UITM Forum Questionnaires Cybersecurity, Governance & Risk Management
Infrastructure
CYBERSECURITY
1. Based on the panelist's vast experience, which critical national infrastructure sector is
most vulnerable to a cyber-attack in modern days? Why?
a. The answer shall be all. All types of cyberattacks will impact the critical national
infrastructures directly or indirectly. The difference is the attack surface, not the
sector. Of course, it is determined by the attacker's interest. Whether a nation-
state-sponsored actor, an organized crime gang, or an individual hacker, they all have
different interests in our critical infrastructure. It depends on the situation then.
We have to ensure all potential flaws and vulnerabilities of our hardware or
software are reviewed, studied, patched, and isolated to the best of our ability to
protect our nation's interest.
c. Personal Health Information (PHI) is more valuable on the black market than
credit card credentials or regular Personally Identifiable Information (PII).
Therefore, there is a higher incentive for cyber criminals to target medical
databases. They can sell the PHI and/or use it for their own personal gain. At the
time of this writing, over 15 million health records have been compromised by
data breaches, according to the health and human services breach report.
2. In your opinion, what poses the greatest cybersecurity threat to our nation's critical
infrastructure?
a. The short answer could be ransomware and phishing emails. Indeed, the talent
pool and technology currently in place in our environment worry me
the most, and they pose the greatest threat to our defense. We are dealing with
a much more sophisticated situation and actors from the defense prospect. First, we do
not have enough talent in place, and it is a fact. Secondly, we depend very much
on foreign technology to defend ourselves. A private company may deal with
individual hackers or an organized crime gang. We are dealing with espionage,
national security, and our nation's sovereignty. No doubt, we may not create our own
technology. Still, we always look into innovative solutions, for which specific talent such as
0-day and N-day weaponization researchers can be helpful to us; at least, we would know
in advance what our potential threats will be, and we make way to avoid the negative
impact on us.
3. Based on your organization structure, does your organization have enough designated and
trained information security experts on staff, or a third-party trusted information security
and risk advisor, to protect the organization as one of the critical national infrastructures?
c. We are also working with third parties, such as technology principals, solution
integrators, threat intel providers, etc., to strengthen and improve our cyber security
protection.
4. Some advice on how we manage and protect against zero-day threats (Log4j, for example)
to protect the organization, especially in the critical national infrastructure industries?
a. Always be ready; intelligence plays a significant role in 0-day and N-day
exploits. As I mentioned initially, research on potential cyber weaponization of 0-
days and N-days. We only know what we know! And a good and well-trained
incident response and patching team will undoubtedly be helpful in this kind of
situation.
iii. Apply the related security patches for internal software/devices at your
earliest convenience.
iv. If patching is not possible for whatever reason, we strongly recommend
isolating the system from the Internet and applying the necessary mitigation
measures:
i. Technology
3. Understand and be fully aware of the residual risk after controls are already
in place.
ii. People
3. Situational awareness & Intel – keep up to date with the latest threats
happening in the world. If a zero-day threat is detected in
other parts of the world, ensure the security team is aware of it
and quickly analyze how the threat may impact the
organization and its assets.
iii. Process
a. The Malaysia Cyber Security Strategy 2020-2024 serves as the critical document
and provides all the Critical National Infrastructure agencies with an excellent and
clean guideline. Mandatory compliance, training, and the Secure Development
Lifecycle (SDL) are essential to measure and govern. The current document serves
as the core documentation for designing our framework, with the five (5) pillars
and a focus on the people, process, and technology approach.
b. Currently we are adopting and referring to, but not limited to, the NIST framework and the MITRE
ATT&CK framework as a baseline. These are the most widely adopted cyber security
frameworks among organizations worldwide for establishing effective cyber security
controls over vital assets, covering proactive and reactive actions from cyber
security assessment up to incident handling.
c. We are also referring to certain standards such as ISO 27001 (ISMS) and ISO 22301
(BCMS).
a. Technology is moving very fast, and regulators still lack the expertise to deal with
it. There is undoubtedly a gap in between. We are improving our force's operational
and technical skillset to give us more insight and actionable intelligence to
come up with the measurements to improve our policy. In implementation, getting buy-
in from the users is always the challenging part. But we are a uniformed organization. It
makes our life less stressful when it comes to implementation compared with the
private sector or other agencies.
b. Finding a balance between cyber security and the core business. For example, if the
security is too stringent, it may impact performance at a certain level and introduce a
high rate of false positives, which may impact service availability. If the security
controls and policy are too loose, they may introduce high cyber security risk. So
striking the balance is very challenging.
a. In any SIEM or log data, we receive not a thousand but hundreds of thousands or
even millions of event logs per day. There are undoubtedly many false positives and
false negatives. We need to perform analysis, and if the vulnerability does harm us,
it shall be reported and followed up by the necessary action. And the person in charge
does need to ensure the top management gets the alert and is aware of the
situation. Our governance is very straightforward, and it is helpful because the chain of
command mindset is already sunk into our forces when they begin their career in
the military.
RISK MANAGEMENT
a. The security team's unclear roles and tasks are one of the significant risks within the
security team. Understanding each security team member's role and duty (task),
then providing them with the right knowledge and training them in the right skillsets, is
the only possible way to mitigate the risk. The scope of the forces needs to be
transparent to ensure every one of them is clear and understands their role when
it comes to incident response. It involves placing the right talent and process at
every domain or level.
9. In today's environment, life-critical embedded systems—whether medical devices,
Internet-connected autos, Supervisory Control and Data Acquisition (SCADA), industrial
control systems (ICS), or other systems—play an essential role. As more of these devices
become connected to the Internet of Things, what is the best solution to reduce the cyber
security risks to effectively safeguard these systems?
a. There is no perfect solution to deal with cyber attacks. But putting the
necessary measures in place will be the key to reducing the risk. The five (5) basic key
controls are as below:
i. Patch Management
b. Gaining actionable visibility into all the devices on your network. With that
information, we can then take steps to mitigate the risks those devices present,
such as automating security policy enforcement and streamlining the integration
across multiple cyber security solutions.
c. Minimize the risk of an expanding IoT attack surface by deploying the right controls in the right
place.
10. As infrastructure systems become more digital, and infrastructure expenditures become
more widespread, we have a chance to re-evaluate essential infrastructure policy in our
country. What role does government play in improving the resilience of vital
infrastructure?
i. To act as the coordination body for the industry, academia, civil societies,
and government agencies.