UITM Forum Questionaires Cybersecurity, Governance & Risk Management

UiTM Forum Title: Cybersecurity, Governance & Risk Management for Critical National Infrastructure

Set of questionnaires for the forum panelists

CYBERSECURITY

1. Based on the panelist's vast experience, which critical national infrastructure sector is
most vulnerable to a cyber-attack in the modern day? Why?

a. The answer shall be all. All types of cyberattacks will impact the critical national
infrastructures directly or indirectly. The difference lies in the attack surface, not in
the sector. Of course, it is determined by the attacker's interest. Whether a nation-
state sponsored actor, an organized crime gang, or an individual hacker, they all have
different interests in our critical infrastructure. It depends on the situation.
We have to ensure all potential flaws and vulnerabilities of our hardware or
software are reviewed, studied, patched, and isolated to the best of our ability to
protect our nation's interest.

b. Healthcare - Healthcare organizations continue to be the industry most exposed
to cyber-attacks this year. Data breaches and ransomware attacks last year alone
cost the industry an estimated $4 billion, with the industry accounting for more
than four in ten breaches as well. As experts note, it has more to do with the
value of healthcare data than with the state of security in the industry. Public
healthcare institutions are particularly susceptible as criminals target the
valuable personal data that healthcare providers store and process.

c. Personal Health Information (PHI) is more valuable on the black market than
credit card credentials or regular Personally Identifiable Information (PII).
Therefore, there is a higher incentive for cyber criminals to target medical
databases. They can sell the PHI and/or use it for their own personal gain. At the
time of this writing, over 15 million health records have been compromised by
data breaches, according to the Health and Human Services breach report.

2. In your opinion, what poses the greatest cybersecurity threat to our nation's critical
infrastructure?

a. The short answer could be ransomware and phishing emails. Indeed, the talent
pool and technology currently in place in our environment worry me the most, and
they pose the greatest threat to our defense. We are dealing with a much more
sophisticated situation and actors from the defense perspective. First, we do
not have enough talent in place, and that is a fact. Secondly, we depend very much
on foreign technology to defend ourselves. A private company may deal with
individual hackers or an organized crime gang. We are dealing with espionage,
national security, and our nation's sovereignty. No doubt, we may not create our
own technology. Still, we always look into innovative solutions, where specific talent
in 0-day and N-day weaponization research can be helpful to us; at least we then know
in advance what our potential threats will be, and we find a way to avoid the negative
impact on us.

b. People – humans are the weakest link. Malaysia still lacks awareness in
cybersecurity except for people in certain regulated industries such as Defense
and Financial Institutions. Malaysians always take it for granted when it comes to
cybersecurity. For them, the impact is small or intangible until they become the
victims. As the Malay proverb says, “sudah terhantuk, baru nak terngadah” (you only
look up after you have already bumped your head). Some organizations do not even
allocate a budget, or only a very small allocation, for cyber security, because for
them it is not important compared to their core business. But nowadays,
cybersecurity is no longer an option. It must come by design.

3. Based on your organization structure, does your organization have enough designated and
trained information security experts on staff, or a trusted third-party information security
and risk advisor, to protect the organization as one of the critical national infrastructures?

a. Talent is limited in cybersecurity. It is a global issue. But most important to us are
the people who are willing to learn and relearn in this space. We send and enroll our
staff in relevant courses and training while we constantly engage with our strategic
partners to ensure we are in a good posture.

b. Currently we already have an adequate organization structure for cyber security;
however, we are improving it from time to time from the perspective of technology,
people and process. We continuously evaluate whether there are additional requirements
based on current cyber security challenges and the assets we need to protect.

c. We are also working with 3rd parties in strengthening our cyber security protection,
such as technology principals, solution integrators, threat intel providers, etc., to
improve our cyber security protection.

4. What advice do you have on how to manage and protect against zero-day threats (log4j, for
example) to protect the organization, especially in the critical national infrastructure industries?

a. Always be ready; intelligence plays a significant role in 0-Day and N-Day
exploits. As I mentioned initially, research potential cyber weaponization of 0-
Days and N-Days. We only know what we know! And a good, well-trained
incident response and patching team will undoubtedly be helpful in this kind of
situation.

b. The direct answer for log4j is as below:

i. Get an overview of the systems and software using log4j in your environment
(this can be a time-consuming task, so better start early).

ii. Apply the corresponding security patches for internet-facing software/devices
immediately.

iii. Apply the related security patches for internal software/devices at your
earliest convenience.

iv. If patching is not possible for whatever reason, we strongly recommend
isolating the system from the Internet and applying the necessary mitigation
measures.

c. Technology – People – Process.

i. Technology

1. Identify vulnerable devices. The vulnerable software/devices can be
identified by:

a. Matching asset inventories with vendor/principal advisories.

b. Analyzing software bill of materials (BOM) manifests.

c. Searching the file systems of machines to identify class files.

d. Analyzing log files.

2. Keep technology updated – patch, apply the right controls, and ensure the
right security rules are configured. Ensure the policies/rules of the security
devices are correct, protect the assets in the environment and close the gaps.

3. Understand and be fully aware of the residual risk after controls are already
in place.

ii. People

1. IT personnel – keep knowledge and skills updated (incident handling, etc.).

2. Users – ensure cyber security awareness is up to date and that users are aware
of cyber security risks.

3. Situational awareness & intel – keep up to date with the latest threats
happening in the world. If a zero-day threat is detected in other parts of the
world, ensure the security team is aware of it and quickly analyses how the
threat may impact the organization and its assets.

iii. Process

1. Revisit the cyber security related processes (incident handling, awareness,
BCM, etc.) that are already in place from time to time. A process developed 2-3
years ago may no longer be relevant. It must be revisited and tested to ensure
its effectiveness.

2. Always monitor and know what types of assets are connected to the
network/environment. Know how new threats may introduce risk and may impact the
assets.

GOVERNANCE

5. In terms of Critical National Infrastructure, are there any established comprehensive
programmes or a series of frameworks that will ensure the effectiveness of cyber security
controls over vital assets? If so, what are they?

a. The Malaysia Cybersecurity Strategy 2020-2024 does serve as the critical document
and provides all the Critical National Infrastructure agencies with an excellent and
clear guideline. Mandatory compliance, training, and the Secure Development
Lifecycle (SDL) are essential to measure and govern. The current document serves
as the core documentation for designing our framework, with the five (5) pillars
and a focus on the people, process, and technology approach.

i. Pillar 1 – Effective Governance and Management

ii. Pillar 2 – Strengthening Legislative Framework and Enforcement

iii. Pillar 3 – Catalyzing World Class Innovation, Technology, R&D, and Industry

iv. Pillar 4 – Enhancing Capacity & Capability Building, Awareness and Education

v. Pillar 5 – Strengthening Global Collaboration

b. Currently we are adopting and referring to, but not limited to, the NIST framework and
the MITRE ATT&CK framework as a baseline. These are the most widely adopted cyber
security frameworks among organizations worldwide for establishing effective cyber
security controls over vital assets, covering proactive and reactive actions from cyber
security assessment up to incident handling.

c. We are also referring to certain standards such as ISO 27001 (ISMS) and ISO 22301
(BCMS).

6. With the increasing interdependencies and complexity of critical national infrastructure,
what are the challenges for policy design and implementation in your environment?

a. Technology is moving very fast, and regulators still lack the expertise to deal with
it. There is undoubtedly a gap in between. We are improving our force's operational
and technical skillset to give us more insight and actionable intelligence to come up
with the measures to improve our policy. In implementation, getting buy-in from the
users is always the challenging part. But we are a uniformed organization. It makes
our life less stressful when it comes to implementation compared with the private
sector or other agencies.

b. Finding a balance between cyber security and the core business. For example, if
security is too stringent, it may impact performance at a certain level and introduce a
high rate of false positives, which may impact service availability. If the security
controls and policy are too loose, it may introduce high cyber security risk. So
striking the balance is very challenging.

7. Although information-sharing presents many benefits for better understanding and
exchange of expertise to help the infrastructure, some sensitive information like
vulnerabilities may be filtered out. Have you ever dealt with this kind of situation?

a. In any SIEM or log data, we receive not a thousand but hundreds of thousands or
even millions of event logs per day. There are undoubtedly many false positives and
false negatives. We need to perform analysis, and if the vulnerability does harm us,
it shall be reported and followed up with the necessary action. And the person in charge
does need to ensure top management gets the alert and is aware of the
situation. Our governance is very straightforward, and it is helpful because the chain-of-
command mindset is already sunk into our forces when they begin their career in
the military.

RISK MANAGEMENT

8. Attacks targeting critical infrastructure continue to rise in frequency and effectiveness.
What are the most significant risks that security teams have to deal with?

a. The security team's unclear roles and tasks are one of the significant risks within the
security team. Understanding each security team member's role and duty (task),
then providing them the right knowledge and training them for the right skillsets, is
the only possible way to mitigate the risk. The scope of the forces needs to be
transparent to ensure every one of them is clear and understands their role when
it comes to incident response. It involves placing the right talent and process at
every domain or level.

9. In today's environment, life-critical embedded systems—whether medical devices,
Internet-connected autos, Supervisory Control and Data Acquisition (SCADA), industrial
control systems (ICS), or other systems—play an essential role. As more of these devices
become connected to the Internet of Things, what is the best solution to reduce the cyber
security risks to effectively safeguard these systems?

a. There is no perfect solution to deal with cyber attacks. But putting the
necessary measures in place will be the key to reducing the risk. The five (5) basic key
controls are as below:

i. Patch Management

ii. Malware Protection

iii. User Access Control

iv. Secure Configuration

v. Boundary Firewalls and Internet Gateways

b. Gaining actionable visibility into all the devices on your network. With that
information, we can then take steps to mitigate the risks those devices present,
such as automating security policy enforcement and streamlining the integration
across multiple cyber security solutions.

c. Minimize the risk of an expanding IoT attack surface by deploying the right controls in
the right place.

10. As infrastructure systems become more digital and infrastructure expenditures become
more widespread, we have a chance to re-evaluate essential infrastructure policy in our
country. What role does government play in improving the resilience of vital
infrastructure?

a. The government, as the First Mover in Cybersecurity, allocates the resources
required for success, including:

i. To act as the coordination body for the industry, academia, civil societies,
and government agencies.

ii. To ensure a sufficient budget to build and grow.

iii. To have the proper infrastructure to support industry growth, Research,
Development and Innovation (RDI), and operational performance.

iv. To provide workforce and skills development to ensure a talent pipeline.
