaster recovery efforts based

on those most likely to impact core business processes. Next, the company should

determine acceptable levels of downtime based on the acceptable level of risk relative

to its core business processes. These estimates will drive policies and procedures

governing IT operations (such as frequency of backups), as well as investments in

people, processes, and technologies to ensure operations are restored within the

allotted timeframe. Finally, organisations should develop appropriate plans to address

these risks and develop contingency plans in the event a particular incident or set of

incidents should occur.

Disaster recovery plans should include the relocation of people, equipment, and data

to a suitable remote center of operations. The remote center must have adequate

equipment, supplies, and capacity to handle the infrastructure supporting critical

business processes. Books, manuals, and operating instructions should be available

and staff must be trained in the tools and procedures needed to restore operations

(for example, data backup and recovery, archiving, and retrieval). The disaster recovery

plan must be reviewed, updated, and tested regularly to ensure it is viable and usable

when needed. Organisations must also disseminate disaster recovery policies and

procedures to employees at all levels; identify and train appropriate staff to coordinate,

manage, and execute the recovery plan; and coordinate with community and government

organisations to ensure smooth, orderly management of the situation.

5.2 To keep organisations better informed and assured on their outsourced

IT operations

Today, IT outsourcing is an increasingly important strategy for global enterprises. Many

companies worldwide are either currently outsourcing key portions of their IT infrastructure,

or considering doing so in the near future. When appropriately implemented, outsourcing

of IT functions can deliver a significant portfolio of business benefits in the form of cost

saving, achieving standardisation and allowing organisations to focus on the core

capabilities of IT. With these benefits, however, come a whole set of risks.

❥ Failure to retain control of the strategic direction of the organisation’s IT infrastructure

as the vendor may not fully understand the business and may not always represent

the best interests of the organization

❥ Inadequate service levels resulting in potential loss of data, breach of confidentiality

and loss of reputation

❥ Inappropriate staffing and skill sets to manage outsourcing relationships and contracts

It is even more risky if the IT outsourcing involves parties offshore. It is one thing to

pass tasking authority to a separate organisation, it is quite another when the supporting

organisation is operating from offshore, or working to support customer operations

spread out across a global footprint. The stakes are higher – and the effects of a

mistaken or poorly executed strategy can be both magnified, and harder to correct.

To mitigate such risks, outsource governance processes should be implemented,

including the monitoring and audit over the outsourcing service provider. For many

companies undertaking an IT outsourcing initiative, governance is arguably an area

that organisations most frequently underestimate – in terms of time and investment,

as well as in terms of the structural architecture necessary to manage accountability.

Companies that commit to IT outsourcing without a strong governance capability do

not have any appropriate means of controlling performance. IT outsourcing does not

change the fact that the customer's organisation still carries the burden of operational

risk. In fact, because the processes, roles, responsibilities, and incentives that determine

project performance are now spread across two entirely separate organisations, the

need for a clear governance structure is even more critical in IT outsourcing arrangements.

It is the customer organisation's responsibility – not the IT outsourcing vendor's – to

establish a disciplined governance structure.

Part of the governance processes would include the performance of regular ICT

security audits to ensure the preservation of confidentiality, integrity and availability over

the organisation’s information assets. In essence, the establishment of a robust

governance structure, helps an organization meet the following objectives:

❥ Ensure alignment of the IT outsourcing initiative: Every IT outsourcing

contract must be carefully aligned with the organisation’s key business objectives,

as well as the needs of the primary stakeholders

❥ Verify that the IT services outsourced are being performed: At a basic level,

the first question is generally simple: “Was the job completed?”

❥ Manage changing priorities across complex portfolios of discrete IT

projects and continuous IT services: Operating environments change constantly

– and in order to remain agile, an organisation must have the managerial levers of

control necessary to prioritise, redirect, and manage the performance of any

outsourcing contract.

❥ Establish direct, visible accountability for performance related to IT:

Specific ownership responsibility must be 1) clearly defined for all parties, including

IT, business units, corporate department, users, and vendors and 2) appropriately

measured using relevant metrics.

❥ Define specific ownership of the key drivers: The engine of accountability is

the ability of management to know precisely - at any time, and for any key stage in

the IT outsourcing process, both inside the customer organisation as well as the

vendor's organisation – who is responsible.

❥ Craft well-integrated IT management processes: Customer organisations

must build a culture of accountability and continuous improvement of IT

management processes, controls, and support based on internal and external

best practices. Too often, IT leaders and managers focus only on a single point

within the IT management and delivery framework. Instead, they must concentrate on

the need to fully integrate and link strategies, plans, actions, results, and measurement

across both the client organisation's internal processes as well as the outsource

vendor’s processes.

6. THE CHALLENGE OF IMPLEMENTATION – COST

The outcome of a security vulnerability assessment or audit results in the ICT security and

operations managers being confronted with a new challenge – the challenge of implementing

the necessary solutions to plug the security gaps utilising cost-effective measures but at

the same time not compromising on the controls required.

Essentially, these managers are faced with aligning the implementation of the solutions

which may take the form of individual security initiatives, with their associated costs, justifying

the cost in terms of the business, increasing the efficiency of existing services, and mitigating

business risk.

Risk-based decision analysis

When organisations create their investment strategies to implement the necessary security

and control mechanisms, they face a number of issues, including:

❥ Security investments are justified against hypothetical losses.

❥ Security benefits are difficult to quantify.

❥ Limited capital could be allocated against a wide variety of risks and possible solutions.

❥ Communicating risks and benefits of specific security investments to nontechnical

stakeholders could be difficult.

To overcome these obstacles, companies must develop a risk-based decision analysis

that enables them to allocate security resources and prioritize security projects. Such an

analysis considers the risk decision, uncertainties that make the decision difficult, and

preferences that value the outcomes. In doing so, the organisation creates a common

language and structure that can be used and understood by both technical and non-technical

stakeholders to reach consensus in security investment decision-making.

A crucial component of the risk-based decision analysis is an organisation’s risk and value

map. The map illustrates the current annualized cost of a security event and the projected

costs of the same event after the security investment.

Figure 2: A Simplified Version of a Risk And Value Map

For example, the costs might take into account such costs as the number of customers

who switch to another supplier due to an event, the value of each lost customer, the additional

advertising required to counteract the effects of the event, and the cost to reimburse customers

for disrupted service, and so on.
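The risk and value map is described above only in words. The script below is an added example, not from the compendium or from PricewaterhouseCoopers, that carries the arithmetic through with constructed figures: the annualised cost of one event is built from exactly the components the text lists (customers who switch supplier, the value of each, counter-advertising, reimbursement), and each candidate investment is costed against the reduction in that annualised figure. The scenario, the options and all amounts are hypothetical.

```python
"""Risk and value map arithmetic, as an added example (not from the compendium).

Annualised loss = expected occurrences per year x cost of one occurrence.
Each investment reduces the rate, the per-event cost, or both; the map
compares the annualised loss before and after, net of the investment's cost.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class EventScenario:
    name: str
    annual_rate: float          # expected occurrences per year
    customers_lost: int         # customers who switch supplier after one event
    value_per_customer: float   # value of each lost customer
    advertising_cost: float     # additional advertising to counter the event
    reimbursement_cost: float   # refunds to customers for disrupted service

    def single_loss(self) -> float:
        """Cost of one occurrence of the event."""
        return (self.customers_lost * self.value_per_customer
                + self.advertising_cost + self.reimbursement_cost)

    def annualised_loss(self) -> float:
        """Expected cost per year, the 'before' column of the map."""
        return self.annual_rate * self.single_loss()


@dataclass
class Investment:
    name: str
    annual_cost: float
    rate_reduction: float    # fraction by which the event becomes less frequent
    impact_reduction: float  # fraction by which each occurrence becomes cheaper

    def residual_loss(self, scenario: EventScenario) -> float:
        """Annualised loss remaining once the control is in place ('after')."""
        return (scenario.annual_rate * (1 - self.rate_reduction)
                * scenario.single_loss() * (1 - self.impact_reduction))


def risk_value_map(scenario: EventScenario, options: List[Investment]):
    """One row per option: loss before, loss after, cost, and net annual benefit."""
    before = scenario.annualised_loss()
    rows = []
    for option in options:
        after = option.residual_loss(scenario)
        avoided = before - after
        rows.append({"investment": option.name, "before": before, "after": after,
                     "annual_cost": option.annual_cost,
                     "net_benefit": avoided - option.annual_cost,
                     "avoided_per_unit_spent": avoided / option.annual_cost})
    return rows


def best_option(rows):
    """The option with the largest net annual benefit, or None if none pays off."""
    paying = [row for row in rows if row["net_benefit"] > 0]
    return max(paying, key=lambda row: row["net_benefit"]) if paying else None


# Constructed scenario and options; none of these figures come from the compendium.
OUTAGE = EventScenario("customer portal outage", annual_rate=2.0, customers_lost=500,
                       value_per_customer=400.0, advertising_cost=50_000.0,
                       reimbursement_cost=30_000.0)
OPTIONS = [
    Investment("patch management and vulnerability scanning", 80_000.0, 0.75, 0.0),
    Investment("hot-standby web farm", 150_000.0, 0.0, 0.6),
    Investment("extended insurance cover only", 300_000.0, 0.0, 0.5),
]

if __name__ == "__main__":
    for row in risk_value_map(OUTAGE, OPTIONS):
        print(f"{row['investment']:<45} before {row['before']:>10,.0f} "
              f"after {row['after']:>10,.0f} net {row['net_benefit']:>10,.0f}")
    print("best:", best_option(risk_value_map(OUTAGE, OPTIONS))["investment"])
```

The third option illustrates why the map is drawn net of cost: it halves the loss per event, yet its premium exceeds the loss it avoids, so its net benefit is negative and it drops out of consideration.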

7. CONCLUSION

As ICT and organisational business models continually evolve, new threats will rear their

ugly head providing more opportunities for exploitation. The tendency for organisations to

react to these new emerging threats is still largely reactive in nature.

Threats will continue to increase in numbers, and to counter-balance these threats,

International Standards and Professional Bodies, such as the International Organisation for

Standardisation (ISO), British Standards Institute (BSI), SANS and the Information Systems

Audit and Controls Association (ISACA) will constantly update and develop best practices

(both strategically and technically) for organisations to adopt to counter these threats.

In tandem, organisations need to continually assess their ICT environment to ensure that

policies, procedures and best practices implemented are achieving their intended objectives

and providing a sufficient measure of protection over organisational information assets.

THE PORTRAYAL OF APPLICABLE INFORMATION TECHNOLOGY (IT) SECURITY STANDARDS

IN MALAYSIA

ABOUT THE AUTHOR

Basri Zainol graduated with a Master’s degree in computer science from State University of

New York, USA in 1987. He has been in the IT industry for the last 17 years. He started his

career as an officer in the Information Services Department of the banking industry. He has

been implementing an integrated banking system during his employment.

He is presently the Programme Head of Software Compatibility & Assurance Programme,

Electronics & Information Technology Centre, SIRIM Berhad. He is responsible for the research

& development of core technology areas of encryption and software assurance. He has been

performing research based activity such as the development of the information broker (IB),

Malaysian Public Sector Management of ICT Security Handbook (MyMIS), automated

information security review methodology (AISec), an Information Security Management

assimilator application tool (aISMilator), a software assurance tool and digital encryption. He has

been trained in the information security area (ISO 17799 and BS7799) from various experts

from Europe, Australia and United Kingdom. He is considered as one of the experts in

Malaysia and a consultant of ISMS.

ABOUT THE ORGANISATION

SIRIM was established in 1975 under the SIRIM (Incorporation) Act 157, under the Ministry of

Science, Technology and the Environment, and was corporatised on 16 November 1995 as a

government-owned company under the Ministry of Finance Incorporated. On 1 September

1996, SIRIM Berhad was fully operationalised. SIRIM’s vision is to be a world class corporation

of choice for Technology and Quality while its missions are to enhance customers’

competitiveness through Technology and Quality and to fulfil the needs of the stakeholders.

SIRIM’s role is to act as:

• A champion of quality

• The national technology development corporation

• A vehicle for technology transfer

• A provider of institutional and technical infrastructure for the Government

• A national focal point for market driven R&D

BASRI ZAINOL

SIRIM BERHAD

ABSTRACT

Technology alone is not the key to information security. If 90% of respondents to the annual

CSI/FBI Survey on Information Security say they have anti-virus software, how is it that 85% of

those same respondents were hit by viruses, worms and other malicious codes? In any team

situation we are only as strong as our weakest link, and with information now a valuable

business commodity, even the most sophisticated computer security systems are vulnerable

to human interference (intentional or otherwise). What the major information security failures

now appearing in newspaper headlines represent is that human fallibility can have an impact

on information security.

This article explores a portrayal of applicable Information Technology (IT) Security standards in

Malaysia. It shall provide enlightening information on the applicable and most widely used IT

Security standards in Malaysia. Hence, the outcome is an explanation of each IT Security standards

either guidelines or certification standards.

1. INTRODUCTION

In this new era of the knowledge-based society, information becomes a very important asset. Knowledge is key both to making decisions and to improving the skills of employees. Information is an asset which has value to an organisation and consequently needs to be suitably protected.

Information Security has long been viewed by IT professionals as being fundamental. Computing facilities and the information systems they support have become increasingly accessible as a result of the explosion of the open public Internet. The successful operation of business in Malaysia in the present day relies on information and the exchange of information. But threats to its confidentiality, integrity and availability abound.

Organisations are realising that their information is an asset to the business and should be regarded as such, in the same way as cash and buildings. The impetus to act then comes from a number of sources.

Guidelines for Corporate Governance, new onerous legislative requirements, increasing reliance on timely accurate information and recognition of the increased threats to the organisation, both internally and externally, have all contributed to information security management becoming a major issue for business. The demand for information security safeguards has long been dominated by the military and banking sectors. As a result, the orientation is rather different from what corporations, government agencies and the public really need. Meanwhile, the supply of information security safeguards has been dominated by computing and communications specialists.

THE PORTRAYAL OF APPLICABLE INFORMATION TECHNOLOGY (IT) SECURITY STANDARDS IN MALAYSIA

BASRI ZAINOL


2. NATURE OF INFORMATION SECURITY

In the mainframe computer environment of the past, information security could be handled by an isolated and highly technical staff. Today, information processing technology is widely distributed not only to employees, but to a wide range of third parties, as well as consultants, contractors, temporary employees, business partners and customers. Users now perform tasks that were previously handled by highly trained specialists, and they have generally received little or no training in the most common information security procedures. Critical information is now in the hands of a much larger number of people, and it is stored in remote and disparate locations.

This makes the results of another recent survey on security a sobering read: two out of three workers happily gave their computer passwords away to complete strangers when asked in Victoria Station in London. Hardly surprisingly, their chosen phrase was rarely difficult to guess, with “password” being the most popular choice. Yet another survey in April 2002 revealed that 60% of employees knew little about information security, with almost 50% saying that they had never received any formal security awareness training. It is an oft-used example, but based on fact: some people do still write their passwords on post-it notes and stick them on the front of their computers!

Security as a concept applies to people, buildings, the contents of buildings, organisations and even nations, as well as to information. Information security is used in at least two senses:

i. the condition in which harm does not arise, despite the occurrence of threatening events; and
ii. the set of safeguards designed to achieve that condition.

Threatening events can be analysed into the following kinds:

i. Natural threats, commonly referred to in the insurance industry as Acts of God or Nature, e.g. fire, flood, lightning strike, tidal wave, earthquake, volcanic eruption;
ii. Accidental threats by humans who are directly involved, e.g. dropping something, tripping over a power-cord, failing to perform a manual procedure correctly, mis-coding information, mis-keying, failing to perform a back-up;
iii. Intentional threats by humans who are directly involved, e.g. sabotage, intentional capture of incorrect data, unjustified amendment or deletion of data, theft of backups, extortion, vandalism.

Threatening events may give rise to harm. The generic categories of harm are as follows:

i. Injury to persons;
ii. Damage to property;
iii. Loss of data, alteration of data, access to or disclosure of data, and replication of data;
iv. Loss of value of an asset; and
v. Loss of reputation and confidence.


Local area networks linked the computing islands within organisations as far back as the mid-1980s. Interconnection between organisations over wide-area networks was mainstreamed by the late 1980s. Widespread interconnection via the open public Internet has exploded since about 1992.

The amazing growth of the Internet, both in size and in influence on our society, has led to increased risks of its exploitation by criminal and terrorist groups. As of now, this exploitation has been relatively limited, at least with respect to the likely activity in the years to come. There is a need to act now to develop and put into place intelligence methodologies to aid analysis of Internet-based security and criminal threats and to augment existing Internet security practices.

These methodologies cannot be purely technically based, or the true societal significance of Internet activity will be overlooked. They cannot be a purely localized activity, or the divergent needs of various regions and organizations will not be represented. They cannot be simply responsive to incidents, such as viruses or system attacks, or the advantage will remain with the intruders. They cannot be centrally controlled or performed, or the need for rapid “Internet-speed” response will not be met. Internet security threats are distributed, ongoing and multifaceted, so the strategy for dealing with them must be distributed, ongoing and multifaceted.

3. NEEDS OF IT SECURITY STANDARDS

Accompanying the growth in the power and sophistication of information systems has been an enormous increase in dependence on these systems. Information and communication technologies have been embraced enthusiastically but with little attention to attendant, if inadvertent, vulnerabilities. Indeed, reliance on the new systems has grown much faster than our grasp of the vulnerabilities inherent in the networks, systems and core technologies that underlie the information and communications revolutions.

Moreover, in spite of some well-publicized and extremely costly incidents, there remains a remarkable level of complacency. Results from the annual Computer Security Institute and FBI Annual Survey have revealed considerable reluctance to report problems. In 1999, for example, only 32% of those who suffered serious attacks reported the intrusions to law enforcement. While this almost doubled from the 17% figure of the three preceding years, it was still a remarkably low percentage, and it actually dropped back to 25% in the 2000 survey. Such reticence is not confined to the United States.

This was apparent in a report on British business by the Department of Trade and Industry’s Information Security Breaches Survey 2000. Although the report suggested that up to 60% of the UK’s connected businesses might have been the victims of cyber crime within the last two years, two-thirds of the companies interviewed noted that nothing had changed since the intrusions, while 30% did not see protection of business information to be a priority.


Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Information security is about people and process. Recent high profile information security breaches and the value of information are highlighting the ever increasing need for organizations to protect their information. This has raised awareness among organisations in Malaysia of the need to adopt or adapt internationally or nationally recognised standards.

4. AVAILABLE STANDARDS IN MALAYSIA

There are more than 200 IT standards available in Malaysia. These standards have either been adopted or adapted to become Malaysian Standards. Some of the related IT Security standards which address information and network security are:

4.1 ISO 17799: 2000 INFORMATION SECURITY MANAGEMENT STANDARD

This code of practice may be regarded as a starting point for developing organisation-specific guidance. Not all of the guidance and controls in this code of practice may be applicable. The objective of the standard is to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organisations. The ISO 17799:2000 Information Security Management standard has been adapted as a Malaysian standard. It is the most widely recognised security standard, based on BS7799, which was last published in May 1999, and it includes many enhancements and improvements over previous versions. The first version of ISO 17799 was published in December 2000.

ISO 17799:2000 is comprehensive in its coverage of security issues. It contains a substantial number of control requirements. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by using electronic means or spoken in conversation. Information security is characterised as the preservation of:

I. confidentiality: ensuring that information is accessible only to those authorized to have access;
II. integrity: safeguarding the accuracy and completeness of information and processing methods; and
III. availability: ensuring that authorized users have access to information and associated assets when required.


Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organisational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organisation are met. The standard is organised into 10 major sections:

Business Continuity Planning

The objectives of this section are to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

System Access Control

The objectives of this section are to:

I. control access to information;
II. prevent unauthorized access to information systems;
III. ensure the protection of networked services;
IV. prevent unauthorized computer access;
V. detect unauthorized activities; and
VI. ensure information security when using mobile computing and tele-networking facilities.

System Development and Maintenance

The objectives of this section are to:

I. ensure security is built into operational systems;
II. prevent loss, modification or misuse of user data in application systems;
III. protect the confidentiality, authenticity and integrity of information;
IV. ensure IT projects and support activities are conducted in a secure manner; and
V. maintain the security of application system software and data.

Physical and Environmental Security

The objectives of this section are to prevent unauthorised access, damage and interference to business premises and information; to prevent loss, damage or compromise of assets and interruption to business activities; and to prevent compromise or theft of information and information processing facilities.

Compliance

The objectives of this section are to:

I. avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements;
II. ensure compliance of systems with organisational security policies and standards; and
III. maximize the effectiveness of, and minimize interference to/from, the system audit process.


Personnel Security

The objectives of this section are to reduce risks of human error, theft, fraud or misuse of facilities; to ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; and to minimise the damage from security incidents and malfunctions and learn from such incidents.

Security Organisation

The objectives of this section are to:

I. manage information security within the organisation;
II. maintain the security of organisational information processing facilities and information assets accessed by third parties; and
III. maintain the security of information when the responsibility for information processing has been outsourced to another organisation.

Computer & Network Management

The objectives of this section are to:

I. ensure the correct and secure operation of information processing facilities;
II. minimise the risk of systems failures;
III. protect the integrity of software and information;
IV. maintain the integrity and availability of information processing and communication;
V. ensure the safeguarding of information in networks and the protection of the supporting infrastructure;
VI. prevent damage to assets and interruptions to business activities; and
VII. prevent loss, modification or misuse of information exchanged between organisations.

Asset Classification and Control

The objectives of this section are to maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.

Security Policy

The objective of this section is to provide management direction and support for information security.


4.2 BS7799-2: 2000 INFORMATION SECURITY MANAGEMENT SYSTEM STANDARD (ISMS)

The BS7799-2:2002 ISMS standard is a standard developed by the British Standards Institute (BSI). It is a new standard, published and released in September 2002. It is a certification standard, similar to the ISO9001 standard. However, this standard requires the implementation of all controls specified in ISO17799:2000 or BS7799-1:2000 Information Security Management (ISM).

Implementation of BS7799-2:2002 ISMS and ISO 17799:2000 ISM shall be a very focal agenda for ICT-related organisations or departments seeking to achieve the recognised level of information security management standard in the compliance or certification arena. The process of implementation to achieve compliance or certification includes defining the scope and policy, the risk assessment process, defining the information controls, and defining the statement of applicability. These processes are in line with the ISO methodology of Plan-Do-Check-Act.

The execution of this programme requires enormous commitment from management. These are not only ICT-related issues; the focus is on information security. Information is an asset to any organisation or department, and an asset that carries information is an information asset. Therefore, information assets shall be protected at the acceptable information risk level.

The implementation of this standard, either for certification or compliance, shall follow these steps:

Step 1: Define the organisation’s information security policy.

Step 2: Define the scope of the ISMS. Going through the controls outlined in ISO17799:2000, an organisation will need to decide which controls are suitable for assessment within the organisation. The selection of controls will depend on the business requirements, the assets to be protected, the location and the technology.

Step 3: Risk assessment. The aim of the assessment is to identify the threats to and vulnerabilities of assets and the impacts on the organisation. The results of this will determine the degree of risk.

Step 4: Risk management. The areas of risk to be managed are identified by the information security policy and the degree of assurance required by the organisation.

Step 5: Selection of the controls detailed in clause 4 to be implemented and the objectives of these controls. Justification for the selections made must be provided.

Step 6: Statement of applicability. An organisation will need to document the selected control objectives and controls, the reasons for selection and the justification for the exclusion of any of the controls listed in clause 4.
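Steps 3 to 6 above are easier to follow end to end in code. The following is an added example, not from the compendium and not an implementation supplied by BSI or by any standard: a small Python risk register that scores each asset/threat/vulnerability combination, selects controls for every risk above the organisation's acceptable level (with the reason recorded, as Step 5 requires), and produces the statement of applicability listing every in-scope control with a justification for its inclusion or exclusion. The 1-3 rating scale, the multiplicative risk score, the control identifiers (C-01 to C-05) and the sample assets are all assumptions constructed for illustration; they are not the control numbering of ISO 17799:2000 clause 4. The same asset, threat, vulnerability and impact elements are the ones the article later describes under ISO 13335 Part 3.

```python
"""Risk assessment through to statement of applicability (added illustration).

Assumptions, not taken from any standard: ratings are 1 = low, 2 = medium,
3 = high; risk = asset value x threat likelihood x vulnerability level;
control identifiers C-01..C-05 and all sample assets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOW, MEDIUM, HIGH = 1, 2, 3  # assumed rating scale


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # business value or sensitivity (what Step 2 decides to protect)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # how likely the threatening event is


@dataclass(frozen=True)
class Vulnerability:
    name: str
    level: int  # how easily the threat can exploit the weakness
    controls: Tuple[str, ...]  # catalogue controls that reduce this weakness


@dataclass(frozen=True)
class Scenario:
    """One asset exposed to one threat through one vulnerability."""
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability

    def risk(self) -> int:
        # Impact grows with asset value; likelihood of harm grows with threat
        # likelihood and vulnerability level. Constructed scoring rule.
        return self.asset.value * self.threat.likelihood * self.vulnerability.level


# Step 2: the controls considered in scope. Ids and titles are constructed.
CONTROL_CATALOGUE: Dict[str, str] = {
    "C-01": "User password management",
    "C-02": "Information back-up",
    "C-03": "Physical entry controls",
    "C-04": "Security awareness training",
    "C-05": "Mobile computing controls",
}


def assess(scenarios: List[Scenario]) -> List[Tuple[Scenario, int]]:
    """Step 3: score every scenario, highest risk first."""
    return sorted(((s, s.risk()) for s in scenarios), key=lambda pair: -pair[1])


def select_controls(scored: List[Tuple[Scenario, int]], acceptable_risk: int) -> Dict[str, str]:
    """Steps 4-5: treat each risk above the acceptable level by selecting the
    controls tied to its vulnerability, recording why each control was chosen."""
    selected: Dict[str, str] = {}
    for scenario, score in scored:
        if score <= acceptable_risk:
            continue  # risk accepted; no control selected on its account
        reason = (f"risk {score} exceeds acceptable level {acceptable_risk}: "
                  f"{scenario.threat.name} against {scenario.asset.name}")
        for control in scenario.vulnerability.controls:
            selected.setdefault(control, reason)  # keep the highest-risk reason
    return selected


def statement_of_applicability(selected: Dict[str, str]) -> List[Dict[str, str]]:
    """Step 6: every catalogue control with its applicability and justification."""
    rows = []
    for control, title in CONTROL_CATALOGUE.items():
        rows.append({
            "control": control,
            "title": title,
            "applicable": "yes" if control in selected else "no",
            "justification": selected.get(
                control, "no assessed risk above the acceptable level requires it"),
        })
    return rows


def sample_scenarios() -> List[Scenario]:
    """Constructed sample input, echoing the article's post-it note example."""
    customer_db = Asset("customer database", HIGH)
    laptop = Asset("sales laptop", MEDIUM)
    notice_board = Asset("canteen notice board", LOW)
    return [
        Scenario(customer_db, Threat("password guessing", HIGH),
                 Vulnerability("passwords on post-it notes", HIGH, ("C-01", "C-04"))),
        Scenario(customer_db, Threat("disk failure", MEDIUM),
                 Vulnerability("no tested backups", HIGH, ("C-02",))),
        Scenario(laptop, Threat("theft", MEDIUM),
                 Vulnerability("unencrypted disk", MEDIUM, ("C-05",))),
        Scenario(notice_board, Threat("vandalism", LOW),
                 Vulnerability("public area", LOW, ("C-03",))),
    ]


def run(acceptable_risk: int = 8):
    """Carry the sample through Steps 3 to 6 and return all three outputs."""
    scored = assess(sample_scenarios())
    selected = select_controls(scored, acceptable_risk)
    return scored, selected, statement_of_applicability(selected)


if __name__ == "__main__":
    for row in run()[2]:
        print(f"{row['control']} {row['applicable']:3} {row['title']}: {row['justification']}")
```

With the default acceptable level of 8, the laptop theft scenario scores exactly 8 and is accepted, so C-05 appears in the statement as not applicable with the exclusion reason; lowering the acceptable level to 4 pulls it in. That is the point of Steps 4 and 6 taken together: the acceptable risk level set by management, not the control catalogue, decides which controls are justified.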


4.3 ISO 13335 PART 1 GUIDELINES FOR THE MANAGEMENT OF IT SECURITY (GMITS) – CONCEPT AND MODEL

The purpose of ISO 13335 Part 1 is to provide guidance on the management aspect of IT security. The objectives of the standard are to:

I. define and describe the concepts associated with the management of IT security;
II. identify the relationships between the management of IT security and management in general;
III. present several models; and
IV. provide general guidance on the management of IT security.

Part 1 gives an overview of the fundamental concepts and models used to describe the management of IT security. All organisations depend heavily on the use of information to conduct their business and activities. Loss of confidentiality, integrity and accountability of information and services can have a direct impact on the organisations.

Hence, there is a need to protect information and to manage the security of IT systems within the organisations.

IT security management functions include:

I. determining organisational IT security objectives, strategies and policies;
II. determining organisational IT security requirements;
III. identifying and analyzing security threats to IT assets within the organisation;
IV. identifying and analyzing risks;
V. specifying appropriate safeguards; and
VI. monitoring the implementation and operation of safeguards that are necessary in order to cost-effectively protect the information and services within the organisation.

The adoption of the concepts that follow needs to take into account the culture and the environment in which the organisation operates, as these may have a significant effect on the overall approach to security. In addition, they can have an impact on those that are responsible for the protection of specific parts of the organisation.

An approach is necessary for the identification of requirements for IT security within an organisation. This is also true for the implementation of IT security and its ongoing administration. This process is referred to as the management of IT security and includes the following activities:

• development of an IT security policy;
• identifying roles and responsibilities within the organisation; and
• risk management, involving the identification and assessment of assets to be protected.


Corporate security objectives, strategies and policies need to be formulated as a basis for effective IT security in an organisation. They support the business of the organisation and together they ensure consistency between all safeguards. The objectives identify what shall be achieved, strategies identify how to achieve these objectives, and the policies identify what needs to be done. Objectives, strategies and policies may be developed hierarchically from the corporate to the operational level of the organisation. They should reflect organisational requirements and take into account any organisational constraints, and they should ensure that consistency is maintained at each level and throughout all levels. Security is the responsibility of all levels of management within the organisation and occurs in all phases of a system’s life cycle. The objectives, strategies and policies should be maintained and updated based on the results of periodic security reviews (e.g., risk analysis, security audits) and changes in business objectives.

The corporate security policy essentially comprises the security principles and directives for the organisation as a whole. Corporate security policies must reflect the broader corporate policies, including those that address individual rights, legal requirements and standards. The corporate IT security policy must reflect the essential security principles and directives applicable to the corporate security policy, and the general use of IT systems within the organisation. An IT system security policy must reflect the security principles and directives contained within the corporate IT security policy. It should also contain details of the particular security requirements and safeguards to be implemented and how to use them correctly to ensure adequate security. In all cases it is important that the approach taken is effective in relation to the business needs of the organisation.

4.4 ISO 13335 PART 2 GUIDELINES FOR THE MANAGEMENT OF IT SECURITY (GMITS) – MANAGING AND PLANNING IT SECURITY

Part 2 describes management and planning aspects. It is relevant to managers with responsibilities relating to an organisation’s IT systems. They may be IT managers who are responsible for overseeing the design, implementation, testing, procurement or operation of IT systems, or managers who are responsible for activities that make substantial use of IT systems, as well as IT security personnel.

In order to fulfil these management responsibilities for IT systems, security must be an integral part of an organisation’s overall management plan and be integrated into all functional processes of the organisation.

Overview of Planning and Management Process

IT security planning and management is the overall process of establishing and maintaining an IT security programme within an organisation. Because management styles and organisational sizes and structures differ, this process should be tailored to the environment in which it is used. It is implicit that management reviews are conducted as part of all these activities and functions.


Overview of Risk Management

Risk management includes four distinct activities:

• determination of the overall risk management strategy appropriate to the organisation within the context of the corporate IT security policy;
• selection of safeguards for individual IT systems as a result of risk analysis activities or according to baseline controls;
• formulation of IT system security policies from the security recommendations, and as necessary the update of the corporate IT security policy (and where appropriate the departmental IT security policy); and
• construction of IT security plans to implement the safeguards, based on the approved IT system security policies.

Implementation Overview

The implementation of the necessary safeguards for each IT system should be done according to the IT security plan. The improvement of general IT security awareness, although very often neglected, is an important aspect of the effectiveness of safeguards.

Integrating IT Security

All IT security activities are most effective if they occur uniformly throughout the organisation and from the beginning of any IT system’s life cycle. The IT security process is itself a major cycle of activities and should be integrated into all phases of the IT system life cycle. Whilst security is most effective if it is integrated into new systems from the beginning, legacy systems and business activities benefit from the integration of security at any point in time.

An IT system life cycle can be sub-divided into three basic phases. Each of these phases relates to IT security in the following way:

• Planning: IT security needs should be addressed during all planning and decision making activities;
• Acquisition: IT security requirements should be integrated into the processes by which systems are designed, developed, purchased, upgraded or otherwise constructed; and
• Operations: IT security should be integrated into the operational environment. As an IT system is used to perform its intended mission, it typically undergoes a series of upgrades, which include the purchase of new hardware components or the modification or addition of software.


Corporate IT Security Policy

Objectives (what is to be achieved), strategies (how to achieve these objectives), and policies (the rules for achieving the objectives) may be defined for each level of an organisation and for each business unit or department. In order to achieve effective IT security it is necessary to align the various objectives, strategies and policies for each organisational level and business unit.

Management Commitment

The commitment of top management to IT security is important and should result in a formally agreed and documented corporate IT security policy. The corporate IT security policy should be derived from the corporate security policy.

Policy Relationship

The corporate IT security policy may be included in the range of corporate technical and management policies that together build a basis for a corporate IT strategy statement. This statement should include some persuasive words on the importance of security.

Corporate IT Security Policy Elements

The corporate IT security policy should at least cover the following topics:

• IT security requirements, e.g., in terms of confidentiality, integrity, availability, authenticity, accountability and reliability, particularly with regard to the views of the asset owners,
• organisational infrastructure and assignment of responsibilities,
• integration of security into system development and procurement,
• directives and procedures,
• definition of classes for information classification,
• risk management strategies,
• contingency planning,
• personnel issues,
• awareness and training,
• legal and regulatory obligations,
• outsourcing management, and
• incident handling.

Organisational Aspects of IT Security

Roles and Responsibilities

IT security is an inter-disciplinary topic and relevant to every IT project and system and all IT users within an organisation. Appropriate assignment and demarcation of responsibilities should ensure that all important tasks are accomplished and that they are performed in an efficient way.


Corporate IT Security Officer

The corporate IT security officer should act as the focus for all IT security aspects within the organisation. The chief responsibilities are:

• oversight of the implementation of the IT security programme,
• liaison with and reporting to the IT security forum and the corporate security officer,
• maintaining the corporate IT security policy and directives,
• co-ordinating incident investigations,
• managing the corporate-wide security awareness programme, and
• determining the terms of reference for IT project and system security officers (and where relevant, department IT security officers).

IT Project Security Officer and IT System Security Officer

Individual projects or systems should have someone responsible for security, usually called the IT security officer. The functional management of these officers will be the responsibility of the corporate IT security officer. The security officer acts as the focal point for all security aspects of a project, a system or a group of systems. The chief responsibilities of the post are:

• liaison with and reporting to the corporate IT security officer,
• issuing and maintaining the IT project or system security policy,
• developing and implementing the security plan,
• day-to-day monitoring of implementation and use of the IT safeguards, and
• initiating and assisting in incident investigations.

Corporate Risk Analysis Strategy Option

Any organisation that wants to enhance security should put in place a strategy for risk management that is suitable for its environment. An approach that provides a balance involves conducting high-level reviews to determine the IT security needs of systems, with analyses to a depth consistent with these needs. The security needs of any organisation will depend on its size, the type of business it is doing, and its environment and culture.

4.5 ISO 13335 PART 3 GUIDELINES FOR THE MANAGEMENT OF IT SECURITY (GMITS) – TECHNIQUES FOR MANAGEMENT OF IT SECURITY

The purpose of ISO 13335 Part 3 is to provide techniques for the management of IT security. The techniques are based on the general guidelines laid out in ISO 13335 Part 1 and ISO 13335 Part 2. These guidelines are designed to assist the implementation of IT security. Familiarity with the concepts and models introduced in ISO 13335 Part 1 and the material concerning the management and planning of IT security in ISO 13335 Part 2 is important for a complete understanding. The aim of this part is to recommend techniques for the successful management of IT security. These techniques can be used to assess security requirements and risks, and help to establish and maintain the appropriate security safeguards.


The management of IT security includes the analysis of the requirements for security, the establishment of a plan for satisfying these requirements, the implementation of this plan, as well as maintenance and administration of the implemented security. This process starts with establishing the organisation’s IT security objectives and strategy, and the development of a corporate IT security policy. An important part of the IT security management process is the assessment of risks, and how they can be reduced to an acceptable level. The implementation should be supported by an awareness and training programme, which is important for the effectiveness of the safeguards. Furthermore, the management of IT security includes the ongoing task of dealing with various follow-up activities, which include maintenance, security compliance checking, change management, monitoring, and incident handling.

Security Elements

Assets

The proper management of assets is vital to the success of the organisation, and is a major responsibility of all management levels. The assets of an organisation include:

• physical assets,
• information/data,
• software,
• the ability to produce some product or provide a service,
• people, and
• intangibles (e.g., goodwill, image).

Most or all of these assets may be considered valuable enough to warrant some degree of protection. An assessment of the risks being accepted is necessary if the assets are not protected. From a security perspective, it is not possible to implement and maintain a successful security programme if the assets of the organisation are not identified. Asset attributes to be considered include their value and/or sensitivity and any inherent safeguards. The protection requirements of assets are influenced by their vulnerabilities in the presence of particular threats.

Threats

Assets are subject to many kinds of threats. A threat has the potential to cause an unwanted incident, which may result in harm to a system or organisation and its assets. Threats may be of natural or human origin and can be accidental or deliberate. Both accidental and deliberate threats should be identified and their level and likelihood assessed.

Vulnerabilities

Vulnerabilities associated with assets include weaknesses in physical layout, organisation, procedures, personnel, management, administration, hardware, software or information. Vulnerability in itself does not cause harm; vulnerability is merely a condition or set of conditions that may allow a threat to affect an asset.


Vulnerabilities may remain unless the asset itself changes such that the vulnerability

no longer applies. Vulnerability analysis is the examination of weaknesses, which may

be exploited by identified threats. This analysis must take into account the environment

and existing safeguards.

Impact

Impact is the consequence of an unwanted incident caused either deliberately or

accidentally, which affects the assets. The consequences could be the destruction of

certain assets, damage to the IT system, and loss of confidentiality, integrity, availability,

accountability, authenticity or reliability. Possible indirect consequences include

financial losses, and the loss of market share or company image. The assessment of

impacts is an important element in the assessment of risks and the selection of

safeguards.

Risk

Risk is the potential that a given threat will exploit vulnerabilities to cause loss or

damage to an asset or group of assets, and hence directly or indirectly to the

organisation. The risk is characterised by a combination of two factors: the probability

of the unwanted incident occurring and its impact. Any change to assets, threats,

vulnerabilities and safeguards may have significant effects on risks. Early detection or

knowledge of changes in the environment or system increases the opportunity for

appropriate actions to be taken to reduce the risk.

Safeguards

Safeguards are practices, procedures or mechanisms which may protect against a

threat, reduce vulnerability, limit the impact of an unwanted incident, detect unwanted

incidents and facilitate recovery. Effective security usually requires a combination of

different safeguards to provide layers of security for assets. Safeguards may be

considered to perform one or more of the following functions: detection, deterrence,

prevention, limitation, correction, recovery, monitoring, and awareness. An

appropriate selection of safeguards is essential for a properly implemented security

programme.

Residual Risk

Risks are usually only mitigated partially by safeguards. A partial mitigation is all that is

usually possible to achieve and the more that is to be achieved the greater the cost.

This implies that there are usually residual risks. Part of judging whether the security

is appropriate to the needs of the organisation is the acceptance of the residual risk.

Management should be made aware of all residual risks in terms of impact and the

likelihood of an event occurring.

Constraints

Constraints are normally set or recognised by the organisation’s management and

influenced by the environments within which the organisation operates.


Processes for the Management of IT Security

The management of IT security is an ongoing process consisting of a number of other

processes. Some processes such as configuration management and change

management have applicability to disciplines other than security. One process that

experience has shown to be very useful in the management of IT security is risk

management. Several aspects of the management of IT security are described below:

risk management, risk analysis, change management, and configuration management.

Configuration management is the process of keeping track of changes to the system

and can be done formally or informally. The primary security goal of configuration

management is to ensure that changes to the system do not reduce the effectiveness

of safeguards and the overall security of the organisation. The security goal of

configuration management is to know what changes have occurred, not to use

security as a means of preventing changes to IT systems.

Change management is the process used to help identify new security requirements

when IT systems changes occur. IT systems and the environment in which they

operate are constantly changing. These changes are a result of the availability of new

IT features and services, or the discovery of new threats and vulnerabilities.

Risk management activities are most effective if they occur throughout the system’s

life cycle. The risk management process is itself a major cycle of activities. While the

entire cycle can be followed for new systems, in the case of legacy systems it can be

initiated at any point in the system’s life cycle. The strategy may dictate that a review

is carried out at certain points in a system’s life cycle, or at pre-defined times. There

may be a requirement to carry out risk management during the design and

development of systems, thus ensuring that security is designed and implemented at

the most cost effective time. Risk management is the process of comparing assessed

risks with the benefits and/or costs of safeguards, and deriving an implementation

strategy and system security policy consistent with the corporate IT security policy

and business objectives.

Risk analysis identifies risks that need to be controlled or accepted. In the context of

IT security, risk analysis for IT systems involves the analysis of asset values, threats and

vulnerabilities. Risks are assessed in terms of potential impact that would be caused

by a breach of confidentiality, integrity, availability, accountability, authenticity or

reliability. The result of a risk analysis review is a statement of the likely risks to assets.

Risk analysis is part of risk management and can be accomplished without an

unnecessary investment in time and resources by conducting an initial brief analysis

on all systems. This will determine which systems can be adequately protected by a

code of practice or baseline controls, and those systems which will benefit from a

detailed risk analysis review.
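The risk, safeguard, residual-risk and triage concepts above can be made concrete in a small risk register. The following is an added worked example, not part of ISO 13335 or of the compendium: it scores each risk as likelihood combined with impact, applies the safeguards already in place, reports the residual risk for management to accept or reject, and performs the initial brief analysis that decides which entries can rest on baseline controls and which deserve a detailed review. The five-point scales, the two thresholds, and every asset, threat and safeguard listed are assumptions constructed for the example.

```python
"""Added worked example (not part of ISO 13335 or the compendium): a small risk
register that scores each risk as likelihood x impact, applies the safeguards
already in place, reports the residual risk, and triages each entry for baseline
controls or a detailed risk analysis. The scales, thresholds, assets, threats and
safeguards below are all assumptions constructed for the example."""
from dataclasses import dataclass, field

# Assumed five-point ordinal scales (1 = very low ... 5 = very high).
ACCEPTABLE_RESIDUAL = 6        # assumed management-approved acceptance threshold
DETAILED_ANALYSIS_FROM = 12    # assumed inherent-risk level that justifies a detailed analysis


@dataclass
class Safeguard:
    name: str
    likelihood_reduction: int = 0   # scale points removed from likelihood
    impact_reduction: int = 0       # scale points removed from impact


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # 1..5
    impact: int                     # 1..5
    safeguards: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before safeguards: probability of the incident combined with its impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk that remains after the safeguards. A safeguard never removes a factor
        entirely, so each factor is floored at 1: partial mitigation is the norm."""
        lik = self.likelihood - sum(s.likelihood_reduction for s in self.safeguards)
        imp = self.impact - sum(s.impact_reduction for s in self.safeguards)
        return max(lik, 1) * max(imp, 1)


def triage(risks):
    """Initial brief analysis over all entries: which can rest on baseline controls,
    which deserve a detailed review, and which residual risks management must accept."""
    report = []
    for r in risks:
        inherent, residual = r.inherent(), r.residual()
        report.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": inherent,
            "residual": residual,
            "analysis": "detailed" if inherent >= DETAILED_ANALYSIS_FROM else "baseline",
            "accepted": residual <= ACCEPTABLE_RESIDUAL,
        })
    return report


def sample_register():
    """Constructed entries; a real register comes from the asset inventory and threat assessment."""
    backups = Safeguard("nightly off-site backups", impact_reduction=2)
    patching = Safeguard("monthly patch cycle", likelihood_reduction=2)
    awareness = Safeguard("phishing awareness training", likelihood_reduction=1)
    return [
        Risk("customer database", "server compromise", "unpatched OS", 4, 5, [patching, backups]),
        Risk("office workstation", "malware via e-mail", "user opens attachment", 4, 3, [awareness]),
        Risk("intranet wiki", "disk failure", "single disk, no RAID", 2, 2, [backups]),
    ]


if __name__ == "__main__":
    for row in triage(sample_register()):
        flag = "" if row["accepted"] else "  <-- residual above acceptance level, escalate to management"
        print(f"{row['asset']:<20} inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"{row['analysis']:<8}{flag}")
```

The workstation entry is the instructive one: its inherent risk is high enough to warrant a detailed analysis, and even after the awareness training its residual risk stays above the acceptance threshold, so it must be reported to management rather than quietly carried.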


Effective security requires accountability and the explicit assignment and

acknowledgement of security responsibilities. Responsibilities and accountabilities

need to be assigned to asset owners, providers and users of IT systems.

Security awareness is an essential element for effective security. The lack of security

awareness and poor security practices by personnel within an organisation can

significantly reduce the effectiveness of safeguards. In order to ensure that an

adequate level of security awareness exists within an organisation it is important to

establish and maintain an effective security awareness programme.

The use of safeguards should be monitored to ensure they function appropriately; that

changes in the environment have not rendered them ineffective and that

accountability is enforced. Automated review and analysis of system logs is an

effective tool for helping to ensure the intended performance.

Contingency plans contain information about how to operate a business when the

support processes, including IT systems, are degraded or unavailable. These plans

should address the possible compounding of a number of scenarios. Disaster

recovery plans describe how to restore to operation IT systems affected by an

unwanted incident.

Models of the Management of IT Security

The models presented provide the concepts for an understanding of the IT security

management issues. The following models are:

• security element relationships,

• risk management relationships, and

• the management of IT security process.

The concepts introduced and the business objectives of the organisation come

together to form plans, strategies and policies for the IT security of the organisation.

The overriding aim is to ensure that an organisation retains the ability to carry out its

business with risks limited to an acceptable level. No security can be totally effective

and it is important to plan for recovery from an unwanted incident and to structure the

security to limit the extent of the damage.

4.6 ISO 13335 PART 4 GUIDELINES FOR THE MANAGEMENT OF IT SECURITY (GMITS) – SELECTION OF SAFEGUARDS

Part 4 provides guidance for the selection of safeguards and how this can be

supported by the use of baseline models and controls. It also describes how these

complement the security techniques described in Part 3 and how additional

assessment methods can be used for the selection of safeguards.


This part provides guidance on the selection of safeguards. It describes a process for

the selection of safeguards according to security risks and concerns and the specific

environment of an organisation. It shows how to achieve appropriate protection, and

how this can be supported by the application of baseline security.

There are two main approaches to safeguard selection, i.e. using a baseline

approach and carrying out detailed risk analyses. Conducting a detailed risk

analysis has the advantage that a comprehensive view of the risks is achieved.

This can be used to select safeguards, which are justified by the risks, and

thus should be implemented.

Basic Assessment

The process of safeguard selection requires some knowledge of the type and

characteristics of the IT system. In addition, the selection of safeguards requires an assessment

of existing and/or planned safeguards. When selecting safeguards, business

requirements should be taken into account. Finally, it is necessary to determine whether

these assessments provide enough information for the selection of baseline safeguards,

or whether a more detailed assessment or a detailed risk analysis is necessary.

Identification of the Type of IT System

For the assessment of an existing or planned IT system, the IT system considered

should be compared with the following components, and the components representing

the system should be identified. Components to choose from are:

• standalone workstation;

• workstation (client without shared resources) connected to a network; and

• server or workstation with shared resources connected to a network.

Identification of Physical/Environment Conditions

The assessment of the environment includes the identification of the physical

infrastructure supporting the existing and planned IT system, as well as related existing

and/or planned safeguards.

Assessment of Existing/Planned Safeguards

After assessing the physical environment conditions and the components of the IT

system, all other safeguards already in place or planned for should be identified. This

is necessary to avoid an already existing or planned safeguard being reselected, and

the knowledge of the safeguards implemented or planned helps to select further

safeguards acting in combination with them.


Safeguards

Organisational and Physical Safeguards

This safeguard category contains all those safeguards dealing with the management

of IT security, the planning of what should be done, assignment of responsibilities for

these processes, and all other relevant activities. The aim of these safeguards is to

achieve an appropriate and consistent level of security throughout an organisation.

Safeguards in this area are listed below.

• Corporate IT Security Policy;

• IT System Security Policy;

• IT Security Management;

• Allocation of Responsibilities;

• Organisation of IT Security;

• Asset Identification and Valuation; and

• Approval of IT Systems.

Security Compliance Checking

It is important that compliance is maintained with all required safeguards, and relevant

laws, regulations and policies, since any safeguard, regulation or policy can only

work as long as users comply and systems conform.

Safeguards in this area are:

• Compliance with IT Security Policies and Safeguards; and

• Compliance with Legal and Regulatory Requirements.

Incident Handling

Every employee in the organisation should be aware of the need to report security

incidents, including software malfunctions and identified weaknesses. The organisation

should provide a reporting scheme, which makes that possible. Incident handling

includes:

• Reporting of Security Incidents;

• Reporting of Security Weaknesses;

• Reporting of Software Malfunctions; and

• Incident Management.

Personnel

Safeguards in this category should reduce the security risks resulting from errors or

intentional or unintentional breaking of security rules by personnel. Safeguards in this

area are listed below.

• Safeguards for Permanent and Temporary Staff;

• Safeguards for Contracted Personnel;

• Security Awareness and Training; and

• Disciplinary Process.


Operational Issues

Safeguards in this area cover all procedures that maintain the secure, correct and reliable functioning

of the IT equipment and related system(s) used. Most of these safeguards can be

realized by implementing organisational procedures. Safeguards in the area of operational

issues are listed below.

• Configuration and Change Management;

• Capacity Management;

• Documentation;

• Maintenance;

• Monitoring Security Relevant Changes;

• Audit Trails and Logging;

• Security Testing;

• Media Controls;

• Assured Storage Deletion;

• Segregation of Duties;

• Correct Software Use; and

• Software Change Control.

Business Continuity Planning

In order to protect business, especially critical business processes, from the effects

of major failures or disasters and to minimize the damage caused by such events,

effective business continuity, including contingency planning/disaster recovery, strategy

and plan(s) should be in place. This includes the following safeguards:

• Business Continuity Strategy;

• Business Continuity Plan;

• Testing and Updating the Business Continuity Plan; and

• Back-ups.

Physical Security

Safeguards in this area deal with physical protection. Several of the following items

apply to buildings, secure areas, computer rooms and offices. The safeguard

selection depends on which part of the building is considered. Safeguards in this area

are listed below.

• Material Protection;

• Fire Protection;

• Water/Liquid Protection;

• Natural Disaster Protection;

• Protection against Theft;

• Power and Air-conditioning; and

• Cabling.


IT System Specific Safeguards

Identification and Authentication (I&A)

Identification is the means by which a user provides a claimed identity to a system.

Authentication is the means of establishing the validity of this claim. The following ways

are examples of how to achieve I&A:

• I&A Based on Something the User Knows (Passwords);

• I&A Based on Something the User Possesses; and

• I&A Based on Something the User Is.

Logical Access Control and Audit

Safeguards are implemented to restrict access to information, computers, networks,

applications, system resources, files and programmes, and record details of error and

user actions in audit trails and analyse the details recorded, in order to detect and

handle security breaches in an appropriate manner. Safeguards in the area of logical

access control and audit are listed below.

• Access Control Policy;

• User Access to Computers;

• User Access to Data, Services and Applications;

• Reviewing and Updating Access Rights; and

• Audit Logs.
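Audit logs only detect breaches if someone, or something, reads them. The earlier remark that automated review of system logs helps ensure safeguards keep working, and the access-control safeguards just listed, both come down to the same routine. Here is an added example, not code from the compendium: a small analyser run over a constructed audit trail that flags a burst of failed logins, a success that follows such a burst, a login outside business hours, a privilege change, and records that could not be parsed at all. The record format, the thresholds and every log line are constructed for the example; real sources (syslog, the Windows Security log, an application audit table) differ in format but not in the logic.

```python
"""Added example (not from the compendium): automated review of an audit trail,
the kind of analysis the 'Audit Logs' safeguard and the monitoring of safeguards
call for. The record format, the thresholds and the log lines below are
constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: "<date> <time> <EVENT> key=value ...", plus one corrupt entry.
SAMPLE_LOG = """\
2005-11-14 09:01:12 LOGIN_OK user=alice src=10.0.0.5
2005-11-14 09:02:40 LOGIN_FAIL user=admin src=192.0.2.77
2005-11-14 09:02:41 LOGIN_FAIL user=admin src=192.0.2.77
2005-11-14 09:02:42 LOGIN_FAIL user=admin src=192.0.2.77
2005-11-14 09:02:43 LOGIN_FAIL user=admin src=192.0.2.77
2005-11-14 09:02:44 LOGIN_FAIL user=admin src=192.0.2.77
2005-11-14 09:02:45 LOGIN_OK user=admin src=192.0.2.77
2005-11-14 09:05:00 FILE_READ user=admin src=192.0.2.77 path=/payroll/2005.xls
2005-11-14 10:15:00 LOGIN_FAIL user=alice src=10.0.0.5
2005-11-14 23:40:10 LOGIN_OK user=bob src=10.0.0.9
2005-11-14 23:41:02 PRIV_CHANGE user=bob src=10.0.0.9 target=carol role=administrator
<<corrupt record: truncated during log rotation>>
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+) (?P<kv>.*)$")

FAIL_THRESHOLD = 5              # assumed policy: 5 failures from one source ...
WINDOW_SECONDS = 120            # ... within two minutes
BUSINESS_HOURS = range(8, 19)   # assumed 08:00-18:59


def parse(text: str):
    """Parse lines into dicts. Unparseable lines are returned separately: an
    audit trail that is silently losing records is itself a finding."""
    records, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "event": m["event"]}
        rec.update(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        records.append(rec)
    return records, malformed


def analyse(records):
    """Return human-readable findings for an analyst to follow up, in time order."""
    findings = []
    recent_failures = defaultdict(list)   # src -> failure timestamps inside the window
    for r in sorted(records, key=lambda r: r["ts"]):
        ts, user, src = r["ts"], r.get("user"), r.get("src")
        if r["event"] == "LOGIN_FAIL":
            window = [t for t in recent_failures[src] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            window.append(ts)
            recent_failures[src] = window
            if len(window) == FAIL_THRESHOLD:
                findings.append(f"brute-force pattern: {FAIL_THRESHOLD} failures from {src} by {ts}")
        elif r["event"] == "LOGIN_OK":
            if len(recent_failures[src]) >= FAIL_THRESHOLD:
                findings.append(f"success after burst of failures: user={user} src={src} at {ts}")
            if ts.hour not in BUSINESS_HOURS:
                findings.append(f"login outside business hours: user={user} src={src} at {ts}")
        elif r["event"] == "PRIV_CHANGE":
            findings.append(f"privilege change by {user}: {r.get('target')} -> {r.get('role')} at {ts}")
    return findings


if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    for f in analyse(recs):
        print("FINDING:", f)
    for line in bad:
        print("MALFORMED:", line)
```

Sorting by timestamp before analysis matters when logs from several hosts are merged; and the malformed-line count should be tracked over time, since a rising count is how tampering with or loss of the audit trail usually first shows up.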

Protection against Malicious Code

Malicious code may be introduced into systems through external connections and

through files and software introduced from portable disks. Malicious code may not be

detected before damage is done unless suitable safeguards are implemented.

Malicious code may be introduced as a result of a deliberate action by a user, or by

system level interactions that may not be visible to users.

Protection against malicious code can be achieved by the use of the safeguards listed

below.

• Scanners;

• Integrity Checkers;

• Removable Media Circulation Control; and

• Procedural Safeguards.
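An integrity checker is the one safeguard in that list that catches malicious code a scanner has no signature for, because it does not look for the code, it looks for the change. The following is an added example, not code from the compendium: it records a SHA-256 baseline (with size and permission bits) of a directory tree, then reports which files were modified, added or removed. The tree, its contents and the simulated tampering are constructed in a temporary directory.

```python
"""Added example (not from the compendium): a file integrity checker of the kind
the 'Integrity Checkers' safeguard refers to. It records a SHA-256 baseline of a
directory tree and later reports files that were modified, added or removed.
The directory, its files and the tampering are constructed in a temp location."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> sha256, size and permission bits. Recording the mode
    catches a setuid bit being added even when the file content is unchanged."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /sbin/real-login \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # The baseline must live off-host or on read-only media: stored on the
        # same disk, whatever rewrote the binaries can rewrite it too. Here it
        # is only round-tripped through JSON to show it serialises cleanly.
        stored = json.loads(json.dumps(baseline))
        # Simulated compromise: a replaced binary, a new file, a deleted file.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\n# tampered\nexec /sbin/real-login \"$@\"\n")
        (root / "bin" / "extra").write_bytes(b"\x7fELF")
        (root / "etc" / "hosts").unlink()
        return verify(root, stored)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:<9}", ", ".join(paths) or "-")
```

Run it against directories that should be static (system binaries, configuration, web content) and schedule it from a host the monitored system cannot write to; the check is only as trustworthy as the baseline it compares against.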


Network Management

This area includes topics of planning, operation and administration of networks. The

proper configuration and administration of networks is an effective means to reduce

risks. Safeguards in the area of network management are listed below.

• Operational Procedures;

• System Planning;

• Network Configuration;

• Network Segregation;

• Network Monitoring; and

• Intrusion Detection.

Cryptography

Cryptography is a mathematical means of transforming data to provide security. It can

be used for many different purposes in IT security. The different ways of using cryptography

are discussed below.

• Data Confidentiality Protection;

• Data Integrity Protection;

• Non-Repudiation;

• Data Authenticity; and

• Key Management.
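Two of those uses, data integrity and data authenticity, are easy to confuse with a plain checksum, and the difference is the key. The following is an added example, not code from the compendium: it protects a message first with a bare hash and then with an HMAC, shows that an attacker who can edit the message can also recompute the bare hash but not the keyed tag, and derives per-purpose keys from one master secret as a minimal key-management discipline. The master secret, the purpose labels and the message are constructed for the example. Non-repudiation is deliberately not shown: it needs a digital signature made with a private key only the signer holds, and a shared MAC key, known to both sides, cannot provide it.

```python
"""Added example (not from the compendium): data integrity and authenticity with
a keyed MAC, contrasted with a plain hash, plus per-purpose key derivation.
Keys, purpose labels and messages are constructed. Non-repudiation needs a
digital signature (a private key only the signer holds) and is not shown."""
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes for both the hash and the HMAC tag


def derive_key(master: bytes, purpose: bytes) -> bytes:
    """Key management rule: one master secret, a separate derived key per purpose,
    so a key used for one job cannot be replayed against another and each can be
    rotated independently. (HMAC as a PRF, the same idea as HKDF-Expand.)"""
    return hmac.new(master, b"key-derivation:" + purpose, hashlib.sha256).digest()


def protect_with_hash(message: bytes) -> bytes:
    """Integrity against accidental corruption only: anyone can recompute the tag."""
    return message + hashlib.sha256(message).digest()


def check_hash(blob: bytes) -> bool:
    msg, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(msg).digest(), tag)


def protect_with_mac(key: bytes, message: bytes) -> bytes:
    """Integrity and authenticity: only a holder of `key` can produce a valid tag."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def check_mac(key: bytes, blob: bytes) -> bool:
    msg, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


def tamper(blob: bytes, old: bytes, new: bytes) -> bytes:
    """An attacker without the key edits the body and does the best they can with
    the tag: recompute a plain hash over the new body."""
    msg = blob[:-TAG_LEN].replace(old, new)
    return msg + hashlib.sha256(msg).digest()


def demo() -> dict:
    master = os.urandom(32)                        # constructed master secret
    k_mac = derive_key(master, b"payment-integrity")
    order = b"pay 100.00 to account 1234"
    hashed = protect_with_hash(order)
    maced = protect_with_mac(k_mac, order)
    return {
        "hash_ok_before": check_hash(hashed),
        "hash_ok_after_tamper": check_hash(tamper(hashed, b"1234", b"9999")),
        "mac_ok_before": check_mac(k_mac, maced),
        "mac_ok_after_tamper": check_mac(k_mac, tamper(maced, b"1234", b"9999")),
        "mac_other_purpose_key": check_mac(derive_key(master, b"session-logs"), maced),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:<24} {'accepted' if ok else 'rejected'}")
```

The tampered hash-protected order is still accepted, which is why a checksum on a download page protects against a corrupt transfer but not against a replaced file; the same edit to the MAC-protected order is rejected, and so is a tag checked with a key derived for a different purpose. Confidentiality, the first use in the list, is separate: a MAC hides nothing, and encryption needs its own key and, in the same way, its own purpose label.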

Generally Applicable Safeguards

The categories are:

• IT Security Management and Policies;

• Security Compliance Checking;

• Incident Handling;

• Personnel;

• Operational Issues;

• Business Continuity Planning; and

• Physical Security.

Selection of Safeguards According to Security Concerns and Threats

The selection of safeguards according to security concerns and threats described in

this clause can be used in the following way:

• The first step is to identify and assess the security concerns.

• Second, for each of the security concerns, typical threats are listed and for each

threat, safeguards are suggested according to the IT system considered.


In order to select appropriate safeguards in an effective way, it is necessary to have

an understanding of the security concerns of the business operations. It includes:

• loss of confidentiality,

• loss of integrity,

• loss of availability,

• loss of accountability,

• loss of authenticity, and

• loss of reliability.

For each of these concerns, the threat types which might endanger it are identified and

safeguards to protect against these threats are suggested. If relevant for the safeguard

selection, the type and characteristics of the IT system should be taken into account. For

example, availability demands can range from data or IT systems that are not time-critical

to those that are highly time-critical. The former can be protected by back-ups, whereas the

latter may require some form of resilient system to be in place.

These differences mean that many different safeguards may be applicable. The generally

applicable safeguards provide a more ‘general’ protection, i.e. they are aimed at a range of

threats and provide protection by supporting an overall effective IT security management.

Hence their effect is not to be underestimated, and they should be implemented for an

overall effective protection.

Selection of Safeguards According to Detailed Assessment

The selection of safeguards according to detailed assessments follows the same

principles that are applied in the previous clauses. The performance of a detailed risk

analysis allows the special requirements and circumstances of the IT system and its

assets to be taken into account. The difference from use of the previous clauses is

the level of effort, and the detail gathered during the assessment process.

5. CONCLUSION

While organisations are beginning to take information security more seriously, there is still a lot

of work to be done. This work should not focus merely on the technology aspects of the

solutions they require, but rather should also ensure that they understand the cultural and

human aspects related to information security, and that they put the proper policies and

procedures in place to ensure that technology is implemented and maintained correctly. Your

people can be your weakest link, but they can also be your best defence. Ultimately you must

build an appropriate measurement system – what is measured is managed.


Information security is important, challenging, and multi-faceted. It involves organisational

safeguards as well as technical safeguards. It cannot be approached using naive military ideas

about ‘absolute security’. Instead a ‘risk-managed’ approach has to be adopted, and costs

and inconvenience traded-off against security. And it requires vigilance, because security

schemes suffer from entropy, i.e. they run down very quickly unless they are maintained.

Reviewing against the standards can be very time consuming. However, implementation is

worthwhile. Information Security is an ongoing battle.

REFERENCES

ISO 17799:2000 Information Security Management Standard

BS 7799-2:2002 Information Security Management System

ISO 13335 Part 1–4 Guidelines for the Management of IT Security

June 2001 – Special Report

May 1998 – Special Report

Centre for Information Security Technology, Columbia, Maryland

University of California, March 1998, Version 0.3

Information Technology Services, Griffith University, Australia

April 1, 2002, London, SW11 2JE, United Kingdom


OPEN SOURCE AND SECURITY


Nah Soo Hoe has been in the ICT industry for over 16 years and is experienced in networking

protocols, Internetworking and information security issues. He participates actively in the

activities of local ICT organisations, in particular MNCC (Malaysian National Computer

Confederation) and PIKOM (Association of the Computer and Multimedia Industry of Malaysia).

He has been involved in numerous MNCC and PIKOM events and initiatives and has

represented both bodies in various Government committees and in working groups at both the

national and international levels on the Internet, ICT security and open source.

He is the current Chairperson of the SIRIM Technical Committee on Information Security

Standards and is also the list owner of two popular OSS mailing lists in the country –

the MYOSS (http://www.my-opensource.org/lists/myoss/) and the MNCC OSSIG

(http://www.mncc.com.my/ossig/lists/general/ossig/) lists.

He currently works as an independent consultant in the areas of:

• Open-source software deployment

• Information systems security

When he is not working or hacking away, he enjoys going for walks in hill resorts with his better

half and sharing a bowl of milk with the numerous alley cats in his backyard.

DR. NAH SOO HOE

SIRIM BERHAD


ABSTRACT

This paper serves to introduce the reader to what open-source software (OSS) is and its

development model and tries to address some of the more common misconceptions and

myths on OSS with respect to security. Common quality and security practices in OSS

development and distribution are also discussed and it rounds off with brief descriptions of

some popular OSS security tools and applications.

INTRODUCTION

The current interest in open-source software (OSS), both in its model of software development

and as a possible replacement for proprietary or close-source software, has led to intense

debates on the suitability of OSS deployment and usage in many areas. One important area

which has garnered much attention is security. In this chapter on “Open Source and Security”

we shall look at OSS from the security point of view. In particular, we shall be discussing the

following:

1. What is open-source software?

2. The Open Source model of software development

3. Common misconceptions about security and quality in OSS

4. OSS software quality and security practices

5. Some popular OSS security tools and applications

WHAT IS OPEN-SOURCE SOFTWARE?

Open-source software is not new. It has its roots in free software and the movement surrounding

it and is derived from it. To understand the history behind OSS we need to understand what

free software is and how it came about. [1]

Free Software

When we refer to the term “free software” we mean “free” as in “freedom” and “liberty” and not

the monetary meaning of “free”. As defined by the Free Software Foundation (FSF), free software

refers to software in which the user has the freedom to run the software, study how it works

as well as re-distribute it in an unmodified or modified form [2]. Note that in order to achieve

this freedom of usage and modification, the source code to the software has to be available.

The concept and practice of free software is not anything new. From the early days of computing,

software has been freely exchanged with source code by researchers and academics. The

technologies that run the Internet were developed in this way. The Internet started with the US

Department of Defence contracting US universities and research organisations to develop a

wide area computer network with no single point of failure. During those days of the

ARPANET (as the research network was then called), software which implemented the

networking protocols and services was freely exchanged among the researchers.

OPEN SOURCE AND SECURITY

DR. NAH SOO HOE


The basic networking protocol of the Internet, TCP/IP, was developed in this fashion. Many of

the basic Internet services run on free software; e.g. Apache (the most widely-used web server

on the Internet), BIND (the software that powers most of the Internet's domain name-to-IP

resolution service) and Sendmail (used by most of the Internet backbone mail transport

agents). It is no exaggeration to say that the Internet runs on free software, owes its success

to it, and is powered by free software to this day.

OPEN-SOURCE SOFTWARE (OSS)

With the success of the Internet, technical people tried to introduce the free software used on

the Internet to the business organisations where they work. However, very often they were met

with negative sentiments about using free software by the business and corporate users. To

these people, who were used to paying thousands of dollars for the software sold by

proprietary vendors, the term "free software" suggested software that was of poor quality and

unreliable. In addition to this, some businesses were concerned with the seemingly

uncompromising attitude of the Free Software Foundation with its publicly stated agenda that

it wants all software to be free (as in freedom) and that any form of proprietariness in software

should not be tolerated.

To try and overcome these problems associated with the perception and attitude towards free

software by the corporate and business world, in February 1998, some free software developers

and practitioners put together a “free software” definition and image less confrontational to

businesses [3]. The term open-source software was coined as an alternative to free software

and the case for open source was made based on pragmatic and business grounds.

This was the start of the Open Source movement. It can be viewed as an attempt by some

people in the free software community to take a less confrontational approach towards working

with proprietary software and the business community. They were willing to take on a pragmatic

approach in trying to engage the management and business communities to get them to

understand and appreciate the software that was developed by the free software community.

They realised that this could be a more effective way to get managerial and business buy-in and

hence lead to more adoption of free software in corporations and business establishments.

The actual definition of the term Open Source Software is available from the website of the

Open Source Initiative (OSI) [4]. The original ideals of free software as envisioned by the FSF

– the freedom to run, copy, distribute, study, change and improve the software are still covered

by OSS.

The Open Source Model

Much has been written about the community-style mode of development, maintenance and

distribution of many open source projects [5, 6, 7, 8, 9]. The one thing that makes it very

different from a traditional proprietary software model of development is its degree of openness

and transparency in the development, distribution and maintenance of a product. Extensive use

is made of the Internet and its online collaborative and communication services to achieve this.


In OSS projects, while there is always a team which develops, manages, steers and directs

the project towards its objectives, other people usually can and are encouraged to contribute

code and ideas to the project. The project’s aims, development and progress are transparent

and available to anyone who wants to know. For a major project, its website usually will have

the project's guidelines. These may include information on roles and responsibilities, communication,

decision making, source repositories, project management, new project proposals etc.

Discussions about the project both concerning development and end-user issues take place

usually via mailing lists and online forums and again, anyone interested can partake in these

discussions. Some projects actively solicit developers to be active and to become part of the

core team, but other projects may keep their core team relatively selective and closed.

Similar to the development process, the distribution and maintenance processes are also very

transparent. Stable and unstable (development) versions of the software are available for

downloads via the Internet. For the more popular projects, apart from the project’s own site

there are mirror download sites. The main form of distribution is source code but pre-compiled

versions for various popular platforms are usually available either from the project site or third

party sites.

Feedback from the users is actively solicited, both for the stable and development versions

of the product. Some projects even have nightly builds for their development versions and so

even an ordinary end-user can get the very latest version (with its associated bugs, of course!)

of the product. In many cases, some of the key developers are at hand to monitor these

discussions and feedback. In this way, the product is well exposed and tested by the users

and other developers even while it is still under development. This is a useful model as user

preferences and bugs are recognised and known early. Again, the Internet is utilised extensively

for these activities.

Major OSS projects have well established code control and version systems in place, as well as bug reporting and tracking processes. These features will be covered in more detail later.

COMMON MISCONCEPTIONS ABOUT SECURITY IN OSS

In this section we shall highlight some of the more common misconceptions, as well as fears, uncertainties and doubts (FUD), about security in OSS. These include:

• OSS has no owner and no party is accountable or responsible for it
• OSS has no proper quality and security control
• OSS is insecure, as the software can be examined for security vulnerabilities and exploited easily due to the availability of source code
• OSS is infested with backdoors and viruses/worms, as anyone can plant these in the source code


Note that in the discussion below it is assumed that we are talking about mainstream major OSS projects, i.e. those that are popular and enjoy at least fairly wide usage. It is difficult to generalise about small, obscure OSS projects; the same is true of small, obscure proprietary products, but at least for OSS the source code is always there for one to check and fall back on. This cannot be said for proprietary software.

No Accountability and Ownership

One of the common misconceptions about OSS is that a project is carried out by hobbyists and enthusiasts in their spare time, hence everything, including security controls and issues, is done on a best-effort basis only. On the other hand, it is perceived by many people that proprietary commercial software is maintained by full-time paid staff and that the vendor is therefore accountable and responsive.

The reality could not be more different from the above. Most major OSS projects are owned or supported either by a commercial company or by a formally registered non-profit foundation. Examples of this are:

• Apache – Apache Software Foundation
• MySQL – MySQL AB
• FreeBSD – FreeBSD Foundation
• Red Hat Linux – Red Hat Corporation
• SuSE Linux – SuSE Corporation (now a division of Novell Corp.)
• Zope – Zope Corporation

An OSS project has owner(s) and people accountable for it. As noted in an earlier section, an OSS project is owned or managed by one or more core people or developers. Some big ones (e.g. OpenOffice.org) even have regional/local marketing representatives. There will be people responsible for bug or security issues who co-ordinate fixes and responses. Generally these maintainers are responsive to security issues brought to their attention. In the unlikely event that the OSS maintainers do not respond, the open source community can help fix the problem as the source is available. With proprietary software, this is not possible.

On the other hand, there is no guarantee that a proprietary software vendor or company will be responsive or accountable for its product. Experience has borne this out. This is especially true as far as responses to reported bugs and security vulnerabilities go; it is not uncommon for several months to pass after a report is made before a vendor patches its software. (This issue used to be much worse several years ago.) Lately, due largely to the availability of full-disclosure forums [10, 11], commercial vendors have improved on the timeliness of their patches. However, one just has to look at the timelines between reported vulnerabilities and patch releases from the major software vendors to see that this point is still an issue.


No Proper Quality and Security Control

There is a common misconception that OSS development is done by a hodge-podge of hackers from all over and that there are no proper processes for quality assurance and security control. The fact of the matter is that major OSS projects have tight control over their developers. Only certain developers have "commit" privileges to change the source code. These developers are usually those who have shown that they have the necessary expertise and experience in software engineering and programming. To become a member of the core development team, one has to earn one's place by demonstrating a high degree of expertise and commitment.

Quality control, checks and testing are carried out on the software [15, 16]. This ensures good quality and not chaos even though the community development model is used. The same software engineering and quality assurance methodologies and models are deployed irrespective of whether the software is open or closed source. In fact for open source, if one suspects that the software is of poor quality, one can always resort to scrutinising the source. Again this is not possible for closed source.

OSS quality and security practices will be discussed in greater detail in a later section.

Source Code Examined for Vulnerabilities and Exploited

The fear with open source is that the ready availability of source code will enable the "bad guys" to scrutinise and examine the code, as well as the design, for possible bugs and security vulnerabilities and exploit them. With closed source, this is said to be more difficult as the source is not available. This point has some element of truth in it, but there are also other considerations which we should bear in mind before succumbing to this fear.

With the aid of modern debuggers and software development tools, it is possible to reverse-engineer a piece of binary closed-source software and subject it to detailed probing for common vulnerabilities and coding errors, e.g. buffer overflows, incomplete or inappropriate checks on user input etc. Infamous vulnerabilities found by third parties in widely used Microsoft products and in Oracle's database software bear testimony to this. Attackers also routinely compare a vendor's patched binary against the unpatched one to locate the flaw that was fixed, so withholding the source does not withhold the vulnerability. While commercial software licences may forbid one to perform any reverse-engineering on the software, the writer doubts that any of the "bad guys" out there will take much notice of this! It is interesting to note that vulnerabilities in Microsoft products are still being found by outside parties rather than by Microsoft itself, in spite of its publicly stated objective to give priority to security rather than features in its software development.

The availability of source code may not necessarily be a bad thing, because it can be argued that:

• For OSS, because the source code can be and is scrutinised by many people, most of the major security bugs, vulnerabilities or weaknesses (both in design and coding) will probably be caught and fixed, so that over a period of time the software will evolve into a stable and secure one. As a counter-argument, it has been suggested that the "many eyeballs" claim may not be accurate as far as checking for secure code is concerned: checking code for security flaws is a tedious process (and not too exciting, so many do not do so), and many people do not know how to check code for security problems properly. Availability of the source is a precondition for independent review, not a guarantee that the review actually happens.

• Closed-source software is proprietary and only the vendor knows whether it is well written or designed. There can be no independent check on it; an independent audit of the source code is only possible with OSS, or with a special source-access agreement with the vendor. So for applications or environments where security is of utmost importance, e.g. national security, a comprehensive security audit of the code needs to be done, and open source provides for that without any such arrangement. It is for this reason that many countries are now looking at OSS as a possible means to be less reliant on software from US companies and to ensure that the software powering their critical national infrastructure and security can be independently audited.

• The lack of public scrutiny can also lead to poor security and complacency on the part of closed-source developers; only when an exploit comes out will the problem be found. For example, in 2002 James Allchin, group vice president for platforms at Microsoft Corp., admitted to a US federal court that some Microsoft code was so flawed it could not be safely disclosed [12].

Source Code Injected with Backdoors, Trojans, Worms/Viruses

Some detractors of OSS have suggested that, since the source code is available, anyone can put backdoors and viruses/worms in the source to gain control of your system. Again, this type of sweeping statement has to be considered in its proper perspective.

This risk is real if you obtain or download your OSS from unknown and untrustworthy sites. Users should either purchase their software CDs or download them from trustworthy and well known open source sites, and ensure that the software's published checksum matches the copy obtained. Note that a checksum published on the same mirror as the download only guards against a corrupt transfer; a digital signature made with a project key obtained out of band (most major projects publish PGP-signed releases) also guards against a compromised mirror. Users also have the choice of downloading the source, checking it for backdoors and compiling it themselves to further mitigate this sort of attack.

In connection with this, it is interesting to note that there have been examples of software from major commercial proprietary software vendors which has been shipped with viruses in it. This shows that there is no guarantee that, just because you purchase your software from a well known commercial vendor, it will be free from backdoors etc. In fact, without the source code to verify, it is almost impossible to have an independent check on this. A good example is the database software InterBase from Borland, which upon being converted from closed source to open source was quickly found to contain a backdoor [13]. Even Microsoft itself has been guilty of shipping software with a backdoor inserted into it [14].

Source Availability Enhances Security

Creating secure software depends a lot on the people designing and developing the software and the quality assurance processes involved. This applies equally to both open and closed source. However, there are certain advantages if the source is available:


• Security bugs/vulnerabilities may be caught and fixed by the "many eyeballs" approach. For closed source, only the vendor knows whether it is well written or designed
• Lack of public scrutiny can also lead to poor security and complacency
• For OSS, there is no reliance on the vendor, so a security fix and/or workaround can be obtained quickly. Closed source usually depends on the vendor to come up with a fix and, as noted earlier, many vendors are slow to respond
• A software package, or a particular version of it, may become unsupported by its developers. If it is not open source, you are really stuck for bug and security fixes and will be forced either to abandon or to upgrade the software. However, if it is open source, you can if you want maintain and support it yourself
• There is no reliable independent way of verifying the security of proprietary software. Independent checks and audits of the source are possible only with OSS

OSS SOFTWARE QUALITY AND SECURITY PRACTICES

OSS development makes extensive use of online collaboration tools. This is to be expected, since very often the developers are not all in the same physical location; in fact they can be spread out all over the globe. The Internet makes this possible.

Project Website

Information about a project, including how it is set up and managed, is usually available from its website. Relevant guidelines on how the project is run may also be present; these include information on the decision making process, how communications may be carried out and how one may get involved etc.

The project website will also contain information on where to download the software, patches and updates (including mirror sites, if any), documentation, news, security alerts and announcements, bug reporting/submission etc.

Security News, Announcements and Updates

All major OSS projects have a security contact to which you can submit information regarding a vulnerability. They also have a security announcement/news section where security-related news and issues about the product are posted. This is usually a section on the website. In addition, many also have security announcement mailing lists through which the information is sent to subscribers via e-mail.

The project website will have a download area where the latest updates to the software can be obtained. In this way the latest patched version can be obtained by a user the moment it is available. Auto-updates are supported by some projects too, especially the operating system projects like Linux distributions.


Some popular OSS, especially those undergoing rapid development, have nightly builds, resulting in frequent testing by many users and the rapid submission of feedback and bug reports. This means that by the time the product is considered stable and goes into production distribution, it will have undergone extensive debugging and user testing, resulting in a very stable and reliable product.

Documentation regarding proper and/or secure configuration and setup of the product is available for many OSS. This is very useful as, often, improper configuration of software results in security problems.

The moment a security fix comes out, it is announced on various resources on the Internet, including the project website, the software's own mailing lists and major outside security mailing lists like Full-Disclosure [10] and Bugtraq [11].

Version Control

Some form of version control system is used in all major OSS projects. Popular version control systems include the Concurrent Versions System (CVS) [17] and Subversion [18].

Using version control enables developers to work on different portions of the code, as well as on different versions, simultaneously. It also allows remote development to take place: a developer can "check out" a code file, work on it remotely, and later "commit" the changes. The version control system handles the concurrency and synchronisation issues that arise when multiple developers work on the same code file. Without some form of version control, it would be almost impossible for the developers to work remotely on a large project.

Version control also has the ability to track when a piece of code was added or modified, what was changed and who made the change. In this way a detailed trail can be constructed to trace how a piece of code came about; this is a very useful feature and can be used, for example, in cases concerning accusations of code copying or plagiarism.

The source code tree is available for supported versions, and so it is possible to reproduce the source for any supported version.

Anonymous CVS access is available for many of the major OSS projects. This allows any user (i.e. not just the developers) to "check out" the latest source code. Of course, not just anyone can commit changes back. Commit privileges are given to some developers only; usually they will have to earn this privilege by showing their commitment and coding capabilities.

Bug Reporting and Tracking

All software, open or closed source, has bugs. These are design, logic or programming errors. Some of these bugs can give rise to serious security consequences, especially if they can be exploited remotely. It is therefore vital that a proper process and problem/defect tracking system is in place for bug reporting and tracking. Again, OSS relies extensively on the use of software to manage this, thereby enabling systematic bug reporting by the users and filing and tracking by the developers. The common ones used include Bugzilla [19], GNATS [20] and Scarab [21].

Users are able to send in bug reports online. The status of a bug can be viewed and tracked online by anyone too. Internally, the developers can use the system to track bugs and associated code changes, communicate with other developers in the team, and submit and review patches. The use of a problem/defect tracking system to manage bugs is vital to the quality assurance of the software in question.

SOME POPULAR OSS SECURITY TOOLS AND APPLICATIONS

Traditionally, OSS security tools have been used mainly by knowledgeable security experts. This is mainly due to their features and the fact that the source code is available to ensure that the tools actually do what they are supposed to do. These tools are chosen over proprietary closed source tools also because they can be modified by the security expert to add certain customised features and functionalities. Of course, on the other side of the fence, these tools may also be utilised to great effect by the crackers and "bad guys".

However, over the last few years more and more people, including businesses and corporations, have discovered that these OSS security tools and applications have equivalent or sometimes even better functionality than expensive commercial security tools, and so they are gaining in popularity for corporate use by security departments. In addition, there is no reason why some of them cannot be deployed by personal users or in a normal business/office environment. In fact, many of them have user-friendly GUI front-ends which make them more suitable for deployment by non-security specialists.

In this section we shall briefly look at some examples of OSS in the categories of:

• Standard system tools/utilities useful for security
• Anti-virus, anti-spam
• Base secure operating system platform
• File system integrity checker
• Firewall system
• Network intrusion detection system (NIDS)
• Port scanner
• Vulnerability scanner
• Network protocol analyser


Standard System Tools/Utilities

The standard OSS operating systems and environments like FreeBSD or Linux come with a wide variety of useful utilities which, if used properly, can assist the user in checking and maintaining the security of their system and network. Many of these tools are standard Unix tools and are present in these OSS platforms due to their Unix heritage.

In this section we shall briefly discuss some of the more common ones. Note that this list is by no means exhaustive. These utilities, useful by themselves, can be made to work co-operatively as filters using the Unix "piping" and I/O redirection facilities. This provides a very powerful method of performing quick analysis and checking of the file system and resources for signs of security breaches etc.

Although we are showing the utilities here as command line commands, many of these can now also be activated from the desktop windowing GUI and so may be less intimidating for some users.

ls: This is the classic command for directory and file listing. It has various options allowing a user to display the properties of a file or directory. It is normally used to check a file/directory for its size, owner, permissions and timestamps. Note that ls -l shows the modification time (mtime) by default, the access time (atime) with -u and the inode change time (ctime) with -c; a true creation time is generally not recorded on Unix file systems. For forensic purposes the ctime is the more trustworthy of the three, since mtime and atime can be set to any value with touch, whereas ctime cannot be set without altering the system clock or writing to the disk directly.

find: The "find" utility is a very versatile one for searching for files in a directory hierarchy. It has many options, allowing searching based on a wide variety of criteria, e.g. time, permissions etc. For example the command

find / -type f \( -perm -04000 -o -perm -02000 \)

will find all files with the SUID or SGID permission bit set. Files with these attributes can be a potential security risk and generally, unless there is a real need, these permissions should not be set on normal files. The find command in this case is useful in an audit of the file system to look for suspicious files with these attributes enabled; adding -ls to the command prints the owner and mode alongside each path, which is what such an audit needs to read.
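As an added example, not taken from the compendium, the shell functions below turn the find command above into a repeatable audit: suid_list prints the SUID/SGID files under a directory, and suid_new compares the current list with a baseline saved earlier so that only newly appearing entries are reported, which is what a nightly cron job should mail about. The baseline location and the assumption that the audit runs as root on a trusted system are the example's own.

```shell
#!/bin/sh
# Added example: SUID/SGID audit built on the find command discussed above.
# Assumptions (not from the original text): the baseline file is kept on media
# the attacker cannot write to, and the audit runs as root so every directory
# is readable.

# suid_list DIR: print every regular file under DIR with the SUID or SGID bit
# set, one path per line, sorted. -xdev keeps find on one filesystem so that
# network mounts and /proc are not walked by accident.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# suid_detail DIR: the same files with owner, group and mode, which is what an
# auditor actually reads (a root-owned SUID copy of a shell is the classic backdoor).
suid_detail() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
}

# suid_new BASELINE DIR: print SUID/SGID files under DIR that are absent from
# the saved BASELINE, one path per line. Returns 1 if there are any, 0 if none,
# so it can drive a cron job or an alert.
suid_new() {
    baseline=$1; dir=$2
    current=$(mktemp) || return 2
    suid_list "$dir" > "$current"
    # comm -13 prints lines present only in the second (current) file; both
    # inputs must be sorted the same way.
    new=$(LC_ALL=C sort "$baseline" | LC_ALL=C comm -13 - "$current")
    rm -f "$current"
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Typical use (as root):
#   suid_list / > /mnt/readonly/suid.baseline        # once, after a clean install
#   suid_new /mnt/readonly/suid.baseline / || mail -s "new SUID files" root
```

A file that appears in suid_new output is not automatically malicious (a package upgrade can legitimately add one), but each such entry should be explained and the baseline updated only after that.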

grep: This utility prints lines matching a pattern from a source, usually a file or the output of a pipe. It may be used to filter the output of other utilities, or log files, to look for some pattern or string.

chmod: This utility allows you to control and change file and directory access permissions.

ssh, sftp, scp: The family of ssh programmes allows secure remote logins and file transfers.

ps: This tool displays the status of processes running on the system. This provides very useful information with regard to security, since the user can examine and look out for unusual and/or unknown running processes, which can be a sign of a security breach. Bear in mind that on a compromised host the ps binary or the kernel itself may have been altered to hide processes, so when a compromise is suspected its output should be cross-checked against /proc or a known-clean copy of the tool.

top: Displays the processes using up CPU resources. This aids the user or administrator in looking out for "runaway" or denial of service processes.

lsof: This utility lists the open files in use by processes and, since sockets are files too, lsof -i shows which process holds each network connection or listening port. It is often used in conjunction with the ps command to check which files are in use by specific processes.


fuser: This will display the processes using the specified files.

rpm -V: On Linux systems that use the rpm package manager, the "-V" option verifies that the files of a package have not been modified since installation, by comparing size, mode, owner, digest and modification time against the package database. This can serve as a simple file integrity checker to detect a backdoor planted in a packaged file. Each changed file is printed with a string of flags (S size, M mode, 5 digest, U user, G group, T mtime, and so on); a changed digest on a binary is the red flag, whereas changes to files marked "c" (configuration files) are usually expected. Note, however, that the comparison is made against the local RPM database, which an attacker with root access can also rewrite, so a clean result from rpm -Va is reassuring but not conclusive.

procmail: This tool is a very versatile mail processor which can be run to process an e-mail as it arrives, either into the system or before it is delivered to the user's mailbox. "Recipes", or regular expression matching rules, can be set up to customise the delivery options based on these rules. It is a very useful tool for setting up customised e-mail filters to filter off unwanted e-mail.

Standard Network System Security Tools

Standard OSS systems come with several useful network tools which can be utilised for security purposes.

ping: This is the ubiquitous network tool to quickly check for the accessibility of a computer on a TCP/IP network or the Internet. If a remote computer is connected to a network and is reachable from your system, running ping against it should result in a reply from the remote host. (This assumes that the remote host is configured to accept and answer ICMP echo requests, and that the route between the remote host and your computer does not filter them off; many hosts and firewalls do, so a missing reply does not prove that the host is down.)

traceroute: This is another popular utility, used to trace the route taken by a data packet from the user's computer to a remote host. It shows the intermediate nodes passed through by the data packet. A typical traceroute output is displayed below.

traceroute to www.jaring.my (61.6.32.105), 30 hops max, 38 byte packets
 1  211.24.251.1 (211.24.251.1)  79.328 ms  108.476 ms  139.916 ms
 2  211.24.248.41 (211.24.248.41)  829.850 ms  119.087 ms  119.936 ms
 3  fe-0-1-1.GLSFB-MBONE-001.time.net.my (203.121.20.1)  119.936 ms  109.685 ms  99.959 ms
 4  211.24.210.1 (211.24.210.1)  109.551 ms  89.771 ms  111.459 ms
 5  203.121.17.6 (203.121.17.6)  339.971 ms  99.444 ms  89.955 ms
 6  vlan600.msfc2.glsfb.time.net.my (203.121.16.36)  99.918 ms  346.794 ms  103.596 ms
 7  Fe0-1-0.gw02.glsfb.time.net.my (203.121.16.21)  90.169 ms  116.041 ms  102.869 ms
 8  s1-0-3.bkj18.jaring.my (161.142.155.25)  150.021 ms  119.691 ms  119.500 ms
 9  ge2-0.jsr3.jaring.my (161.142.173.8)  150.215 ms  119.816 ms  462.267 ms
10  l4-bkj.jaring.my (61.6.32.7)  138.285 ms  109.071 ms  119.937 ms


netstat: This utility enables a user to check the network connections on the system and the open ports. The processes and programs responsible for the network connections may be displayed too. Suspicious connections or unknown listening ports should be investigated further. A simplified sample output from netstat is given below.

$ netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6818/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      592/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      654/sendmail: accep
tcp        0      0 192.168.1.22:80         192.168.1.20:1096       ESTABLISHED 6824/httpd
tcp        0      0 192.168.1.22:80         192.168.1.20:1095       ESTABLISHED 6822/httpd
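Reading such output by eye does not scale to many hosts, so the following added example (not from the compendium) turns the check into a function: it reads netstat -nap output and reports listening TCP sockets whose port is not on an allowlist. The sample it is run against is constructed for the example: the rows shown above plus one extra listener on port 4444 whose process column reads "-", which is what netstat prints for sockets owned by other users when it is not run as root.

```shell
#!/bin/sh
# Added example: flag unexpected TCP listeners in "netstat -nap" output.
# Assumption (not from the original text): the set of ports this host is
# expected to listen on is known, e.g. "22 25 80" for an SSH/mail/web server.

# unexpected_listeners "PORT PORT ..." < netstat-output
# Prints "local-address pid/program" for each LISTEN socket whose port is not
# in the allowlist; exit status 1 if any were found, 0 if the host looks clean.
unexpected_listeners() {
    awk -v allow=" $1 " '
        # netstat -nap columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        # UDP rows carry no State column, so only tcp/tcp6 LISTEN rows are examined.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]      # last field copes with IPv6 ":::22"
            if (index(allow, " " port " ") == 0) {
                prog = $7
                for (i = 8; i <= NF; i++) prog = prog " " $i   # e.g. "654/sendmail: accep"
                print $4, prog
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample: the rows from the text plus a sixth, unexplained listener.
# "-" in the last column means the owning PID is not visible to this user; run
# netstat (or, on current Linux, ss -ltnp) as root to see it.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6818/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      592/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      654/sendmail: accep
tcp        0      0 192.168.1.22:80         192.168.1.20:1096       ESTABLISHED 6824/httpd
tcp        0      0 192.168.1.22:80         192.168.1.20:1095       ESTABLISHED 6822/httpd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      -'

# check_sample "PORT ...": run the check against the constructed sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$1"
}

# Live use:
#   netstat -nap 2>/dev/null | unexpected_listeners "22 25 80" || echo "investigate"
```

The allowlist is deliberately per-host: a listener that is normal on a mail relay is an anomaly on a workstation, and the comparison is only meaningful against what the host is supposed to run.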

tcpdump: This network tool is a packet sniffer. It can be used to monitor (sniff) packets flowing on the network to which the system is attached. It is compact and portable, and the network traffic can be captured to a file for viewing and/or analysis later. Some basic knowledge of TCP/IP is required to read and interpret the packet captures, as can be seen below.

# tcpdump -n -x -vv
18:26:47.842986 < 192.168.0.22.1046 > 192.168.0.20.pop3: . 1:1(0) ack 1 win 5840 (DF) (ttl 64, id 26680)
    4500 0028 6838 4000 4006 511d c0a8 0016
    c0a8 0014 0416 006e 06cb 48d2 0d07 6bfc
    5010 16d0 4a65 0000
18:26:47.882986 < 192.168.0.20.pop3 > 192.168.0.22.1046: P 1:55(54) ack 1 win 32736 (DF) (ttl 64, id 151)
    4500 005e 0097 4000 4006 b888 c0a8 0014
    c0a8 0016 006e 0416 0d07 6bfc 06cb 48d2
    5018 7fe0 aee5 0000 2b4f 4b20 5150 4f50
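To show what reading such a capture involves, here is an added example that is not part of the original text: a small POSIX shell decoder that takes the hex bytes tcpdump printed and recovers the IPv4 and TCP header fields, so they can be checked against tcpdump's own summary line. The two packets embedded below are the hex dumps printed above, copied verbatim; the functions and everything else are the example's own construction.

```shell
#!/bin/sh
# Added example: decode the IPv4 + TCP headers from a "tcpdump -x" hex dump.
# Only the fields needed to cross-check tcpdump's summary line are extracted;
# IP options, TCP options and checksums are skipped.

# byte_at HEX OFFSET: decimal value of the byte at zero-based OFFSET
byte_at() {
    start=$(( $2 * 2 + 1 )); end=$(( start + 1 ))
    pair=$(printf '%s' "$1" | cut -c "$start-$end")
    echo $(( 0x$pair ))
}
# word_at HEX OFFSET: 16-bit big-endian value at OFFSET
word_at() {
    echo $(( $(byte_at "$1" "$2") * 256 + $(byte_at "$1" "$(( $2 + 1 ))") ))
}

# decode_ipv4_tcp "HEX WORDS": prints "src:port > dst:port flags=.. ttl=.. payload=N"
# Returns 1 (printing nothing) if the packet is not IPv4 carrying TCP.
decode_ipv4_tcp() {
    hex=$(printf '%s' "$1" | tr -cd '0-9a-fA-F')
    b0=$(byte_at "$hex" 0)
    ver=$(( b0 / 16 )); ihl=$(( (b0 % 16) * 4 ))            # IP header length in bytes
    proto=$(byte_at "$hex" 9)                               # 6 = TCP, 17 = UDP
    [ "$ver" -eq 4 ] && [ "$proto" -eq 6 ] || return 1
    total=$(word_at "$hex" 2)                               # IP total length
    ttl=$(byte_at "$hex" 8)
    src="$(byte_at "$hex" 12).$(byte_at "$hex" 13).$(byte_at "$hex" 14).$(byte_at "$hex" 15)"
    dst="$(byte_at "$hex" 16).$(byte_at "$hex" 17).$(byte_at "$hex" 18).$(byte_at "$hex" 19)"
    sport=$(word_at "$hex" "$ihl")
    dport=$(word_at "$hex" "$(( ihl + 2 ))")
    doff=$(( ($(byte_at "$hex" "$(( ihl + 12 ))") / 16) * 4 ))   # TCP header length
    fb=$(byte_at "$hex" "$(( ihl + 13 ))")                       # TCP flag byte
    flags=""
    [ $(( fb & 2 ))  -ne 0 ] && flags="${flags}S"
    [ $(( fb & 4 ))  -ne 0 ] && flags="${flags}R"
    [ $(( fb & 8 ))  -ne 0 ] && flags="${flags}P"
    [ $(( fb & 16 )) -ne 0 ] && flags="${flags}A"
    [ $(( fb & 1 ))  -ne 0 ] && flags="${flags}F"
    printf '%s:%s > %s:%s flags=%s ttl=%s payload=%s\n' \
        "$src" "$sport" "$dst" "$dport" "$flags" "$ttl" "$(( total - ihl - doff ))"
}

# tcp_payload_ascii "HEX WORDS": print the captured payload bytes as ASCII,
# non-printable bytes shown as "." (what tcpdump -X does for you).
tcp_payload_ascii() {
    hex=$(printf '%s' "$1" | tr -cd '0-9a-fA-F')
    ihl=$(( ($(byte_at "$hex" 0) % 16) * 4 ))
    doff=$(( ($(byte_at "$hex" "$(( ihl + 12 ))") / 16) * 4 ))
    i=$(( ihl + doff )); n=$(( ${#hex} / 2 ))
    while [ "$i" -lt "$n" ]; do
        v=$(byte_at "$hex" "$i")
        if [ "$v" -ge 32 ] && [ "$v" -le 126 ]; then
            printf "\\$(printf '%03o' "$v")"
        else
            printf '.'
        fi
        i=$(( i + 1 ))
    done
    printf '\n'
}

# The two packets printed by tcpdump above (hex words copied verbatim).
PKT1='4500 0028 6838 4000 4006 511d c0a8 0016 c0a8 0014 0416 006e 06cb 48d2 0d07 6bfc 5010 16d0 4a65 0000'
PKT2='4500 005e 0097 4000 4006 b888 c0a8 0014 c0a8 0016 006e 0416 0d07 6bfc 06cb 48d2 5018 7fe0 aee5 0000 2b4f 4b20 5150 4f50'
```

Decoding PKT1 gives 192.168.0.22:1046 > 192.168.0.20:110 with only ACK set and no payload, which is exactly what the summary line ". 1:1(0) ack 1" says; PKT2 is the reverse direction with PSH and ACK and 54 bytes of payload, whose first eight captured bytes read "+OK QPOP", the greeting of a POP3 server. Being able to make that cross-check is what "some basic knowledge of TCP/IP" amounts to in practice.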

iptables, ipfw, pf: All the major OSS operating systems come with at least one firewall package. On most Linux distributions this is netfilter/iptables, on FreeBSD systems it is ipfw, while on OpenBSD platforms it is pf. These firewalls enable you to monitor and control packets coming into and going out of the system. Simple controls are easily set up by specifying port numbers, IP addresses and/or the type of service in the packets. These simple controls will enable the firewall to function as a personal firewall to protect the system. If the system is to be utilised as a full-fledged firewall or gateway to protect some internal network, more complex controls and rules can be set up, but the user should have some knowledge of firewall and networking basics before attempting such a venture, in order to prevent the accidental configuration of incorrect rules which may leave the system open to attack. Rule order matters in all three: in iptables and ipfw the first matching rule decides a packet's fate, in pf the last matching rule does unless a rule is marked quick, and in every case a permissive rule placed where it matches before a restrictive one silently disables the latter.


It is possible to install a GUI front-end to these standard firewalls so that it is easier for a user to interact with them. An example of this is given later.
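As an added example (not from the original text), the function below emits a minimal host firewall policy for netfilter/iptables in iptables-restore format, the plain-text form in which such rule sets are usually kept and reviewed. The list of inbound ports is a parameter; the default-DROP INPUT policy, the loopback rule and the established-connection rule are the substance, and forgetting any of them is the kind of "incorrect rule" the text warns about. The host role and the ports are assumptions for the example.

```shell
#!/bin/sh
# Added example: generate a "personal firewall" ruleset for netfilter/iptables
# in iptables-restore format. Assumption (not from the original text): the host
# should accept only the listed inbound TCP ports (e.g. 22 for SSH) and is not
# a router, so FORWARD is closed as well.

# host_firewall_rules "PORT PORT ...": print the ruleset to stdout
host_firewall_rules() {
    cat <<'EOF'
*filter
# Default-deny for inbound and forwarded traffic; outbound left open for a workstation.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must be allowed or local services (e.g. the 127.0.0.1:25 listener) break.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and packets of already established sessions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Malformed or out-of-state packets are dropped rather than reaching a listener.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow ICMP echo so the host stays reachable with ping (remove if not wanted).
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for p in $1; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything else reaching INPUT is logged (rate-limited) and then falls to the DROP policy.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf 'COMMIT\n'
}

# count_open_ports "PORT ...": number of ACCEPT rules for new inbound TCP
# connections in the generated ruleset, a cheap sanity check before loading it.
count_open_ports() {
    host_firewall_rules "$1" | grep -c 'ctstate NEW -j ACCEPT'
}

# To load (as root):  host_firewall_rules "22 80" | iptables-restore
# To inspect:         iptables -L INPUT -n -v --line-numbers
```

Keeping the rules in this form means a change is a diff that can be reviewed, and the LOG rule gives the administrator a record of what the DROP policy actually discarded, which is how a forgotten port is found without opening the host up again.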

Anti-virus, Anti-spam

There are several OSS anti-virus and anti-spam products in popular use. We shall examine two of them, Clam AntiVirus and SpamAssassin.

Clam AntiVirus

The simplest use of Clam AntiVirus (ClamAV) [22] is as a command line virus scanner. However, the main feature of ClamAV is that it comes with an anti-virus toolkit and library which enable users and third parties to incorporate ClamAV features and functionality into their own software. It also enables a user to create a virus signature from a sample file, which makes it possible to maintain a customised virus signature database in addition to the one produced by ClamAV.

It is possible to integrate ClamAV with mail servers (as a content scanner) for attachment scanning, and several popular mail servers support this.

The ClamAV virus signature database is updated very often, and automatic updating over the Internet is available to users.

An MS-Windows port named ClamWin is also available [23].

SpamAssassin

SpamAssassin [24] is an extensible e-mail filter which is used to identify spam. It uses a variety of standard and novel means to do this, including header analysis, text analysis, DNS-based blacklists, a learning (Bayesian) classifier and distributed collaborative hash databases. Once identified, the mail can then optionally be tagged as spam for later filtering by the user's own e-mail client application.

SpamAssassin does not require much configuration, as there is no need to continually update it with details of your mail accounts, mailing list memberships, etc. It accomplishes filtering without this knowledge as far as possible.

Rules in SpamAssassin are easy to extend and modify, as they are stored mainly in text configuration files which the user or administrator can edit to modify or add new rules.

SpamAssassin support is available for a variety of mail systems, including Qmail, Sendmail, Postfix and others.

Secure Operating System Platform

While nowadays almost all OSS operating system platforms come with good security tools and a reasonably secure default configuration and policies, there are some which are developed and put together with security as the first priority. One of the most popular and well known operating systems that falls into this category is OpenBSD [25].


OpenBSD

OpenBSD is a free, multi-platform, 4.4BSD-based Unix-like operating system with proactive security and integrated cryptography. As an indication of its confidence in its security, its website proudly claimed at the time of writing:

"Only one remote hole in the default install, in more than 8 years!"

Note the qualification "in the default install": the claim covers the base system as shipped, not the third-party packages an administrator adds afterwards. OpenBSD is used as the base operating system for many commercial security products. It achieves its high standard of security through a comprehensive file-by-file audit and analysis of every critical software component in its distribution. It also takes great pains to ensure that it ships with a secure default configuration and that all non-essential services are disabled. Furthermore, as it is an OSS project based in Canada, it is able to integrate strong cryptography directly, since it is not bound by the US export controls which restrict the export of strong cryptographic products to certain countries.

Bastille Linux

It is also possible to harden a vanilla OSS operating system by checking it for common security problems and insecure configurations. There are tools and scripts available which can assist a user in doing this. A script which does this for many Linux distributions, as well as some versions of Unix, is Bastille Linux [26].

Bastille Linux offers simplified, automated security administration setup and configuration for Linux/Unix systems. The Linux distributions it currently supports are Red Hat, Mandrake, Debian, SuSE and TurboLinux. In addition, HP-UX and Mac OS X are supported too.

When the Bastille Linux script is run, in the process of securing the system it tries to educate the installing administrator about the security issues involved in each of the script's tasks. Some of the tasks that Bastille Linux takes the administrator through are:

• Apply a firewall (packet filter) to prevent access to possibly vulnerable services
• Apply system patches for all known security holes
• Perform a SUID-root audit
• Deactivate or restrict unnecessary services

At each stage of the hardening, the administrator has the option to apply or skip the suggested change. In this way the degree of hardening can be controlled as the administrator desires.

File System Integrity Checker

One of the things which a cracker does upon compromising a system is to change the configuration of certain system files and also, possibly, to put in backdoors and trojans. As such, after the discovery of a compromise it is safest to wipe the hard drive and perform a fresh installation of the system software and applications. However, sometimes one may not be able to do so, or may not be able to do so immediately. It will help then if there is some way to check whether certain critical system files or data have been tampered with.

Also, one of the ways in which the administrator may be alerted to the possibility of a compromise is the detection of unexpected changes or modifications to system files. Again it will be very useful from the security standpoint if there is some way to ascertain the integrity of certain files on the file system. A popular OSS package that allows an administrator to do this is Tripwire [27].

Tripwire

Tripwire monitors key attributes of files that should not change: cryptographic hashes of the contents, size, permissions, ownership and timestamps. It establishes a “digital inventory” of the files and their attributes in a known, good state, stores it in its database and uses it as the baseline for detecting changes. In other words, it walks the file system, computes a signature for each specified file and records it.

At a later stage, Tripwire is run again to recompute the signature of each file and compare it with the one stored in its database. If the two differ, the file has been modified.

Tripwire is usually run immediately after a clean installation and configuration, so that its database captures the signatures of the important system and configuration files in their known-good state. Each time a watched file changes, the administrator is notified. It is good security practice to store the Tripwire database on a different file system or, better still, on a physically separate machine or read-only medium from the one being checked; otherwise an intruder who can modify the files can also update the baseline to match. For the same reason open-source Tripwire signs its database and policy with site and local keys, and the check itself should be run from trusted binaries (for example from read-only media), since a rootkit on a compromised host can hide changes from a checker run on that host.
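As an added illustration (not part of the compendium and not code from the Bastille or Tripwire projects), the following Python script implements the core of both the SUID-root audit listed in the Bastille section and the Tripwire-style baseline-and-compare check described here: it records a content hash and inode attributes for every regular file under a directory, compares a later walk against the stored baseline, and lists set-user-ID files owned by a given uid. The directory tree, file contents and the simulated tampering are all constructed inside demo(); the record layout and the function names are this example's own.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes an integrity checker records for one regular file: a content
    hash plus the inode metadata that a trojaned or chmod'ed file disturbs."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_ns": st.st_mtime_ns,
    }


def build_baseline(root: Path) -> dict:
    """Walk root and record every regular file, keyed by path relative to root.
    Symlinks are skipped so a watched path cannot be redirected elsewhere."""
    return {
        str(p.relative_to(root)): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken.
    Any attribute difference counts: a hash alone would miss a chmod or chown."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in current
                           if n in baseline and current[n] != baseline[n]),
    }


def find_setuid(root: Path, owner_uid: int = 0) -> list:
    """SUID audit: files with the set-user-ID bit owned by owner_uid (root by
    default). Anything not on the expected list deserves a close look."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def demo() -> dict:
    """Constructed sample tree (not a real system): take a baseline, then
    simulate what an intruder typically does and re-check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "bin" / "ls").chmod(0o755)

        # In practice the baseline goes to read-only or off-host storage;
        # here it is only serialised and read back.
        saved = json.dumps(build_baseline(root))

        # Simulated compromise: trojaned ls, extra uid-0 account, planted set-uid shell.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        with (root / "etc" / "passwd").open("a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        shell = root / "bin" / "backdoor"
        shell.write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        shell.chmod(0o4755)

        report = compare(json.loads(saved), build_baseline(root))
        # the demo files are owned by whoever runs it, so audit for that uid
        report["setuid"] = find_setuid(root, owner_uid=os.getuid())
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports bin/backdoor as added and set-uid and bin/ls and etc/passwd as modified. On a real host the baseline would be taken from a freshly installed system, written somewhere the host cannot alter, and the comparison run from trusted media for the reasons given above.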

Firewall System

Every system connected to an untrusted public network such as the Internet should be protected by a firewall. A firewall acts as a gatekeeper between the internal computer or network and the outside world (the public network), controlling the network traffic passing through it according to prescribed policies and rules. There are numerous OSS firewall packages, and with them it is possible to implement anything from simple personal firewall policies that protect a home user from the Internet to full-fledged enterprise-wide firewall services that protect large corporations and businesses. In this section we take a brief look at a popular firewall for Linux, Netfilter/IPTables [28].

Netfilter/IPTables

Netfilter is the packet-filtering framework inside the Linux kernel; iptables is the user-space tool used to load rules into it. Together they form a stateful packet filter: the connection-tracking module remembers the connections a host has initiated or accepted, so that rules can admit reply traffic for those connections while dropping unsolicited packets, instead of relying on stateless tests such as the presence of a TCP ACK flag. Netfilter also performs all kinds of network address and port translation and has a flexible, extensible infrastructure. With Netfilter on a hardened Linux system (for example one hardened with Bastille), Internet and intranet firewalls can be built for the home, office or company. Typically such an environment uses network address translation (NAT) to share a single Internet connection and to implement transparent proxies, so that Internet and network access can be controlled and monitored to whatever degree management requires.

A nice GUI front-end for Netfilter is Firewall Builder [29], which lets the administrator build firewall policies and rules through a graphical interface.
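The connection-tracking behaviour described above is easiest to see in a small simulation. The following Python model is an added example, not iptables and not code from the Netfilter project: it keeps a conntrack table of accepted connections, classifies each packet as NEW or ESTABLISHED, and evaluates a rule list in the style of an INPUT/OUTPUT policy. The addresses, rules and packet sequence in demo() are constructed, and Packet, Rule and StatefulFilter are names invented here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The fields of a TCP packet the filter looks at (constructed, not parsed)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "A" ACK; informational only here


@dataclass(frozen=True)
class Rule:
    """One rule: direction is "in" or "out"; None means "any" for the rest."""
    action: str                     # "ACCEPT" or "DROP"
    direction: str
    dport: Optional[int] = None
    src_net: Optional[str] = None   # CIDR, e.g. "10.0.0.0/24"
    state: Optional[str] = None     # "NEW" or "ESTABLISHED"


class StatefulFilter:
    """Toy model of netfilter's connection tracking plus an INPUT/OUTPUT policy.
    Ignores TCP flags, timeouts and every protocol other than TCP."""

    def __init__(self, rules: List[Rule], default: str = "DROP"):
        self.rules = rules
        self.default = default
        # entries are kept from the local host's point of view:
        # (local_ip, local_port, remote_ip, remote_port)
        self.conntrack = set()

    @staticmethod
    def _key(pkt: Packet, direction: str):
        if direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    @staticmethod
    def _rule_matches(r: Rule, pkt: Packet, direction: str, state: str) -> bool:
        if r.direction != direction:
            return False
        if r.dport is not None and r.dport != pkt.dport:
            return False
        if r.state is not None and r.state != state:
            return False
        if r.src_net is not None:
            return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.src_net)
        return True

    def filter(self, pkt: Packet, direction: str) -> str:
        """Verdict for one packet; the first matching rule wins. A packet that
        belongs to a tracked connection is ESTABLISHED, anything else is NEW,
        whatever its ACK flag claims."""
        key = self._key(pkt, direction)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"
        verdict = self.default
        for r in self.rules:
            if self._rule_matches(r, pkt, direction, state):
                verdict = r.action
                break
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add(key)   # remember it so that replies are allowed
        return verdict


# A typical host policy: allow replies to anything tracked, allow SSH only
# from the LAN, allow all outbound connections, drop the rest.
RULES = [
    Rule("ACCEPT", "in", state="ESTABLISHED"),
    Rule("ACCEPT", "out", state="ESTABLISHED"),
    Rule("ACCEPT", "in", dport=22, src_net="10.0.0.0/24", state="NEW"),
    Rule("ACCEPT", "out", state="NEW"),
]


def demo() -> dict:
    """Constructed traffic using documentation addresses, not real hosts."""
    fw = StatefulFilter(RULES)
    host, lan, attacker, web = "10.0.0.1", "10.0.0.7", "198.51.100.9", "203.0.113.5"
    v = {}
    # unsolicited inbound SYN to the web port: no rule allows it
    v["inbound_new_80"] = fw.filter(Packet(attacker, 40000, host, 80, "S"), "in")
    # ACK-scan probe that a stateless "allow ACK" rule would pass: untracked, so NEW
    v["inbound_ack_scan"] = fw.filter(Packet(attacker, 40001, host, 80, "A"), "in")
    # SSH from the LAN is NEW but permitted; the reply is then ESTABLISHED
    v["lan_ssh_new"] = fw.filter(Packet(lan, 51000, host, 22, "S"), "in")
    v["lan_ssh_reply"] = fw.filter(Packet(host, 22, lan, 51000, "SA"), "out")
    # SSH from the Internet: same port, wrong source network
    v["wan_ssh_new"] = fw.filter(Packet(attacker, 51001, host, 22, "S"), "in")
    # host browses out; the server's reply is accepted, a fresh connection back is not
    v["outbound_http"] = fw.filter(Packet(host, 60000, web, 80, "S"), "out")
    v["http_reply"] = fw.filter(Packet(web, 80, host, 60000, "SA"), "in")
    v["web_callback"] = fw.filter(Packet(web, 80, host, 60001, "S"), "in")
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The ACK-scan case is the one that separates a stateful filter from a stateless one: a filter that approximates "established" by looking for the ACK flag would let that probe through and reveal which ports are filtered, whereas the tracked-connection test drops it.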

Network IDS

A network intrusion detection system (IDS) sits passively on a network segment, monitoring and examining the traffic that passes by. When it sees traffic matching something it has been configured to react to, it logs the event and may send an alert to the administrator, since this may indicate an intrusion attempt. A conventional IDS is passive: it only records the anomalous traffic it observes, and any reaction is left to other processes or devices. (In recent times, however, there has been a tendency to combine intrusion detection and intrusion prevention in a single device.) A very popular and widely used OSS network IDS is Snort [30]; many commercial products use or are based on it.

Snort

Snort is a lightweight network intrusion detection system. It performs real-time traffic analysis and packet logging, together with protocol analysis and content searching and matching, and can detect a wide variety of attacks and probes. Its flexible rules language describes the traffic it should alert on, log or pass, so the signature set for suspicious traffic can be updated and customised easily by the user. Because an attacker can split a matching string across several packets, Snort reassembles TCP streams and fragmented IP datagrams before matching; an IDS that inspects packets one at a time can be evaded this way. The detection engine has a modular plugin architecture, so third-party enhancements can be added, including tools for data and log analysis, front-ends and so on.

Fig. FWBuilder Interface for Netfilter/IPTables


Port Scanner

In a network environment a server is software that provides a service, and a client is software that accesses the service(s) provided by one or more servers. Client and server may run on the same computer or communicate remotely across a network using some networking protocol; today the ubiquitous TCP/IP protocol suite is used both on internal networks and on the Internet.

In a typical TCP/IP network, a server process, once started, listens on the host's IP address at a particular internal address within the host's networking stack for incoming client connections. This internal address is known as a “port”; port numbers range from 0 to 65535. To connect to a service, therefore, a client must know both the IP address of the host running the server and the port on which the server is listening.

Server ports can be well-known (agreed and assigned by the Internet and TCP/IP standards, for example 22 for SSH, 25 for SMTP and 80 for HTTP), or arbitrarily configured for a given server. One of the most important security considerations on a network is therefore to know exactly which ports are in use by server processes, or “open”, on each host, because attackers will try to attack the programmes (processes) servicing those open ports in order to compromise the host remotely. A tool called a port scanner, which can check or scan for the ports reachable on a computer over the network, is therefore very useful to attacker and defender alike.

Nmap

Nmap [31] is easily the best known and most popular port scanner in use today. It runs on many types of computer and operating environment. It is designed to scan large networks rapidly and can determine which hosts are available on the network and which services (ports) they offer. It can also guess, with a relatively high degree of accuracy, the operating system (and version) a host is running, and what kind of firewall, if any, is in the way. Nmap is a compact, fast-starting command-line tool that is easy to use; a graphical front-end, Nmapfe, is available for users who prefer a GUI. A scan is not invisible to its target: a plain TCP connect scan completes the three-way handshake and will appear in the target's service logs, and a network IDS such as Snort will normally flag port scans from any source.

Vulnerability Scanner

A vulnerability scanner is software that audits a given network remotely and determines whether the hosts on it are susceptible to the vulnerabilities recorded in its database. There are several well-known open source vulnerability scanners, but the most popular is easily Nessus [32].

Fig. Nmapfe


Nessus

Nessus is very fast and has a modular architecture. Each security or vulnerability test is written as an external plugin, so it is easy to add tests of your own. A scripting language (NASL, the Nessus Attack Scripting Language) allows a security test to be written easily and quickly, and the Nessus project website maintains a vulnerability database that is updated daily.

The Nessus Security Scanner consists of two parts: a server, which performs the tests, and a client, which is the front-end with which the user interacts. Server and client can run on the same computer or on different systems connected by a network. Clients are available for various platforms, including a Java version and one for MS Windows; the server, however, has to run on a Unix or Linux system. Because the scanner actively exercises the vulnerabilities in its database, some tests can crash or disrupt fragile services, so scans of production systems should be authorised and scheduled in advance. (Nessus later moved to a proprietary licence with version 3; the last GPL release, Nessus 2, was forked as OpenVAS.)
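To make the port-scanner and vulnerability-scanner ideas from the last two sections concrete, the following Python example (added here; it is neither Nmap nor Nessus code) performs a parallel TCP connect scan, grabs whatever banner each open port sends, and compares the banners against a small constructed table of known-bad version strings in the way a banner-matching scanner plugin would. The target is a throw-away listener started on 127.0.0.1 inside demo(); the service name “ExampleFTPd 1.0” and the finding attached to it are hypothetical, and so are the function names.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> Tuple[int, bool, str]:
    """TCP connect() probe of one port: (port, is_open, banner). Like nmap -sT
    it completes the handshake, so the target's service logs will record it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:
            return port, False, ""
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except OSError:          # a service that waits for the client to speak first
            banner = ""
        return port, True, banner


def scan(host: str, ports: Iterable[int], workers: int = 32) -> Dict[int, str]:
    """Parallel connect scan; returns {port: banner} for the open ports only."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for port, is_open, banner in results if is_open}


# Constructed stand-in for a scanner's vulnerability database: a banner prefix
# and the finding to report. "ExampleFTPd" is hypothetical software.
KNOWN_BAD_BANNERS = {
    "ExampleFTPd 1.0": "hypothetical: ExampleFTPd 1.0 allows anonymous upload",
}


def check_banners(open_ports: Dict[int, str]) -> List[Tuple[int, str]]:
    """The simplest kind of vulnerability test: match the version string a
    service announces against a list of known-vulnerable versions."""
    return [(port, finding)
            for port, banner in open_ports.items()
            for prefix, finding in KNOWN_BAD_BANNERS.items()
            if banner.startswith(prefix)]


def start_target(banner: bytes):
    """Throw-away local service for the demo: greets each client with banner.
    Returns (port, stop) where stop() shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(16)
    srv.settimeout(0.1)
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopping.set


def demo() -> dict:
    """Scan a handful of ports around the constructed target on localhost."""
    port, stop = start_target(b"ExampleFTPd 1.0 ready\r\n")
    try:
        open_ports = scan("127.0.0.1", range(port - 4, port + 5))
        findings = check_banners(open_ports)
    finally:
        stop()
    return {
        "target": port,
        "open": open_ports,
        "findings": findings,
        "target_found": port in open_ports,
        "target_flagged": any(p == port for p, _ in findings),
    }


if __name__ == "__main__":
    print(demo())
```

Only the constructed target's port should come back open and flagged; any other port in the range that happens to be open on the machine is simply listed with whatever banner it sent. Nessus-style tests go well beyond banner matching, but version matching is exactly why leaving accurate version strings in service banners makes an attacker's reconnaissance easier.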

Network Protocol Analyser

A network protocol analyser lets a user look at the data flowing on the network. It understands many networking and network-service protocols, so with it one can “snoop” on the conversation between client and server processes. This is very useful for troubleshooting and for understanding the technical details of networking and network applications. The same ability to tap and capture network data can of course be used by the “bad guys” to sniff out confidential and sensitive data such as unencrypted passwords and account information; as with most of the security tools described here, whether it is used for good or ill is up to the user. The defender's countermeasure is to encrypt the traffic (SSH instead of telnet, TLS instead of plain HTTP or POP), so that a captured session reveals nothing useful. There are several well-known OSS network protocol analysers, and one of the most popular is Ethereal [33].

Fig. Nessus Plugins


Ethereal

Ethereal claims to be the world's most popular network protocol analyser, and there is some justification for the claim, as it is very widely used by security professionals, network engineers, home users and PC support personnel alike. It is available for all major OSS platforms as well as for MS Windows. (The project was renamed Wireshark in 2006 and continues under that name.)

Ethereal allows network traffic to be examined either live from a network interface or from a capture file, and comes with a graphical interface for packet capture, examination and analysis. The user can browse the captured data interactively, viewing summary and detail information for each packet, and a rich display-filter language helps to focus on the packets of interest. One particularly useful feature is the ability to view the reconstructed data stream of a TCP session, so the user does not have to understand the protocol in question to read the information being transmitted: the analyser reorders the captured segments by sequence number, discards retransmissions and joins the payloads.

Ethereal can read capture files from many packet sniffers, e.g. tcpdump (libpcap), NAI's Sniffer and Sniffer Pro, Sun's snoop and atmsnoop, AIX's iptrace, Microsoft's Network Monitor, etc. The physical network interfaces supported include Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11 and Classical IP over ATM. Over 500 protocols can currently be dissected, including TCP/IP, IPX, SMB and many more.
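The “follow the TCP stream” reconstruction just described, and the reason an IDS such as Snort (see the Network IDS section above) must do the same before content matching, can be demonstrated together. The Python below is an added example, not code from Ethereal or Snort: reassemble() rebuilds one direction of a TCP stream from out-of-order and retransmitted segments, parse_rule() accepts a small subset of Snort's rule syntax (header plus msg, content and nocase), and demo() shows a constructed HTTP request whose /etc/passwd string straddles a segment boundary, so that per-packet matching misses it while matching on the reassembled stream catches it. The rule, the request and the sequence numbers are constructed; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment of one direction of one session (constructed)."""
    seq: int
    payload: bytes


def reassemble(segments: Iterable[Segment], isn: int) -> bytes:
    """Rebuild one direction of a TCP stream the way an analyser's "follow
    stream" view does: order by sequence number, drop retransmissions, trim
    bytes already seen when segments overlap (keeping the earlier copy), and
    stop at the first gap instead of silently joining across it."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                      # pure retransmission: nothing new
        if seg.seq > expected:
            break                         # hole in the capture: stop here
        stream += seg.payload[expected - seg.seq:]
        expected = end
    return bytes(stream)


# Snort-style header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+"
    r"(?P<dport>\d+|any)\s*\((?P<opts>.*)\)$"
)


def parse_rule(text: str) -> dict:
    """Parse a small subset of Snort's rule language: the header plus the
    msg, content and nocase options (no |hex| content, no modifiers)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    opts = {}
    for opt in (o.strip() for o in m["opts"].split(";")):
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    nocase = "nocase" in opts
    content = opts["content"].encode()
    return {
        "action": m["action"],
        "dport": m["dport"],
        "msg": opts.get("msg", ""),
        "content": content.lower() if nocase else content,
        "nocase": nocase,
    }


def matches(rule: dict, dport: int, data: bytes) -> bool:
    """Content match of one rule against a packet payload or a whole stream."""
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    return rule["content"] in (data.lower() if rule["nocase"] else data)


def demo() -> dict:
    rule = parse_rule(
        'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd"; '
        'content:"/etc/passwd"; nocase; sid:1122;)'
    )
    isn = 1000
    request = (b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\n"
               b"Host: www.example.test\r\n\r\n")
    # the attacker splits the request so "/etc/passwd" straddles two segments,
    # delivers them out of order and retransmits the first one
    cut = request.index(b"/etc/passwd") + 4
    segments = [
        Segment(isn + cut, request[cut:]),
        Segment(isn, request[:cut]),
        Segment(isn, request[:cut]),
    ]
    stream = reassemble(segments, isn)
    return {
        "stream_ok": stream == request,
        "per_packet_hit": any(matches(rule, 80, s.payload) for s in segments),
        "stream_hit": matches(rule, 80, stream),
        "msg": rule["msg"],
    }


if __name__ == "__main__":
    print(demo())
```

Real reassemblers also have to decide what to do when overlapping segments carry conflicting bytes. Different operating systems keep the old or the new data, so an IDS that resolves the overlap differently from the target host sees a different stream and can be evaded; this is why a serious IDS reassembler has to be aware of the target's behaviour rather than applying one fixed policy as the toy above does.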

Fig. Ethereal Network Traffic Capture

SUMMARY

This document has shown that many fears about the insecurity of OSS are unfounded. In fact OSS can offer many advantages from the security viewpoint, and mainstream OSS projects generally have good quality and security control. OSS is not inherently more or less secure than proprietary software; irrespective of the type of software deployed, what matters more is that an organisation implements security best practices and has security personnel who understand the security processes involved.

Many powerful and useful open source security tools and applications are available today. Their features are comparable to, and in some cases surpass, those of commercial proprietary products, and they can be used to implement cost-effective security measures.

REFERENCES

1. Nah Soo Hoe, “Free and Open Source Software – Origins, Benefits, Myths and Realities”, http://opensource.mimos.my/fosscon2003cd/paper/paper_nah_soo_hoe.html
2. “The Free Software Definition”, http://www.fsf.org/philosophy/free-sw.html
3. “History of the OSI”, http://www.opensource.org/docs/history.php
4. “The Open Source Definition”, http://www.opensource.org/docs/definition.php
5. Eric Raymond, “The Cathedral and the Bazaar”, http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/
6. “Open Sources: Voices from the Open Source Revolution”, http://www.oreilly.com/catalog/opensources/book/toc.html
7. Davor Cubranic, “Open-Source Software Development”, http://sern.ucalgary.ca/~maurer/ICSE99WS/Submissions/Cubranic/Cubranic.html
8. Siobhan O’Mahony, “Guarding the Commons: How Community Managed Software Projects Protect Their Work”, http://www.people.hbs.edu/somahony/Research Policy article.pdf
9. Siobhan O’Mahony, “Non-Profit Foundations and Their Role in Community-Firm Software Collaboration”, http://www.people.hbs.edu/somahony/Non Profit Foundations paper.pdf
10. Full Disclosure security mailing list, http://lists.netsys.com/mailman/listinfo/full-disclosure
11. Bugtraq security mailing list, http://archives.neohapsis.com/archives/bugtraq/
12. Caron Carlson, “Allchin: Disclosure May Endanger U.S.”, May 13 2002, http://www.eweek.com/article2/0,3959,5264,00.asp
13. Kevin Poulsen, “Borland Interbase backdoor exposed”, http://www.theregister.co.uk/2001/01/12/borland_interbase_backdoor_exposed/
14. Joe Wilcox, “Microsoft secret file could allow access to Web sites”, http://news.com.com/2100-1001-239273.html?legacy=cnet
15. T. J. Halloran and William L. Scherlis, “High Quality and Open Source Software Practices”, http://opensource.ucc.ie/icse2002/HalloranScherlis.pdf
16. Jason E. Robbins, “Adopting Open Source Software Engineering (OSSE) Practices by Adopting OSSE Tools”, http://www.ics.uci.edu/~wscacchi/Papers/New/Robbins-msotb-OSSE-Aug03.pdf
17. CVS website, http://www.cvshome.org/
18. Subversion website, http://subversion.tigris.org/
19. Bugzilla website, http://www.bugzilla.org/
20. GNATS website, http://www.gnu.org/software/gnats/
21. Scarab website, http://scarab.tigris.org/
22. Clam AntiVirus website, http://www.clamav.net/
23. ClamWin website, http://clamwin.sourceforge.net/
24. SpamAssassin website, http://spamassassin.apache.org/
25. OpenBSD website, http://www.openbsd.org/
26. Bastille Linux website, http://bastille-linux.org/
27. Tripwire website, http://www.tripwire.org/
28. Netfilter website, http://www.netfilter.org/
29. Firewall Builder website, http://www.fwbuilder.org/
30. Snort website, http://www.snort.org/
31. Nmap website, http://www.insecure.org/nmap/
32. Nessus website, http://www.nessus.org/
33. Ethereal website, http://www.ethereal.com/

Note: This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

ADVANCING SECURITY –

BUILDING TRUST IN COMPUTING

Based in Singapore, Meng-Chow is the regional Chief Security & Privacy Advisor for Microsoft

Asia Pacific region. His current responsibilities include developing and implementing the

Microsoft’s trustworthy computing strategy in the region, and providing advice and guidance

to customers and IT professionals on security best practices and solutions for implementing

and managing information security in their organisations.

Meng-Chow has been a practising information security professional for more than 17 years, with experience spanning technical and management roles in security and risk management held in the Singapore government, major financial institutions and a security technology provider. His last position prior to Microsoft was Vice President and Regional Information Risk Officer of JPMorgan Chase.

Meng-Chow has recently been appointed as a board member of the Asia Advisory Board for

the International Information Systems Security Certification Consortium (ISC2). Since 1998,

Meng-Chow has also been concurrently chairing the Singapore’s IT Security and Privacy

Standards Technical Committee (SPSTC).

Meng-Chow received his MSc degree in Information Security from the Royal Holloway and

Bedford New College, University of London, has been a Certified Information Systems

Auditor (CISA) since 1997, and a Certified Information Systems Security Professional

(CISSP) since 1998.

MENG-CHOW KANG CISSP, CISA

REGIONAL CHIEF SECURITY & PRIVACY ADVISORMICROSOFT ASIA PACIFIC


ABSTRACT

With the emergence of the Nimda and Code Red viruses, we have entered a new era where cyber

security has become a critical issue, where identities can be stolen, breaches occur, and

where malicious hackers can wreak far more havoc than ever before, making computing seem

less productive, more frustrating, and a lot less pleasant. In addition to causing short term

financial losses and users’ inconveniences, they dilute businesses and users’ confidence and

trust of technology over time.

To address the challenges of cyber security, in January 2002, Microsoft launched a

companywide Trustworthy Computing Initiative to help ensure a safe and reliable computing

experience that is both expected and taken for granted. Microsoft’s Trustworthy Computing is

designed to deliver the level of trust and responsibility that people expect from the computing

industry: Security, Privacy, Reliability, and Business Integrity.

This article describes the security initiatives and approaches taken to address both short and

long term security challenges faced by businesses and users, the progress to date, and the

roadmap ahead covering people, process, and technology involved in building trust in computing.

NEEDS FOR TRUSTWORTHY COMPUTING

The proliferation of the Internet since the early 1990s and the evolution of technology over the past three decades have brought many benefits to businesses and computer users around the world. Besides closing geographical distances and enabling online communication and collaboration across the globe in near real time, vast volumes of digitised information can now be stored, searched and retrieved efficiently over the Internet, through both wired and wireless connectivity at a variety of end points. Online banking, electronic bill payment, auctions, shopping, and the usual e-mail and instant messaging are but a few examples. At the user's end this takes place seamlessly not only on PC systems but also on Personal Digital Assistants (PDAs) and mobile phones.

Along with these advances in information technology and global connectivity, we have seen a similar development in malicious software. With the Nimda and Code Red viruses, which caused a rapid and massive slowdown of the Internet (more than 250,000 systems within nine hours and up to 40% degradation, according to some news reports), denial of service to many online businesses, and substantial financial losses (estimated by some research firms at over US$3 billion), we have entered a new era in which cyber security has become a critical issue. It is an era in which identities can be stolen, breaches occur, and malicious hackers can wreak far more havoc than ever before, making computing seem less productive, more frustrating, and a lot less pleasant.

Such malicious software exploits weaknesses not just in computer systems and software but also in human behaviour. In addition to causing short-term financial losses and inconvenience to users, it erodes the confidence and trust of businesses and users in technology over time. To address the challenges of cyber security, in January 2002 Microsoft launched a company-wide Trustworthy Computing Initiative to help ensure a safe and reliable computing experience that is both expected and taken for granted.

The goals Microsoft set for Trustworthy Computing are designed to deliver the level of trust and

responsibility that people expect from the computing industry: Security, Privacy, Reliability, and

Business Integrity.

• Security means resilient to attack, and capable of maintaining the confidentiality, integrity, and availability of systems and data, amid increasingly frequent and sophisticated network attacks.

• Privacy means people can expect and demand control over access to and use of their personal information when they use computers to manage information important to their everyday lives.

• Reliability means people can look forward to a consistently trouble-free computing experience, as computers become increasingly central to how they work and live.

• Business integrity relates to the way the industry behaves in terms of addressing issues and finding solutions to challenges. Belief in technology is stronger when the industry is responsive, responsible, and respectful.

Success with Trustworthy Computing (TwC) is not an easy task; it will take many years before technology is trusted.

Security is a core tenet of Trustworthy Computing and critical for building trust in computing. It is also a key concern of our customers today. This paper describes the security initiatives that Microsoft has taken and is implementing to address both short- and long-term security challenges faced by our customers and the industry in general, our progress to date, and the roadmap ahead. Similar initiatives have been launched under the other three pillars of Trustworthy Computing; they are described on the Microsoft Trustworthy Computing web site at http://www.microsoft.com/twc/.

SECURITY ENABLED BUSINESS

Security is about the management of risk, balanced against the business value of our interconnected systems. We want to move from a reactive security posture to one that is planned and proactive. We call this a “Security Enabled Business”.

Fundamentally, we start with the goal of reducing unacceptable risk through a combination of three things: assessment, improving the isolation and resiliency of software in the presence of malicious code, and developing and implementing controls in environments to manage risk.

Complementing this, we can increase business value by investing and developing capabilities

based on new security technologies that enable automation of key business scenarios that


would not have been possible before. This can allow connections with customers, integration

with partners and empowering employees in totally new ways.

Security sometimes seems too simple a term for the many aspects of business and information

technology that it touches. Even just looking at security from an IT viewpoint, we want to

protect networks, systems, data, processes and users. For each of those areas, people,

processes and technology are necessary to manage the security business risk.

In technology, we’re focused on:

• Building greater isolation and resiliency into the computing platform

• Providing customers with the latest and most effective advanced updating methods

• Enabling new business scenarios through integrated authentication, authorization

and access control options

• Improving quality by enabling engineering excellence

Spanning across the efforts in these four technological categories is our underlying commitment

to delivering customer guidance and engagement: prescriptive security guidance,

supportive tools and responsiveness. This involves helping both business customers and

consumers to be both aware and empowered to help make their IT environments, their PCs –

and by extension the Internet at large – more secure.

ISOLATION AND RESILIENCY

In 2001, when the Nimda virus was released, 331 days had passed since the security patch for the vulnerability it exploited became available. By the time of the SQL Slammer virus in early 2003, the period between the availability of the patch and the release of the worm had shrunk to 180 days. In August 2003, the author of the Blaster worm took just 25 days to reverse engineer the security patch for the vulnerability it exploited.

Today it takes, on average, about nine days for a perpetrator to reverse engineer a patch, create an exploit and package it as a worm or virus. This is clearly a significant concern to all of us, including Microsoft.

Implementing an effective and responsive patch management process, so that critical security updates are applied promptly, is an important step in managing this growing concern, but relying on patch management alone is clearly insufficient. First, it takes time for a security patch to be developed. Next, once the patch is available, a business needs to test it with its own applications to ensure that application services are not affected. Finally, it takes a further finite period for the patch to be installed before it can protect the system from harm. While all this is taking place, we need our computer systems to be protected against any exploit that may have been released before the patch is available or deployed. In other words, we need computer systems that are resilient in the presence of worms and viruses and, at the same time, able to isolate themselves from unsafe networks. Greater resiliency will enable customers to communicate and collaborate more securely, and Microsoft is focusing on the development of security technologies designed to make this vision a reality.

This vision begins with new security enhancements in Windows XP Service Pack 2, including technologies to address threats from port-based attacks, malicious e-mail attachments, malicious web content and buffer overruns. The following is a summary of the key isolation and resiliency capabilities delivered in Windows XP Service Pack 2.

• Network protection: Windows Firewall will be enhanced with more granular policy controls

and turned on by default to help stop network-based attacks by closing unnecessary ports.

• Safer e-mail and instant messaging: Default settings have enhanced security, improved

attachment control using the Attachment Execution Service (AES) API. Potentially unsafe

attachments that are sent through e-mail and instant messages are isolated so that they

cannot affect other parts of the system. This results in security and reliability enhancements

for applications such as Microsoft Outlook, Outlook Express and Windows Messenger.

• Attachment Manager: Stronger default protection against viruses spread through

Outlook® Express, Windows Messenger and Internet Explorer by isolating potentially unsafe

attachments during the opening process.

• Safer web browsing: Installs code-level changes in Internet Explorer that help protect

against certain types of exploits.

– Restricts script-initiated windows that are used to fool users by hiding Internet Explorer

controls and concealing malicious activity.

– Limits a hacker’s ability to attack a PC by restricting HTML in the local machine zone

from running with elevated system privileges; and warns customers about potentially

harmful downloads and helps them block unwanted software.

• Centralized management of Windows Firewall and Internet Explorer, which provides system administrators with more configuration options for Windows Firewall and Internet Explorer, such as Group Policy, command line, multicast support and unattended setup. Windows XP SP2 also enables administrators to better manage applications and increase compatibility with Windows Firewall by allowing only the ports needed by an application to be opened.

• Internet Explorer Add-on Manager, which allows administrators to easily manage and enforce a list of add-ons to Internet Explorer that are either permitted or disabled, to enhance security and reduce the potential for crashes.

• Internet Explorer Pop-up Blocker, which is enabled by default, makes browsing the

Internet more enjoyable by enabling people to reduce unwanted ads and content.

• Internet Explorer Information Bar, which is a new toolbar provides better information

about Internet Explorer settings and alerts customers to unsigned controls and downloads.

• Internet Explorer download monitoring, a new feature that identifies and warns

customers about potentially harmful downloads and helps them block unwanted and

unauthorized code.

• Enhanced memory protection: This reduces the threat of buffer overruns through compiler check improvements (the system components were rebuilt with stack-protection checks) and, on processors that support it, hardware-enforced Data Execution Prevention, which marks data pages non-executable. A buffer overrun results from writing more data into a buffer than it was designed to hold; an attacker may exploit such a bug to take over a system.

• Windows Security Center, which provide the ability to automatically check the status of

crucial security functionality such as firewall, automatic update and anti-virus. The feature

will tell a customer whether key security capabilities are turned on and up-to-date. When a

problem is detected, they will receive a notification and recommended actions to help

protect their computer.

These security capabilities in Windows XP Service Pack 2 are the first step towards a new vision for active protection technology that will proactively adjust computer defences based on changes of state or security readiness, contain the impact and spread of viruses and worms, and greatly reduce the risk of attacks compromising the system. This protection technology is designed to run on clients and servers and will have the following capabilities:

• Dynamic system protection to proactively adjust defenses on each computer based on

changes in state, reducing the likelihood of a successful attack.

• Behavioral blocking to limit the ability of viruses and worms to cause damage once on

a computer, containing attacks and acting as a last line of defense.

• Application-aware firewall and intrusion prevention to identify malicious traffic and

stop it, helping to prevent infection.

Another important technology investment in the area of Isolation and Resiliency is client

inspection, sometimes also referred to as “quarantine.”

Many companies have been using Internet firewalls and have pretty good perimeter security

policies and procedures. However, we’ve found that even with good perimeter security, there

are several scenarios where machines either connect to or cross the perimeter and

dynamically move from an unsafe network into corporate networks – users connecting from

home, returning laptops, or vulnerable desktops that have been turned off, perhaps during an

employee vacation.


The concept of client inspection involves two steps:

1. Health check. The machine is checked to ensure that it meets company policy for connecting to the network. The server at the point of connection can check the update level, check that anti-virus is on and up to date, and check that there are no other unprotected network connections bridging into the corporate network.

2. Advanced isolation. Machines that fail the health check can be blocked, or isolated either completely or on a restricted network. Isolated clients can then be given access to update servers or other restricted machines in order to get healthy.

The base capability of client inspection for Virtual Private Network (VPN) connections shipped in Windows Server 2003 (WS2003) and is enabled with the WS2003 resource kit. Customers can implement VPN client inspection using WS2003 and custom scripts.

We have a white paper at http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx describing how to do VPN client inspection. Our research and development teams are looking at other protocols, beyond VPN, to determine how to advance this concept further and deliver it to customers.
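The two-step concept above, as an added example that is not part of the paper or of the WS2003 quarantine scripts: a point-of-connection server evaluates the client's reported state against the three checks listed (update level, anti-virus status and age, bridged connections) and either admits it or places it on a restricted network that reaches only remediation hosts. The policy values, host names and the shape of the client report are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy values; a real deployment takes these from the connection policy.
REQUIRED_UPDATES = {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}
MAX_SIGNATURE_AGE_DAYS = 7
# Hosts an isolated client may still reach in order to get healthy (assumed names).
REMEDIATION_HOSTS = ["updates.corp.example", "av-signatures.corp.example"]


@dataclass
class ClientReport:
    """Health data the client agent sends at connection time (constructed shape)."""
    installed_updates: set
    antivirus_enabled: bool
    signature_date: str        # ISO date of the newest anti-virus signatures
    active_interfaces: list    # names of live network links; "vpn" is the tunnel itself


def health_check(report: ClientReport, today: str) -> list:
    """Step 1, the health checkup: return every policy failure (empty means healthy)."""
    failures = []
    missing = REQUIRED_UPDATES - report.installed_updates
    if missing:
        failures.append("missing updates: " + ", ".join(sorted(missing)))
    if not report.antivirus_enabled:
        failures.append("anti-virus is not running")
    else:
        age = (date.fromisoformat(today) - date.fromisoformat(report.signature_date)).days
        if age > MAX_SIGNATURE_AGE_DAYS:
            failures.append("anti-virus signatures are %d days old" % age)
    # Any link other than the tunnel bridges an unprotected network into the corporate one.
    bridges = [name for name in report.active_interfaces if name != "vpn"]
    if bridges:
        failures.append("other network connections active: " + ", ".join(bridges))
    return failures


def admission_decision(report: ClientReport, today: str) -> dict:
    """Step 2, isolation: healthy clients join the corporate network; the rest are
    placed on a restricted network that reaches only the remediation hosts."""
    failures = health_check(report, today)
    if not failures:
        return {"network": "corporate", "allowed_hosts": ["*"], "reasons": []}
    return {"network": "restricted", "allowed_hosts": list(REMEDIATION_HOSTS),
            "reasons": failures}


def demo() -> dict:
    """Two constructed clients connecting on 2005-06-01."""
    healthy = ClientReport({"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, True, "2005-05-30", ["vpn"])
    stale = ClientReport({"KB-EXAMPLE-001"}, True, "2005-04-01", ["vpn", "wlan0"])
    return {"healthy": admission_decision(healthy, "2005-06-01"),
            "stale": admission_decision(stale, "2005-06-01")}
```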

ADVANCING UPDATES

While isolation and resiliency would provide additional protection to computer systems and networks against new attacks, they do not close the security vulnerability involved. Applying security patches is still necessary to remove the vulnerability that is being exploited. It is therefore critical that we continue to make improvements and advance the quality of our updating technology and associated processes to make it simple for users and enterprises to update efficiently, reducing downtime and improving manageability.

In October 2003, we moved to monthly releases of updates to improve predictability and manageability, and to reduce the burden on IT administrators (although we will continue to release updates out-of-cycle to protect customers in the case of an active threat).

We are making improvements in update packages in several ways based upon extensive interaction with customers:

• Reduce Complexity – In the pursuit of innovation in the past, product teams developed and were using eight different installation packages. We are in the process of converging all of those down to two installers, one for operating systems and one for layered applications, both providing a single update package experience with a single set of command line options.

• Reduce Risk – We continue to improve our quality assurance processes to reduce any possibility of recall; further, as we move to the single patch experience, each package will also have rollback capability.

• Reduce Size – As we move to the new update package, we are also improving our backend update infrastructure and update agents to implement “delta updating”, so that we only have to send down DLL differences, rather than full DLLs. Our tests show that packages will be reduced in size by 30% to 80%, saving both space and bandwidth during deployment. This is a huge improvement for business users, and it should speed deployment especially for dial-up users with lower connection speeds.

• Reduced Reboots – We understand that reboots are a disruptive issue for the enterprise and have implemented standards to reduce any unnecessary reboots. Existing architecture limits our ability to improve this beyond about 10–30%, but we are implementing architectural changes in the Longhorn wave of products that will take this progress significantly further in reducing reboots.

• Extend Automation – Our update tools currently span Windows Update for home and SMB users; SUS, an enterprise server that allows administrators to approve a patch for agents to apply; and SMS, our systems management product.
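The “delta updating” and rollback ideas in the list above, as an added example that is not Microsoft's update format or installer code: a block-level delta ships only the blocks of a file that changed, the client refuses a delta built against a different base version and verifies the rebuilt file, and the installer keeps the previous bytes so a bad update can be rolled back. The block size, hash choice and the constructed 16 KiB “DLL” are assumptions; real delta formats work at byte granularity and cope with insertions that shift block boundaries.

```python
import hashlib

BLOCK = 4096  # constructed block size; production delta formats diff at byte level


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_delta(old: bytes, new: bytes) -> dict:
    """Describe `new` as a sequence of blocks that are either copied from `old`
    (by block index) or shipped literally, so only changed blocks travel."""
    old_index = {sha256(old[i:i + BLOCK]): i // BLOCK for i in range(0, len(old), BLOCK)}
    ops = []
    for i in range(0, len(new), BLOCK):
        chunk = new[i:i + BLOCK]
        digest = sha256(chunk)
        if digest in old_index:
            ops.append(("copy", old_index[digest]))
        else:
            ops.append(("literal", chunk))
    return {"ops": ops, "old_hash": sha256(old), "new_hash": sha256(new)}


def delta_size(delta: dict) -> int:
    """Approximate wire size: literal bytes plus a small fixed cost per copy op."""
    return sum(len(arg) if kind == "literal" else 8 for kind, arg in delta["ops"])


def apply_delta(old: bytes, delta: dict) -> bytes:
    """Rebuild the new file; refuses a mismatched base and verifies the result."""
    if sha256(old) != delta["old_hash"]:
        raise ValueError("installed file is not the version this delta was built against")
    out = bytearray()
    for kind, arg in delta["ops"]:
        out += old[arg * BLOCK:(arg + 1) * BLOCK] if kind == "copy" else arg
    if sha256(bytes(out)) != delta["new_hash"]:
        raise ValueError("rebuilt file failed integrity check")
    return bytes(out)


class Installer:
    """Keeps the previous bytes so a bad or unwanted update can be rolled back."""

    def __init__(self, installed: bytes):
        self.installed = installed
        self.previous = None

    def install(self, delta: dict) -> bool:
        try:
            rebuilt = apply_delta(self.installed, delta)
        except ValueError:
            return False          # nothing changed, so nothing to roll back
        self.previous, self.installed = self.installed, rebuilt
        return True

    def rollback(self) -> bool:
        if self.previous is None:
            return False
        self.installed, self.previous = self.previous, None
        return True


def demo() -> dict:
    """Constructed 16 KiB 'DLL' with a ten-byte change inside one block."""
    old = bytes((i * 7919) % 251 for i in range(16 * 1024))
    new = bytearray(old)
    new[5000:5010] = b"PATCHED!!!"
    new = bytes(new)
    delta = make_delta(old, new)
    inst = Installer(old)
    ok = inst.install(delta)
    return {"ok": ok, "updated": inst.installed == new, "full": len(new),
            "delta": delta_size(delta), "rolled_back": inst.rollback() and inst.installed == old}
```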

We are also improving testing processes to minimize update inconsistencies and recall rates, and by the time this article goes to print, most of our updates will have full rollback capabilities.

On the back end, we currently have Office Update, Windows Update, the Download Center and Visual Studio Update. On the front end for users, we have Windows Update, Software Update Server (SUS) and Systems Management Server. In addition, an assortment of tools like the Office Inventory Tool and MS Baseline Security Analyzer are integrated with these back-ends. But with these multiple scan tools and multiple back-ends, we increase our chance of inconsistent experiences that are operationally expensive, or worse – inconsistent results from multiple scan tools for the same patch. So driving toward a common repository in the sky, and a common scan tool, is critically important to Microsoft and our customers.

By the end of the year, we will be rolling out a new common infrastructure based upon a “single update experience”.

A new repository to contain all updates from Microsoft will be formed, called Microsoft Update. There will still be a Windows Update site where Windows systems are sent by default to stay up to date, but MS Update will become a superset of all MS update content.

Secondly, we will consolidate to a single product scanner in this timeframe. The Windows Update Services client will form the basis for all patch compliance scans from MS, and has a rich set of APIs so that all vendors in this space can use it to determine compliance on Windows today. SMS 2003 will move immediately to this new scan tool as a replacement for the MBSA it relies upon today for enterprise compliance, and our MBSA tool will be rebuilt to use the output from the WUS agent to ensure consistency for our customers in scanning Windows.

Finally, we will be releasing updates to our many solutions for corporations, like Software Update Services and SMS 2003. Windows Update Services (WUS) will be released as the next version of SUS. This will allow WUS to retrieve updates for other products like SQL, Exchange and Office from the MS update cloud, as well as add some extra functionality necessary for many companies that just need simple updating to be successful.


SMS will continue to be our systems management tool of choice for large enterprises and complex patching needs, and will integrate with the new WUS scanner for consistency across update management from Microsoft. SMS 2003 will also continue to be updated with improved vulnerability assessment, reporting and update deployment capabilities.

AUTHENTICATION, AUTHORIZATION, AND ACCESS CONTROL

While addressing the issue of external attacks through exploitation of software vulnerabilities, we should not lose sight of other security breaches that could take place if inadequate security controls are implemented across the IT infrastructure, from network, platform and application to data. A strong mechanism for authentication, authorization, and access control is essential to help ensure an organisation’s security in an era where there are many potential opportunities for unauthorized individuals to gain access. This is one of the most basic security needs in any given business situation.

There are many enabling security features that are available today in products or product updates, and upon which we are researching further advances for the future. Let’s discuss four important scenarios for customers where security technology is enabling businesses and users to do more:

• Network Security: Deep Windows integration of IPSec is helping provide capabilities for easy-to-manage virtual network segmentation for secure, private projects. Microsoft uses this technology internally to wall off the development and source code servers and only allow access to project team members. Any other internal employee, even armed with a network sniffer, would not be able to access or modify those servers. Similarly, investments in SSL and RPC over HTTP are helping to enable secure access to specific common applications, like e-mail or file systems, without opening up the rest of the network. Security advances in Internet Security and Acceleration Server 2004 include much deeper content inspection, which enables customers to better protect their Microsoft applications and fortify remote VPN connections. An enhanced user interface and management tools make it easier for customers to implement and manage security policies, reducing the potential for misconfiguration – a common cause of network breaches.

• Secure Wireless: WPA, 802.1X and PEAP represent recent industry advancement of standards to add strong security to wireless. Deep integration of these standards into Windows helps make it easier to design and deploy practical security enhancements for wireless networks.

• Access Control Management: Single sign-on has been a security area of focus for a number of years that continues to evolve as new credential types are introduced. Companies typically have many different directories supporting identification and authentication to different systems. With Active Directory and Microsoft Identity Integration Server, we are providing new capabilities for directory synchronization, and one-time provisioning for multiple credential types. Augmenting that capability are advances in login replacements, with both smartcards and biometrics, together providing improved single sign-on.


• Data Protection: Rights Management Services (RMS), which is now part of Microsoft Office 2003, represents a milestone in the area of controlling access to data, offering a new kind of protection for vital information. Microsoft will continue to invest in this important field and work to develop simple ways to help protect sensitive information. Microsoft envisions strong business-to-business and business-to-consumer scenarios that will provide better privacy, security and confidentiality for all customers.

Microsoft has additionally invested in several technologies representing a comprehensive authorization and access control infrastructure, including Active Directory, Encrypting File System (EFS), and access control lists.

ENGINEERING EXCELLENCE

Without quality, there’s no security. Similarly, we cannot claim that a product is of quality if it is not engineered with security. Part of the Trustworthy Computing initiative is to inculcate a new security life cycle process and framework internally, mandating ongoing process changes to improve the security and quality of our software.

Products go through our improved Trustworthy Computing release process, based upon the concepts of secure by design, secure by default, secure in deployment and great communications, commonly known within Microsoft as the SD3+C framework.

• Secure by Design. Implementing threat modeling and other key security considerations in the design and development stages. These considerations include: mandatory training in writing secure code; code reviews and penetration testing; automated code diagnostic tools; and redesigned architecture to maximize software resilience.

• Secure by Default. Maximizing security in default configurations of shipped software. To reduce the risk of attack, Microsoft has changed default configurations so that service settings are not enabled at delivery.

• Secure in Deployment. Promoting more secure deployment and management of our software. These efforts include scanning tools, services – including patch management with configuration verification functions – and localized versions of security bulletins and tools, such as Software Update Services and Baseline Security Analyzer.

• Communications. Keeping customers informed. These efforts include timely communication about software update releases and our worldwide Security Response Process. In addition, we are working with government, partners, and academia to deliver security education, offer security certification programs for IT professionals, and conduct consumer protection campaigns worldwide.

These processes have begun to pay off with measurable improvements in the security of newer versions of our software. For example:

• Exchange 2000 Server. Went from 7 bulletins rated critical or important prior to the release of SP3 to just 1 in the 23 months following the release of SP3.


• SQL Server 2000. 3 bulletins rated critical or important were released in the 17 months following the SP3 release, versus 13 prior to the release of SP3.

• Windows Server 2003. 13 bulletins rated critical or important in the 365 days following its release, compared with 42 for Windows 2000 Server in the year following its release.

While we are always our own first test case, we are also productizing our successful innovations and delivering them to the development community. Some of the ways that we’ve been able to do this so far include, but are not limited to, the following:

• Secure Platform: We’ve delivered the .NET Framework, which encapsulates many fundamental security mechanisms, making it simpler for developers to add security to their applications. Cryptographic APIs and integrated PKI round out the tools for building from a more secure platform.

• Development Tools: Visual Studio .NET 2003, in conjunction with security tools like FxCop, helps you develop line-of-business applications with inherent security. Work on the WS-I standards process and work to implement web services security enhancements help developers as well.

• Developer Guidance: One of our best security websites is the Microsoft Security Developer Center at msdn.microsoft.com/security, centralizing books, guidance, training and articles to help the development community. Go there and check out the many technical developer webcasts.

CUSTOMER GUIDANCE AND ENGAGEMENT

Improving our internal processes and enhancing the security and quality of Microsoft’s technology are insufficient, as they only address one side of the security challenges that we are facing today. Through our experiences in helping customers to resolve security issues from Nimda to Blaster, and our work with law enforcement assisting them in various computer crime related investigations, it is clear that many enterprises and IT professionals are still not ready to deal with the current security challenges effectively. The main hurdles, besides the availability of tools, are inadequate security processes, and insufficient security know-how and practices.

In October 2003, Microsoft therefore launched a worldwide security mobilization initiative focusing on helping enterprises and IT professionals to close this gap. The initiative entails building more security guidance, delivering more security training and seminars, engaging the security partner community, improving and increasing proactive security communications, and preparing our staff, partners, and customers to respond more reliably and effectively to security incidents. Between October 2003 and June 2004, more than 500,000 IT professionals attended at least one security training session provided by Microsoft.

In addition to a new Security Guidance Center web portal providing a centralized site for locating security content on the Microsoft web site, a CD that includes much of the guidance posted online, the Security Guidance Kit CD, was also published. The CD provides valuable security information and resources to help support IT administrators in small, medium or large organizations.

Monthly security webcasts are also designed to inform participants about the latest developments on the security front. They include monthly webcasts with Mike Nash, the Corporate Vice President of the Security Business and Technology Unit, and a monthly webcast to cover the security bulletins.

For consumers, Microsoft is working on a worldwide education campaign with computer manufacturers, retailers, ISPs and other partners to create broader awareness of best practices to protect their PCs. This has three aspects:

• installing anti-virus software

• using an Internet firewall

• using the Automatic Update features in Windows to automatically download the latest Microsoft security updates.

As part of Microsoft’s IT Showcase, white papers relating to how Microsoft secures Microsoft’s internal IT environment, how Microsoft manages security vulnerabilities and incident response, and how Microsoft securely implements various business enablement technologies, such as Wireless LAN, are also published in the Security Guidance Center, and discussed openly in security webcasts and seminars.

CONCLUSION

As we progress towards the future, we will continue to face new security challenges. Our proactive steps taken so far are to continue the advancement of isolation and resiliency through Active Protection Technologies and Network Access Protection. New security technology will also continue to evolve in the area of advancing updates, and providing for the enforcement of information security policies and control needs. This includes improvements and new releases in Windows Update Services, Microsoft Update, Windows Rights Management, Microsoft Operations Manager, Microsoft Identity Integration Server, and Internet Security and Acceleration (ISA) Server. To help third parties and enterprise developers to develop more secure applications, new and enhanced tools in threat modeling and code security review and analysis have also been planned, including the next generation of Visual Studio.

Trustworthy Computing is our vision of technology for the new era, to provide safe, secure, and reliable computing experiences as expected by users. One of the goals of Trustworthy Computing is to build the most secure software we can, while still building products that customers will want and be able to use. Beyond that, we take steps to help protect our customers in a world where vulnerabilities are inevitable and the threats are evolving. This means investing in new technologies; investing in training, guidance and communications to help our customers get the expertise they need; and partnering with industry leaders, customers, governments, and law enforcement to address the challenge.


REFERENCES

Useful URLs for consumers, IT professionals, enterprise IT managers, and security professionals:

• Microsoft security portal – http://www.microsoft.com/security

• Security portal dedicated to consumers’ needs – http://www.microsoft.com/protect

• Security Guidance Center – http://www.microsoft.com/security/guidance

• Security Tools – http://www.microsoft.com/technet/Security/tools

• How Microsoft IT Secures Microsoft – http://www.microsoft.com/technet/itsolutions/msit

• Security E-Learning Clinics – https://www.microsoftelearning.com/security

• Security Events and Webcasts – http://www.microsoft.com/seminar/events/security.mspx

LIST OF PARTICIPANTS

Information Network Security Department, Monitoring and Enforcement Division, Malaysian Communications and Multimedia Commission

Ronald Yap – Ixaris Sdn Bhd

Dhillon Andrew Kannabhiran – Hack In The Box Sdn Bhd

Info-Security SIG – PIKOM

Deepak Pillai – Rajes, Hisham Pillai and Gopal, Advocates & Solicitors

Yvonne Oung – MSC Trustgate Sdn Bhd

Joshel Woo – Digicert Sdn Bhd

Mohamed Shafri Hatta, Madihah Mohd Saudi – NISER

Murari Kalyanaramani and James Tseng – PricewaterhouseCoopers

Basri Zainol – SIRIM Berhad

Dr. Nah Soo Hoe – Independent Consultant

Meng-Chow Kang – Regional Chief Security & Privacy Advisor, Microsoft Asia Pacific

FURTHER ENQUIRIES

For further enquiries please contact:

Information Network Security Department
Monitoring and Enforcement Division
Malaysian Communications & Multimedia Commission
63000 Cyberjaya
Selangor Darul Ehsan
Tel: 8688 8000
Fax: 8688 1000
www.mcmc.gov.my
