© Malaysian Communications and Multimedia Commission 2005
The information or material in this publication is protected under copyright and, save where otherwise stated,
may be reproduced for non-commercial use provided it is reproduced accurately and not used in a misleading
context. Where any material is reproduced, MCMC as the source of the material must be identified and the
copyright status acknowledged.

The permission to reproduce does not extend to any information or material the copyright of which belongs to
any other person, organisation or third party. Authorisation or permission to reproduce such information or
material must be obtained from the copyright holders concerned.

Malaysian Communications and Multimedia Commission
63000 Cyberjaya, Selangor Darul Ehsan, Malaysia. Tel: 6 03 - 8688 8000 Fax: 6 03 - 8688 1000
Toll Free Numbers: 1-800-888030 http://www.mcmc.gov.my
TABLE OF CONTENTS
ACKNOWLEDGEMENT

1 INTRODUCTION

2 GENERAL INFORMATION FOR CONSUMERS 1

2.1 Positive Use of the Internet – MCMC 3


2.2 General Information on Spam: Strategies and initiatives to curb it in
Malaysia – MCMC 9
2.3 Home and Business User Computer Security – Ronald Yap, Ixaris Sdn Bhd 17
2.4 Online/Cyber Threats to Home Users and Business Entities –
Dhillon Andrew Kannabhiran 27
2.5 Home Computer Security – How to safeguard your privacy and security
when utilizing the Internet – PIKOM Info-Security SIG 37
2.6 What you should know about Cyber Crime and the Malaysian Cyber
Laws – Deepak Pillai of Rajes, Hisham Pillai and Gopal, Advocates & Solicitors 43
2.7 What you should know about Digital Signature and the Digital Signature
Act 1997 – MCMC, MSC Trustgate Sdn Bhd and Digicert Sdn Bhd 53

E-SECURITY AWARENESS SURVEY 2003 & 2004 81

3 MORE SPECIFIC INFORMATION FOR BUSINESSES 117

3.1 Incidence Response and Handling for Everyone – NISER 117


3.2 Viruses, Worms, Trojan Horses 101 – NISER 127
3.3 The Importance of an Information Communication and Technology (ICT)
Security Audit for Business Organizations – Murari Kalyanaramani and
James Tseng, PricewaterhouseCoopers 153
3.4 The portrayal of applicable information technology (IT) Security Standards
in Malaysia – Basri Zainol, SIRIM Berhad 165
3.5 Open Source and Security – Dr. Nah Soo Hoe, Independent Consultant 191
3.6 Advancing Security – Building Trust in Computing – Meng-Chow Kang,
Regional Chief Security & Privacy Advisor for Microsoft Asia Pacific 215

LIST OF PARTICIPANTS 227

FURTHER ENQUIRIES 228


ACKNOWLEDGEMENT
MCMC would like to express its gratitude to all those
who have contributed to the completion of this
Compendium. They have selflessly shared their
time, expertise and knowledge in the interest
of the general public in Malaysia.

INTRODUCTION

Over the last decade, the public and private sectors have become increasingly reliant on
computer network systems to support critical operations and infrastructure. The benefits have
been enormous in terms of facilitating communications, transactions and the way businesses
and government function. Info-communications has increasingly become a factor in the global
economy.

Most people and organizations believe that technology is the answer to securing the network
infrastructure. However, ensuring cyber security does not lie with technology alone; it depends
more on processes and policies, and on people realizing that they are a crucial element in
ensuring e-security.

However, the pace of growth of the ICT industry, which depends upon network systems,
appears to outstrip the pace at which ICT users educate and prepare themselves to maintain
these systems and tackle the issues pertaining to them. By emphasising education and
awareness of the core skill set in information and network security, users will be able to tackle
the challenges therein.

ICT users, whether ordinary consumers or members of organizations such as the government
or industry, must be provided with the knowledge, tools and expertise to maintain secure
information systems and data communications. For businesses and the government sector,
education and awareness are paramount, since they avoid exposing the government or the local
industry to expenditure on incident recovery.

The Malaysian Communications and Multimedia Commission, realising this need, is very
committed to the development of education and awareness programmes on information and
network security in the face of rampant occurrences of website defacement, DOS attacks,
spamming, phishing, viruses and hacking.

As part of this initiative, the Commission, with the cooperation of local experts, has compiled a
compendium comprising a variety of subject matter concerning information and network security.

The main objective of the compendium is to contribute to the learning and educational experience
of ICT users and consumers. It is intended to complement other sources of information on the
subject of information and network security.

GENERAL INFORMATION FOR CONSUMERS

POSITIVE USE OF THE INTERNET
INFORMATION NETWORK SECURITY DEPARTMENT
MALAYSIAN COMMUNICATIONS AND MULTIMEDIA COMMISSION

The Malaysian Communications and Multimedia Commission (MCMC) was established on
1 November 1998 and is charged with regulating the converging industries of broadcasting,
telecommunications and online services in accordance with the national policy objectives set
out in the Communications and Multimedia Act 1998.

The specific role of the Information and Network Security (INS) department is to ensure
information security and network reliability and integrity within the communications and
multimedia industry in particular the critical communications and multimedia infrastructure. Part
of the general scope of work of the department is the promotion of education and awareness
of best information and network security practices.

POSITIVE USE OF THE INTERNET
MALAYSIAN COMMUNICATIONS & MULTIMEDIA COMMISSION

The Internet has revolutionized the computer and communications world like nothing before.

The Internet has a worldwide broadcasting capability, a mechanism for information dissemination
and a medium for collaboration and interaction between individuals and their computers
without regard for geographic location.

However, the Internet, being an open medium, is susceptible to misuse. There has been a rapid
rise in the number of unsuitable websites dedicated to harmful and undesirable content. There is
therefore an urgent need to mitigate the misuse of the Internet at an early stage and promote its
ethical use through awareness and educational programmes.

The Internet is a place where worldwide information and communication is constantly
expanding and evolving. Just as with any culture, there are customs that provide guidelines
and cohesiveness to the people involved.

In this article, some guidelines are provided that would assist “newbies” in their approach
towards working with electronic communication. These guidelines are meant to provide helpful
hints on some common and frequently asked questions or global “standards”, for the following:

Chat Room Ethics
E-Mails
How to Choose a Password
Internet Tips for Parents
Internet Abbreviations

The guidelines are to assist Internet users on what is considered abuse of available resources
and to help users to be responsible in accessing or transmitting information through the
Internet.

REFERENCES:
(1) Internet Society (ISOC) – A brief history of Internet
(2) Internet Guidelines and Culture – Arlene H. Rinaldi
(3) The APT Seminar on Network Security Management and the Positive Use of Internet:
Kuala Lumpur 18–20 August 2003

CHAT ROOM ETHICS
The Internet has opened up a whole new world for us to meet online and converse in real time
about our hobbies, thoughts, and beliefs. However, as in face-to-face communication, there
are some common courtesies and protocols that must be observed while addressing others
online.

Use proper judgment when choosing a nickname that you will use in the chatroom. Avoid
using any rude or inappropriate names. Use a name that best describes yourself to others,
e.g. your first name, initials, or even a hobby or interest.

The best way to initiate a conversation is to use a simple and pleasant greeting, such as
“Hi Everyone” or “Good Morning”. If this fails to catch anyone’s attention, you could attempt
to address a particular member with a question.

When chatting, do not type in capital or boldface letters, as this is considered yelling in the
online world.

Many people in chat rooms tend to let their guard down and may insult or verbally abuse you.
You should either ignore the person, or use your chat software to block their messages. If
the verbal sparring is a result of a disagreement with another member, try to remedy the
situation by politely talking it over together. At the same time, if you find you are in the wrong,
be sure to promptly correct yourself and apologize to those you have offended.

Avoid asking personal questions such as their age, sex, and marital status, unless you know
the person very well, and you are both comfortable with sharing personal information.

Welcome and respect any newcomers that are entering for the first time. Offer advice when
asked. However try not to overload the room with constant advice or opinions, do give others
their chance to speak.

If your messages are long, try to type and send it in sections to avoid constant scrolling on
other members’ screens. If possible, send the lengthy message privately or to a couple of
members at a time.

Depending on the chat rooms that you frequent, watch your language and subject of
discussion. Parents should be aware of the type of discussion their child is engaged in.

Abusive chatters should be avoided. This includes attacks on chatter, constant and
unnecessary profanity and member stalking.

Finally, remember to treat others online in the same way you would want to be treated.
By observing these basic rules of etiquette, everyone can have a better online chat experience.

E-MAIL
Some do’s and don’ts in sending and replying to e-mails:

When forwarding an e-mail, don’t include your entire address list in the “TO” field. Learn
to use Distribution Lists or send Blind Carbon Copies.

Don’t respond to any of the “Make Money Fast” postings as most are illegal.

Respect other people’s privacy. If someone sends you a personal e-mail, please don’t
forward it to a newsgroup or anywhere else.

E-mail is not private. It is highly unlikely that anyone but the recipient will ever read it but
it’s possible.

Use the subject field: Inappropriate subjects make it difficult to file, forward or provide
meaningful responses.

When responding to e-mail, don’t quote the entire original message in your reply. Only
quote the relevant parts.

DON’T TYPE IN ALL UPPER CASE, it’s considered SHOUTING.

If you want to unsubscribe from a public mailing list, please ensure that the
UNSUBSCRIBE command gets sent to the LIST SERVER and NOT the Mailing List Itself.
If you do this, you irritate every member of the list who gets your message, and you will
still be subscribed to the list.

Effective use of the Internet is not difficult; it merely requires practice, a bit of common sense,
and the ability to learn from other people’s mistakes.

HOW TO CHOOSE A PASSWORD


Access to an online computer service or Internet Applications Service Provider (IASP) requires
both a user name and password. As names are easy to guess, one must be very careful with
the password.

Tips on how to select a good password:

The minimum length of your password should be at least five (5) characters. Automatic
programmes can easily try all combinations of characters in a password of less than five
(5) characters.

In short passwords, use at least one upper-case letter, at least one lower-case letter, and
at least one digit, e.g. d4surF

To create a long password, use two words, each with at least five (5) characters,
perhaps separated by one digit (flower4daisy)

Avoid obvious passwords
– your name
– anyone’s first name especially the name of family members or pets
– your nickname
– your home telephone
– your date of birth
– your astrological sign
– licence plate number of your car
– any other publicly available information

Once a password is chosen, do not write it down and do not tell anyone what it is. If you
have written it down, keep it in a safe place, e.g. a bank deposit box (for your personal
account) or a safe in the corporate office (for the company’s computer).

When you get a new computer account, it will come with an initial password. Follow the
instructions from the system administrator for choosing your own password, and change
the password. The initial password may have been seen by someone who gave or
mailed it to you.

Use a different password at each website, service provider, or computer account.

Changing your password every few weeks is standard advice from computer security
experts. However this also makes it easier for you to forget your password. If you do
forget your password, you will need to contact a system administrator, prove that you
really are the official user and get a new initial password assigned.
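The password guidance above, expressed as concrete checks. This is an added example and not part of the compendium: the five-character minimum, the mixed-case-plus-digit rule for short passwords and the two-words-separated-by-a-digit form for longer ones are taken from the text, while the list of "obvious" personal details that a password must not contain is constructed sample input for a hypothetical user.

```python
# Added example (not part of the MCMC compendium): the password guidance above
# expressed as concrete checks. The 5-character minimum, the character-class
# rule for short passwords and the two-words-plus-digit form for long ones are
# taken from the text; the list of "obvious" personal details to avoid is
# constructed here as sample input.
import re

MIN_LENGTH = 5  # minimum length stated in the guidance


def _normalize(text):
    """Lower-case and strip everything except letters and digits, so that
    '03-8688 8000' and '0386888000' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_details_to_avoid(details):
    """Turn a list of personal details (names, phone, date of birth, star sign,
    licence plate, ...) into the set of fragments a password must not contain.
    Each detail is kept whole and also split into its parts (first name,
    surname, year of birth, ...). Fragments shorter than 3 characters are
    dropped because they would match almost anything."""
    fragments = set()
    for detail in details:
        candidates = [detail] + re.split(r"[\s/\-]+", detail)
        for candidate in candidates:
            cleaned = _normalize(candidate)
            if len(cleaned) >= 3:
                fragments.add(cleaned)
    return fragments


def check_password(password, avoid):
    """Return a list of problems with the password; an empty list means it
    satisfies the guidance."""
    problems = []

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Rule 2: either mixed case plus a digit (short form, e.g. d4surF) or two
    # words of at least five letters separated by a digit (e.g. flower4daisy).
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    two_words = re.fullmatch(r"[A-Za-z]{5,}[0-9][A-Za-z]{5,}", password) is not None
    if not (has_upper and has_lower and has_digit) and not two_words:
        problems.append("needs upper case, lower case and a digit, "
                        "or two words of 5+ letters separated by a digit")

    # Rule 3: none of the obvious personal details may appear.
    normalized = _normalize(password)
    for fragment in sorted(avoid):
        if fragment in normalized:
            problems.append("contains personal detail '%s'" % fragment)

    return problems


# Constructed sample details for a hypothetical user.
SAMPLE_DETAILS = [
    "Ahmad Ali",        # name
    "Mat",              # nickname
    "Siti", "Rover",    # family member and pet
    "03-8688 8000",     # home telephone
    "12/03/1985",       # date of birth
    "Pisces",           # astrological sign
    "WXY 1234",         # licence plate
]
AVOID = personal_details_to_avoid(SAMPLE_DETAILS)

if __name__ == "__main__":
    for candidate in ["d4surF", "flower4daisy", "abc", "Rover2024x", "Ahmad1985"]:
        print(candidate, "->", check_password(candidate, AVOID) or "OK")
```

The personal-detail check is the part most worth copying: it compares a normalized form of the password against whole details and their parts, so a telephone number typed with or without separators, or a year of birth on its own, is still caught.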

INTERNET TIPS FOR PARENTS


1. Keep the computer in a common area within your home
Do not keep the computer in your child’s bedroom: it is not an inanimate tool like a desk
or an atlas. Keep the computer in the living room, family area or study or accompany your
child when they use computers at the public libraries or Internet cafes.
This way you, as a parent and any other adults in the house, can check in on your child
as he or she explores the Internet. If it is not possible to keep the computer in a common
area of the home, then it is even more important to check in on your child while they are
online and to spend time with your child while they are online.

2. Spend time with your child, online
Just as you teach your child about the real world by exploring it with them, guide them
through the online world. Learn about the services your child uses by taking the time to see
what they are doing online and where their interests lie. If you run into content that is
offensive to you, talk to your child about it. Explain why you believe the material is harmful
and what you intend to do.

USEFUL SITES:
Cyberpatrol : http://www.cyberpatrol.com
Net Nanny : http://www.netnanny.com

3. Report suspicious activity
Encourage your child to tell you when they run into content that they are unsure about, and
not to respond to it. Upon reviewing the questionable material, if you believe that someone
online is doing or about to do something illegal, then you should report it to the appropriate
authorities. Reports can be made to your Internet Access Service Providers, the Content
Forum of Malaysia, the Malaysian Communications and Multimedia Commission or the police.
Make sure that you keep copies of all the email messages including the header information.
The authorities will need them.

4. Set reasonable rules and guidelines for your child, and decide whether or not to
use blocking or filtering software
Discuss your rules and guidelines with your child, post them near the computer and
monitor your child’s compliance. The rules should set reasonable limits on the amount of
time spent online.
If you decide to use a blocking software, then find one that is consistent with the set rules
and guidelines. Additionally, you should take the time to learn the strengths and limitations
of the package that you choose.

5. Monitor your credit card bills and your phone bills
A credit card number is required to gain access to many adult Internet sites, and a modem
can be used to dial phone numbers other than the phone number of your Internet Service
Provider.

6. Tell your child not to give out personal information online
This is the Internet version of “never talk to strangers”. Teach your child to never give out
their name, address, phone number, school name or any personal information especially
in public places like chat rooms and bulletin boards.
Using a nickname or a pseudonym is common practice on the Internet and it is a way in
which your child can protect their personal information to a certain extent.

7. Know your children’s online friends
It is possible to form beneficial and lasting relationships online, but there are people who
misrepresent themselves and may take advantage of your child. Make sure that your child
knows not to arrange to meet their online friends without your permission. If you permit a
meeting with an online friend, then make sure of the following:
(i) you accompany your child; and
(ii) they meet in a public spot.

8. Learn more about the Internet
Take the time to learn more about the Internet. Ask your child to teach you what they know.
Look for courses being offered in your community.

USEFUL SITES:
http://www.safekids.com
http://www.safeteens.com
http://www.safekids.com/computers.htm
www.pagi.org.sg

INTERNET ABBREVIATIONS
The Internet is full of cryptic shorthand that makes a point, without having to spell out every
word. This can be very useful in a chat channel that is fast moving; other chatters can see your
message in an instant. Some of the more common abbreviations are:

(a) LOL – Laughing Out Loud


Mild amusement at a remark by another user. You could also key in LOL at the end of a
remark to show that your remarks are in humor and not to be taken seriously.

(b) ROFL – Rolling On Floor Laughing


Strong amusement at a remark.

(c) BRB – Be right back


Indicates the user is away from the keyboard for a short period.

(d) BBL – Be back later


No set time period.

(e) AFK – Away from Keyboard


User is still online and in channel but is taking an extended break, maybe attending to a
phone call.

(f) CLICK – Used in Yahoo Chat and elsewhere


This means the user is ignoring someone who is offensive.

Some other abbreviations are as follows:

AFAICS – As Far As I Can See


AFAIK – As Far As I Know
BTW – By The Way
FWIW – For What It’s Worth
HTH – Hope That Helps
IIRC – If I Remember Correctly
IME – In My Experience
IMO – In My Opinion
IRL – In Real Life
IYKWIM – If You Know What I Mean

USEFUL SITE:
www.stateofmindgames.co.uk

GENERAL INFORMATION ON SPAM: STRATEGIES AND INITIATIVES TO CURB IT IN MALAYSIA
MALAYSIAN COMMUNICATIONS & MULTIMEDIA COMMISSION

Introduction
Spam, which has increased rapidly with the development of the Internet and IT technology,
causes great harm to Internet users; interrupting work, spreading viruses and infringing upon
privacy, as well as wasting resources due to increased traffic.

In a worrying trend, Spam is flooding the Internet in an attempt to force messages on people
who would not otherwise choose to receive it. Most Spam is commercial advertising often for
dubious products, get-rich-quick schemes etc.

In order to prevent the increased proliferation of Spam, the government as well as public
institutions, general users and providers must play their roles effectively to curb the increase of
spamming activities.

Definition of Spam
Around the world, various definitions have been adopted by different stakeholders to define
Spam. Although all these definitions share some common points, there is still no standard
universal definition of Spam.

A simple definition of Spam would be “all unsolicited bulk e-mails”. Whatever definition is
adopted, they all share the following common elements and can be characterized as follows [1]:

Non consensual
Spam is transmitted to recipients without their explicit consent.

Indiscriminate
Spam is transmitted indiscriminately without any knowledge about the recipients apart from
their e-mail addresses.

Repetitious
The Spam messages are repetitious.

Illegal or unsound content
It is very common for Spam messages to contain fraudulent, unpleasant or offensive content
including obscene images.

Forged and/or altered
In most cases, Spam contains false sender information. Spammers also forge or alter the
mail headers to hide or disguise their identities.

REFERENCES:
1. Guide to Best Practices for Blocking Spam, version 1.0. by Korean Information Security Agency.

Why is Spam such a problem?
Spam has increased to such an extent that it is having a significantly negative effect on users’
confidence in using e-mail. Receiving Spam is a nuisance to recipients as they have
to spend time sifting through and deleting unwanted e-mails.

Apart from the end users, the Internet and e-mail service providers would also incur additional
cost as Spam imposes storage, transmission and computing costs.

How does the Spammer get my e-mail address?


Spammers use various means to obtain e-mail addresses. Among the ways used are:
(i) Using automatic programmes or “harvesters” to scan Newsgroups, Webpages and
Forwarded e-mails.
(ii) Purchasing lists of e-mail addresses from third parties who compile such information.
(iii) Using “dictionary attacks” to try out all possible combinations of letters, common names
and words in e-mail addresses.

Distinguishing Spam from legitimate mail


The main distinguishing factor between a legitimate message and Spam is consent. Simply
put, if you asked for it, it’s not Spam. As an example, mass mailings of e-mails of a commercial
nature are legitimate if you invited the communication by signing up for “news” on certain topics
or for offers of a particular kind.

E-mail from friends is not Spam. Receiving forwarded mails from friends although annoying, is
not Spam. If the sender is known to you, the best way to put a stop to it is to politely ask them
to stop sending you such mails.

What should businesses sending commercial e-mails do?


The first rule is for the marketer to obtain permission/consent of the recipient before sending
out the marketing messages. The target audience should only be those who have expressed
an interest in a particular product or service being marketed by that sender.

The sender is also obligated to provide accurate sender information and functional unsubscribe
facility in the mail sent out.

Is sending Spam illegal in Malaysia?


The act of sending unsolicited bulk electronic messages is not illegal in Malaysia. However a
person who initiates a communication using any applications service, whether continuously,
repeatedly or otherwise, during which communication may or may not ensue, with or without
disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any
number or electronic address commits an offence.

MCMC’s approach in tackling Spam
MCMC undertook a study in 2003 on Regulating Unsolicited Commercial Messages. A
discussion paper, which provided the salient findings from the study and the action plan to be
put in place by MCMC in dealing with the issues in a proactive manner, was issued for public
comments and feedback.

Among the salient issues discussed in the public consultation (PC) paper are:


• Suggesting a possible definition of Spam to be utilized by all service providers
• Identifying the scope of Spam and its use as a marketing tool
• The impact of Spam
• Identifying the need to regulate and monitor Spam via Internet e-mail and mobile short
messaging (sms)
• Identifying legal provisions in the Communications and Multimedia Act 1998 that deal with
this issue; and
• Developing and coordinating an action plan amongst the service providers, Content Forum,
Consumer Forum and the Commission in managing this issue.

Based on the feedback and comments received, MCMC adopted a multi-pronged
approach in dealing with Spam:
(i) Self regulation by users through education and awareness initiatives;
(ii) Management by Service Providers; and
(iii) International cooperation.

Further information on the implementation of the above measures is contained in the “Report
on a Public Consultation Exercise on Regulating Unsolicited Commercial Messages” dated
17 February 2004, which can be downloaded from www.mcmc.gov.my.

Management of Spam
MCMC is adopting a four-tiered approach in managing Spam.

First tier : Self management by users
Second tier : Forward complaint to Service Providers
Third tier : If complaints remain unresolved, the next recourse is to complain to the
Consumer Forum of Malaysia (CfM)
Fourth tier : If still unresolved, the matter is escalated to MCMC

FLOW CHART
A complaint is first addressed by the user; if resolved, it ends there, otherwise it is escalated
to the Service Provider. If the Service Provider resolves it, it ends there, otherwise it is
escalated to the Forum. If the Forum resolves it, it ends there, otherwise it is escalated to
MCMC, which addresses it until it is resolved.

Complaint procedures
Consumers who are plagued by Spam have the recourse of reporting it to their service
providers. In the event the complaint remains unresolved at the service provider end, the
complaint can be escalated to the Consumer Forum of Malaysia and thereafter can be further
escalated to MCMC.

• Guidelines for Complaints Handling
MCMC released a Guideline on Complaints Handling which provides information on
the making, receipt and handling of complaints from consumers.

• Online Complaints Form
This form is created to facilitate complaints from consumers on issues relating to Spam.
This form is to be read in conjunction with the Guidelines for Complaints Handling.
Both the Guidelines and the online complaints form are available at www.mcmc.gov.my.

Spam Laws
• Overview of Section 233(1)(b) of the CMA 1998

Section 233(1)(b) states:

“ A person who initiates a communication using any applications service, whether continuously,
repeatedly or otherwise, during which communication may or may not ensue, with or
without disclosing his identity and with intent to annoy, abuse, threaten or harass any
person at any number or electronic address, commits an offence.”

The intent underlying Section 233(1)(b) may be utilized to deal with unsolicited
communications and would be an appropriate section to deal with the problems faced by
spamming activities.

• Other relevant legislations from around the world

The MCMC continues to monitor the development of Spam laws and legislation in various
jurisdictions around the world, e.g. the United States of America, Australia, South Korea and
Singapore.

Tips for reducing Spam

There are numerous tips to reduce or curb Spam; some of the common ones are shared
here:
• Never buy anything advertised in Spam
Spam is all about selling. Spammers only need a small number of people to buy
something for every thousand Spam messages they send out. Spammers exist because
there are people who purchase what they peddle. If people stop purchasing the products,
it becomes pointless for them to send Spam.

• Don’t reply to Spam
Many Spammers ask for a reply as to whether you want to be taken off their list. By
responding, you are actually verifying that your e-mail account is active and thus
opening yourself to a deluge of Spam mails.

• Don’t open Spam
Some Spam messages contain Web bugs, which notify the sender when an e-mail
has been opened. The notification is a positive sign to Spammers that your e-mail
address is valid.

• Don’t publicly divulge your e-mail address
Only give out your e-mail address when there is a justifiable need. When someone asks you
for your e-mail address, ask them to explain why they require it. If they are unable to provide
a satisfactory explanation, decline to supply your address.

• Never use “remove” options in a Spam
Using the “remove” option is the same as replying to a Spam.

• Use Spam filters
One of the most effective ways to control Spam is by using protective software known as
filters. Filters allow you to block any e-mail messages carrying a specified address, domain,
subject or text from being deposited in your inbox.

A number of these filtering tools are available on the market and can be divided as follows:
– Server side Spam filtering
Prevents the Spam from reaching your mailbox.

– Client side Spam filtering
Removes the Spam from your mailbox before you have read it.

– DNS Black hole List
A DNSBL is a way to filter Spam by using Domain Name Service (DNS) records as a
database of policies relating to either an IP address or domain name, which can be used
to decide whether or not to accept (or label) e-mail.

– Blacklist
Blacklists or blocklists are lists of IP addresses, domain names, addresses or content of
the headers or the body, or some combination of these different types, that can be used
to identify Spam.

However, the available blacklists can be unverified and their criteria for listing may not be
clear.
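A small inbound-mail filter that combines two of the filter types listed above, a local blacklist of sender domains and subject text, and a DNS blackhole list (DNSBL) lookup of the connecting IP address. This is an added example, not code from the compendium or from any listed service: the zone name "dnsbl.example" is a placeholder, the lookup convention (the IPv4 octets reversed under the zone, with an answer in 127.0.0.0/8 meaning "listed") is the one DNSBLs commonly use, and the resolver is a constructed in-memory table so that the code runs offline.

```python
# Added example (not part of the MCMC compendium): a small inbound-mail filter
# combining a local blacklist (sender domains and subject text) with a DNSBL
# lookup of the connecting IP address. DNSBL_ZONE is a placeholder, not a real
# service; FAKE_DNS stands in for the resolver so the code runs offline.
import ipaddress
import re

DNSBL_ZONE = "dnsbl.example"  # placeholder zone name

# Constructed "DNS" data: only names present here resolve. 203.0.113.9 (a
# documentation-range address) is listed; everything else is not.
FAKE_DNS = {
    "9.113.0.203." + DNSBL_ZONE: "127.0.0.2",
}

# Local blacklist entries: sender domains and subject text to reject.
BLOCKED_DOMAINS = {"spam-sender.example"}
BLOCKED_SUBJECT = re.compile(r"make money fast|get rich quick", re.IGNORECASE)


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.
    Raises ValueError for anything that is not a valid IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, resolve=FAKE_DNS.get, zone=DNSBL_ZONE):
    """True if the list answers for the reversed-IP name with a 127.0.0.0/8
    address. No answer (None) means "not listed"."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def classify(message):
    """Decide 'accept' or 'reject' for a message dict with the keys
    'peer_ip' (the connecting server), 'from' and 'subject'. Returns the
    verdict and a reason, so the reason can be logged or shown to the user."""
    domain = message["from"].rpartition("@")[2].lower()
    if domain in BLOCKED_DOMAINS:
        return "reject", "sender domain %s is on the local blacklist" % domain
    if BLOCKED_SUBJECT.search(message["subject"]):
        return "reject", "subject matches blocked text"
    if dnsbl_listed(message["peer_ip"]):
        return "reject", "connecting IP %s is listed in %s" % (message["peer_ip"], DNSBL_ZONE)
    return "accept", "no filter matched"


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"peer_ip": "192.0.2.10", "from": "friend@ok.example", "subject": "Lunch on Friday?"},
    {"peer_ip": "192.0.2.10", "from": "offer@spam-sender.example", "subject": "Special offer"},
    {"peer_ip": "192.0.2.11", "from": "x@ok.example", "subject": "MAKE MONEY FAST today"},
    {"peer_ip": "203.0.113.9", "from": "y@ok.example", "subject": "Hello"},
]


def run_samples():
    """Classify every sample message; returns the list of verdicts."""
    return [classify(m)[0] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", classify(m))
```

Because the text notes that blacklists can be unverified, the filter returns the reason alongside the verdict rather than silently discarding mail: a rejection caused by a DNSBL listing can then be reviewed separately from one caused by the local blacklist, and the DNSBL check is applied last so that locally trusted rules take precedence.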

• Have two e-mail accounts
One should be your primary account that you give to family, friends and colleagues. The
second one can be used for activities that have a higher likelihood of getting you into a
Spam database, e.g. shopping online and posting to newsgroups.

• Check privacy policies and consent forms when signing up for anything online
Check to see whether you are giving permission to use your details for other purposes.

• Ask your Internet Access Service Provider (IASP) what they are doing against Spam
Almost all the IASPs based in Malaysia are members of the Consumer Forum of Malaysia
(CfM) and are subject to the Internet Access Service Code of Practice.

• Improve your computer’s security
Your computer may be used by Spammers to send out Spam without your knowing it if it
is infiltrated by a virus. Download security patches from your service providers as a security
measure.

USEFUL LINKS
Coalition Against Unsolicited Commercial E-mail (CAUCE)
http://www.cauce.org
Pursuing legislative solutions

SpamCon Foundation
http://www.spamcon.org/
General information and anti-spam tools

Mail Abuse Protection System (MAPS)
http://mail-abuse.org
Spam blacklist service

MAPS Transport Security Initiative
http://www.mail-abuse.org/tsi/
How to secure your SMTP servers

Fight Spam on the Internet
http://spam.abuse.net

Anti-Spam Research Group (ASRG)
http://asrg.sp.am
http://spamlinks.port5.com/

ENQUIRIES AND ASSISTANCE

For questions on ways to handle Spam, you may contact
the helpdesk or postmaster of your IASP.

For general enquiries about Spam, you may contact:

Malaysian Communications and Multimedia Commission
63000 Cyberjaya
Selangor Darul Ehsan

Telephone : 8688 8000
Facsimile : 8688 1000
E-mail : spam-ins@cmc.gov.my

HOME AND BUSINESS USER COMPUTER SECURITY
RONALD YAP
IXARIS SDN BHD

Mr. Ronald Yap, BSc (Hons) Computerised Accountancy, is a Certified Information Systems Auditor
(CISA, United States of America), a Certified Information Systems Security Professional (CISSP,
ISC2, United States of America) and a member of the Project Management Institute (PMI) USA and
its Local Chapter. Ronald has over 12 years of experience in Europe and Asia in the review,
design and implementation of trusted security systems with specialisation in trusted systems,
networking and telecommunications. He was involved in numerous IT security reviews and
systems implementations for banking, telecommunications, utilities, manufacturing and
government organisations. He is also a regular technical trainer for Institut Bank-Bank Malaysia
and has spoken at other conferences for the Information Systems Audit and Control Association
and the Asia Business Forum. Ronald was formerly a Managing Consultant and Manager in
the Technology Risk Services team, PricewaterhouseCoopers, Malaysia and London respectively.

Ronald is now an independent systems security advisor and Founder Director of IXARIS Sdn Bhd,
a technology services company that focuses on providing technical advisory services,
systems solutions, systems implementation and support, training and technology risk
management services for banking, telecoms, technology and manufacturing companies. He
can be reached at:

IXARIS SDN BHD
38-4 Jalan Bangsar Utama 1
Bangsar Utama
59000 Kuala Lumpur
Tel No. : +60 (0)3 22826010
Fax No. : +60 (0)3 22826086
Mobile : +60 (0)12 2107030
E-mail : ronald.yap@myixaris.net
Homepage : www.myixaris.net

HOME AND BUSINESS USER COMPUTER SECURITY
RONALD YAP

COMPUTER SECURITY, WHY THE CONCERN?

There are many reasons for an increased awareness of IT security-related issues. Home and
recreational PC use has increased dramatically. Home PC owners are opting for higher speed
Internet access, such as ADSL broadband, which allows them easier access to resources
such as the World Wide Web, newsgroups, multimedia content, Internet messaging and e-mail.

As computer processing throughput doubles every 18 months, newer PCs perform
increasingly complex computations that enhance the user’s experience interacting with the
computer systems. This widespread availability and acceptance of computers has dramatically
increased the number of people with the ability to compromise data.

As computer prices continue to drop, and people become more comfortable with technology,
the reliance on computer-based resources will continue to increase. As this dependence
develops, security exposures may lead to disastrous results with possible financial and legal
ramifications. At a minimum, a security breach will result in lost time and decreased productivity
while a “clean-up” effort occurs. More than likely however, the results will be much worse.
Financial losses as well as non-monetary effects will occur. For example, if an insurance
company had confidentiality breached and client information was stolen, they would lose
credibility and no longer be able to attract clients. They might also suffer legal liability such as
fines and/or penalties imposed by the regulator.

SECURITY PRINCIPLES
There are three main aspects of effective IT security: Confidentiality, Integrity, and Availability.
These principles are further discussed throughout this paper.

Confidentiality
Maintaining confidentiality is the prevention of unauthorized disclosure of information. Strict
controls must be implemented to ensure that only those persons who need access to certain
information have that access. In some situations, such as those with confidential and secret
information, people should only have access to that data which is necessary to perform their
job functions. Many computer crimes involve compromising confidentiality and stealing
information. The concept of allowing access to information or resources only to those who
need it is called access control.

The most common form of access control is the use of passwords; and the most common
form of security breach is the compromising of these passwords. Requiring strong passwords,
smart cards or single-use-password devices (tokens) is the first step in preventing unauthorized
individuals from accessing sensitive information and is the first layer of defense in access
control. Protecting these passwords is one of the most fundamental principles of IT security.

Imagine your business as a house. A system password can be likened to a front door key. No
one can enter the house without the key, but it can easily be lost, misplaced, or stolen.
Implementing a strong password policy is inexpensive, does not require technical skills and
should be taken extremely seriously. Businesses should create and implement an IT security
policy that educates employees on good password selection, use duration, and confidentiality.

Another aspect of access control is the limitation of resources available to an employee once
they have been authenticated in the corporate network. For example, the entire human
resources department might need access to employee information such as addresses and staff
ID numbers, but only certain individuals within the department need access to payroll information.

Perhaps you want to allow specific individuals to view, but not modify certain information.
This very specific, or granular, access control is another layer protecting computer-based
resources. Access control can be paralleled in our model house as well. The maid has a front
door key so she can come in and clean, but that key does not unlock the door to your home
office. Furthermore, the maid does not know the combination to the safe in the bedroom that
contains your personal and important documents.

Integrity
Integrity ensures that system information exists in the same state as that in the source
documents and has not been exposed to accidental or malicious alteration or destruction. The
consequences of using inaccurate information can be disastrous. If improperly modified, data
can become useless, or worse, dangerous. Efforts must be made to ensure the accuracy and
soundness of data at all times.

When the validity of information is critical, it is often helpful to design application controls and
checks to ensure accuracy. It may be important to ensure that information is useless if it is
stolen. This may be employed through the use of encryption software. Encryption is the
process that transforms information into some secret form to prevent unauthorized individuals
from using the data should they acquire it. This prevents interlopers from reading or modifying
the information. Encrypting hard disks is a good measure to prevent loss of confidential data
held on mobile laptop computers.

A good IT security policy will have complementary preventive and detective control processes.
The preventive controls involve the use of strong security controls, while the detective
approach includes auditing and monitoring those controls. In this approach, the preventive
control may be a properly configured system that prevents users not listed on a security
access list from entering the system and records all system access in a log. The network
administrator performs the detective component by reviewing those logs for suspicious activity
and investigating any deviations from the norm.

It is necessary to take both approaches in order to maintain effective security control. Suppose
that every time a door in our house opened, the time of the entrance and the name of the
person entering the room was recorded in a log book. Then, anytime something was missing
from a room, you could consult the book and see who was in that specific room and question them.
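The two passages above (the HR and payroll example of granular access control, and the pairing of a preventive access list with detective log review) can be made concrete in code. The Python below is an added example written for this edition, not code from the article or from IXARIS; the roles, resources, users, business hours and denial threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed access list: (role, resource) -> set of permitted actions.
# Mirrors the article's example: the whole HR department may view the staff
# directory, only payroll officers may change payroll, and an auditor may
# view payroll but not modify it.
ACCESS_LIST = {
    ("hr_staff", "employee_directory"): {"view"},
    ("payroll_officer", "employee_directory"): {"view"},
    ("payroll_officer", "payroll"): {"view", "modify"},
    ("auditor", "payroll"): {"view"},
}

# Constructed user-to-role mapping. Authentication (password, token, smart
# card) is assumed to have happened already; this is the authorisation step.
USERS = {"alice": "hr_staff", "bob": "payroll_officer", "carol": "auditor"}

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 is the constructed "norm"


def authorise(user, resource, action, when, log):
    """Preventive control: allow only what the access list grants, and record
    every attempt, allowed or denied, in the log."""
    role = USERS.get(user)                       # None for anyone not on the list
    allowed = action in ACCESS_LIST.get((role, resource), set())
    log.append({"when": when, "user": user, "resource": resource,
                "action": action, "result": "ALLOW" if allowed else "DENY"})
    return allowed


def review(log, deny_threshold=3):
    """Detective control: the administrator's log review, looking for
    deviations from the norm. Returns a list of human-readable findings."""
    findings = []
    denials = Counter(e["user"] for e in log if e["result"] == "DENY")
    for user, n in denials.items():
        if user not in USERS:
            findings.append(f"{user}: {n} attempt(s) by a user not on the access list")
        elif n >= deny_threshold:
            findings.append(f"{user}: {n} denied attempts (possible probing or misconfiguration)")
    for e in log:
        if e["result"] == "ALLOW" and e["when"].hour not in BUSINESS_HOURS:
            findings.append(f"{e['user']}: {e['action']} on {e['resource']} "
                            f"at {e['when']:%H:%M}, outside business hours")
    return findings


def demo():
    """Constructed sequence of access requests, then the log review."""
    log = []
    t = datetime(2005, 3, 1, 9, 0)
    authorise("alice", "employee_directory", "view", t, log)   # allowed
    authorise("alice", "payroll", "view", t, log)              # denied: HR staff
    authorise("carol", "payroll", "modify", t, log)            # denied: view only
    for _ in range(3):
        authorise("mallory", "payroll", "view", t, log)        # not on the list
    authorise("bob", "payroll", "modify", datetime(2005, 3, 1, 23, 30), log)  # allowed, but late
    return review(log)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The point of keeping `authorise` and `review` separate is the one the article makes: the preventive control would be silent about Mallory's repeated attempts and about Bob's legitimate but unusual late-night change, and only the log review surfaces them.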

Availability
Availability is the property of being accessible and useable upon demand by an authorized
entity. This applies not only to information, but also to networked machines and other aspects
of the technology infrastructure. The inability to access those required resources is called a
“denial of service.” Intentional attacks against computer systems often aim to disable access
to data; occasionally the aim appears to be the theft of data. These attacks are launched for
a variety of reasons including both political and economic motivations. In some cases,
electronic mail accounts are flooded with unsolicited messages, known as Spam mail, to
protest or further a cause.

Additionally, these attacks could be an integral part of a coordinated effort such as bringing
down a home banking system. Ensuring the physical security of a network or system is one
way to cover availability. By limiting physical access to critical machines or data sources, the
incidence of inaccessibility will be reduced. If contact with these resources is restricted,
accidents as well as occurrences of internal mischief will also fall. Similarly, protecting the
network electronically is important if many entry points exist, especially from a public domain
like the Internet.

For example, a firewall is a computer that resides between an internal network, or intranet, and
an external network, such as the Internet. The firewall regulates and restricts what types of data
can flow between the two networks.

Imagine that at the front of your house there is a gate with a security guard. This guard acts as
a firewall, limiting those who can enter the grounds. So, if your child lost his or her key, the
intruder who finds it could not then unlock your front door because the guard would stop them
from approaching.

Another aspect of availability ensures that needed resources are usable when and where they
are needed. Providing system redundancy, in the form of backup data, machines, and power
sources will often ensure availability. Offsite storage of critical data will allow recovery if location
security is breached. Additionally, backup servers will allow normal workflow to continue if
primary network security is breached. While these forms of security will ensure availability, it is
important to protect them from intruders and maintain confidentiality of their data.

Referring to our example, suppose that we keep copies of our important documents (i.e. birth
certificate, family heirlooms, stock certificates, deed to your house, etc.) in a vault at the bank.
In the event of flood, hurricane, or other disaster, we still have access to these papers.
Depending on your business needs, various levels of emphasis should be placed on each
security principle. There is no “one answer that fits all” in determining it.

Application of Security Principles in Electronic Transactions

Although electronic commerce is like any other existing commercial activity, there lies a difference
in that existing legal theories may no longer be applicable or may be unsuitable to resolve
e-commerce disputes. You would therefore be prudent in reviewing the potential downside of
using electronic systems and revising your strategy to address the electronic risks posed.

In all commercial transactions, communication is a key element for concluding a business
transaction (e.g. communication of offer and acceptance). Whereas, in the past, these
communications were verbally agreed, or written on paper, the state of current technology has
enabled faster and more efficient communications over larger distances in a paperless manner.
The evolution of communications from paper to faxes, telex, telephone and now the Internet
has changed the way we communicate and do business.

The electronic systems and infrastructures that support electronic commerce are susceptible to
abuse, misuse and failure in many ways. Despite the change in the physical medium of
communication, the underlying principles that enable trust in commercial transactions remain the
same. To address these risks, ensure your own protection and provide security assurance
to your customers, you must first understand the electronic commerce risks outlined below:

a) Direct financial loss resulting from fraud: A fraudulent insider or external attacker may
illegally transfer funds from one account to another or add, delete, modify or destroy
financial records;

b) Theft of valuable confidential information: An intrusion may disclose sensitive, proprietary
information (e.g. credit card numbers held on behalf of customers) to unauthorized parties
resulting in significant damage to one or more victims;

c) Loss of business opportunity through disruption of service: Deliberate attacks or
accidental events may disrupt your Internet services for long or unacceptable periods;

d) Unauthorized use of system resources: Unauthorized users may use your system or
network as a staging point for attacks on other systems or networks;

e) Loss of customer confidence or respect: The business may suffer reputational
damage as a result of actual or perceived customer inconvenience or adverse publicity
resulting from an intrusion or failure, or by intruders who masquerade as a legitimate
member of the business;

f) Costs resulting from uncertainties: Interruptions to the transaction process caused by
electronic systems failure, external or internal intrusions or improper e-business practices
result in transactions being in stasis for long periods of time. The loss of business,
reputational damage and costs of dispute resolution brought about by such uncertainties
may be substantial.

To protect yourself and provide security assurances to your customers, the risks inherent in
offering commercial services over the Internet must be mitigated. This can only be done
through the use of appropriate security countermeasures in tandem with the establishment of
essential business and legal processes. The business, technical and legal considerations are
outlined in the general headings of Business and Information Privacy Risk Management,
Transaction Risk Management, and Technology Risk Management detailed on the next page.

Business and Information Privacy Risk Management
Disclose your business and information privacy practices for e-commerce transactions and
execute transactions in accordance with disclosed practices.

E-commerce often involves transactions between strangers. Appearances can be deceiving.
How can a consumer know whether a well-constructed Web page is a front for a reliable
business that will really fill its orders for goods and services as it claims? How can a consumer
know whether the business will allow the return of goods, or whether there are product
warranties? How are customer complaints regarding the accuracy, completeness and
distribution of private customer information resolved? The anonymity of e-commerce and the
ease with which the unscrupulous can establish – and abandon – electronic identities make it
crucial that people know that those entities with which they are doing business disclose and
follow certain business practices. Without such useful information and the assurance that the
entity has a history of following such practices, consumers could face an increased risk of
loss, fraud, inconvenience, or unsatisfied expectations.

There is a fine line to be trodden in dealing with information privacy. On the one hand, you will
need certain information in order to process a customer order. On the other hand, the
customer does not want this information provided to others without customer permission. In
addition, errors can occur in your Internet customer database that the consumer should be
able to rectify as needed. Without such a process in place, decisions can be made that could
negatively impact the consumer.

To enable customer trust in conducting e-commerce through your website, it is important that
the customer is informed of your business practices for e-commerce transactions. You should
properly disclose, and adhere to, your business practices for dealing with such matters as
orders, returns, and warranty claims. You should also disclose your practices for the protection
and maintenance of private customer information along with the site’s provisions for customer
complaints.

Transaction Risk Management

Your business should maintain effective controls to provide reasonable assurance that
customers’ transactions using e-commerce are completed and billed as agreed.

Without proper controls, electronic transactions and documents can be easily changed, lost,
duplicated, and incorrectly processed. These attributes may cause the integrity of electronic
transactions and documents to be questioned, causing disputes regarding the terms of a
transaction and the related billing. Potential participants in e-commerce may seek assurance
that the entity has effective transaction integrity controls and a history of processing its
transactions accurately, completely, and promptly, and billing its customers in accordance with
agreed-upon terms.

The controls should address matters such as:
1. Transaction validation;
2. The accuracy, completeness, and timeliness of transaction processing and related billings;
3. The disclosure of terms and billing elements and, if applicable, electronic settlement; and
4. Appropriate transaction identification. Such controls are essential in helping to establish
consumer confidence in doing business electronically over the Internet.
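The four controls listed above can be exercised against a transaction record in code. The Python below is an added example written for this edition, not code from the article or from IXARIS: it attaches an integrity tag (HMAC-SHA256 under a constructed key) to each record so that alteration is detectable, requires a unique transaction identifier so that duplicates are caught, validates the required fields and amount, and derives billing only from records that passed those checks. The field names, key and sample records are assumptions.

```python
import hashlib
import hmac
import json

# Constructed signing key for this example only; a real deployment keeps it
# in a key store and rotates it.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"

REQUIRED_FIELDS = ("txn_id", "customer", "amount_cents", "currency", "description")


def canonical(record):
    """Stable byte form of a record so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record):
    """Attach an HMAC-SHA256 tag computed over the record's content."""
    tag = hmac.new(SIGNING_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify(sealed):
    """True only if the tag matches the record exactly as it now reads."""
    if "tag" not in sealed:
        return False
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sealed["tag"], expected)


class TransactionProcessor:
    """Applies the article's four controls to each incoming record."""

    def __init__(self):
        self.accepted = {}     # txn_id -> record; the only basis for billing
        self.rejections = []   # (txn_id or None, reason) for later dispute handling

    def process(self, sealed):
        txn_id = sealed.get("txn_id")
        # 1. Validation: integrity first, then content sanity.
        if not verify(sealed):
            return self._reject(txn_id, "integrity check failed (record altered or unsigned)")
        missing = [f for f in REQUIRED_FIELDS if f not in sealed]
        if missing:
            return self._reject(txn_id, "missing fields: " + ", ".join(missing))
        amount = sealed["amount_cents"]
        if not isinstance(amount, int) or amount <= 0:
            return self._reject(txn_id, "amount must be a positive integer number of cents")
        # 4. Identification: the unique id is what lets a replayed record be caught.
        if txn_id in self.accepted:
            return self._reject(txn_id, "duplicate transaction id")
        # 2. and 3. Completeness and agreed billing basis: store exactly what was validated.
        self.accepted[txn_id] = sealed
        return "accepted"

    def _reject(self, txn_id, reason):
        self.rejections.append((txn_id, reason))
        return "rejected: " + reason

    def bill(self, customer):
        """Billing derived only from accepted, integrity-checked records."""
        return sum(r["amount_cents"] for r in self.accepted.values()
                   if r["customer"] == customer)


if __name__ == "__main__":
    p = TransactionProcessor()
    order = seal({"txn_id": "T-1001", "customer": "cust-42", "amount_cents": 15900,
                  "currency": "MYR", "description": "constructed order"})
    print(p.process(order))          # accepted
    print(p.process(order))          # rejected: duplicate transaction id
    print(p.bill("cust-42"))         # 15900
```

Amounts are kept as integer cents rather than floating-point values so that the canonical form, and therefore the tag, is exact; the same record serialised twice must produce the same bytes.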

Technology Risk Management

Your business should maintain effective controls to provide reasonable assurance that private
customer information obtained as a result of e-commerce is protected from uses not related
to your business.

Consumers need assurance that they are dealing with a genuine website offering bona-fide
products and services and one that will take appropriate actions to protect their private
information. Although it is relatively easy to establish a website on the Internet, the underlying
technology can be complex and can entail a multitude of operational resilience, information
protection and related security issues. To rationalize the security measures we find in the
real ‘physical world’ against the virtual ‘Internet view’ the following table may help draw
some analogies:

Physical Security View                   Internet View

Defense in Depth – Detection
Movement/Motion Detectors                Network Intrusion Sensors
Infra-red beams                          File Monitoring
Door switches                            System Logs

Defense in Depth – Providing Delay
Fences                                   Firewalls
Locks                                    Encryption

Defense in Depth – Responding to threats
Security Guard                           Automated alarming tool with quick dial to security
                                         administrator or enforcement agent

The confidentiality of sensitive information transmitted over the Internet can be compromised.
For example, without the use of basic encryption techniques (e.g. Secure Socket Layer
Encryption-SSL, Transport Layer Security Encryption-TLS, Public Key Encryption-PKI etc.),
consumer credit card numbers can be intercepted and stolen during transmission. Without
appropriate firewalls and other security practices, confidential customer information residing on
an entity’s e-commerce computer system can be intentionally or unintentionally provided to
third parties not related to your business. Having a reliable security patch management system
is also important to ensure that your systems are up to date and secured against recently
discovered security vulnerabilities.

The type of tool used to update your system with missing patches will vary from system to
system and you should refer to your system documentation to find out where to get your
security patches (e.g. Microsoft Baseline Security Analyzer or Security Center in SP2,
PatchPro or Patch Manager Base for Solaris OS, Support Plus or Extension Software from
HPUX, AS400 Patch PTF files etc.). Be forewarned that some of these patches may be larger than
2 MB in size and should not be downloaded over the Internet unless your Internet line capacity
is sufficiently large to match your reserves of patience.

Security breaches may also include unauthorized access to corporate networks, Internet/Web
servers, and even access to the consumer’s Internet connection (for example, his or her home
computer). Consequently you should consider investing in an intrusion detection system that
will enable you to prevent, detect, monitor and recover from any potential intrusions.

There remain many websites that have not implemented intrusion detection functionality and
therefore remain in the dark when their site has been compromised. Their first indication of a
problem is only when their site has been defaced or a customer in the know informs them of
the security breach.
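The "File Monitoring" entry in the table above is the simplest way out of that darkness: a site operator who keeps a trusted record of what the web root should contain can notice a defacement before a customer does. The Python below is an added example written for this edition, not code from the article or from IXARIS. It takes a SHA-256 baseline of every file under a directory and reports what was modified, added or removed; the web root, its files and the simulated tampering in `demo()` are all constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Report differences between the trusted baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed web root; the tampering below is simulated for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.html").write_text("<h1>Welcome to our shop</h1>\n")
        (root / "contact.html").write_text("<p>Call us</p>\n")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed bytes")

        baseline = snapshot(root)        # taken while the site is known-good

        # Simulated compromise: home page replaced, an unexpected file appears,
        # a legitimate page disappears. The logo is untouched.
        (root / "index.html").write_text("<h1>This page was altered</h1>\n")
        (root / "extra.html").write_text("unexpected content\n")
        (root / "contact.html").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored somewhere the web server itself cannot write to (off the box, or on read-only media), and the comparison should run on a schedule; a baseline kept beside the content it guards can be rewritten by whoever rewrote the content.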

Furthermore, as the Internet never sleeps, you are likely to have customers coming to your site
on a 24-hour basis throughout the year. It becomes increasingly critical that the operational
resilience of your systems and processes has been sized and dimensioned to cope with the
level of demand for services with recourse to backup and recovery measures in the event of
data loss through error or malicious attacks on the systems.

Potential participants in e-commerce may seek assurance that your business has effective
information protection controls, reliability from disruption and a history of protecting private
customer information. This may be provided through independent attestations of your websites
generally termed as web assurance. As a consumer of e-services, you would also want to look
out for independent security and privacy attestations of the websites you are transacting with.

The controls required in this area are those that address operational resilience, privacy and
security matters: encryption or other protection of private customer information (such as
credit card numbers and personal and financial information) while it is transmitted to your
website over the Internet, measures to protect such information once it reaches you, and
requesting customers’ permission before using their information for purposes other than
those related to your business. You should also obtain the customer’s permission before
storing, altering, or copying information on the customer’s computer (e.g. Internet cookie or
applet information stored on the customer PC).

Further to safeguarding this private information, consumers are concerned about being able to
correct or update information provided to a site. The process by which a site allows this to
be done can greatly enhance its e-commerce activity. Consumer concern about the
safeguarding of private information traditionally has been one of the most significant deterrents
to undertaking e-commerce transactions.

CONCLUSION
Very much like Heisenberg’s theory of the atom, security is an ever changing dynamic. Every
time a new security vulnerability is exposed, or when a new business process or even a new
product is introduced, the system of security and control measures must adapt and evolve to
deal with new security threats. The law of diminishing returns also dictates that the return on
security investment (ROSI) diminishes, the greater the investment. In such a situation, the user
or enterprise needs to carefully balance their security and cost requirements and find the
balance that is right for them.

Once that is achieved, the focus on the security management processes is to quickly return
the system security and control back to its preferred protection profile to ensure a sense of
equilibrium. Only through a continuous iterative quality process can systems security be
improved and enhanced further. I would like to leave you with four thoughts that will help you
on the way to better systems security and control:
a) Have you determined what information you wish to protect, its value and who you want to
protect it from?
b) Have you determined the form in which the protection will take?
c) Is the cost of security less than the return on security investment?
d) Can your security measures be easily monitored, reported and maintained?

REFERENCES:
Soo Hoo, Kevin J. How Much Is Enough? A Risk Management Approach to Computer Security. CRISP,
Stanford University, June 2000.
Gollmann, Dieter. Computer Security. John Wiley & Sons, 1999.

Note:
All material from the above article is copyrighted by IXARIS SDN BHD. All rights reserved. Except for personal use, no
part of the article may be reproduced by any mechanical, photographic or electronic process, or in the form of an audio
recording, nor may it be stored in a retrieval system, transmitted or otherwise copied for public or private use without
written permission of the publisher and author. For information regarding permissions, send e-mail to infosec@myixaris.net

We can grant permission for any original article (not a reprint) to be photocopied for training or educational purposes. This
permission is granted with the understanding that no more than 1000 copies will be made, the material is distributed free
of charge, and that the following credit line appears on each manufactured copy.

“Used by permission of IXARIS SDN BHD, 38-4 Bangsar Utama 1, 59000 Kuala Lumpur, Malaysia.”

For any other use, advance permission must be obtained from the author at ronald.yap@myixaris.net

ONLINE/CYBER THREATS TO HOME USERS AND BUSINESS ENTITIES
DHILLON ANDREW KANNABHIRAN
CEO, HACK IN THE BOX

Dhillon Andrew Kannabhiran is Founder and Chief Executive Officer of Hack in the Box
(http://www.hackinthebox.org), a Malaysia-based network security consultancy firm.

Dhillon is also responsible for HITB’s mainsite portal and forum, collectively holding a
membership base of over 60,000 members and consuming over 35GB a month of traffic.

In 2003, Dhillon was responsible for kick-starting the Hack in the Box Security Conference
series, an international-level event that sees the gathering of the best and brightest researchers
and network security specialists from around the world. Held in Kuala Lumpur, Malaysia, the
event comprises two days of deep-knowledge security discussions and presentations and
two days of hands-on technical training sessions. In 2005, HITB will, for the first time ever, be
expanding its conference series beyond Malaysia and adding a date in Bahrain to cater to
the Middle East region.

Dhillon has been involved with computers and network security for over 10 years and has
previously written for various technical publications including CNet, ZDNet, MIS Asia and PC
World to name a few. He was most recently employed by a Malaysian Tier 2 telco as their Chief
IT Officer. However, he left in June 2004 to run and manage HITB on a full-time basis.

ONLINE/CYBER THREATS TO HOME USERS
AND BUSINESS ENTITIES
DHILLON ANDREW KANNABHIRAN

The Internet has certainly grown by leaps and bounds over the last couple of years. Where
once there was only a collection of web pages and a handful of servers, there now sits a vast
and immersive world. Today, the Internet not only serves as an information resource but also
a transport agent for rich media, streaming movies, Internet banking, e-commerce, and a slew
of new technologies promising a better connected tomorrow. Along with this advancement,
the threats of attacks to businesses and individual users have also been increasing at a rather
alarming rate.

In today’s digital age, computers are not the only devices connected to the Internet. Personal
Digital Assistants (PDAs), cellular telephones, and even household items and kitchen appliances
are becoming ‘Internet aware’. In the past it was enough to have a ‘good password’ protecting
your computer (at least 6 characters in length consisting of both numbers, letters and special
characters), today the length of your password or how complex the permutation may be
serves as little protection for one simple reason – there are ‘easier’ methods to break into a
computer than brute forcing a password.

Home users have not always been targets of the cracker. It is only in recent years that
home users have come under increasing risk, stemming mainly from the fact that in the past,
most home users were using dial-up Internet connections. As we all know, this is a narrow-
band technology which, besides being extremely slow, also employed what is known as
‘dynamic IP address allocation’. This meant that computer users connected to their Internet
Service Provider (ISP) were ‘moving targets’, being assigned a different IP each time they
connected.

Today, on the other hand, most users have high-speed Internet connections at home, either
employing cable technology or a variant of DSL. The connections in addition to boasting higher
bandwidths also tout ‘24x7, always-on connections’. As such, users are keeping their
computers on for longer, and of course connected for longer, thus increasing their chances of
being ‘probed’ by an attacker or facing an actual attack.

In many cases, these home machines are then used by intruders to launch attacks against
other organizations or are used as launching pads for Spam and other associated nasties.
Home users in particular have generally been the least prepared to defend against attacks.
Many do not employ personal firewalls, keep their machines up to date with security patches
and workarounds, do not run current anti-virus software, and do not exercise caution when
handling e-mail attachments. That being said, corporate organizations are certainly not free of
blame either. Many believe attacks and viruses are something that happens to ‘other people’.
With this false sense of security, they choose instead to take a reactive approach rather than
a proactive one when it comes to the security of their computer networks.

Although high-profile news items about computer security breaches tend to focus on sexy
external attacks, according to the FBI, about 80% of all attacks or security breaches come from
within the organization. Some are malicious, perhaps from disgruntled employees, but more often
than not, they are inadvertent, caused by well-meaning employees who fail to observe security
policies; most commonly due to not being adequately educated on the threats.

As organizations deploy extranets and accommodate home and mobile workers, they open a
series of security holes. Many a time a company will focus on putting up the best intrusion
detection systems and firewalls on their perimeter or border networks, but forget about the
security of their servers from within their network and organization believing that traffic behind
the firewall is ‘safe’.

In general, computer and information security is concerned with three main areas:

• Confidentiality – Information should be available only to those who rightfully have access
to it.

• Integrity – Information should be modified only by those who are authorized to do so.

• Availability – Information should be accessible to those who need it when they need it.

These are general concepts applied to both the home users as well as corporate users alike.
Just as you wouldn’t share your personal banking details with a stranger, you certainly wouldn’t
be agreeable to someone connecting to your computer and looking through your documents
at will. The tasks performed by you on your computer should remain confidential – regardless
of whether you’re checking your Internet bank balance or sending an e-mail message to your
loved ones, you are entitled to your privacy.

The good news about computer and network security is that there’s always a solution. The bad
news on the other hand is that it is next to impossible to be protected 100%.

Below are some of the general attacks home and business users face from day to day.

Viruses and Trojan horse programmes

The text book definition of a Trojan horse is “an apparently useful and innocent programme
containing additional hidden code which allows the unauthorized collection, exploitation,
falsification, or destruction of data.” Coupled with what has been termed as ‘social engineering’,
an attacker would attempt to trick you into running the Trojan horse which in turn would
install a ‘backdoor’ on your computer through which the attacker could enter and exit as he or
she pleases.

These backdoors can allow intruders easy access to your computer without your knowledge,
giving them full (more often than not, Administrator-level) control over your machine. On its
own, a Trojan horse merely facilitates the installation of backdoor or remote control software;
it is when a virus writer combines the functionality of a Trojan horse with that of virus duplication
and propagation that such Trojans come to be referred to as viruses.

In the past, viruses were spread through the swapping of documents and applications on
floppy disks. Today, they spread most commonly through e-mail as an attachment. In addition
to updating your anti-virus protection, it is always better to be sure you know the source of the
attachment. It is NEVER enough that the mail originated from an address you recognize. The
ILOVEYOU virus and several of its predecessors spread precisely because they originated from
a familiar address. It is also common to find malicious code distributed in amusing or enticing
programs. The Anna Kournikova virus promised naked pictures of the young tennis star, but
instead installed a Trojan horse on the computers of unsuspecting victims who were duped
into clicking on the attached file.
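The lesson of the paragraph above, that a familiar sender proves nothing and that the attachment itself must be judged, is what a mail gateway or desktop attachment filter encodes. The Python below is an added example written for this edition, not code from the article or from Hack in the Box. It screens attachment names for the tricks such viruses relied on: directly executable file types, a decoy "double extension" such as a picture name followed by a script extension, and whitespace padding that pushes the real extension off the screen. The extension lists and sample filenames are constructed assumptions, not an exhaustive policy.

```python
import re

# Constructed policy lists. EXECUTABLE_EXT holds types that Windows of the
# period runs directly when the file is opened; DECOY_EXT holds the
# harmless-looking types commonly used as the first half of a double extension.
EXECUTABLE_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta", "lnk"}
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "xls", "pdf", "mp3"}


def classify_attachment(filename):
    """Return ("block", reason) or ("allow", "") for one attachment name."""
    name = filename.strip()
    parts = name.lower().split(".")
    if len(parts) < 2:
        return ("allow", "")                       # no extension at all
    ext = parts[-1].strip()
    if ext not in EXECUTABLE_EXT:
        return ("allow", "")
    # From here on the attachment is executable; say why it is being blocked.
    if re.search(r"\s{3,}", name):
        return ("block", f"whitespace padding pushes the .{ext} extension out of view")
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXT:
        return ("block", f"double extension .{parts[-2].strip()}.{ext} disguises an executable")
    return ("block", f"executable attachment type .{ext}")


def screen_message(attachments):
    """Blocked attachments for a whole message. The sender address is
    deliberately not an input: as the article notes for ILOVEYOU, a familiar
    From: address is no evidence that the attachment is safe."""
    blocked = []
    for attachment in attachments:
        status, reason = classify_attachment(attachment)
        if status == "block":
            blocked.append((attachment, reason))
    return blocked


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ["report.doc", "holiday_photo.jpg.vbs", "setup.exe",
                 "invoice.pdf" + " " * 40 + ".exe", "README"]:
        print(repr(name), "->", classify_attachment(name))
```

A filter of this kind complements rather than replaces an anti-virus scanner: it knows nothing about file contents, but it catches the social-engineering half of the attack that a signature update may not have reached yet.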

Backdoors and Remote Administration Tools (RATs)

In the past, the three most commonly used ‘attack tools’ to gain remote access to your
computer were Back Orifice (or sometimes referred to as BO), Netbus, and SubSeven. These
backdoors or remote administration programmes, once installed, allow other people to access
and control your computer remotely.

It is somewhat interesting to note that commercial Remote Administration Tools (such as
Symantec’s PCAnywhere) which provide for stealth installation (i.e. installation without the
user’s knowledge or interaction) are not listed as a threat or a ‘backdoor’, whereas their ‘free’
and non-commercial counterparts are.

Denial of Service (DoS) Attacks


Another form of attack is called a denial-of-service (DoS) attack. A DoS typically involves
overloading a remote computer with large amounts of superfluous data. The remote machine,
having to process each and every request, ends up crashing, thus resulting in a ‘denial
of service’ or, in short, the inability of the system to serve its purpose.

It is important to note that in addition to being the target of a DoS attack, it is possible for your
computer to be used as a participant in a denial-of-service attack on another target. Attackers
will frequently use compromised computers as launching pads for attacking other systems and
networks. A DoS of this sort is called a Distributed Denial of Service Attack or DDoS.

A DDoS involves an attacker installing a ‘zombie’ or an ‘agent’ (frequently through a Trojan horse
programme) which runs on the compromised computer awaiting further instructions. Then, when
a number of zombie machines are running, a single “master” can instruct all of them to launch a
denial-of-service attack on another system. As such, the victim of the attack is not your own
computer, but someone else’s – your computer is merely a pawn in a game.
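The following Python script is an added illustration and is not part of the original article. It builds a constructed web-server access log (three ordinary clients, one single-source flood, and sixty ‘zombie’ addresses that each send only three requests) and runs two checks over every ten-second window: a per-source request count, which catches the plain DoS, and an aggregate count, which is what catches the distributed case, where no individual zombie looks abnormal. All addresses, timestamps and thresholds are made up for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# One Common Log Format line: <ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, source_ip) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")


def window_start(ts, window_seconds):
    """Floor a timestamp to the start of its fixed-size window (keeps the log's timezone)."""
    epoch = int(ts.timestamp()) // window_seconds * window_seconds
    return datetime.fromtimestamp(epoch, tz=ts.tzinfo)


def detect_floods(log_text, window_seconds=10, per_source_limit=20, aggregate_limit=100):
    """Two complementary checks per window:
    - per-source: one address sending far more than a browser would (a plain DoS);
    - aggregate:  total requests spike although no single source stands out
                  (the DDoS case, where each 'zombie' sends only a few requests).
    Returns (set of noisy source IPs, list of saturated window start times)."""
    buckets = defaultdict(Counter)
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed:
            ts, ip = parsed
            buckets[window_start(ts, window_seconds)][ip] += 1
    noisy_sources = set()
    saturated_windows = []
    for start in sorted(buckets):
        counts = buckets[start]
        noisy_sources.update(ip for ip, n in counts.items() if n > per_source_limit)
        if sum(counts.values()) > aggregate_limit:
            saturated_windows.append(start)
    return noisy_sources, saturated_windows


def build_sample_log():
    """Constructed traffic (not real data): three ordinary clients, one single-source
    flood starting at 13:55:20, and sixty 'zombies' each sending three requests at 13:55:40."""
    base = datetime(2005, 10, 10, 13, 55, 0, tzinfo=timezone(timedelta(hours=8)))

    def entry(ip, offset_seconds):
        ts = (base + timedelta(seconds=offset_seconds)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET /index.html HTTP/1.0" 200 2326'

    lines = []
    for client in range(1, 4):                      # ordinary browsing, one hit every 5 s
        lines += [entry(f"192.0.2.{client}", s) for s in range(0, 60, 5)]
    lines += [entry("203.0.113.66", 20 + i // 30) for i in range(150)]  # 30 req/s flood
    for zombie in range(1, 61):                     # DDoS: many sources, few requests each
        lines += [entry(f"198.51.100.{zombie}", 40 + k) for k in range(3)]
    return "\n".join(lines)


if __name__ == "__main__":
    noisy, windows = detect_floods(build_sample_log())
    print("single-source floods:", sorted(noisy))
    print("saturated windows:", [w.strftime("%H:%M:%S") for w in windows])
```

The per-source rule alone reports only 203.0.113.66; the zombies stay under its threshold, and only the aggregate rule flags the 13:55:40 window. In practice the thresholds would be tuned to the site’s normal traffic, and the reaction (rate limiting, upstream filtering) happens outside the log reader.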

Cross Site Scripting Attacks and Attacks Through the Web Browser
As more websites employ dynamic content and move towards database driven systems, the
humble web browser has also undergone several changes.

One increasingly common attack vector is through the use of message boards or other sites
that have been poorly designed, allowing a malicious user to attach a script or embed
instructions into a URL or a form element.

When your web browser calls up this page, not only is the legitimate code of the site you’re
visiting executed, but so too is the attacker’s script. Attacks of this sort can be used not only
to steal the login information you use for other sites (usually contained within what is known
as a browser cookie), but may also enable an attacker to gain remote control of your machine
by installing a backdoor as outlined earlier.
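As an added example (not code from the article), the Python snippet below shows the message-board rendering flaw described above next to its fix: the ‘before’ function pastes a poster’s text straight into the page, the ‘after’ function escapes it so the browser displays it as text, and a third function handles the ‘instructions embedded in a URL’ case by escaping a search term reflected from the query string. The sample posts and the crude active-content check are constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs


def render_comment_vulnerable(comment):
    """'Before': the poster's text is dropped straight into the page markup, so any tag or
    script in it becomes part of the page that the next visitor's browser executes."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment):
    """'After': characters with meaning in HTML (< > & " ') become entities, so the browser
    displays the text instead of interpreting it. html.escape with quote=True is right for
    text in the HTML body or inside a quoted attribute; other contexts (inside a <script>
    block, a URL, CSS) need their own encoding."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def render_search_results(query_string):
    """The reflected case: the search term arrives in the URL's query string and is echoed
    back into the page, escaped on the way out."""
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for <b>{html.escape(term, quote=True)}</b></p>"


# Tags and inline event handlers a message board never intends to emit for a poster.
ACTIVE_CONTENT = re.compile(r"<\s*(script|iframe|object|embed)\b|\son\w+\s*=", re.I)


def contains_active_content(markup):
    """Crude check, used only to make the difference between the two renderers visible."""
    return bool(ACTIVE_CONTENT.search(markup))


# Constructed posts: one ordinary, one carrying a script tag.
SAMPLE_POSTS = [
    "Great article, thanks!",
    "<script>alert('xss')</script>",
]


def audit(posts):
    """Return {post: (vulnerable rendering is active, safe rendering is active)}."""
    return {
        p: (contains_active_content(render_comment_vulnerable(p)),
            contains_active_content(render_comment_safe(p)))
        for p in posts
    }


if __name__ == "__main__":
    for post, (before, after) in audit(SAMPLE_POSTS).items():
        print(f"{post!r}: vulnerable={before} escaped={after}")
    print(render_search_results("q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
```

Escaping on output is the general fix for the class of bug the article describes, whether the hostile text came from a stored post or from the URL; blocking a list of known bad strings on input is not, because the browser accepts far more variants than any such list. Marking the session cookie HttpOnly additionally keeps page scripts from reading it, which blunts the cookie-theft outcome mentioned above.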

The potential for exposure is not limited to the websites you visit within your web browser:
malicious code can also be embedded into e-mail messages, newsgroup postings and
instant messages.

There have also been numerous reports of problems with client-side code that adds further
functionality to a web user’s ‘experience’. The most common forms of this client-side code are
Java, JavaScript and ActiveX. Although the code is generally useful, having ActiveX or
JavaScript functionality turned on or enabled within your browser can facilitate an intruder in
gathering information (such as which websites you visit) or in running other malicious code on
your computer. It is possible to disable Java, JavaScript and ActiveX in your web browser;
however, many choose not to, as several legitimate sites make use of them. To turn them off
would be to cripple the full experience of the site.

Phishing Attacks & E-mail Spoofing


E-mail spoofing may occur in different forms, but all have a similar result: a user receives e-
mail that appears to have originated from one source when it was actually sent from another
source. Spoofing is often used in combination with a social engineering attack in order to trick a
user into revealing potentially sensitive information (such as usernames and passwords). Attacks
of this nature have since come to be termed ‘Phishing Attacks’ (a play on the word fishing,
indicative of how an attacker would ‘bait’ potential targets).

These so-called ‘Phishing’ attacks begin with an e-mail. Appearing to come from, for example,
a bank, it leads the recipient to a convincing web page, at which point he is tricked into entering
his username and password. Of course the web page has been set up by the attacker and
does not belong to the bank at all. Once obtained, these details are used by the attacker to
log in to the user’s account and drain it of funds.

As the e-mail is sent to hundreds, if not thousands, of potential victims, only a very small
percentage of users need to fall for the scam for it to be worthwhile. The current industry trend to
counter this threat is the introduction of stronger user authentication or two-step authentication
as opposed to a single username and password.

For reasons of cost, mobility, ease of deployment and user acceptance, password-generating
tokens are the most commonly adopted technology used to thwart Phishing. These tokens supply
the user with a one-time password that is valid only for a single use. The idea is that the attacker
is thwarted since the one-time password, once obtained, has already been used or has expired.

Attacks via Instant Messaging & IRC clients


Internet chat applications, such as instant messaging applications and Internet Relay Chat
(IRC) networks, provide groups of individuals with the means to exchange dialogue, web
URLs and, in many cases, files of any type. As a result, instant messengers can
transfer worms and other malware.

Instant messaging can also provide an access point for backdoor Trojan horses. Hackers can
use instant messaging to gain backdoor access to computers without opening a listening port,
effectively bypassing desktop and perimeter firewall implementations. Furthermore, finding
victims doesn’t require scanning unknown IP addresses.

Because of the almost immediate two-way nature of communication, many users feel that the
use of instant messaging in the workplace leads to more effective and efficient workplace
communications and, therefore, to higher productivity. As a result, instant messaging is increasing
in popularity in both professional and personal applications. However, as with most things
Internet-based, the increasing use of instant messaging has led to an associated increase in
the number of security risks.

Securing instant messaging is not an easy task. One of the best ways to secure the information
being transmitted along an instant messaging network is to encrypt it. That being said,
encryption only helps in preventing information disclosure by an attacker ‘sniffing’ on a network.

How to Stay Protected


There’s no such thing as 100% security, however there are steps you can take in order to limit
your exposure to attack. These are general guidelines for both the home and business users.

1. Install a personal firewall


Unlike a full-fledged firewall, a personal firewall is an application installed on your desktop
which provides firewall-like functionality. There are several to choose from, and most offer a
‘free’ or shareware-based edition providing the most basic of firewalling capabilities.

While most corporate users do not bother with the installation of personal firewall software,
believing it to be redundant, it never hurts to be a little bit more paranoid.

2. Keep your anti-virus definitions up to date


Most anti-virus software allows for the automatic update of its virus definition files. If this
setting has not been enabled, you should turn it on immediately. If however you prefer to
do a manual update, simply use the Task Scheduler to set up a scheduled update for the
virus definitions.

3. Do not execute attachments that arrive via e-mail or instant messaging unless you are expecting them
This is a simple rule to follow, but many times even knowledgeable users end up getting
fooled into launching an attachment, only to find they’ve infected their machines. While
most corporations are choosing to block file transfers via instant messaging clients, it is
generally not a good idea to accept files or even to click on URLs sent to you. If you do
choose to transfer files in this manner, ensure that each file is scanned by your anti-virus
software prior to being executed.

4. Encrypt and password protect all files and other important documents
There are several free encryption programs you can use to protect your sensitive information
from prying eyes. The most popular choice is Pretty Good Privacy (PGP), which employs a
method of data encryption that allows people to communicate on the Internet without fear
of their private messages being read by high-tech eavesdroppers. All important documents
on a system should be encrypted and password protected for added protection.

5. Encrypt all e-mails sent


PGP also supports the encrypting of e-mails. To exchange encrypted mail with another
person, you and that person must each have created two keys: a public key and a private
key. You keep your private key secret, but you let anyone and everyone know what your public
key is. You must obtain the other party's public key. When you send a message to that
person, you encrypt your message with his or her public key. When your message is
received, your recipient decrypts it with his or her secret key. As such, only someone in
possession of the secret key which is paired with a given public key will be able to decrypt
the message.
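The public/private key exchange described in this item, carried out in a few lines of Python as an added example (this is textbook RSA written for illustration, not PGP’s code or its actual format). Alice and Bob each hold a key pair; Bob encrypts with Alice’s public key, Alice recovers the message with her private key, and Bob’s own private key, applied to the same ciphertext, yields nothing useful. The primes are fixed Mersenne primes chosen for reproducibility and are far too small to be secure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int     # published modulus
    e: int     # public exponent


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int     # secret exponent, the inverse of e modulo (p-1)(q-1)


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes: (n, e) is handed out, d is kept secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse: e*d == 1 (mod phi)
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(pub: PublicKey, message: bytes) -> int:
    """Anyone holding the public key can do this step."""
    m = int.from_bytes(message, "big")
    if m >= pub.n:
        raise ValueError("message longer than this toy key can carry")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int) -> bytes:
    """Only the matching private key turns the ciphertext back into the message."""
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Demo keys built from fixed Mersenne primes (2^19-1, 2^89-1, 2^31-1, 2^61-1):
# reproducible, but nowhere near a real key size.
ALICE_PUB, ALICE_PRIV = make_keypair(2**19 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**31 - 1, 2**61 - 1)


def exchange_demo():
    """Bob writes to Alice using her public key. Returns what Alice recovers with her
    private key and what Bob gets when he tries his own private key on the same ciphertext."""
    plaintext = b"Hello Alice"
    c = encrypt(ALICE_PUB, plaintext)
    return decrypt(ALICE_PRIV, c), decrypt(BOB_PRIV, c)


if __name__ == "__main__":
    recovered, wrong_key = exchange_demo()
    print("Alice reads:", recovered)
    print("Bob's own key yields:", wrong_key)
```

Real PGP does not apply RSA to the message itself: it encrypts the message with a fresh random symmetric key and uses the recipient’s public key only to wrap that session key, and it pads the RSA input, which this toy omits. The principle the article states is the one shown: whoever has the public key can encrypt, and only the holder of the paired private key can decrypt.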

6. Keep up to date with patches for your Operating System


Ensuring your computer is always patched and up to date is absolutely vital to the security
of your system. Windows users have the option of having their system detect updates
and download them automatically. To check for updates, users can go to
http://windowsupdate.microsoft.com.

7. Develop a security policy


Establish a corporate security policy that details your company practices and procedures
when it comes to its network security. The policy should include information relating to
password choices, validity period of passwords (in general, passwords should be
changed every 60 to 90 days) and other associated guidelines. When an employee is no
longer with the company, a policy on account removal should be drawn up to ensure
access to the network with redundant and old accounts is denied. The policy should also
outline consequences for current and former employees found tampering with or entering
the network without authorization.

8. Don’t run unnecessary services
The default installations of most operating systems leave a system vulnerable by turning
on services which the user may or may not require. As such, every network service that
isn't in use should be disabled. For example, File and Print Sharing should never be turned
on for a machine connected DIRECTLY to the Internet. Corporate system administrators
should ensure that only the tools required by employees to get their job done are
allowed on the company machines. If, for example, they do not require instant messaging
or file sharing applications, access controls should be placed at the border firewall to
block outgoing connections from these applications. By limiting the network and excluding
non-essential services, security risks can be greatly reduced.

9. Conduct your own vulnerability tests


There’s no better way to know how susceptible you are to attack than to conduct
your own penetration tests or vulnerability assessment. While it may sound daunting, there
are several easy-to-use and free security tools which can help identify key vulnerabilities
or problems within your network or computer. These are precisely the same tools attackers
would employ to find computers to compromise.

10. Read up and Learn


There are numerous books, magazines, journals and online resources offering current
insights and information relating to the latest prevention methods as well as new and
upcoming technologies. Business users should also subscribe to vulnerability and exploit
newsgroups such as Bugtraq and Full Disclosure. Just as there are new exploits and
bugs discovered in software every other day, the technology to thwart attacks is also
being actively developed. Keeping abreast of the latest threats will put you in the best
position to act on them.

Note:
To outline ALL the possible threats to home and business users in this article would simply
be impossible. As such, this document should serve more as a ‘general guide’ to bring
the reader up to speed on the overall risks inherent in being connected to the Internet.

HOME COMPUTER SECURITY – HOW TO SAFEGUARD YOUR PRIVACY AND SECURITY WHEN UTILIZING THE INTERNET
INFO-SECURITY SPECIAL INTEREST GROUP PIKOM

PIKOM Special Interest Group (SIG) on Info-Security was formed in 2002 to provide a platform
for the industry to interact and exchange information on computer information security and
related issues. The SIG formulates plans and activities that would advance the interest of this
sector and the ICT industry.

The PIKOM Info-Security SIG’s key objectives are:


• To identify issues in Info-Security
• To identify opportunities in Info-Security

This would help promote growth of the security industry in Malaysia and at the same time
support good security practices, develop codes of practice & certification and promote users’
awareness education of info-security.

The Info-Security SIG, besides looking into the industry’s development and promotion, will also
focus on national positioning and thought leadership. It will create end-user awareness, facilitate
linkages with other bodies both locally and internationally, and study international standards for
local adoption.

Membership of PIKOM Info-Security SIG is open to users and providers of security-related
products and services.

Contact Information:

PIKOM Info-Security SIG


c/o PIKOM Secretariat
1107, Block B, Phileo Damansara II
15, Jalan 16/11
46350 Petaling Jaya
Tel: 03-7955 2922
Fax: 03-7955 2933
E-mail: info@pikom.org.my
URL: www.pikom.org.my

HOME COMPUTER SECURITY – HOW TO SAFEGUARD YOUR
PRIVACY AND SECURITY WHEN UTILIZING THE INTERNET
PIKOM

ABSTRACT
While corporations spend millions every year securing their Internet-connected networks,
many home users make the mistake of thinking that they do not need to be concerned with
securing or protecting their computers. Consequently, home computers are typically not very
secure and are easy to break into. This document looks into the general aspects of home computer
security and measures you can take to improve the security of your home computer system.

INTRODUCTION
The Internet is a public network of millions of computers, all sharing information. On the
Internet, communications move back and forth across public lines and through numerous
connections. As with any public lines, eavesdropping is possible.

Online activities most common to home users are e-mails and web browsing. There are also
several things you personally can do to safeguard your home computer security and your
personal privacy, when you are on the Internet.

POSSIBLE MEASURES FOR HOME COMPUTER SECURITY


Securing your home computer is not a trivial task. The following areas should be considered
in securing home computers.

1. Use anti-virus software and keep it up to date


Anti-virus software is designed to protect your computer against known viruses, so make
sure you have it on your computer! Be sure to update your anti-virus software regularly.
Regularly download security protection update “patches”. Check your software vendors’
websites on regular basis for new security patches or use the new automated patching
features that some companies offer.

2. Secure your e-mail


Your e-mail address is a lot like your phone number. Unless you share it with others or have
it listed in a public directory, it will not be available to unknown people. Anyone you send
e-mail to will know your e-mail address. Spammers, who send junk e-mail, often pick
up e-mail addresses from newsgroups or mailing lists; therefore, if you participate in
newsgroups, you should be aware that you may be sharing your e-mail address with
spammers.

In general, try not to respond to Spam as this will let the sender know that you have an
active, valid e-mail address. Simply reading an e-mail message cannot cause a virus to
infect your computer. However, infected attachments can. Your computer could become
infected if you download an infected attachment and then open the attachment. Therefore,
do not open suspicious attachments.

3. Secure your passwords
Choose a good password. Where possible, do not use personal information that could be
guessed such as your name, phone number, names of family etc. Do use special
characters (*!$+) mixed with letters and numbers and mixed upper- and lower-case letters
– putting capitals in random locations throughout a password. Change passwords regularly
and do not give out your password to anyone.

Keep in mind that ISPs and most server administrators never ask for your password. If you
receive an e-mail that asks you for your password, even if they appear to be from someone
in authority, ignore or delete it.
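The password rules in this item, turned into a checker as an added example (not from PIKOM): it reports which rules a candidate password breaks, looks for personal information such as names and phone-number fragments inside the password, and requires the mixed character classes the item lists. The minimum length of eight and the sample names and phone number are assumptions made for the demonstration; the article gives no figure for length.

```python
import re
import string

# The four kinds of character the article asks for; '*!$+' fall under 'special'.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_password(password, personal_info=(), min_length=8):
    """Return the list of rules the candidate breaks; an empty list means it passes.
    personal_info holds whatever could be guessed about the user: names, phone numbers,
    family members' names. The length threshold is an assumption for this example."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CHARACTER_CLASSES.items():
        if not any(ch in chars for ch in password):
            problems.append(f"no {name} character")
    lowered = password.lower()
    for item in personal_info:
        # Split "03-5550 1234" or "Ahmad bin Ali" into fragments of three or more
        # letters/digits and look for each one, ignoring case.
        for fragment in re.findall(r"[A-Za-z0-9]{3,}", str(item)):
            if fragment.lower() in lowered:
                problems.append(f"contains personal information '{fragment}'")
    return problems


if __name__ == "__main__":
    # Constructed user details for the demo.
    known_about_user = ["Ahmad bin Ali", "03-5550 1234", "Siti"]
    for candidate in ["password", "Ahmad1985!", "mY-kAtak5uRt!"]:
        print(candidate, "->", check_password(candidate, known_about_user) or "acceptable")
```

A check like this belongs wherever passwords are set, so the rule is enforced rather than merely recommended; it complements, and does not replace, the advice never to hand the password to anyone who asks for it.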

4. Get the most out of your anti-virus programme


The best way to protect your computer is to install an anti-virus programme. There are
several good virus protection programmes for your consideration. Get the most out of
your anti-virus programme by running it as recommended by the provider. If it has an
automatic virus scanning feature, keep it turned on. Heed all warnings that your anti-virus
software provides. Always install the latest version of your anti-virus programme; updates
often contain information about new viruses.

5. Secure your identity


The Internet is a public ‘place’. When someone asks you for your name, phone number,
address, and other information, you should assume that they may share that information
with others. Therefore, the best way to keep your information private is to be cautious in
providing it to others.

When you visit a website, the site can tell who and where your ISP is, what site you last
visited, what browser you are using, and what pages you visit at this site. The site has no
way of knowing your name, e-mail address, postal address, or other information about you
– unless you provide that information.

A site does know your IP address – the Internet address you are currently using. This
address is normally assigned to you, temporarily, by your ISP when you connect to the
Internet. It has nothing to do with your e-mail address, and it cannot be used to locate you later.

6. Use ‘firewalls’
Firewalls create a protective wall between your computer and the outside world. They
come in two forms; software firewalls that run on your personal computer and hardware
firewalls that protect a number of computers at the same time.

They work by filtering out unauthorized or potentially dangerous types of data from the
Internet, while still allowing other (good) data to reach your computer. Firewalls also ensure
unauthorized persons cannot gain access to your computer while you are connected to
the Internet.

7. Make Backups of Important Files and Folders
As you computerize the routine aspects of your daily life, making backup copies of
important files and folders becomes critical. Back up small amounts of data on floppy disks
and larger amounts on CDs. Most people make weekly backups of all their important data.
This will spare you the pain of losing data in the future.

CONCLUSIONS
Whether your computer runs Microsoft® Windows®, Apple’s Mac OS or Linux, the security
issues are the same and will remain so as new versions of your system are released. The key
is to be aware of security-related aspects and of the measures that could be taken in order to protect
users and computers when accessing the Internet.


WHAT YOU SHOULD KNOW ABOUT CYBER CRIME AND THE MALAYSIAN CYBER LAWS
DEEPAK PILLAI
PARTNER, RAJES HISHAM PILLAI & GOPAL

Deepak Pillai is an Advocate & Solicitor of the High Court of Malaya and a partner at Rajes
Hisham Pillai & Gopal, a law firm in Kuala Lumpur. He is also a registered trademark agent.

Deepak obtained his BA(Law) from the University of Durham in 1990. He was admitted as an
Advocate and Solicitor before the High Court of Malaya in February 1994.

He heads the Information Technology & Intellectual Property law practice at Rajes Hisham Pillai
& Gopal (rhpg), where he primarily advises financial institutions, telecommunications companies
and IT companies on the structuring, drafting and negotiation of contracts related to their IT &
Internet projects as well as on the impact of new regulations relating to online content, personal
data protection and online financial services, amongst others.

Deepak was appointed by NISER (National ICT Security and Emergency Response Centre) to
serve on its Panel of Experts from 2001 to 2002. He is currently a panellist of the Kuala Lumpur
Regional Centre for Arbitration for hearing domain name disputes.

He is a member of the Society of Computers and Law (SCL) in the UK, the Computer Law
Association (CLA) in the USA, the Licensing Executives Society of Malaysia (LESM) and the
Malaysian Intellectual Property Association (MIPA). He is also a member of the Information
Technology and Cyberlaws Committee of the Malaysian Bar.

Deepak speaks frequently on legal issues pertaining to the ICT industry and has presented
papers, including on Malaysia’s proposed data protection legislation and drafting IT contracts
at the Second MSC Cyberlaw Conference, Open Source legal issues at the Third MSC
Cyberlaw Conference, on the legal issues pertinent to setting up Internet Banking at the Law
School on Internet Banking jointly organised by BNM, IBBM and the Bar Council, and on
e-commerce transactions at the 11th Malaysian Law Conference, amongst others.

WHAT YOU SHOULD KNOW ABOUT CYBER CRIME AND
THE MALAYSIAN CYBER LAWS
DEEPAK PILLAI

1. WHAT IS THE LEGAL DEFINITION OF CYBER CRIME?


There is no fixed definition of what may amount to cyber crime. As was noted by the
National ICT Security and Emergency Response Centre (‘NISER’)[1], the Oxford Reference
Online defines cyber crime as crime committed over the Internet. The Encyclopaedia
Britannica defines cyber crime as any crime that is committed by means of special
knowledge or expert use of computer technology. It also appears that the term ‘cyber
crime’ is used interchangeably with the term ‘computer crime’.[2]

The United Nations, in its ‘Manual on the Prevention and Control of Computer-Related
Crime’,[3] has noted that activities such as fraud by computer manipulation, computer forgery,
damage to or modification of computer data or programmes, unauthorised access to
computer systems and services and unauthorised reproduction of legally protected
computer programmes may amount to computer crime. The Australian Government has
also identified other activities that may amount to cyber crime, including offences
against computer data and systems, computer-related offences, content offences and
copyright offences.[4]

In Malaysia, the Computer Crimes Act 1997 (CCA), together with other acts such as the
Communications and Multimedia Act 1998, the Digital Signature Act 1997 and the
Penal Code (Act 574), provides for computer crime offences. The CCA was modelled after the
Computer Misuse Act 1990 of the United Kingdom and came into force on 1 June 2000.

2. INCIDENTS THAT MAY AMOUNT TO CYBER CRIME


Cyber crime may occur in different ways. Viruses, worms and trojans are the more popular
computer programmes that are used to commit crimes by means of computers. The following
is a non-exhaustive list of incidents which may amount to a cyber crime in Malaysia:
i) virus;
ii) trojan;
iii) adware and spyware;
iv) cookies;
v) worms;
vi) mailbombs;
vii) e-mail forgery; and
viii) spoofing.

[1] Is Cyber Crime Reigning on a No Man’s Land?, National ICT Security and Emergency Response Centre (NISER)
[2] ibid; and The State of the Law on Cyberjurisdiction and Cybercrime on the Internet, Gabriole Zeviar-Geese, California Pacific School of Law
[3] Both of the above definitions are quoted by NISER in Is Cyber Crime Reigning on a No Man’s Land?
[4] Cybercrime Definitions, Australian Government, Australian Institute of Criminology, http://www.aic.gov.au/topics/cybercrime/definitions.html

It should be noted that cyber crime is not limited to remote attacks on computers. It also
very much includes gaining unauthorised access to computers and the data stored on
them by physical means, e.g. by gaining unauthorised access to a computer and copying
information from that computer’s hard drive onto a floppy disk or a zip drive without
authorisation.

3. MALAYSIAN COMPUTER CRIMES ACT 1997


3.1 Introduction
The CCA provides for the different offences that may be committed with a computer.
The offences are:
i) accessing computer material without authorisation;
ii) accessing a computer without authorisation with the intent to commit or facilitate
the commission of further offences;
iii) modifying contents of any computer without authorisation;
iv) wrongfully communicating a number, code, password or other means of access
to a computer or person whom one is not duly authorised to communicate to; and
v) abetting in a computer crime.

3.2 Accessing computer material without authorisation


This offence is provided by Section 3 of the CCA. A person may be guilty of such
an offence if the person knowingly and without authorisation causes a computer to
perform any function to secure access to any programme or data held in any
computer. The person need not intend to direct these acts to any particular
programme or data.

If found to be guilty of such an offence, the person may be liable to a fine not
exceeding fifty thousand ringgit (RM50,000) or to imprisonment for a term not
exceeding five (5) years or to both.

For example, a person who uses viruses, trojans or spyware to gain access to the
computers or programmes of strangers may have committed an offence as provided
by Section 3 of the CCA above. Hackers using such malicious programmes are gaining
access to computers or programmes that may belong to strangers, without authorisation
from the owners of the computers or programmes.

3.3 Accessing a computer without authorisation with the intent to commit or facilitate the commission of further offences

This offence is provided by Section 4 of the CCA. A person may be guilty of such
an offence if he commits an offence as stated in paragraph 3.2 above with the intent to
commit or facilitate the commission, whether by himself or by another person, of a further
offence involving fraud or dishonesty, thereby causing harm to any person in body, mind,
reputation or property. The further offence need not be committed at the same time as the
offence of unauthorised access.

If found to be guilty of such an offence, the person may be liable to a fine not
exceeding one hundred and fifty thousand ringgit (RM150,000) or to imprisonment for
a term not exceeding ten (10) years or to both.

A person may be liable for an offence as provided by this section if the person uses
a virus, trojan, worm or spyware to commit fraud over the Internet. As such, these
malicious programmes are used to facilitate the commission of another offence that
may either involve fraud or dishonesty.

3.4 Modifying contents of any computer without authorisation


This offence is provided by Section 5 of the CCA. A person may be guilty of such
an offence if he does an act that he knows will cause unauthorised modification of the
contents of any computer. The person need not direct his act at any particular
programme or data. The unauthorised modification may be permanent or temporary.

If found to be guilty of such an offence, the person may be liable to a fine not
exceeding one hundred thousand ringgit (RM100,000) or to imprisonment for a term
not exceeding seven (7) years or to both. However, a person may be liable to a fine
not exceeding one hundred and fifty thousand ringgit (RM150,000) or to
imprisonment for a term not exceeding ten (10) years or to both if such
unauthorised modification is done with the intention to cause harm to any person
in body, mind, reputation or property.

A person may be liable for an offence as provided by this section if the person infects
other computers with malicious programmes that modify the contents of the
infected computer without the consent of the owner of the said computer. Such
malicious programmes may be viruses, spyware or worms. These programmes alter
or modify the working mechanisms of the infected computers.

3.5 Wrongfully communicating a number, code, password or other means of access to an unauthorised computer or unauthorised person
This offence is provided by Section 6 of the CCA. A person may be guilty of such
an offence if he communicates a number, a code, a password or other means of
access to a computer to any person not authorised to receive such information.

If found to be guilty of such an offence, the person may be liable to a fine not
exceeding twenty five thousand ringgit (RM25,000) or to imprisonment for a term not
exceeding three (3) years or to both.

A person may be liable for an offence as provided by this section if, for example, he is
an employee of a web-based e-mail company and he forwards customers’ passwords
to rogues intending to steal information from the e-mail company’s customers.

3.6 Abetting a computer crime
This is provided by Section 7 of the CCA. A person may be guilty of an offence if he
abets another person in the commission of any offence within the CCA.

If found to be guilty of abetting the commission of an offence, the person may be liable
to the sentence as provided for in the specific section that provides for the relevant
offence.

Following that, a person who does any act in preparation of or in furtherance to the
commission of any offence within the CCA may also be guilty of that offence within
the CCA.

3.7 Other matters provided by the CCA


The CCA also provides for other matters such as:
i) presumption;
ii) the territorial scope of the CCA;
iii) the scope of the power of the police in relation to search, seizure and arrest within
the ambit of the CCA; and
iv) obstructing a search exercise by the police.

3.7.1 Presumption
The CCA also provides the presumption that any person who has in his custody or
control any programme, data or other information held in a computer or retrieved
from any computer which he is not authorised to have in his custody or control shall
be deemed to have obtained unauthorised access to such programme, data or
information unless the contrary is proved.

Therefore, any person who is caught possessing a computer with information that
he is not authorised to have, may be guilty of an offence as stated in paragraph 3.2
above. Furthermore, any fraudster if caught with information that he is not authorised
to have may be guilty of an offence as stated in paragraph 3.3 above.

3.7.2 The territorial scope of the CCA


Section 9 of the CCA provides Malaysia with jurisdiction over any offence as
stated in the said act if the affected computer, data or programme was
in Malaysia or was capable of being connected to or sent to or used with a computer
in Malaysia at the time of the commission of the offence.

The scope of this section is wide. Perpetrators of different nationalities may also be
subjected to the provisions of the CCA. Offences committed by foreign nationals
will be dealt with as if the offence was committed in Malaysia.

48
Therefore, if in the event a foreigner is to unleash a virus unto Malaysian computer
systems, he may be guilty of committing an offence within the CCA. This is
notwithstanding that he was not physically in Malaysia when he committed the
relevant offence.

3.7.3 The power of the police in relation to search, seizure and arrest within the
ambit of the CCA
Section 10 of the CCA gives a police officer above the rank of Inspector, acting with
a warrant, the power to enter, search, seize and detain any evidence (computer
peripherals, diskettes or other related material) relevant to the suspected offence
under investigation. Such an officer may also enter, search and seize without a
warrant where he has reasonable grounds to believe that the delay in obtaining a
warrant would frustrate the object of the search and seizure. The same section also
allows such an officer to arrest any suspected perpetrator without a warrant.

3.7.4 Obstructing a search exercise by the police


Section 11 of the CCA provides that a person may also be guilty of an offence if
in the event he assaults, obstructs, hinders or delays any police officer from entering
into any premises in the execution of their duties under the CCA. If in the event a
person is guilty of such an offence, he may be liable to a fine not exceeding twenty
five thousand ringgit (RM25,000) or to imprisonment for a term not exceeding three
(3) years or to both.

4. OTHER STATUTES APPLICABLE IN COMPUTER CRIMES


Cyber crime is regulated in Malaysia by other Acts in tandem with the CCA: the
Communications and Multimedia Act 1998 (CMA), the Digital Signature Act 1997 (DSA)
and the Penal Code (Act 574) of Malaysia (PC). The following are examples of the
different types of cyber crime governed by sections of those Acts:
i) Section 415 PC, the offence of cheating;
ii) Section 467 PC, the offence of forgery of a valuable security or will;
iii) Section 471 PC, the offence of using as genuine a forged document;
iv) Section 472 PC, the offence of making or possessing a counterfeit seal, plate,
etc., with intent to commit a forgery punishable under section 467;
v) Section 234 CMA, the offence of interception and disclosure of communications;
vi) Section 236 CMA, the offence of fraud and related activity in connection with
access devices, etc.;
vii) Section 72 DSA, the offence of providing false information; and
viii) Section 74 DSA, offences committed by corporate bodies.

4.1 Section 415 PC which is for the offence of cheating
This offence may be applicable if in the event a person is to use a stolen credit card
to purchase goods online.

4.2 Section 471 PC which is for the offence of using as genuine a forged document
This section may be used together with Section 4 of the CCA (paragraph 3.3) in cases
where a person breaks into an online merchant's website using a trojan to obtain
credit card particulars, which are then used to manufacture forged credit cards with
which the person purchases goods.

4.3 Section 233 CMA which is for the offence of improper use of network facilities
or network services, etc.
A person caught carrying out a denial of service attack on a website may be liable
under this section. By sending a "ping of death" (an oversized ICMP packet), a flood of
packets from attack tools or other malicious programmes, the person has initiated a
communication to the targeted website; where this is done with intent to annoy, the
elements of the offence are made out.

4.4 Section 234 CMA which is for the offence of interception and disclosure of
communications
A person who is caught conducting a wire-tap upon any part of the telecommunications
infrastructure of Malaysia may be liable under this offence.

4.5 Section 72 DSA which is for the offence of providing false information
A person who hacks into the system of a repository, thereby gaining access to
confidential details of persons or companies using digital signatures, may be liable
under this section if he discloses any such information to another person or publishes
it on a website.

4.6 Section 74 DSA for offences committed by corporate bodies


If an employee commits any offence under the DSA in the course of his employment,
his employer, i.e. the company, may be liable to the same punishment or penalty as
the employee.

5. POWERS OF THE AUTHORITIES AND COMPUTER FORENSICS


5.1 Powers of search and seizure
The scope of the powers of search and seizure of the relevant authorities in relation
to the different computer crimes depends on the statute that provides for the specific
offence. For example, if a search is required in relation to an offence under the CMA,
the CMA itself sets out the scope and the enforcement powers of the authorities.
Under the CMA, a police officer not below the rank of Inspector, an officer of the
MCMC or a public officer authorised by the Minister of Energy, Water and
Communications of Malaysia ('the Minister') may exercise those powers.

The DSA too has certain sections dedicated to the scope and power of the
authorities when conducting search and seizure exercises. The DSA empowers the
Minister to authorise any public officer to exercise the powers of enforcement under
this Act. Following that, any police officer not below the rank of Inspector may exercise
the powers of enforcement conferred by this Act.

For offences under the PC, the scope and powers of the enforcement officers are
governed by the Criminal Procedure Code (F.M.S. Cap. 6) (CPC). A police officer of
any rank may conduct a search under the CPC, unless the search is to locate an object
that may be concealed on a person (for example, a microchip). In that case a body
search may only be conducted on persons found within the premises being searched,
in the presence of a magistrate, a Justice of the Peace or a police officer not below
the rank of Inspector.

5.2 Computer Forensics


During the search, authorised officers collect information and evidence for production
at the prosecution of the perpetrators. There are guidelines that the authorised
officers should follow in collecting and preserving that evidence.

For example, photographs are taken of the scene during the search. The suspect's
computer is not shut down in the usual way; instead the power plug is pulled, so that
the operating system's shutdown routine cannot alter or discard data on disk. The
trade-off, which current practice weighs explicitly, is that pulling the plug loses
everything held only in memory (running processes, open network connections,
unsaved data and the keys of any mounted encrypted volumes), so where a trained
examiner is present the volatile data is usually captured first. The scene is also
dusted for fingerprints; when doing so the officer must keep magnetic fingerprint
powder and its magnetic applicator away from magnetic storage media, as they can
make the stored data irretrievable.

Evidence collected at the scene is stored in a designated secure location by the
authorised officers, who must take care when packing and transporting it. Generally,
items are placed in bags that are sealed and labelled. A record of all evidence
collected, and of every person who handled it and when (the chain of custody), should
be kept so that the authenticity of the evidence cannot be questioned.

6. CCA FOR CONSUMERS AND ORGANISATIONS
The CCA and other statutes such as the DSA, CMA and PC provide a framework for
dealing with the basic cybercrime offences described above. It is recommended that
security or risk management systems take into account the requirements of the CCA
and the other Acts so as to be effective in:

i) providing assistance to authorised officers in the collection of forensic evidence;
and

ii) managing the risk from any cyber crime.

The CCA and the other Acts mentioned are tools for curbing computer crime. They are
more effective, however, when used in tandem with other tools such as good security
systems and risk management systems. Given the rate of advancement in today's
technologies, a combination of such tools is likely to be more effective in protecting
oneself from cybercrime than reliance on any one of them alone.

WHAT YOU SHOULD KNOW ABOUT DIGITAL SIGNATURE AND THE DIGITAL SIGNATURE ACT 1997

THE DIGITAL SIGNATURE ACT 1997
MCMC

A. WHY THE DIGITAL SIGNATURE ACT 1997 (DSA)?


In force since 1 October 1998, the DSA is an enabling law that supports the development
of, amongst others, e-commerce by providing an avenue for secure online transactions
through the use of digital signatures. The Act provides a framework for the licensing and
regulation of Certification Authorities and for the recognition of digital signatures.

One of the issues with conducting electronic commerce through a non-physical medium is
the verification of the identity of the parties, and the DSA addresses this issue.

Using encryption technology, it enables a certification authority to bind a digital signature
capability to a party so that the signatures produced are unique to that party alone.

B. WHAT IS DIGITAL SIGNATURE AS DEFINED BY THE ACT?


Digital Signature is defined by the Act as a transformation of a message using an asymmetric
cryptosystem such that a person having the initial message and the signer’s public key can
accurately determine whether the transformation was created using the private key that
corresponds to the signer’s public key and whether the message has been altered since the
transformation was made.

A digital signature is essentially the electronic counterpart of a conventional signature. It
is created with a pair of keys generated by an asymmetric cryptosystem, using an algorithm
or a specific series of algorithms.

The pair of keys is made up of a private key and a public key. The private key is used to
create the digital signature, while the public key is used to verify it.

C. BACKGROUND OF THE TECHNOLOGY INVOLVED


The "keys" are strings of binary data which bear a complex mathematical relationship to
each other; for a given algorithm, the longer the keys, the more secure they are.

The private key is secret and is kept by the party generating the message (the Author) while
the public key can be distributed openly to any person. The private key must be well guarded
so as to preclude the possibility of unauthorized abuse by any third party.

D. STRUCTURE OF DSA
Under the DSA, a licensed certification authority will only issue a certificate to a subscriber
upon verification of the subscriber's identity and upon satisfaction of the requirements of
Sections 29 and 30 of the DSA.

The certificate states the identity of the subscriber and his public key. The certificate,
together with the public key, is then published in a recognized repository where the public
key can be accessed by relying parties; upon receipt of a message from the subscriber, the
recipient retrieves the subscriber's certificate from the repository and verifies the digital
signature with the public key it contains.

E. THE EFFECT OF A DIGITAL SIGNATURE
The effect of the digital signature created in accordance with the DSA is the same as any other
handwritten signature, thumbprint or mark. It is legally binding. A digitally signed document will
be treated as a written document and copies of a digitally signed document are also
enforceable as an original.

F. SUBSCRIBER’S DUTIES AND LIABILITIES


The subscriber has a duty to exercise reasonable care in keeping the private key secure and
preventing its disclosure to any unauthorized person.

Upon acceptance of a certificate issued by a licensed certification authority (CA), the
subscriber makes the following implied representations:-

• the subscriber rightfully holds the private key that corresponds to the public key listed
in the certificate;

• all representations made to the CA and information listed in the certificate are true; and

• all material representations made to the CA or in the certificate, even though not confirmed
by the CA, are true.

G. CA’S DUTIES AND LIABILITIES


The following prerequisites as per Section 29 DSA must be satisfied before the issuance of a
certificate to the subscriber:
• identity of the prospective subscriber;

• if an agent is involved, the authority of the agent to request for the issuance and to hold
custody of the private key;

• the information on the certificate is accurate;

• the prospective subscriber is the rightful holder of the private key;

• the prospective subscriber holds the private key that is capable of creating a digital signature;
and

• the public key to be listed in the certificate is capable of verifying a digital signature affixed
by the private key held by the prospective subscriber.

The CA has a duty to publish a signed copy of the certificate in a recognized repository upon
acceptance by the subscriber unless there is a contract between the CA and the subscriber
stipulating otherwise.

By issuing the certificate, the CA warrants to the subscriber that there is no information in the
certificate that is known to the CA as false, the certificate satisfies all requirements of the DSA
and the CA has authority to issue the certificate.

The CA has a responsibility to the subscriber to act promptly when suspending or revoking a
certificate and to notify the subscriber within a reasonable time of any facts known to the CA
which significantly affect the validity or reliability of the certificate once it is issued.

H. LIMITATION OF LIABILITIES
The CA, the subscriber and the repository are only responsible for damages or loss that is
suffered by those who reasonably rely on the certificate.

The CA is to specify a recommended reliance limit beyond which it will not be responsible.
The CA is not liable for the following:-

• loss caused by reliance on a false or forged digital signature if the CA has complied with
the requirements of the Act;

• loss in excess of the recommended reliance limit for misrepresentation in the certificate of
a fact to be confirmed by the CA or its failure to adhere to the prerequisites for the issuance
of the certificate;

• punitive or exemplary damages; or

• pain or suffering.

CONCLUSION
The DSA is an important foundation in the conduct of electronic commerce. It does resolve,
to a large extent, the problem with the identification of the parties.
Digital Signatures if properly implemented and utilized can provide the following benefits:-

• Reliable authentication of messages;

• Retain a high degree of information security, even for information sent over open or insecure
communication channels;

• Minimize the risk of tampering or altering of messages; and

• Minimize the risk of dealing with impostors

JOSHEL WOO
DIGICERT SDN BHD

Digicert Sdn Bhd is a Malaysian Licensed Certification Authority offering ubiquitous trust
solutions and certification services. Digicert is a joint venture company between Pos Malaysia
Berhad and Mimos Berhad. Our mission is to materialise trusted and secure online electronic
transactions as recognized under the Digital Signature Act 1997 (DSA).

Contact Details:

Digicert Sdn Bhd


Contact: customercare@digicert.com.my
Website: www.digicert.com.my
Tel: 03-8996 1600

PUBLIC KEY INFRASTRUCTURE
AND DIGITAL CERTIFICATES
JOSHEL WOO

ABSTRACT
Cryptography is the study of the design of mathematical formulas (algorithms) for encryption and
decryption, intended to ensure the secrecy and/or authenticity of messages.

Encryption is the conversion of plaintext data into unintelligible data, called 'ciphertext', using
an algorithm and a secret value (the key). Decryption is the reverse: the conversion of the
unintelligible data back into a legible format. The following diagram gives an overview of
encryption for a simple message containing the word "Private".

Figure 1: Example of Encryption. Plaintext "Private" is encrypted under Key A to the
ciphertext "@Ca$1kw", which is decrypted under Key B back to the plaintext "Private".

In the diagram above, the message "Private" is encrypted with the encryption key and the
encryption algorithm to produce the unintelligible ciphertext "@Ca$1kw". The ciphertext is
then decrypted with the decryption key and the decryption algorithm to recover the original
plaintext message "Private".

Two primary means of encryption exist, based on symmetric keys (sometimes referred to as
secret key encryption) and that of asymmetric keys (sometimes referred to as public key
encryption).

1. Symmetric Key Encryption (Secret Key)


Symmetric key encryption is performed through the usage of a common ‘secret’ key, which
is only known to the transacting parties. Thus, in the example above, key A and key B
would be identical. Based on this secret key, both parties would encrypt messages to and
from each other, ensuring the confidentiality of their messages even if transmitted over
public networks (such as the Internet).

Symmetric key encryption is typically performed with publicly known and industry accepted
algorithms, such as the Data Encryption Standard (DES), Triple-DES (3DES), Rivest Cipher 4
(RC4), the International Data Encryption Algorithm (IDEA) and the Advanced Encryption
Standard (AES). As a result, the confidentiality of an encrypted message rests entirely on the
confidentiality of the secret key (the algorithm itself being public), and a compromise of the
secret key compromises every message protected with it. Of the algorithms listed, DES (with
its 56-bit key) and RC4 are no longer considered secure and have been retired from modern
protocols; AES is the current standard.

2. Asymmetric Key Encryption (Public Key)


Asymmetric key encryption, commonly known as public key encryption, uses private and
public "key pairs". Each user has a key pair comprising a private key and a public key. The
two keys are distinct but mathematically related, so that a message encrypted with one can
be decrypted only with the other. Thus, in the example of Figure 1, key A and key B are
different keys, and a message encrypted with key A can only be decrypted with key B.

In practice, confidentiality is achieved via the sharing and encryption of messages with the
public key (hence the name) with a transacting party. Where a person wishes to transmit a
message to another user, he/she must first obtain the receiver’s public key to encrypt
the message and subsequently send the encrypted message. The receiver then decrypts
the message with his/her own private key (which is kept secret), assuring that the
confidentiality of the message has been maintained.

The most widely used asymmetric key algorithm is the Rivest Shamir Adleman (RSA)
algorithm. Other asymmetric key algorithms include the ElGamal system, Merkle-Hellman
and the McEliece algorithm (the Merkle-Hellman knapsack scheme was broken in the early
1980s and is of historical interest only).

The primary difference in asymmetric key encryption (as opposed to symmetric/secret key
encryption) is that the public key used in asymmetric key encryption can be openly shared,
and compromise in this public key would not result in the compromise of message
confidentiality.

However, the safety of the private key (given knowledge of the public key) rests on
computational infeasibility, not impossibility. Because the private and public keys are
mathematically linked, computing the private key from the public key is always 'possible'
in principle; for RSA it amounts to factoring the modulus. The strength of a public key
cryptosystem lies in the time and effort this 'reverse computation' demands. With today's
computing power and an adequate key length the attempt is impractical and unrewarding,
but advances in computing have already forced key lengths upward (1024-bit RSA, common
when this was written, is no longer accepted; 2048 bits is the current minimum) and may
eventually require newer and stronger public key algorithms.
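As an added illustration (not from the article) of what this 'reverse computation' means for RSA, the code below plays the attacker: given only the public key (N, E), it factors N with Pollard's rho and recomputes the private exponent. The modulus is constructed from two hand-picked 32-bit primes so that this completes in well under a second; the same code against a 2048-bit modulus would not finish in any practical time, and that gap is the entire security margin.

```python
"""Recovering an RSA private key from the public key alone, by factoring the
modulus.  Added example, not from the article.  P and Q are two hand-picked
32-bit primes (constructed), so the attacker's view (N, E) is a 63-bit key
that Pollard's rho breaks in milliseconds; for a 2048-bit modulus the same
computation has no known feasible method, which is what 'computational
feasibility' means in the text."""
import math
import random

P, Q = 2147483647, 4294967291        # 2**31 - 1 and 2**32 - 5, both prime (constructed)
N, E = P * Q, 65537                   # this pair is all an attacker gets to see


def pollard_rho(n: int, seed: int = 1) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho, Floyd cycle-finding)."""
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)         # seeded only so the run is reproducible
    while True:
        c, x = rng.randrange(1, n), rng.randrange(2, n)
        y, d = x, 1
        while d == 1:                 # x advances one step, y two: a collision mod p shows in the gcd
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                    # d == n means the sequence cycled first; retry with new c
            return d


def factor_modulus(n: int) -> tuple:
    """Split a two-prime RSA modulus into its factors (smaller first)."""
    p = pollard_rho(n)
    return tuple(sorted((p, n // p)))


def recover_private_exponent(n: int, e: int) -> int:
    """Once p and q are known, d = e^-1 mod (p-1)(q-1) is immediate."""
    p, q = factor_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    d = recover_private_exponent(N, E)
    print("factors:", factor_modulus(N), "recovered d:", d)
    print("round trip ok:", pow(pow(42, E, N), d, N) == 42)
```

Pollard's rho needs roughly the square root of the smaller prime in steps, so doubling the size of the primes squares the work; that is why key length, not secrecy of the algorithm, is what the text's "computational feasibility" argument depends on.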

PKI INTRODUCTION
Public Key Infrastructure, or PKI, is defined as the set of hardware, software, people, policies
and procedures needed to create, manage, store, distribute and revoke Public Key Certificates
(PKCs) based on public-key cryptography [6]. To understand the basis for PKI, we must first
understand some of the key challenges in public key cryptography.

Figure 2: Public Key Message Encryption

If user Amy wishes to communicate with user Sam, Amy must first obtain Sam's public key.
Amy then encrypts her message with Sam's public key and sends the encrypted message to
Sam. Because the message has been encrypted with Sam's public key, only Sam can decrypt
it, as only Sam has access to his private key. This ensures that Amy's message reaches Sam
without compromising its confidentiality. Even if another person obtains (or has previously
obtained) Sam's public key, the encrypted message is still 'safe', as it can only be decrypted
with Sam's private key.

This, however, gives rise to a separate issue: the authenticity of the message. While the
message may be successfully sent and decrypted, how will Sam know that the message was
actually sent by Amy, and not by somebody impersonating Amy who also holds Sam's public
key (remember that the public key can be made available to anyone)? Indeed, Sam may have
dealt with other people previously and shared his public key with them.

[6] Internet Engineering Task Force (IETF) Internet X.509 Public Key Infrastructure PKIX Roadmap, Oct 1999.

The answer to this lies in the creation of a unique message signature; a digital signature that
will prove that the message was actually sent by Amy and has not been modified.
While there exists a number of methods of creating digital signatures, we shall focus our
discussion on the digital signatures created via the encryption of message digests. Such an
example is provided below.

Figure 3: Message Encryption with Digital Signatures

Before encrypting and sending the message to Sam, Amy computes a message digest (Step
5), typically with a publicly known message digest algorithm (MD5 or SHA-1 at the time of
writing; both have since been shown to be vulnerable to collisions, and SHA-256 or stronger
should be used today). Amy then encrypts the message digest with her own private key,
creating her digital signature (Step 6), and attaches it to the original message. The message
is then encrypted with Sam's public key (Step 7) and sent to Sam (Step 8). Amy must also
send Sam her own public key so that he can verify her digital signature (Step 9).

When Sam receives the message, he decrypts it with his private key (Step 11) and separates
the original message from the digital signature. Sam then computes his own message digest
of the message (Step 12), using the same algorithm as Amy. To compare it with the digest
Amy computed, Sam must have access to Amy's public key (as Amy's signature was created
with her private key). After decrypting the digital signature with Amy's public key (Step 13),
Sam compares his own digest with Amy's. If the values match, Sam can be assured that the
message has not been modified in transit.

While the example provided illustrates the use of a digital signature along with an encrypted
message, it is important to point out that digital signatures may be used in isolation of message
encryption. This is the case if message confidentiality is not required, where for example a
publicly available document is published and the only concern of a user would be as to whether
the document itself has not been modified and is accurate. The digital signature scheme can
then be applied for such a purpose.

Based on our example, a number of keys as well as extra information (such as the message
digest algorithm to be used) must be exchanged between the parties. In addition, each party
needs to be assured that he/she is dealing with the actual or intended party. While a digital
signature can assure a person that the message is authentic and has not been modified, the
signature in itself does not prove the signer's identity. A person, say Ami, could easily replace
Amy in the above example by intercepting Sam's public key, creating a new message and
signing it with his own private key. Ami can then send this message to Sam along with his
own public key, claiming to be Amy. Unless Sam knows exactly what Amy's public key is
supposed to be, Sam will not be able to tell that the message was not actually signed by Amy.
An example of such an occurrence is shown below.

Figure 4: Simple Example of Impersonation

The example above identifies a need for a 'protected' method of distributing public keys,
as well as the need to ensure that the public keys used actually belong to the person/party
intended. This is where Public Key Certificates (PKCs), commonly referred to as digital
certificates, come in.

A digital certificate is a user's information and public key stored in a digital format (based
on the X.509 v3 certificate format). To ensure that the user information in the certificate is
'authentic' and does not contain false information, the certificate itself is signed by a trusted
Certification Authority (CA). The CA's signature assures the recipient of the certificate that
the information it contains, including the public key of the certificate holder, is authentic.
As long as a user has access to the CA's public key, he/she can verify the contents of the
digital certificate.

This creates a further requirement, a secure means of distributing the CA's own certificate
(containing its public key). In practice, the certificates of common CAs are built into key
Internet applications and web browsers, and the use of Root CAs and a hierarchical model
provides some level of security over the distribution of CA certificates over the Internet.
Note that the CA's signature proves only that the CA vouched for the binding between a
name and a key; whether that name is the party the recipient intended to deal with is a
check the recipient must still make.
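The following is an added worked example (not code from the article or from Digicert) that runs the whole flow described above end to end: the Figure 3 signing and encryption steps, the Figure 4 impersonation by Ami, and the certificate check against the CA that defeats it. It also matches the DSA definition quoted in section B, since anyone holding the message and the signer's public key can tell whether the signature was made with the matching private key and whether the message was altered. Everything in it is an assumption made for illustration: the party names Amy, Sam, Ami and a single CA, 160-bit random primes (real keys are 2048 bits or more), SHA-256 as the digest, a JSON dictionary standing in for the X.509 certificate body, and the absence of any signature padding.

```python
"""Toy PKI: digest signing, public-key encryption and CA certificates with
textbook RSA from the Python standard library.  Added example, not code from
the article or from Digicert.  Primes are genuine random 160-bit primes, but
the modulus is tiny by today's standards and the signature is the bare digest
with no PKCS#1 padding, so this is teaching code only."""
import hashlib, json, math, secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin, random witnesses
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random prime with its top bit set, so p*q has at least 2*bits-1 bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def make_keypair(bits: int = 160, e: int = 65537):
    """Return (public, private) with n = p*q and d = e^-1 mod (p-1)(q-1)."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def digest(message: bytes) -> int:
    """SHA-256 digest as an integer; always below the 319-bit toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private: dict, message: bytes) -> int:
    """Figure 3 steps 5-6: hash, then apply the private key to the digest."""
    return pow(digest(message), private["d"], private["n"])

def verify(public: dict, message: bytes, signature: int) -> bool:
    """Steps 12-13: recover the digest with the public key and compare."""
    return pow(signature, public["e"], public["n"]) == digest(message)

def encrypt(public: dict, message: bytes) -> int:
    """Step 7: encrypt with the receiver's public key (toy: message must be < n)."""
    m = int.from_bytes(message, "big")
    if m >= public["n"]:
        raise ValueError("message too long for this toy modulus")
    return pow(m, public["e"], public["n"])

def decrypt(private: dict, ciphertext: int) -> bytes:
    """Step 11: only the matching private key undoes encrypt()."""
    m = pow(ciphertext, private["d"], private["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def cert_body(subject: str, public: dict) -> bytes:  # stand-in for the X.509 to-be-signed part
    return json.dumps({"subject": subject, **public}, sort_keys=True).encode()

def issue_certificate(ca_private: dict, subject: str, public: dict) -> dict:
    """The CA binds a name to a public key by signing that binding."""
    return {"subject": subject, "public": public,
            "ca_sig": sign(ca_private, cert_body(subject, public))}

def verify_certificate(ca_public: dict, cert: dict) -> bool:
    """A relying party needs only the CA's public key to check the binding."""
    return verify(ca_public, cert_body(cert["subject"], cert["public"]), cert["ca_sig"])

def accept_signed_message(ca_public, cert, expected_subject, message, signature) -> bool:
    """Sam's full check: CA signature on the certificate, the expected name, then the message."""
    return (verify_certificate(ca_public, cert) and cert["subject"] == expected_subject
            and verify(cert["public"], message, signature))

def demo() -> dict:
    """Amy signs and encrypts a message for Sam; Ami then tries to pass as Amy (Figure 4)."""
    ca_pub, ca_priv = make_keypair()
    amy_pub, amy_priv = make_keypair()
    sam_pub, sam_priv = make_keypair()
    ami_pub, ami_priv = make_keypair()
    amy_cert = issue_certificate(ca_priv, "Amy", amy_pub)
    msg = b"Private"                                         # constructed sample message
    sig = sign(amy_priv, msg)
    recovered = decrypt(sam_priv, encrypt(sam_pub, msg))
    # Ami's certificate names "Amy" but is signed with Ami's own key, not the CA's.
    ami_cert = issue_certificate(ami_priv, "Amy", ami_pub)
    ami_sig = sign(ami_priv, msg)
    return {
        "recovered": recovered,
        "genuine": accept_signed_message(ca_pub, amy_cert, "Amy", recovered, sig),
        "tampered": accept_signed_message(ca_pub, amy_cert, "Amy", b"Public", sig),
        "fooled_without_ca": verify(ami_cert["public"], msg, ami_sig),
        "impostor_rejected": not accept_signed_message(ca_pub, ami_cert, "Amy", msg, ami_sig),
    }
```

The last two results of `demo()` are the point of the section: Ami's self-issued certificate verifies perfectly against its own public key, which is all Sam can check without a CA, and it is rejected only when Sam verifies the certificate against the CA's public key and confirms that the subject name is the party he expects. Both checks are required; trust in the CA alone would accept any name the CA has certified, and a name match alone is exactly what Ami forged.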

PKI COMPONENTS
As mentioned previously, PKI is defined as the set of hardware, software, people, policies and
procedures needed to create, manage, store, distribute and revoke Public Key Certificates
(PKCs) based on public-key cryptography. The key functions of PKI as an overall infrastructure
include the following [7]:

• Certificate Registration – issuing new certificates for public keys
• Certificate Revocation – cancelling issued certificates
• Key Selection – obtaining another party's public key
• Trust Evaluation – determining the validity of certificates and the authority conferred
by the certificate

These PKI functions are performed by the following PKI components [8]:

• Certification Authorities (CAs) – issue and revoke certificates
• Registration Authorities (RAs) – vouch for the binding between public keys, certificate
holder information and other attributes
• Certificate holders – possess certificates and can sign and encrypt documents
• Clients – verify digital signatures and their certification paths through a known public
key of a trusted CA
• Repositories – store certificates and Certificate Revocation Lists (CRLs)

[7] Internet X.509 Public Key Infrastructure PKIX Roadmap
[8] RSA Frequently Asked Questions about Today's Cryptography v4.1, May 2000

USAGE OF PKI AND DIGITAL CERTIFICATES
The implementation of PKI capability into the MyKad along with the usage of Digital Certificates
will provide the following key benefits:
• Authentication
• Digital Signature and Non-repudiation
• Encryption

1. Authentication
The implementation of PKI provides a widespread means of performing user authentication. An
example of such an authentication function, through the use of a challenge-response
mechanism, is detailed below.

A simple method of authenticating a user to a system is for the system to issue a random
challenge (a fresh, unpredictable value, or nonce) to the user and require the user to apply
his/her private key to the challenge, that is, to sign it, and send the result back. The server
then applies the user's public key (taken from the user's digital certificate) to the response
and compares the result with the original challenge. (Note: there are a number of ways for
the server to obtain the user's digital certificate: the user may transmit the certificate directly
to the server, the server may hold a central copy of all certificates, or the server may retrieve
the certificate from a central/common repository.)

If the recovered value matches the server's original challenge, the server can be assured
that the user is who he/she claims to be, as only he/she has access to the private key
needed to produce the response. Two points matter in practice: the challenge must never
be reused, otherwise a captured response can simply be replayed; and because the user is
signing whatever the server sends, the key should either be dedicated to authentication or
the challenge should be bound to the protocol (for example by prefixing a fixed context
string before signing), so that a malicious server cannot obtain the user's signature on a
document of its own choosing.

Such a system for authentication could be widely implemented: for example, users on the
Internet can be authenticated to computer systems (such as a user logging into his/her
Internet banking system or logging into public databases). This could also be implemented
in entire organizations, where all employees would authenticate themselves to the computer
systems via such a method.

2. Digital Signature and Non-repudiation


People sign documents in everyday life including credit card receipts, letters, legal and
business documents. Digital signatures provide a person with a means of performing this
signature function electronically. The most common means of performing a digital signature
is through encrypting a message digest with a person’s private key (refer to our example in
the Introduction to PKI).

Through the use of digital signatures, any person will be able to verify that a digital
document or message was indeed signed by a particular person. All a person would need
to do is to obtain the signer’s digital certificate in order to verify his/her signature.

In addition, the Digital Signature Act 1997 gives digital signatures legal effect, with the
same level of assurance as a handwritten signature or thumbprint. This allows digital
signatures to be used online for formal, business and legal purposes.

3. Encryption
Confidentiality of information and privacy can be achieved via the use of encryption.
PKI provides this function via the use of the public and private keys. The introduction and
examples from the previous pages provide an illustration on the use of encryption with PKI.
Information encrypted with a person’s public key can only be decrypted with his/her
private key, ensuring the confidentiality of the information and privacy between the
transacting parties. By obtaining and encrypting the intended message with the receiver’s
public key (through the digital certificate), a person can be assured that his/her message
is kept private.

In addition, where a person wishes to ensure the secrecy of his/her own documents (such
as those that may be stored in a shared location such as a network server or Internet
server), he/she can encrypt the document with his/her own public key, thereby preventing
others from decrypting it.

PKI AND DIGITAL CERTIFICATES IN A SMART CARD BASED SCHEME


In a smart card scheme such as the MyKad, the PKI elements contained in the card must
successfully be read and used by the applications, PC and smart card readers of the PKI
components described above. The relevant interfacing standards are described in the table
below. Most of the elements described will be available from commercial vendors providing the
specific component, i.e. the smart card, the reader and the application or cryptographic library.

Function                                       Card Element                       Interfacing Standard
• Interfaces to the application requiring PKI  Cryptography library               PKCS#11 & CSP
• Interfaces to the PC                         Smart card reader driver           PC/SC
• Interfaces to the smart card                 Smart card reader                  PC/SC
• Reads data from card
• Generation of key pair(s)                    Smart card with RSA co-processor   ISO 7816 parts 1, 2, 3 and 4
• Storage of certificates

UTILIZATION OF MYKAD PKI IN THE GOVERNMENT SECTOR
This section provides some examples of the possible usage and utilization of the MyKad
PKI capabilities. While the possibilities and potential benefits of a PKI implementation are
extensive, this section gives examples in specific key areas of the MSC flagship
applications and the government sector, and is not meant to be exhaustive. The principles and
examples used in a particular area (such as secure e-mail) are very likely to be applicable in a
large number of other areas.

Online Tax Submission


One of the widest and perhaps most obvious applications of the MyKad PKI would be in
enabling online tax submissions. With the pending amendment to the Income Tax Act 1967,
taxpayers will be allowed to file their tax returns through the Internet. The application of the
MyKad in this area would include:

1. Authenticating users to the Inland Revenue Board (IRB) online systems; and
2. Digital signatures to ensure the authenticity and confidentiality of documents transmitted.

In the area of authentication, taxpayers could use their GMPC/s to authenticate themselves to
the IRB servers to access their confidential information and required forms, such as Form B
and Form J. The forms themselves would be digitally signed to provide assurances to the
public on their authenticity.

Electronic Procurement (EP)


Based on the current Electronic Procurement model, with participation of over 15,000
government offices/purchasers and over 30,000 registered vendors, the MyKad PKI can be
implemented to provide authentication, confidentiality and privacy (via encryption) and support
non-repudiation via digital signatures.

The EP system would utilize a common online authentication mechanism based on the MyKad
for both government and vendor representatives. Such an authentication mechanism would
ensure that only specific and registered users would be able to access the system, while
allowing the system to operate on the Internet. This would essentially create a private
environment in which communications and transactions between registered members are
conducted over a public network.

The flow of documentation within such an environment would require strict confidentiality and
this could be achieved via encryption mechanisms built around the MyKad. In order to ensure
that transactions are legally binding and to support non-repudiation in the EP environment, the
MyKad card would be utilized to digitally sign all formal documents and contracts. This will
enable the entire EP system to operate in a ‘paperless’ mode.

Government Office Environment (GOE)


In the area of general GOE, the primary benefit of the MyKad would be in the area of electronic
communication, filing and documentation. In addition, the use of the MyKad as a common
authentication mechanism to control access to all computer networks and systems as well as
physical access would allow a centralization and simplification of access control in the entire
environment.

Communication, reports and other documents can be encrypted and distributed over both private
and public networks in a secure manner, allowing the transmission of confidential information
between multiple offices and locations across the country to be performed over the Internet.

Where electronic filing is concerned, the digital signature from a MyKad card could overcome
one of the key issues surrounding electronic filing, which is the authenticity and integrity of
electronic documents. Documents protected with an appropriate digital signature from a MyKad
card would be able to provide assurance as to the authenticity and integrity of the documents,
providing an additional step towards a paperless office environment.

In the future, the application of a common authentication system could be extended towards
the storage of information online, in centralized public databases, where the security of access
to such systems would be built around the MyKad card.

Human Resource Management System (HRMS)


The key area of benefit for human resource workflow systems derived from PKI and the MyKad
would be in the area of encryption and secure document distribution. Confidentiality is especially
important in this area and this could be achieved through the usage of the MyKad card.

The use of encryption in such a system would allow private documents such as salary and
EPF information, promotion letters and other confidential documents to be transmitted
electronically, in a secure manner ensuring confidentiality, while digital signatures would provide
assurance as to the authenticity of such transmitted documents.

Telemedicine
In the area of Telemedicine, the MyKad PKI can be applied in all three key areas, that of
authentication, digital signatures and encryption.

In relation to the Lifetime Health Plan (LHP), secure online storage of medical records can be
achieved via authentication mechanisms built around the MyKad with secure and encrypted
data channels. This would allow access to specific information for patients and separate
access for authorized medical personnel.

The implementation of such a system could allow the private medical records of a person to
be downloaded and sent via secured e-mail to their Doctor, whom the patient is visiting for the
first time, or downloaded directly from the Internet at the clinic. Registered medical practitioners
would be able to obtain confidential patient information online in an encrypted format, based
on their authorisation, as granted by their own patients.

An online authentication mechanism can also be designed around the MyKad to assist in the
authentication of users in the Mass Customised Personalised Health Information & Education
(MCPHIE). The public could use their MyKad to access online health information specifically
tailored based on their personal profiles.

In terms of the Continuing Medical Education (CME) application, the MyKad can be used to
restrict access to specific medical knowledge bases and discussions based on an
authentication and authorisation mechanism. In addition, secure distribution of medical reports,
industry updates and other information can be achieved through the use of secure e-mail,
ensuring that information reaches the intended audience only.

Finally, in the area of Teleconsultation and peer knowledge sharing, medical practitioners could
use the MyKad to conduct secure online conferencing as well as to publish discussion papers
and contribute ideas in a private manner. All documents can be digitally signed to ensure
authenticity and to enhance the credibility of discussion-style databases.

Where medical practitioners wish to engage in direct online conferencing, this can be achieved
via mutual authentication with the MyKad digital certificates and appropriate session encryption
protocols.

Smart Schools
In line with the Smart Schools initiative, a number of MyKad-enabled solutions could be
implemented. This would include online classrooms and tutoring, online discussions, secure
distribution of courses and exam materials, as well as online examinations. Essentially, the
MyKad could provide security to initiatives that bring schools online.

An example of this would be for online classroom tutoring, where students can authenticate
themselves with a particular server providing this online service. The potential of online tutoring
can be enormous, in providing a means of education to remote locations, or areas where the
setting-up of physical schools may not be economically feasible. This would, however, be
dependent on the level of Internet penetration available as well as the widespread usage of
computers in remote areas, which may prove a greater challenge than PKI.

While online tutoring may not replace physical classrooms, at least in the near future, another
possible implementation could be for specific ‘Webcasts’ or special lectures and conferences
to be conducted online, targeting specific age groups or students. Any student wishing to
access such Webcasts would only be required to connect to the Internet and authenticate
him/herself to the server providing this service. This can extend to special broadcasts, key
topics of interest based on current industry trends as well as specific lectures/talks conducted
by Education Ministry officials and other invited speakers.

Students and teachers can also use the security features of the MyKad to participate in online
discussion and real-time communication. Among the key concerns in such an area would be
individual accountability, which could be achieved through the use of digital signatures.

Another area of possible PKI implementation would be in the area of online examinations and
submission of examination papers. Where standardized exams exist (such as UPSR, PMR and
SPM), these could be conducted online and provided to students via specific servers set up on
the Internet. The MyKad could be implemented in such an environment to provide access
security to the examinations and ensure secured transmission channels. Upon completion,
students would be able to digitally sign their submissions with their digital signature as proof of
submission and to ensure non-repudiation. Such an initiative could pave the way for common
and centrally administered examinations for all levels of education.

UTILIZATION OF MYKAD PKI IN THE PRIVATE SECTOR


A business transacting on the Internet must have the confidence that the other party is in fact
who they say they are, and they are legally capable of committing to a transaction of the size
and/or type desired. Authentication is not merely an issue of verifying mere representation by
a party but more of verifying the identity, as well as the level of authorization in performing the
transaction. Hence, the need to authenticate and verify the identity of transaction parties.

A business must be able to prove that they or their customers have sent or received a
transaction. Repudiation occurs when a user denies a specific action being performed.
A customer should never be able to repudiate a transaction that has actually occurred.
Non-repudiation requires indelible evidence that an action has occurred and there is proof that
can be shown to a third party.

Furthermore, a business must also ensure that:


• Confidentiality: a message is only viewed by the intended recipient
• Integrity: information is not tampered or altered whilst in transit

This section provides some examples of the possible usage and utilisation of the MyKad
PKI capabilities by individuals in their capacity as both customers and employees of
businesses, for three key business applications. The principles and examples used in a
particular area (such as signing and secure e-mail) are very likely to be applicable in a large
number of other areas.

Electronic Banking
In Bank Negara Malaysia’s (BNM) “Minimum Guidelines on the Provision of Internet Banking
Services by Licensed Banking Institutions”, BNM has detailed that a Bank’s security arrangements
should at minimum achieve the following objectives:
1. Data privacy and confidentiality;
2. Data integrity during both transmission and storage;
3. Authentication of communications, transactions and/or access requests;
4. Non-repudiation of communications and transactions.

BNM has advised that digital certificates issued in accordance with the Digital Signature Act
1997 should be considered by banks to address the issue of non-repudiation for high value
or important transactions, or at the request of customers. Customers, after authenticating
themselves with the Bank using the MyKad card, may:

1. Make inquiries and transact in a secure manner;
2. Sign documents and forms, such as loan applications, requests for cheques, etc., online
with their digital signatures;
3. Transact online, such as fund transfers, payments etc., with indelible evidence in the form
of digital signatures.

In addition to internal banking transactions, banks are the leading issuers of credit cards, which
remain a popular form of consumer payment and settlement. The number of credit cards in
Malaysia as at the end of March 2000 was 2.415 million with an outstanding debt of RM5.719
billion.9 The credit card debt outstanding accounts for 1.35% of the total loans outstanding in
the country and 11.41% of the total consumption credit as at the end of March 2000. In many
online merchant and B2C transactions, payment instructions online use credit cards. In
addition to authenticating a customer with GMPC/PKI, digital signing of online purchases will
give added non-repudiation of transactions and ease the payment verification required by the
bank for credit card transactions.

Electronic Broking
Under the current provisions of the Securities Industry Act and KLSE Rules and Code on
Electronic Client-Ordering System (ECOS), electronic broking consists of order-routing and
messaging only. The actual trade is still transacted with manual intervention by a dealer’s
representative. The dealer representative retains the discretion to accept or decline the order.

However, most market analyses and draft regulatory reforms anticipate that market, cost
and competitive pressures will eliminate the need for dealer representative intervention, subject
to the availability of strong authentication and non-repudiation measures.

The use of certificates will:

1. Provide added assurance that a user/client has been rigorously authenticated;
2. Address counter-party risks by providing non-repudiation and digital signatures for each
trade;
3. Provide confidentiality and privacy through encrypted sessions between the client and
the broker.

Clients, after authentication with a Broker using the GMPC/PKI, may:


1. Make inquiries and transact in a secure manner;
2. Transact online, such as purchase and sales of securities, with indelible evidence in the
form of digital signatures;
3. Make online payments, or send signed instructions, with a settling bank to pay for the
broking transactions above.

Supply Chain Portals (B2B & B2G)


A lack of trust online continues to restrict companies that want to move boldly onto the Internet.
Recent studies by the GIGA Group as well as Arthur Andersen have shown that the largest
single barrier to the growth of B2B e-business is concern about whether Web security, as it
exists today, is strong enough for transactional commerce. In order for e-business to flourish,
trading partners must have complete confidence regarding each other’s identity. Even trading
partners with existing relationships cannot know for certain, when communicating on the
Internet, whether they are dealing with an imposter or not. Businesses engaging in large
web-based transactions must be able to establish and maintain trust through each step of the
trading cycle – from initial overture right through payment and settlement. For B2B e-business
to gain acceptance, standards of identity verification and authentication have to be established,
so that procurement and financial settlements can take place in a secured environment. Although
most B2B and B2G systems will use Entity/Server-level PKI and Certificates, business transactions
must still be initiated and completed by individuals.

9 BNM Press Release – Report on Credit Card, 25 September 2000

The corresponding workflows and supporting documentation will require the use of individual
certificates for:
1. Authentication of authorised signatories/officers for transacting and messages;
2. Encryption of transaction message; and
3. Signing and non-repudiation.

Client-side certificates can also be used to assign rights, roles and privileges of the individual
within his/her respective organization. When the client-side certificates are issued by a
licensed Certification Authority, these certificates can be used to access additional business
credentials. As each transaction commences, the user is authenticated and authorised using
his/her digital certificate to determine the identity as well as level of authorisation permitted
within the employer.

Subsequently, instructions, messages and confirmations of transactions, be it ordering,
receiving or payment authorisation, must be signed by an authorised individual.

Within a supply chain portal, there exists a multitude of vendors and suppliers, many of whom
may be competitors. Hence, privacy of transactions is a major concern and the GMPC/PKI
keys can be used for transaction and message encryption.

Furthermore, payment and settlement may be transacted using the same certificate in the
electronic banking context. Note that message and transaction encryption may be addressed
with Entity/Server-level certificates.

Other Capital Market Consideration: SC/KLSE


In addition to the e-broking specific considerations, Capital Market applications include the use of:
1. Online applications for Initial Public Offerings (IPOs);
2. Online account opening for both; and
3. Online enquiry, after a user has been rigorously authenticated.

In all three scenarios, individual investors/users could use the MyKad PKI abilities to provide
the necessary authentication and digital signatures necessary to facilitate these transactions.

In its “Framework for the Implementation of Electronic Commerce in the Capital Market”, the
Securities Commission (SC) has expressed its intention to:
1. Amend provisions in the securities and futures laws to ensure they cater to both the
traditional paper-based environment and an electronic one.
2. Study the need to impose encryption or other security requirements on intermediaries’
electronic communications with their clients.
3. Study the possibility of replacing all legislative requirements for manual signatures with the
technologically neutral term “authentication”.

Furthermore, the SC has also recommended that:


1. Market intermediaries ensure the security and integrity of their data storage systems, whether
manual or electronic, by ensuring that the records required by law are created and
maintained such that they are durable and cannot be altered (integrity and possibly
non-repudiation).
2. The central depository consider providing depositors access to their securities balances
via the Internet (authentication & encryption).
3. Eventually, a pure order execution system may be the first candidate for the online opening
of accounts, provided there is a safe and secure way of authenticating the identity of the
investor.

In keeping with its stance on technological neutrality, the SC will not prescribe specific
methods, such as digital signatures. It may, however, issue policy statements to provide
guidance as to what constitutes suitable authentication. Furthermore, its upcoming Capital
Markets Master Plan has indicated that it will be aligned with existing Cyberlaws (i.e. the Digital
Signature Act 1997) as well as MSC initiatives.

CONCLUSIONS
Almost all studies conducted on the network economy and the Internet identify “security” as a
major concern for business. Like electricity and telephone infrastructures, a security infrastructure
like PKI has become an essential enabler of business objectives, be they increasing revenue,
reducing costs, meeting compliance mandates, or reducing risk. The PKI application in MyKad
would be a catalyst in generating the spread of e-commerce.

REFERENCES:
Internet Engineering Task Force (IETF) – Internet X.509 Public Key Infrastructure PKIX Roadmap, Oct 1999
RSA – Frequently Asked Questions about Today’s Cryptography v4.1, May 2000
BNM Press Release – Report on Credit Card, 25 September 2000
Securities Commission – Framework for the Implementation

YVONNE OUNG
MSC TRUSTGATE SDN BHD

MSC Trustgate.com Sdn Bhd was initiated in 1999 by Multimedia Development Corporation
(MDC) and has been licensed under the Digital Signature Act 1997 as a Certification Authority
(CA) to provide digital certification services including Digital Certificates, Public Key Infrastructure
(PKI) and cryptographic products.

Being a member of the VeriSign Trust Network, MSC Trustgate.com is perfectly positioned to
provide its clientele leading security infrastructure solutions in ASEAN and beyond.
MSCTrustgate.com leverages on proven technology and technical expertise to help companies
build a secure online web presence by encrypting communications and transactions; authenticating
the identities of individuals; offering secure online payment functions and validating transactions.
The company also provides MyKad PKI solution for the Malaysian government.

Today, MSCTrustgate.com is the fastest growing Trusted Internet Services company in the
region. For information, please visit www.msctrustgate.com.

For more information on Digital ID or MyKad PKI, please contact:

MSC Trustgate.com Sdn. Bhd. (CA Lic. No: 0022000)


Ground Floor Belatuk Block
Cyberview Garden
63000 Cyberjaya, Selangor, Malaysia

Tel: +6 03 8318 1800


Fax: +6 03 8319 1800
E-mail: marketing@msctrustgate.com

Websites:
http://www.msctrustgate.com
http://www.mykey.com.my

TRUST BUT VERIFY
YVONNE OUNG

That is the saying in diplomacy. The same applies to Internet transactions.

Imagine you are an Internet user…

• How do you ensure that the other party you communicate or transact with is who he claims
he is?

• How do you ensure that the information you send to the other party is not being
“eavesdropped” on by someone?

• How do you ensure that the information you send via the Internet is not being altered by
an intruder?

Now, imagine you are operating an Internet business that offers products or services….

• How do you verify the identity of your online visitors each time they transact with you?

• How do you give your customers peace of mind that when they transact with you, their
confidential information will be secured during transmission?

FIVE SECURITY PRINCIPLES FOR COMMERCE


For a long time, these principles have provided the basic foundation for a transaction to be carried out
by two or more parties who may not know one another, or who are in different geographical areas:

• Authentication – you must make sure you know who you are communicating with
• Privacy – all confidential information must remain confidential
• Authorization – users should not exceed their allowed authority in the system
• Integrity (of the Data) – information should not be tampered with during transmission
• Non-repudiation – the transaction must be disputable in a court of law

In the brick-and-mortar world, we use an identification card or fingerprint as a form of authentication.
We use sealed envelopes, secret codes and invisible ink to ensure confidentiality. We use locks
and keys, and deploy security guards, to control access to particular areas or sections in a
building. We initial changes in a contract, or use a third-party witness or notary, to guarantee
the integrity of a document. Lastly, to ensure that our commerce transaction can be proven in a
court of law, we get the parties involved to sign the document, we use registered mail, and we
record the time of transmission and the acceptance of receipt using date and time-stamping.

HOW DO WE APPLY THESE FIVE SECURITY PRINCIPLES TO E-COMMERCE?


Today the most common form of authentication is the use of a user ID and password.
Unfortunately, this method does not provide enough authentication or protection as required
by the five security principles of commerce. The transaction is also not disputable in the courts
of law in Malaysia.

SAY HELLO TO DIGITAL CERTIFICATE
A Digital Certificate, also commonly referred to as a Digital ID, is a form of electronic identity document
based on public/private key encryption. It provides authentication, verification, encryption and
digital signature capabilities for transactions over the Internet. It is an electronic credential that
contains your name, the certificate issuer’s name, the certificate expiration date and your public key
(used for encrypting and decrypting messages and digital signatures). Most certificates
conform to the International Telecommunication Union’s X.509 standard, but not all are
compatible across all Web browsers.

KNOW YOUR CERTIFICATION AUTHORITY


Digital certificates are issued by a Certification Authority (CA). The CA is a trusted third-party
organization that issues and manages certificates. The CA will first validate that an entity (an
organization or a person) is exactly who or what it claims to be, and then issue that entity with
a digital certificate. The certificate is then presented electronically during electronic
communication or transactions so that the two parties can trade securely without further proof of identity.

The CA operates within a Public Key Infrastructure (PKI). PKI is a structure of hardware, software,
people, processes and policies that employs digital certificate technology. The end result is
public key cryptography with a public key and a private key: messages are sent encrypted with the
receiver’s public key, and the receiver decrypts them using the private key.

The CA’s role is to ensure that electronic transactions are conducted with confidentiality, data
integrity, proper user authentication, and protection against repudiation. In Malaysia, the CA is
governed by Digital Signature Act 1997.
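To show what “trust but verify” means for a relying party in practice, here is an added example in Go (not code from the original publication or from any CA): a trusted CA certifies a constructed subject, an untrusted issuer puts the same name on a second certificate, and the verifier checks both the signature and the chain. Names, keys and the sample document are all constructed in memory.

```go
// Added example (not from the original publication): the checks a relying
// party makes before trusting a Digital ID. A bare signature check passes for
// the impostor's certificate too; only chain validation to the trusted CA
// (which also enforces expiry) tells a genuine certificate from a look-alike.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates and parses a certificate for cn. With issuer == nil it is
// self-signed by signerKey (the root CA case).
func issue(serial int64, cn string, isCA bool, pub *rsa.PublicKey,
	issuer *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0), // expiry is part of the credential
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	parent := tmpl // self-signed unless an issuer is supplied
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer != nil {
		parent = issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Sign produces an RSA PKCS#1 v1.5 signature over the SHA-256 digest of doc.
func Sign(key *rsa.PrivateKey, doc []byte) ([]byte, error) {
	d := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}

// Check answers two separate questions: does sig verify under the presented
// certificate's public key, and does that certificate chain to the CA we
// trust (which also enforces the validity period and the CA's key usage)?
func Check(trusted, cert *x509.Certificate, doc, sig []byte) (sigOK, chainOK bool) {
	d := sha256.Sum256(doc)
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	sigOK = ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return sigOK, err == nil
}

// must keeps the demo short; a real relying party would report the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Result holds the outcome for a genuine Digital ID and for an impostor's.
type Result struct{ GenuineSig, GenuineChain, ImpostorSig, ImpostorChain bool }

// DemoTrust builds the scenario from the lead-in and runs both checks on each.
func DemoTrust() Result {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	subKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rogueKey := must(rsa.GenerateKey(rand.Reader, 2048))
	impKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ca := must(issue(1, "Licensed CA (constructed)", true, &caKey.PublicKey, nil, caKey))
	sub := must(issue(2, "Ali bin Abu (constructed)", false, &subKey.PublicKey, ca, caKey))
	rogue := must(issue(3, "Untrusted issuer (constructed)", true, &rogueKey.PublicKey, nil, rogueKey))
	imp := must(issue(4, "Ali bin Abu (constructed)", false, &impKey.PublicKey, rogue, rogueKey))
	doc := []byte("Loan application form, RM 10,000 (constructed)")
	var r Result
	r.GenuineSig, r.GenuineChain = Check(ca, sub, doc, must(Sign(subKey, doc)))
	r.ImpostorSig, r.ImpostorChain = Check(ca, imp, doc, must(Sign(impKey, doc)))
	return r
}

func main() {
	fmt.Printf("%+v\n", DemoTrust())
}
```

The impostor's signature is mathematically valid under its own certificate, which is why a verifier that skips the chain check to a licensed CA is not verifying identity at all.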

DIGITAL CERTIFICATE IN ACTION


There are over 4,500 organizations and governments and 400,000 e-commerce websites
worldwide that are using Digital IDs to secure their online businesses.

Financial Institution:
Banks and brokers are using Digital IDs to give customers secure access to their accounts for
stock trading and account management. Customers can use their Digital IDs as a universal
log-on at a bank’s website for quick access to account information, without having to
memorize multiple passwords.

Telecommunications:
In the highly competitive telecommunications marketplace, it is crucial to deliver secure
and consistent connectivity to achieve a good customer experience. Telecommunications providers
are integrating Digital IDs into their service offerings to differentiate themselves from their competitors.

Public Sector:
Government must provide a secure and safe e-government environment so that the public can
have trust in dealing with them over the Internet. Digital ID helps to create a safe Internet
environment by securing critical data being transmitted electronically to and from the government
websites. It also ensures that right people are getting access to the right information.

Healthcare:
Security and privacy are critical to all institutions in the healthcare industry – from electronic
patient records to automated claims processing. Healthcare providers use Digital IDs to protect
medical information, to reduce the risk of lawsuits and to achieve compliance with applicable regulations.

Retailers:
By accepting Digital IDs at their site, a store manager can collect information about who
accesses the website and which services are most popular, or set up accounts for purchasers.
This enables them to provide relevant content on an individual basis, link Digital ID information
to order status and purchase history databases, and eliminate false orders or repudiated sales.

Publishing/Subscription Services:
Digital IDs help maximize subscription revenue by preventing multiple users from sharing a
password, and help to enhance the user experience by providing a one-step registration
process. They can also boost advertising revenue by enabling companies to present precise
demographic information about their readership to advertisers.

Services Companies:
Digital IDs give organizations the ability to provide a higher level of service because they can
identify their customers. These companies can use Digital IDs to track shipments without
having customers enter user names or tracking information, which also provides increased
efficiency and privacy.

MYKAD PKI FOR MALAYSIAN CITIZENS
In 2001, the National Registration Department introduced MyKad, a new form of national
identity card that contains a smart chip to store information such as driving licence, MEPS
cash, Touch ’n’ Go, etc. Many do not know that the new 64K MyKad is PKI-enabled. This
means you can inject the digital certificate inside MyKad and use it to securely conduct
transactions on the Internet.

In May 2004, the Inland Revenue Board (IRB) also introduced the first government-to-public
application called e-Filing. This application allows Malaysian citizens whose MyKad is PKI-
enabled to file their income tax online. The first phase of e-Filing is open to corporate
taxpayers, while the next phase will be opened to individual taxpayers.

With the click of a button, you can trigger the MyKad PKI to generate a digital signature so that you
can electronically sign your income tax form and submit it online to the IRB.


E-SECURITY AWARENESS SURVEY 2003 & 2004

INTRODUCTION

The Malaysian Communications and Multimedia Commission (MCMC) conducted the E-Security
Awareness Survey for the years 2003 and 2004.

The main aim of the survey was to create greater awareness of security issues and to promote
e-security best practices among the general public.

The survey was designed to identify and record the level of awareness and understanding of
the general public in relation to security issues.

The findings of the survey enable MCMC to design and develop relevant action plans to
educate and enhance awareness of the general public in the field of information and network
security.

E-SECURITY AWARENESS SURVEY 2003

OBJECTIVE OF THE SURVEY

The objectives of the survey are many-fold; among them are the following:

To create greater awareness of security issues for the general public

To avoid, lessen or minimize the probability of security incidences among the general public
by encouraging the usage of e-security solutions

To promote e-security best practices among general public

To educate the general public of the benefit of securing their electronic identity and access
devices

To create responsible and knowledgeable users of the Internet

To promote the usage of the Internet in a responsible manner

To gauge the level of awareness of e-security issues within consumers

SURVEY AREAS
DEMOGRAPHIC DATA
To capture age, race, sex, marital status and work status of the respondents

GENERAL KNOWLEDGE
To capture level of awareness of respondents on computer viruses, anti-virus tools, firewall,
hacking and prevention measures

PASSWORD
To capture level of awareness of respondents on password settings

INTERNET ACCESS
Questions based on the Internet usage (where and when), Internet security and Internet
commerce

DIGITAL SIGNATURE
To test the knowledge of respondents in relation to digital signature and PKI

E-SECURITY
To gauge the general level of awareness of the public on security issues

WHO RESPONDED
A total of 1,211 respondents took part in the survey in three locations in Kota Bahru (KB),
Kelantan, Kota Kinabalu (KK), Sabah and Johor Bahru (JB), Johore.

Figure 1: Respondents by Locations (chart not reproduced; total respondents: 1,211)

Figure 2: Respondents by Race and Sex

Location        KB              KK              JB              Total
Race\Sex        Male   Female   Male   Female   Male   Female
Malay           230    52       183    47       175    86       773
Chinese         35     19       50     25       92     51       272
Indian          3      2        2      2        35     14       58
Others          2      1        65     32       7      1        108
Total           270    74       300    106      309    152      1,211

Figure 3: Respondents by Work Status

Work Status\Location   KB     KK     JB     Total   %
Student                126    189    220    535     44.2
Employed               191    191    202    576     47.5
Unemployed             34     26     27     17      1.5
Self-Employed          223    128    32     83      6.8
Total                  344    406    461    1,211   100.0

Figure 4: Respondents by Age

Age\Location KB KK JB Total %

1 – 10 6 7 2 15 1.2

11 – 20 63 90 105 258 21.3

21 – 30 158 181 235 574 47.4

31 – 40 73 74 73 220 18.2

41 – 50 41 48 34 123 10.2

51 – 60 3 6 12 21 1.7

Total 344 406 461 1,211 100.0

Figure 5: Respondents by Marital Status

Marital Status\Location KB KK JB Total %

Single 198 253 325 776 64.1

Married 146 153 136 435 31.9

Total 344 406 461 1,211 100.0

ABOUT THE RESPONDENTS


Information on the individuals who responded to the 2003 survey is summarized in Figures 1 to 5.

Overall, a total of 1,211 respondents took part in the survey at the three locations. From the
total respondents, 879 respondents (72.58%) were male while 332 respondents (27.42%)
were female.

In terms of employment, 44.2% were university students and 47.5% of respondents were employed.
Only 1.5% were unemployed and 6.8% self-employed.

47.4% of respondents were aged 21–30, 21.3% were 11–20, 18.2% were 31–40, 10.2%
were 41–50 and 1.7% were 51–60. Only 1.2% of respondents were aged 1–10.

63% of the respondents were single and 31.9% married.

SURVEY ANALYSIS: EXECUTIVE SUMMARY

Observations on General Knowledge

• Approximately 97.8% of the respondents answering the survey reported that they have access
to a PC, whether at home, school, university, the office or a cyber café.

• 90.9% claimed that they know what a computer virus is and 85.5% are aware of anti-virus
software.

• However, only 84.3% of respondents reported having anti-virus software installed
on the PC that they use.

• The greatest concern among the majority of the respondents is computer viruses and being
hacked while online.

• 69.4% reported that they have experienced infection by a computer virus.

• 60.3% did not report the incident to the respective government or regulatory bodies.

• 49% reported that they do not know what a personal firewall is.

• 54.6% of the respondents did not install a personal firewall on their PC.

Observations on Passwords

• The survey found that 62.4% of respondents reported using passwords with five to eight
characters, while 24.6% use more than eight characters.

• 1.1% of respondents change their passwords daily and a further 65.2% change their
passwords once a month.

• The survey also found that the majority of the respondents are most concerned about
revealing or sharing their passwords. For that reason, 78.6% of the respondents memorise
their passwords.

• 77.7% reported that they do not share their passwords with others.

Observations on Internet Access

• A total of 76.6% respondents reported that they have access to the Internet. From the
above percentage, 49.2% claimed that they access the Internet at home while 19.8%
access the Internet at places of work (office).

• A total of 102 students use the Internet at school whereas 175 of those who are employed
use the Internet at their offices.

• From the survey, it is recorded that 28.8% of respondents spend more than 10 hours on the
Internet in a week. Only 36.6% claimed that they spend three hours a week on the Internet.

• Based on the survey, over 67% reported that they have not performed an online financial
transaction on the Internet, on either local or international websites.

• 17% feel these transactions are very safe, with less than 38% perceiving a serious security issue.

• More than 29.1% of respondents indicated they make Internet purchases from local sites,
while 15.9% make purchases from international sites.

• At least 14.3% of respondents claimed that the payment method is a reason for them to
purchase online from local websites, while 12.3% of respondents mentioned that security
is a factor that makes them purchase online from international websites.

Note: Internet dial-up penetration rate for Malaysia in 2003 is 11.4%.

The Internet dial-up penetration rate for each state in Malaysia is as follows:

Johore 9.6%
Kedah 6.3%
Kelantan 6.9%
Melaka 11.5%
Negeri Sembilan 10.5%
Pahang 6.7%
Penang 15.8%
Perak 8.0%
Perlis 8.3%
Selangor 14.2%
Terengganu 6.6%
Wilayah Persekutuan Kuala Lumpur 32.8%
Wilayah Persekutuan Labuan 17.8%
Sabah 3.6%
Sarawak 6.2%

The broadband penetration rate for Malaysia in 2003 is 0.44%.

Observations on Digital Signature

• More than 49% of the respondents do not know what a digital signature is, and only 5.9%
claimed to have a digital signature.

• 66.5% of the respondents reported that they do not know which government body
regulates the digital signature.

• 8.8% of the respondents get their digital signatures from Digicert while 7.5% get them from MSC
Trustgate. The majority are employed by companies that use digital signatures.

Observations on E-Security Awareness


• 55.2% of respondents consider themselves beginners, whereas 41% rate themselves
at the intermediate level on E-Security issues. Only 1.4% of the total respondents claimed
that they are experts in handling E-Security issues.

• 87.5% of respondents said that they have concerns on security issues when connected to
the Internet.

• More than 84% of respondents reported that there are not enough awareness campaigns on
E-Security issues, particularly for computer users at home.

KEY FINDINGS OF THE SURVEY


The following points summarize the key findings of the survey:

• Most of the respondents have access to a PC and the Internet. However, some of them do not
have anti-virus software installed on their PCs, leaving those PCs exposed to Internet
threats, e.g. worms, viruses and hackers.

• Respondents are worried about the increased threats against their computer systems.
Respondents are increasingly worried about the sophistication of computer security
breaches and their fears are valid. Even relatively low grade threats, e.g. viruses, worms and
being hacked can result in significant financial and time losses.

• Respondents are recognizing the need for awareness programmes and education.
Awareness programmes and education which address Internet, e-mail usage, firewall,
digital signature and computer system breaches can go a long way to mitigating the impact
of some of the problems related to security issues.

• Most of the IT security incidents are not reported to government bodies.

• Most of the incidents occur as a result of poor or no security awareness procedures and
could, therefore, be prevented.

CONCLUDING COMMENTS
It is imperative that agencies such as the MCMC continue to play their roles in ensuring a safe
and secure networking environment by creating greater awareness amongst users, by holding
a series of awareness programmes on e-security in the future.

FULL SURVEY RESULT
SURVEY ON GENERAL KNOWLEDGE

Q1: Do you have access to a PC?

Location KB KK JB Total %

Home 232 245 273 750 62.0

School/University 25 51 76 152 12.6

Office 81 77 105 263 21.7

Home and School/University 2 1 2 5 0.4

Home and Office 0 3 1 4 0.3

Cyber Café 4 3 2 9 0.7

All 0 0 2 2 0.2

NA 0 26 0 26 2.1

Total 344 406 461 1211 100.0

Q2: Do you know what a computer virus is?

KB KK JB Total %

Yes 308 363 430 1101 90.9

No 18 22 31 71 5.9

NA 18 21 0 39 3.2

Total 344 406 461 1211 100.0

Q3: Do you know what an anti-virus software is?

KB KK JB Total %

Yes 288 342 405 1035 85.5

No 37 42 56 135 11.1

NA 19 22 0 41 3.4

Total 344 406 461 1211 100.0

Q4: If yes, do you have an anti-virus software installed in the PC that you use?

KB KK JB Total %

Yes 285 326 410 1021 84.3

No 30 46 51 127 10.5

NA 29 34 0 63 5.2

Total 344 406 461 1211 100.0

Q5: Have you ever been infected by a computer virus?

KB KK JB Total %

Yes 540 282 319 841 69.4

No 83 99 142 324 26.8

NA 21 25 0 46 3.8

Total 344 406 461 1211 100.0

Q6: If yes, did you report the incident to anyone?

KB KK JB Total %

Yes 83 105 83 262 21.6

No 280 239 280 730 60.3

NA 98 62 98 219 18.1

Total 344 406 461 1211 100.0

Q7: If you did report the incident, to whom did you report it?

KB KK JB Total %

MCMC 60 84 65 209 17.3

ISP 59 76 68 203 16.7

Police 3 4 6 13 1.1

NA 222 242 322 786 64.9

Total 344 406 461 1211 100.0

Q8: Do you know what a personal firewall is?

KB KK JB Total %

Yes 126 158 213 497 41.0

No 187 216 190 593 49.0

NA 31 32 58 121 10.0

Total 344 406 461 1211 100.0

Q9: Do you have a personal firewall installed in your PC?

KB KK JB Total %

Yes 66 87 112 265 21.9

No 191 230 240 661 54.6

NA 87 89 109 285 23.5

Total 344 406 461 1211 100.0

Q10: Has your PC ever been hacked while you were on the Internet?

KB KK JB Total %

Yes 75 84 67 226 18.7

No 241 291 330 862 71.2

NA 28 31 64 123 10.1

Total 344 406 461 1211 100.0

SURVEY ON PASSWORDS

Q11: How many characters does your password have?

Location KB KK JB Total %

5 0 0 0 0 0.0

Less than 5 but more than 8 221 161 274 756 62.4

More than 8 91 105 102 298 24.6

NA 32 40 85 157 13.0

Total 461 406 461 1211 100.0

Q12: How often do you change your passwords?

Location KB KK JB Total %

Daily 3 6 4 13 1.1

Weekly 19 20 26 65 5.4

Monthly 225 286 279 790 65.2

NA 97 94 152 343 28.3

Total 461 406 461 1211 100.0

Q13: Where do you keep your passwords?

Location KB KK JB Total %

On Post It Notes 11 11 10 32 2.6

On Paper 15 15 12 42 13.8

Memorise it 279 334 339 952 78.6

Other (e-mail, computer, mobile phone) 1 0 3 4 0.3

NA 38 46 97 181 4.7

Total 461 406 461 1211 100.0

Q14: Do you share your passwords with others?

KB KK JB Total %

Yes 37 38 47 122 10.1

No 277 337 327 941 77.7

NA 30 31 87 148 12.2

Total 461 406 461 1211 100.0

SURVEY ON INTERNET ACCESS

Q15: Do you have access to the Internet?

KB KK JB Total %

Yes 274 323 331 928 76.6

No 43 58 39 140 11.6

NA 27 25 91 143 11.8

Total 461 406 461 1211 100.0

Q16: If yes, where do you access the Internet?

KB KK JB Total %

Home 195 216 185 596 49.2

School 18 48 54 120 1.0

Office 74 72 94 240 19.8

University 4 5 14 23 1.9

Cyber café 7 7 12 26 2.1

All 0 0 2 2 0.2

NA 46 58 100 204 16.4

Total 461 406 461 1211 100.0

Q17: How often do you surf the Internet in a week?

KB KK JB Total %

1 hour 33 42 33 108 8.9

2 hours 51 64 72 187 15.4

3 hours 134 164 145 443 36.6

More than 10 hours 126 101 118 345 28.5

NA 0 35 93 128 10.6

Total 461 406 461 1211 100.0

Q18: Have you ever purchased anything on the Internet?

KB KK JB Total %

Yes 72 82 83 237 19.6

No 238 289 287 814 67.2

NA 34 35 91 160 13.2

Total 461 406 461 1211 100.0

Q19: If yes, were you comfortable with the security when you make your purchase
on the Internet?

KB KK JB Total %

Yes 58 72 71 201 16.6

No 115 149 137 401 33.1

NA 171 185 253 609 50.3

Total 461 406 461 1211 100.0

Q20: If No, what stopped you from making your purchase on the Internet?

KB KK JB Total %

Security 135 168 165 468 38.6

Price 28 34 24 86 7.2

Payment method 85 97 101 283 23.3

Others 7 4 11 22 1.8

NA 89 103 160 352 29.1

Total 461 406 461 1211 100.0

Q21: Where did you make your Internet purchase from?

KB KK JB Total %

Local websites 104 131 117 352 29.1

International websites 45 79 69 193 15.9

NA 195 196 275 666 55.0

Total 461 406 461 1211 100.0

Q22: If from local websites, why did you make your purchase?

KB KK JB Total %

Security 31 50 52 133 11.0

Price 36 61 47 144 11.9

Payment Method 57 59 57 173 14.2

Others 3 6 4 13 1.1

NA 217 230 301 748 61.8

Total 461 406 461 1211 100.0

Q23: If from international websites, why did you make your purchase?

KB KK JB Total %

Security 38 60 51 149 12.3

Price 29 40 40 109 9.0

Payment Method 31 38 45 114 9.4

Others 4 8 8 20 1.7

NA 242 260 317 819 67.6

Total 461 406 461 1211 100.0

SURVEY ON DIGITAL SIGNATURE

Q24: Do you know what a digital signature is?

KB KK JB Total %

Yes 128 163 191 482 39.8

No 192 220 186 598 49.4

NA 24 23 84 131 10.8

Total 461 406 461 1211 100.0

Q25: Do you have a digital signature?

KB KK JB Total %

Yes 27 29 90 146 12.1

No 20 30 21 71 5.9

NA 297 347 350 994 82.0

Total 461 406 461 1211 100.0

Q26: If yes, where did you get your digital signature?

KB KK JB Total %

Digicert 32 43 32 107 8.8

MSC Trustgate 26 37 28 91 7.6

Others 2 6 2 10 0.8

NA 284 320 399 1003 82.8

Total 461 406 461 1211 100.0

Q27: Do you know which government body is the regulator of digital signature?

KB KK JB Total %

Yes 63 74 67 204 16.8

No 233 281 291 805 66.4

NA 48 51 103 202 1.8

Total 461 406 461 1211 100.0

SURVEY ON E-SECURITY

Q28: How do you rate yourself on E-Security issues?

KB KK JB Total %

Yes 128 163 191 482 39.8

No 192 220 186 598 49.4

NA 24 23 84 131 10.8

Total 461 406 461 1211 100.0

Q29: Do you consider E-Security issues a concern when you connect to the
Internet?

KB KK JB Total %

Yes 299 351 410 1060 87.5

No 27 40 51 118 0.2

NA 18 15 0 33 12.3

Total 461 406 461 1211 100.0

Q30: Do you think that there is enough awareness campaign on E-Security issues
for home computer users?

KB KK JB Total %

Yes 32 53 67 152 12.6

No 294 338 394 1026 84.7

NA 18 15 0 33 2.7

Total 461 406 461 1211 100.0

Notes:
The category “NA” includes cases where a respondent selected more than one answer, or
where the respondent did not fall within one of the other categories.

E-SECURITY AWARENESS SURVEY 2004

WHO RESPONDED
A total of 3,628 respondents took part in the survey at four locations: Kuala Lumpur (KL);
Penang; Ipoh, Perak; and Kuching, Sarawak.

Figure 1: Respondents by Locations

Total respondents: 3,628

Figure 2: Respondents by Race and Sex

Location KL Penang Ipoh Kuching Total

Race\Sex M F NA M F NA M F NA M F NA

Malay 155 160 2 372 144 7 474 223 8 200 93 19 1,857

Chinese 28 31 1 217 135 6 234 104 7 401 176 9 1,349

Indian 10 7 0 36 7 5 58 12 2 11 0 6 154

Others 11 6 0 7 11 0 16 3 0 127 86 1 268

Total 204 204 3 632 297 18 782 342 17 739 355 35 3,628

Figure 3: Respondents by Work Status

Work Status\Location KL Penang Ipoh Kuching Total %

Student 215 475 587 515 1792 49.4

Employed 154 370 396 468 1388 38.3

Unemployed 5 22 30 24 81 2.2

Self-Employed 7 22 37 13 79 2.2

NA 30 58 91 109 288 7.9

Total 411 947 1,141 1,129 3,628 100

Figure 4: Respondents by Age

Age\Location KL Penang Ipoh Kuching Total %

1 – 10 0 0 0 3 3 0.1

11 – 20 102 262 415 276 1,055 29.1

21 – 30 246 446 427 560 1,679 46.3

31 – 40 50 130 147 156 483 13.3

41 – 50 8 65 100 74 247 6.8

51 – 60 0 2 5 1 8 0.2

NA 5 42 47 59 153 4.2

Total 411 947 1,141 1,129 3,628 100

Figure 5: Respondents by Marital Status

Marital Status\Location KL Penang Ipoh Kuching Total %

Single 314 664 790 807 2,575 71

Married 87 237 287 242 853 23.5

NA 10 46 64 80 200 5.5

Total 411 947 1,141 1,129 3,628 100

ABOUT THE RESPONDENTS


Information on respondents in the 2004 survey is summarized in Figures 1 to 5.

From the total respondents, 2,357 were male (65%), 1,198 were female (33%) and 73 (2%)
did not indicate their gender.

In terms of employment, 49.4% of the respondents were students, 38.3% employed, 2.2%
unemployed, 2.2% self-employed and 7.9% did not indicate the category they are in.

46.3% of respondents are aged 21–30, 29% are aged 11–20, 13.4% are aged 31–40, 6.8% are
aged 41–50, 1.7% are aged 51–60 and 0.3% are aged 60 and above. Only 0.1% of respondents
are aged 1–10. 2.4% of the respondents did not indicate their age group.

71% of the respondents are single and 23.5% married. 5.5% of the respondents did not
indicate their marital status.

SURVEY ANALYSIS: EXECUTIVE SUMMARY


Observations on General Knowledge

• 94.6% claimed that they know what a computer virus is and 91% reported that they are
aware of anti-virus software.

• However, only 88% of respondents reported having anti-virus software installed
on the PC that they use.

• The greatest concerns among the majority of the respondents are computer viruses and
being hacked while online.

• 68.4% reported that they have experienced infection by a computer virus.

• 53.6% of the respondents did not report the incident to the respective government or
regulatory bodies.

• 44.5% reported that they did not know what a personal firewall is.

• 60.6% of the respondents did not install a personal firewall in their PC.

Observations on Passwords

• The survey found that 58.5% of respondents used passwords with five to eight characters,
while 21.6% use more than eight characters.

• 1.6% of respondents changed their passwords daily, and a further 37.5% changed their
passwords once in a month.

• The survey also found that the majority of the respondents are most concerned about
revealing or sharing their passwords. 87.7% admitted that they memorised their passwords.

• 84.3% reported that they do not share their passwords with others.

Observations on Internet Access

• A total of 85.6% respondents reported that they have access to the Internet. From the
above percentage, 59.5% claimed that they access the Internet at home while 11.4% of
respondents access the Internet at their places of work/offices.

• A total of 480 students use the Internet at school, whereas 415 of those employed use
the Internet at their offices.

• From the survey, it is recorded that 20.8% of respondents spend more than 10 hours on
the Internet in a week. Only 39.7% claimed that they spend less than five hours in a week
on the Internet.

• Based on the survey, over 76.4% reported that they have not performed an online financial
transaction on the Internet, on either a local or an international website.

• 22% feel these transactions are very safe.

• More than 34.1% of respondents indicated they make Internet purchases from local sites,
while 17.6% purchase from international sites.

• At least 11.9% of respondents claimed that the payment method is a reason for them to
purchase online from local websites, while 9.4% of respondents mentioned that security is
a factor that makes them purchase online from an international website.

Note: Internet dial-up penetration rate for Malaysia in 2004 is 12.7%.

The Internet dial-up penetration rate for each state in Malaysia is as follows:

Johore 9.9%
Kedah 6.6%
Kelantan 6.7%
Melaka 11.8%
Negeri Sembilan 10.8%
Pahang 6.3%
Penang 16.3%
Perak 8.5%
Perlis 9.3%
Selangor 14.3%
Terengganu 6.5%
Wilayah Persekutuan Kuala Lumpur 34.5%
Wilayah Persekutuan Labuan 16.2%
Sabah 4.2%
Sarawak 6.7%

The broadband penetration rate for Malaysia in 2004 is 0.98%.

Observations on Digital Signature

• More than 51% of the respondents do not know what a digital signature is and only 8.7%
claimed that they have a digital signature.

• 69.3% of the respondents reported that they do not know which government body is the
regulator of the digital signature.

• 7.4% of the respondents get their digital signatures from Digicert while 7.1% get them from MSC
Trustgate. The majority of them are employed by companies that use digital signatures.

Observations on E-Security Awareness

• 81.8% of respondents said that they are concerned with security issues when connected
to the Internet.

• More than 78% of respondents reported that there are not enough awareness campaigns on
E-Security issues, particularly for home computer users.

KEY FINDINGS OF THE SURVEY
The following points summarize the key findings of our survey:

Most of the respondents have access to a PC and the Internet
However, some of them do not have anti-virus software or personal firewalls installed on their
PCs. They risk having their PCs exposed to Internet threats, e.g. worms, viruses, spyware, etc.

Respondents are worried about the increased threats against their computer systems
Respondents are increasingly worried about the sophistication of computer security
breaches, and their fears are valid. Even relatively low grade threats, e.g. viruses, worms and
hacking, can result in significant financial and time loss.

Respondents are recognizing the need for awareness programmes and education
Awareness and education programmes that address Internet and e-mail usage, firewalls, digital
signatures and computer system breaches can go a long way to mitigating the impact of some
of the problems related to security issues.

Most of the IT security incidents are not reported to relevant bodies

Most of the incidents occur as a result of poor or no security awareness procedures
and in most instances can be prevented

CONCLUDING COMMENTS
It is imperative that agencies such as the MCMC continue to play their roles in ensuring a safe
and secure networking environment by creating greater awareness amongst users, by holding
a series of awareness programmes on e-security in the future.

FULL SURVEY RESULT
SURVEY ON GENERAL KNOWLEDGE

Q1: Do you have access to a PC?

Location KL Penang Ipoh Kuching Total %

Home 254 705 901 776 2,636 72.7

School/University 70 135 123 97 425 11.7

Office 69 83 96 103 351 9.7

Home and School/University 0 0 0 16 16 0.4

Home and Office 0 0 0 101 101 2.8

Home, School and Office 0 0 0 13 13 0.4

Home, School and Cyber Café 0 0 0 5 5 0.1

Cyber Café 5 4 6 7 22 0.6

NA 13 20 15 11 59 1.6

Total 411 947 1,141 1,129 3,628 100

Q2: Do you know what a computer virus is?

KL Penang Ipoh Kuching Total %

Yes 385 892 1,077 1,077 3,431 94.6

No 18 49 60 49 176 4.9

NA 8 6 4 3 21 0.5

Total 411 947 1,141 1,129 3,628 100

Q3: Do you know what an anti-virus software is?

KL Penang Ipoh Kuching Total %

Yes 367 868 1,010 1,056 3,301 91

No 35 72 126 69 302 8.3

NA 9 7 5 4 25 0.7

Total 411 947 1,141 1,129 3,628 100

Q4: If yes, do you know if an anti-virus software is installed on the PC that you use?

KL Penang Ipoh Kuching Total %

Yes 355 847 982 1,007 3,191 88

No 46 76 139 95 356 9.8

NA 10 24 20 27 81 2.2

Total 411 947 1,141 1,129 3,628 100

Q5: Have you ever been infected by a computer virus?

KL Penang Ipoh Kuching Total %

Yes 291 566 780 843 2,480 68.4

No 109 238 342 262 951 26.2

NA 11 143 19 24 197 5.4

Total 411 947 1,141 1,129 3,628 100

Q6: If yes, did you report the incident to anyone?

KL Penang Ipoh Kuching Total %

Yes 126 307 376 444 1,253 34.6

No 224 517 632 571 1,944 53.6

NA 61 123 133 114 431 11.8

Total 411 947 1,141 1,129 3,628 100

Q7: If you did report the incident, to whom did you report it?

KL Penang Ipoh Kuching Total %

MCMC 11 52 51 60 174 4.8

ISP 85 237 336 303 961 26.5

Police 1 3 4 6 14 0.4

Company 13 1 0 19 33 0.9

Vendor 15 15 0 49 79 2.2

NA 286 639 750 692 2,367 65.2

Total 411 947 1,141 1,129 3,628 100

Q8: Do you know what a personal firewall is?

KL Penang Ipoh Kuching Total %

Yes 197 457 559 704 1,917 52.8

No 201 455 558 401 1,615 44.5

NA 13 35 24 24 96 2.7

Total 411 947 1,141 1,129 3,628 100

Q9: Do you have a personal firewall installed in your PC?

KL Penang Ipoh Kuching Total %

Yes 95 263 346 448 1,152 31.8

No 276 583 713 625 2,197 60.5

NA 40 101 82 56 279 7.7

Total 411 947 1,141 1,129 3,628 100

SURVEY ON PASSWORD

Q10: How many characters does your password have?

KL Penang Ipoh Kuching Total %

5 47 109 140 129 425 11.7

Less than 5 but more than 8 258 558 673 635 2,124 58.6

More than 8 58 203 240 286 787 21.7

NA 48 77 88 79 292 8.0

Total 411 947 1,141 1,129 3,628 100

Q11: How often do you change your passwords?

KL Penang Ipoh Kuching Total %

Daily 3 21 15 18 57 1.6

Weekly 15 37 60 55 167 4.6

Monthly 114 353 429 465 1,361 37.5

Yearly 14 28 22 46 110 3.0

When necessary 6 0 0 18 24 0.7

Seldom/Sometimes 1 0 0 31 32 0.9

Quarterly 4 7 8 3 22 0.6

Never change 17 0 0 60 77 2.1

NA 237 501 607 433 1,778 49.0

Total 411 947 1,141 1,129 3,628 100

Q12: Where do you keep your passwords?

KL Penang Ipoh Kuching Total %

On Post It Notes 6 20 19 21 66 1.8

On Paper 9 37 40 43 129 3.6

Memorise it 355 821 1,016 989 3,181 87.7

Other (e-mail, computer, mobile phone) 2 1 1 5 9 0.2

NA 39 68 65 71 243 6.7

Total 411 947 1,141 1,129 3,628 100

Q13: Do you share your passwords with others?

KL Penang Ipoh Kuching Total %

Yes 47 122 152 140 461 12.7

No 337 793 959 969 3,058 84.3

NA 27 32 30 20 109 3

Total 411 947 1,141 1,129 3,628 100

Q14: Do you have access to the Internet?

KL Penang Ipoh Kuching Total %

Yes 343 805 965 991 3,104 85.5

No 57 123 164 126 470 13

NA 11 19 12 12 54 1.5

Total 411 947 1,141 1,129 3,628 100

Q15: If yes, where do you access the Internet?

Location KL Penang Ipoh Kuching Total %

Home 189 601 731 638 2,159 59.5

School 65 128 143 144 480 13.2

Office 83 107 113 112 415 11.4

Cyber café 16 15 39 21 91 2.6

Home, school and office 0 0 0 11 11 0.3

Home and office 1 0 0 83 84 2.3

Home and school 0 0 0 24 24 0.7

NA 57 96 115 96 364 10.0

Total 411 947 1,141 1,129 3,628 100

Q16: How often do you surf the Internet in a week?

KL Penang Ipoh Kuching Total %

1 hour 145 359 515 424 1,443 39.8

2 hours 97 271 293 320 981 27.0

3 hours 96 215 196 248 755 20.8

More than 10 hours 9 28 40 50 127 3.5

NA 64 74 97 87 322 8.9

Total 411 947 1,141 1,129 3,628 100

Q17: Have you ever purchased anything on the Internet?

KL Penang Ipoh Kuching Total %

Yes 74 177 190 319 760 20.9

No 320 738 924 788 2,770 76.4

NA 17 32 27 22 98 2.7

Total 411 947 1,141 1,129 3,628 100

Q18: If yes, were you comfortable with the security when you make your purchase
on the Internet?

KL Penang Ipoh Kuching Total %

Yes 65 199 232 302 798 22.0

No 134 419 532 468 1,553 42.8

NA 212 329 377 359 1,277 35.2

Total 411 947 1,141 1,129 3,628 100

Q19: If no, what stopped you from making your purchase on the Internet?

Location KL Penang Ipoh Kuching Total %

Security 161 419 472 404 1,456 40.1

Price 31 86 107 114 338 9.3

Payment method 112 225 301 287 925 25.5

Not interested 0 0 0 5 5 0.1

Security, price and payment 0 0 0 8 8 0.2

Security and payment 0 0 0 22 22 0.6

Price and payment 0 0 0 3 3 0.1

NA 107 217 261 286 871 24.1

Total 411 947 1,141 1,129 3,628 100

Q20: Where did you make your Internet purchase from?

KL Penang Ipoh Kuching Total %

Local websites 130 311 392 405 1,238 34.1

International websites 35 166 198 238 637 17.6

NA 246 470 551 486 1,753 48.3

Total 411 947 1,141 1,129 3,628 100

Q21: Why did you make the Internet purchase?

KL Penang Ipoh Kuching Total %

Security 18 93 123 109 343 9.5

Price 64 161 168 181 574 15.8

Payment method 44 97 133 157 431 11.9

Not interested 0 0 0 2 2 0.1

Easy/faster 1 1 0 13 15 0.4

Product not available in Malaysia 1 0 0 8 9 0.2

NA 283 595 717 659 2,254 62.1

Total 411 947 1,141 1,129 3,628 100

SURVEY ON DIGITAL SIGNATURE

Q22: Do you know what a digital signature is?

KL Penang Ipoh Kuching Total %

Yes 180 400 512 564 1,656 45.7

No 211 507 603 535 1,856 51.1

NA 20 40 26 30 116 3.2

Total 411 947 1,141 1,129 3,628 100

Q23: Do you have a digital signature?

KL Penang Ipoh Kuching Total %

Yes 30 85 93 106 314 8.7

No 361 811 1,013 980 3,165 87.2

NA 20 51 35 43 149 4.1

Total 411 947 1,141 1,129 3,628 100

Q24: If yes, where did you get your digital signature?

KL Penang Ipoh Kuching Total %

Digicert 13 57 104 95 269 7.4

MSC Trustgate 11 77 93 76 257 7.1

NA 387 813 944 958 3,102 85.5

Total 411 947 1,141 1,129 3,628 100

Q25: What do you use the digital signature for?

KL Penang Ipoh Kuching Total %

Secure my website 10 52 51 70 183 5.0

Secure my e-mail 24 92 103 116 335 9.2

Secure my Internet banking transaction 30 80 116 99 325 9.0

Secure my Internet banking transaction, file income tax online and secure my Internet trading transaction 14 27 27 33 101 2.8

Secure my e-mail and secure my Internet trading transaction 12 39 58 40 149 4.1

Secure my website, secure my e-mail, secure my Internet banking transaction, file income tax online and secure my Internet trading transaction 7 12 16 15 50 1.4

Secure my website, secure my e-mail and secure my Internet banking transaction 11 15 22 15 63 1.7

NA 303 630 748 741 2,422 66.8

Total 411 947 1,141 1,129 3,628 100

Q26: Do you know which government body is the regulator of digital signature?

KL Penang Ipoh Kuching Total %

Yes 79 179 221 202 681 18.8

No 285 640 801 789 2,515 69.3

NA 47 128 119 138 432 11.9

Total 411 947 1,141 1,129 3,628 100

Q27: Do you have a MyKad?

KL Penang Ipoh Kuching Total %

Yes 254 627 808 807 2,496 68.8

No 136 283 308 289 1,016 28.0

NA 21 37 25 33 116 3.2

Total 411 947 1,141 1,129 3,628 100

Q28: Do you know that MyKad is PKI-enabled?

KL Penang Ipoh Kuching Total %

Yes 146 366 512 462 1,486 41.0

No 244 526 590 628 1,988 54.8

NA 21 55 39 39 154 4.2

Total 411 947 1,141 1,129 3,628 100

Q29: Are you aware that you can file income tax online using MyKad?

KL Penang Ipoh Kuching Total %

Yes 106 282 433 336 1,157 31.9

No 281 611 671 750 2,313 63.8

NA 24 54 37 43 158 4.3

Total 411 947 1,141 1,129 3,628 100

Q30: Have you applied for digital certificate for your MyKad?

KL Penang Ipoh Kuching Total %

Yes 30 79 108 99 316 8.7

No 346 811 992 972 3,121 86.0

NA 35 57 41 58 191 5.3

Total 411 947 1,141 1,129 3,628 100

Q31: If yes, where did you get your MyKad PKI-enabled?

KL Penang Ipoh Kuching Total %

Digicert/Ivest 23 109 150 131 413 11.4

MSC Trustgate 36 135 184 149 504 13.9

NA 352 703 807 849 2,711 74.7

Total 411 947 1,141 1,129 3,628 100

Q32: If no, do you plan to PKI-enable your MyKad?

KL Penang Ipoh Kuching Total %

Yes 260 529 665 680 2,134 58.8

No 84 265 351 325 1,025 28.2

NA 67 153 125 124 469 13.0

Total 411 947 1,141 1,129 3,628 100

SURVEY ON E-SECURITY

Q33: Do you consider E-Security issues a concern when you connect to the
Internet?

KL Penang Ipoh Kuching Total %

Yes 245 746 1,005 970 2,966 81.8

No 130 141 108 126 505 13.9

NA 36 60 28 33 157 4.3

Total 411 947 1,141 1,129 3,628 100

Q34: Do you think that there is enough awareness campaign on E-Security issues
for home computer users?

KL Penang Ipoh Kuching Total %

Yes 58 136 227 237 658 18.1

No 333 758 887 861 2,839 78.3

NA 20 53 27 31 131 3.6

Total 411 947 1,141 1,129 3,628 100

Notes:
The category “NA” includes cases where a respondent selected more than one answer, or
where the respondent did not fall within one of the other categories.

MORE SPECIFIC INFORMATION FOR BUSINESSES

INCIDENCE RESPONSE AND HANDLING FOR EVERYONE
MOHAMED SHAFRI HATTA
NISER, AUTHOR

Mohamed Shafri Hatta graduated from Universiti Utara Malaysia (UUM), Sintok, Kedah Darul
Aman, in 1998 with a Bachelor of Information Technology (BIT) with Honours, majoring in networking.
Mohamed Shafri is also GIAC Security Essentials Certified (a certification issued by the SANS
Institute, USA). He is also an EC-Council Certified Ethical Hacker (CEH) and is pursuing the Cisco
Certified Network Associate (CCNA) certification.

In February 2001, he joined the National ICT Security and Emergency Response Centre (NISER), where
he worked with the Malaysian Computer Emergency Response Team (MyCERT), one of the
pillars under NISER. His main task is first- and second-level support for MyCERT. His other
tasks include network security audits and network and system penetration testing. He has given
more than 10 presentations for NISER and MyCERT at seminars, conferences and training sessions since
2002. He is currently the Network Security Analyst for NISER, and his fields of expertise are
Incident Handling and Network Security.

ORGANIZATION

NISER (National ICT Security and Emergency Response Centre) was formed by the National
Information Technology Council (NITC). The agency began its operation in November 2000
and was officially launched on 10 April 2001. NISER has been specifically tasked to support
the nation’s ICT security and cyber defense initiatives to avert potential intrusions and unlawful
cyber actions that could threaten the nation’s critical infrastructure.

NISER also deals with computer abuses and information security breaches through the
Malaysian Computer Emergency Response Team (MyCERT). MyCERT, which was established
in 1997, is a national incident response centre responsible for rapid response to problem
identification and solutions implementation.

NISER functions through collaboration with organisations from both the private and public sectors,
including the Internet communities, to continuously identify possible gaps that could be
detrimental to national security. It believes in this collaborative model as it recognises that no
organisation can champion and resolve ICT security issues single-handedly.

In performing its tasks, NISER is guided by the following principles: to maintain technical
competency, to pursue proactive action, to harness collaborative effort, to remain neutral and
impartial and to be a not-for-profit organisation.

INCIDENT RESPONSE AND HANDLING FOR EVERYONE
MOHAMED SHAFRI HATTA

ABSTRACT
Hacking, cracking and now hacktivism are fast becoming a serious threat to inter-networking.
ISPs and companies whose businesses depend on network availability are faced with a new
challenge greater than recovering from service hiccups: defending against and recovering
from attacks.

Denial of Service attacks, intrusion and domain rerouting are major threats to Internet
services. Despite the many technologies such as firewalls and intrusion detection systems, the
human element is required in Incident Response, to ensure the responsiveness and effectiveness
of the technology. NISER will share some of the major requirements in running an effective
Incident Response Team, now a necessity in operating and maintaining any network.

INTRODUCTION
What is an Incident?
The term “incident” refers to an adverse event in an information system, and/or network, or the
threat of the occurrence of such an event. An incident can be defined as any activity that
interrupts the normal activities of a system and may trigger some level of crisis. Incident implies
harm or the attempt to harm.

What is Incident Handling?
Incident Handling is a series of actions taken to protect and restore the normal operating
condition of computers and the information stored in them when an adverse event occurs, with
well-defined procedures involving several stages. It involves all the activities used before,
during, and after a computer security incident occurs on a host, network, site or multi-site
environment.

Purpose of Incident Handling

• To mitigate or reduce risks associated with an incident.
• To respond to all incidents and suspected incidents based on pre-determined processes.
• To provide unbiased investigations of all incidents.
• To establish a 24x7 hotline/contact to enable effective reporting of incidents.
• Each organization should have an incident handling team to control and contain any
incidents that may occur.
• The incident handling team should recommend short-term and long-term solutions.

CATEGORIES OF INCIDENTS
Crisis
Crisis can be categorized as any incident that may cause destruction or service disruption,
such as a natural disaster or an infrastructure attack.

Security Breach
Any event which breaches the security policy of an organization or the laws of the country. Some
examples are breach of confidentiality, modification of data or compromise of integrity.

Abuse & Misuse
Any activity conducted which is against the acceptable use policy of the organization, such
as causing annoyance or conducting non-work-related activity, e.g. e-mail abuse (spamming
and mail bombs) and illegal content (pornography and piracy).

Human Error
Human error can be categorized as any accidental damage caused by a person, which
may cause disruption of service and may not involve criminal activity. Examples are information
disclosure and misconfiguration by the organization.

TYPES OF INCIDENTS
Spamming
Spamming refers to e-mails that you do not wish to receive and that are irrelevant to you.
These mails usually have business motives for marketing purposes and are sent by individuals with
personal goals, or by marketing agents selling their products.

Mail bomb
A mail bomb is the act of sending large quantities of e-mail to a single user or system, which
could flood his/her mailbox and may crash the system. Mail bombing is considered serious as
it can disrupt mail traffic and, in some cases, could lead to denial of service to the network.

Intrusion
Intrusion refers to unauthorised or illegal access to a system or network. This
could be the act of root compromise, web defacement or the installation of malicious
programmes, e.g. a backdoor or trojan.

Hack threat
Hack threat refers to illegal and unauthorised hacking attempts against a system or a network
with the malicious intention of compromising a vulnerable system, such as illegal port scanning
and probes.

Virus
A virus is malicious programme code which survives and replicates in a computer system
and attacks silently, without the user’s knowledge. Once in the system, the virus will
replicate and infect other files, changing them in the process. Viruses are mainly found in
software, programmes, screen savers and data files. A virus might carry a “payload” which is
released by the virus upon a triggering event and which determines the extent of the damage
the virus does.

Worm
A worm is a self-contained programme that is able to spread functional copies of itself to
other computers via the network without any external help.

Denial of Service (DoS)
Denial of service refers to the illegal act of bringing a particular system down, or disabling
a system. There are various types of DoS attacks, e.g. ping flood attacks, Smurf attacks and SYN
attacks.

Destruction
Destruction is defined as an illegal act made to destroy the system, data/information and/or
physical assets, crippling the whole system. Such incidents can result from repeated
attempts against the targeted system which finally lead to destruction of the whole system.

Fraud
It is strictly where a computer system is used as an instrument to a crime, for example, its
processing capability is used to divert funds illicitly such as in e-mail forgery (user impersonation),
e-commerce (payment anonymity) and e-banking (ATM and credit card fraud).

Forgery
Forgery would mean to forge or impersonate something/someone to make it as if real and true.
These include forgeries of your name and e-mail address in messages to others, or of other
people's identities in mail to you. Both can be extremely unpleasant or even damaging, if the
recipient gets fooled.

Harassment
Harassment is a malicious act of annoying and threatening someone through various means,
e.g. via e-mails and/or letters, with personal motives and reasons. Harassment is usually done
by someone close to the victim or by someone unknown to the victim.

INCIDENT HANDLING: STEP BY STEP

Preparation
System or network administrators should take proactive measures to secure their organization's
systems. This includes applying proper patches and service packs, and upgrading the operating system,
applications and software. An organization should also have defence mechanisms such as a
firewall, an intrusion detection system and an anti-virus programme to defend its network.
Any unnecessary services or ports should be closed to minimize the probability of attack.

Other preparations that an organization can undertake include sending staff for security
training, such as Incident Handling training. With this training, the incident handler or system
administrator should include maintaining the organization's infrastructure in their day-to-day tasks.
Constant log monitoring is the most important process, and the system administrator should be on
the alert for, and suspicious of, anomalous activities.

An organization should establish contacts with local ISPs, other Computer Emergency Response
Teams (CERTs) and law enforcement agencies. This will help the organization when an incident
happens. Keep a database of the relevant persons in charge and their contact details, and make
it accessible to your team. Make sure you have their contact numbers, i.e. phone, fax,
e-mail and pager.

Last but not least, an organization should have a standard operating procedure (SOP) for
Incident Handling and enforce it within the organization. Policies on passwords, system/network
access and secure communication are a must.

Identification
The organization should verify that an incident has occurred and exclude the possibility of human
error by checking for errors in system configuration and user or administrator errors. Once the
above errors are ruled out, determine the type of incident.

IT personnel should not panic when an incident occurs. Panicking will make coordination and
communication difficult and remaining calm can avoid making critical errors.

The incident handler should take note of and document every piece of information or evidence
associated with the incident. Use the four Ws: Who, What, When, Where, and some
extras like How and Why.

Analyze the information and evidence. Safeguard the evidence you have by keeping a backup
copy. Incident handler should analyze any relevant logs, files and codes that might indicate
successful penetration or traces left by the intruders.

Incident handler or system/network administrator should notify the appropriate parties. Notify
the appropriate people like the security coordinator and the manager.

Containment
The first action in containment is to disconnect the affected machine from the network. This is
to prevent further spread of the incident. It will also prevent intruders from getting into the server
again. The security manager should deploy a small team to physically secure the incident area.

The incident handler should be alert to malicious code or scripts potentially planted in the affected
system. The incident handler should not log in to the compromised system immediately, as you
need to check whether any rootkit has been installed. Compare the cryptographic fingerprints of the core
binary files of the compromised system against those of a trusted system. As best practice, check
other neighbouring systems or networks for the possibility of compromise. Review all logs and file
signature databases.

The incident handler should make a backup copy of the compromised system to new media.
Make a binary-to-binary or bit-to-bit backup. Seal and store the backup tapes securely so that
no one can tamper with the evidence. This process is necessary for forensic analysis and
court proceedings.

The system or network administrator should change the passwords of the compromised system and of
other systems that it regularly connects to. If the system was subjected to a sniffer attack, you may
need to change the passwords of all systems on the affected LAN or subnet.

Eradication
In this process, the incident handler should determine the root cause of the attack. How do you do that?
Analyze all information gathered during the identification phase and look for weaknesses in the
operating system and applications that could have been exploited.

The next step is to apply defence mechanisms. The organization should apply firewalls, router filters,
intrusion detection systems (IDS), intrusion prevention systems (IPS) and anti-virus programmes
at both network and host level. If possible, change the server name and IP address.

The last process is to carry out a vulnerability assessment of the system and network to
determine whether the software needs to be upgraded or patched. Run host-based and network-based
assessment tools to test the robustness of your system and network configurations. Remove
the cause of the incident. Close unnecessary ports/services if the incident was due to an open
port. Patch and upgrade software if the incident was due to a vulnerable or older version of the
software. Malicious code planted by the intruder should also be removed and cleaned up.

Recovery
Restore the system from a clean backup. After restoration, verify that the operation was successful
and the system is back to normal. The security manager will determine when to restore operations. Once
the system is back to normal, monitor for any hidden backdoors that may have escaped
detection.

Follow-Up
In the follow-up process, produce a comprehensive report on the whole incident for reference
purposes. The incident handler should follow up with the owners of the system to check whether they
have done what is necessary. Assess the system regularly to verify that the system
is secure and not vulnerable.

BEST PRACTICE
Intrusion Detection Checklist
http://www.cert.org/tech_tips/intruder_detection_checklist.html

Windows NT Intrusion Detection Checklist
http://www.auscert.org.au/render.html?it=1972&cid=1920

UNIX Security Checklist
http://www.auscert.org.au/render.html?it=1935&cid=1920

Securing an Internet Name Server
http://www.cert.org/archive/pdf/dns.pdf

Secure Infrastructure Design
http://www.cert.org/archive/pdf/Secure_Infrastructure_Design.pdf

Internet Information Service 5.0 Security Checklist
http://www.microsoft.com/technet/security/chklist/iis5chk.mspx

Internet Information Service 4.0 Security Checklist
http://www.microsoft.com/technet/security/chklist/iischk.mspx

Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx

Windows XP Baseline Security Checklist
http://www.microsoft.com/technet/security/chklist/xpcl.mspx

Windows 2000 Server Baseline Security Checklist
http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx

Windows NT 4.0 Server Baseline Security Checklist
http://www.microsoft.com/technet/security/chklist/nt4svrcl.mspx

Windows NT 4.0 Workstation Baseline Security Checklist
http://www.microsoft.com/technet/security/chklist/nt4wscl.mspx

Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

CONCLUSIONS
An incident handling and response team must strive for a quicker response time to minimize
downtime. An organization should have proper policies and mechanisms in place. This will expedite
the incident handling process. The effectiveness of the incident handling team in managing
escalation and investigation is the most critical asset of an organization. The incident handling team
should notify the appropriate or affected parties of any incidents. This will minimize the probability
of a successful attack. The best course is to communicate with the Internet Service Provider (ISP),
vendors or a Computer Emergency Response Team (CERT).


VIRUSES, WORMS, TROJAN HORSES 101
MADIHAH MOHD SAUDI
NISER, AUTHOR

Madihah Mohd Saudi is the virus analyst for NISER and is responsible for conducting in-house
testing for virus analysis; reviewing standard operating procedures for virus analysis;
developing acceptable use policies; damage control and laboratory specifications. She is also
responsible for responding to virus cases as MyCERT (Malaysia Computer Emergency
Response Team) 2nd level support. Her other tasks are Windows security audits and anti-virus
audits. Madihah joined NISER in 2001 as a Computer Forensic analyst and project manager for
the Computer Forensics department.

Madihah earned her Bachelor’s Degree in Computer Science from Universiti Kebangsaan
Malaysia (UKM) in 2001. Her mission for NISER and for herself is to be one of the best security
analysts in the nation.

She holds the GIAC Security Essentials Certification, which was issued by the SANS Institute, USA,
in 2001, and is also a Certified Ethical Hacker (2003), awarded by the EC-Council, USA.

VIRUSES, WORMS, TROJAN HORSES 101
MADIHAH MOHD SAUDI

ABSTRACT
Nowadays, computer application developers large and small are adopting the trend of “push to
market first, fix the bugs later”. This leads to disaster outbreaks such as the Melissa virus, the Code
Red worm, the NIMDA worm and the more recent Blaster and Nachi worms.

Thus, it is critical that we understand these malicious codes, better known as viruses, worms
and Trojan horses. There are many ways in which malicious code spreads. The common
mediums are e-mail attachments, scripts in web pages, networks and file sharing.
In this paper we will discuss what these malicious codes are; how they behave; their impact
on society; the countermeasures that can be taken, which include detection, removal and
prevention methods; two case studies on issues related to worm outbreaks; the propagation
of malicious code; who is responsible for the damage it causes, whether the virus writer or the
person who distributes it; and the future of malicious code.

Keywords: malicious code, virus, worms, Trojan horse

INTRODUCTION
Definition of malicious code
Malicious code is a term used to describe all sorts of destructive programmes, which are
viruses, worms, Trojans, pests and rogue Internet content[1]. Malicious code is more prevalent
today than ever before, and both home users and system administrators need to be on the
alert to protect their network or company against attacks. New malicious code is coming out so
fast these days that even the most accurate scanners cannot track all of it.

Referring to MyCERT’s Abuse Statistics from 1997 until June 2004, we can see a rapid
increase in computer crime cases in Malaysia, especially virus cases[2]. Virus cases rose
from seven in 1997 to 379 in 2001, and up to June 2004 had already reached 158. As we know,
the Code Red worm hit the world in August 2001, followed by the Nimda worm in September 2001
and the Blaster, Nachi and Sobig.F worms in August 2003. A huge amount of money was spent
recovering from these attacks. These worms were classified as an infrastructural attack on the
Malaysian public. Details of the worms can be found in ‘Situational Report on Major Worms up
to 2003 in Malaysia’, available from NISER’s website[3].

DEFINITION OF VIRUS, WORM AND TROJAN HORSE
The Internet is constantly being flooded with information about computer viruses, worms and
Trojan horses. Terms like virus and worm have been used interchangeably, but they have
different meanings and functions. The definitions are listed below:

Viruses
A virus is defined as a programme which, when executed, can add itself to other programmes
without permission[4]. This is done in such a way that the infected programme, when
executed, can add itself to other programmes as well. The virus inserts itself into the chain of
command and executes a legitimate programme, which results in the execution of the virus as
well as the programme.

If we relate this to daily life, virus programming logic mimics that of its biological counterpart.
First, viruses invade their host victims by changing the underlying structure. Once infected, host
files become viruses themselves and begin to infect other files. Later, computer viruses mutate
and evolve to fight anti-virus ‘antibiotic’ programmes, and massive infection results in the larger
system malfunctioning.

Virus hoax is another term given to a message warning about non-existent viruses. It generally
asks readers to forward the message to everyone possible. It is highly recommended that users
ignore or delete such e-mail.

Viruses can be divided into six categories, which are:

a. Boot Sector Virus
These viruses infect floppy disk boot records or master boot records on hard disks.
They replace the boot record programme (which is responsible for loading the operating
system into memory), copying it elsewhere on the disk or overwriting it when you first turn on
your computer. Boot viruses load into memory if the computer tries to read the disk while
it is booting. This kind of virus can prevent you from being able to boot your hard disk.

b. File Virus
These are viruses that attach themselves to (or replace) .COM and .EXE files, although in
some cases they can infect files with extensions like .SYS, .DRV, .BIN, .OVL and .OVY.
With this type of virus, uninfected programmes usually become infected when they are
executed with the virus in memory. In other cases they are infected when they are opened
(such as by using the DOS DIR command), or the virus simply infects all the files in the
directory it is run from (a direct infector).

c. Macro Virus
Written using a simplified macro programming language, these viruses affect Microsoft
Office applications, such as Word and Excel, and account for about 75% of viruses found
in the wild. A document infected with a macro virus generally modifies a pre-existing, commonly
used command (such as Save) to trigger its payload upon execution of that command.

d. Multipartite Virus
A multipartite virus is a hybrid of boot and programme viruses. It infects programme files,
and when the infected programme is executed, the virus infects the boot record. When
you reboot the computer, the virus from the boot record loads into memory and starts infecting
other programme files on disk.

e. Polymorphic Virus
These viruses change code whenever they are passed to another machine; in theory these
viruses should be more difficult for anti-virus scanners to detect, but in practice they are
usually not that well written.

f. Stealth Virus
These viruses hide their presence by making an infected file appear uninfected, but do not
usually stand up to anti-virus software.

From these six categories of virus, it can be summarised that viruses spread through files,
boot programmes and macro files.

The first viruses emerged in the mid-1980s. By 1990, there were still fewer than 100 viruses.
Today it is estimated that there may be more than 50,000 viruses. Interestingly, the majority of
viruses are not out in the public, i.e. “in the wild.” Sources say that only 100-180
of the 50,000 viruses account for all the viruses that are in the wild. Most of the viruses exist
only in personal virus collections, also called “virus zoos.”

Worms
A worm is a self-contained programme (or set of programmes) that is able to spread functional
copies of itself to other computer systems (usually via a network). It is very similar to a virus in that
it is a computer programme that replicates and often, but not always, contains some
functionality that will interfere with the normal use of a computer or a programme. Worms do
not need to attach themselves to other files or programmes; the worm exists as a
separate entity. A worm can spread itself automatically over the network from one computer to
another. It can also exist as an e-mail attachment.

Worms can be categorized into two categories, which are:

a. Host computer worms
Host computer worms are entirely contained in the computers on which they run and use
network connections only to copy themselves to other computers. The original worm
terminates itself after launching a copy on another host (so there is only one copy of the
worm running somewhere on the network at any given moment).

b. Network worms
A network worm consists of multiple parts (called ‘segments’), each running on different
machines (possibly performing different actions) and using the network for several
communication purposes. Propagating a segment from one machine to another
is only one of those purposes. Network worms that have one main segment that
coordinates the work of the other segments are sometimes called ‘octopuses’. A recent
example of a network worm is the Bobax worm.

Trojan Horse
A Trojan horse is defined as a programme which masquerades as a legitimate programme,
but does something other than what it was originally intended to do. It is a programme that looks
useful but contains unauthorized, undocumented code for unauthorized functions. It can be
passed via a worm or virus. Many different types of Trojans exist. These are:

a. Remote Access Trojan
These are probably the most popular and very likely the most dangerous of the many Trojan
classes currently available. These are the types that work in server/client mode. The server
part installs itself on the unsuspecting user’s computer and the client remains on the
attacker’s system. Once an infected machine has been discovered, the intruder establishes
a link between the two. He can subsequently perform any action the user can, and more.
For example, let’s assume that the user has valuable data stored in a folder called “XYZ”
on his C: drive. In order to steal that data, all the intruder needs to do is to drag and drop
the folder called XYZ from the user’s C: drive onto his own. It is as simple as that! Examples
of the most popular Remote Access Trojans are NetBus, SubSeven and Back Orifice (from the
Cult of the Dead Cow, cDc).

b. Mail Trojan
Another popular type of Trojan in hackers’ circles is the mail Trojan. It works in server mode
only and its main function is to record certain data such as the keystrokes the user enters
when passwords are typed, the websites he regularly visits and files in general. An infected
machine will automatically send the information by e-mail to the attacker. These are very
difficult to spot because the e-mail client is part of the Trojan itself.

c. FTP Trojan
This particular class of Trojan works in server mode only. It allows FTP access to an infected
machine and can download or upload files at the intruder’s whim.

d. Telnet Trojan
Telnet Trojans run in server mode only and allow an intruder to execute DOS commands
on a remote machine.

e. Key logger Trojan
These Trojans record the keystroke input on an infected machine and then store the
information in a special log file that the intruder can access in order to decipher passwords.

f. Fake Trojan
This type of Trojan uses fake dialog boxes and other bogus windows that purport to show
that the user has attempted to perform an illegal operation. By displaying a dialog box, its
sole purpose is to get the user to enter his user name and password. That information is
then stored on file so that the intruder can use it at a later date.

g. Form Trojan
This is a Trojan that, once installed, ascertains the user’s personal data such as IP address,
passwords and other personal data that he or she has stored on their system and then, by
connecting to the cracker’s web page, submits the online form via HTTP. A cracker can
then use the information gained whenever he wishes. The Trojan performs this function
without any user intervention and without the user’s knowledge. The user will not see any
indication of the transmission, such as pop-up windows, that would indicate that this is
taking place.

To perform most of the above stated tasks, one has to grab the IP address of the victim. This
can be done by using either a third party programme or if the victim does not have a great
knowledge of computers. The other way is to create an FTP link between you and the victim
while chatting and, while the file is being transferred, note down the IP address of the victim
using commands like “netstat -an” or any telnet command.

DIFFERENCES BETWEEN VIRUS, WORM AND TROJAN HORSE
Virus                                | Worm                                  | Trojan Horse
1. Non self-replicating              | 1. Self-replicating                   | 1. Non self-replicating
2. Produce copies of themselves      | 2. Do not produce copies of           | 2. Do not produce copies of
   using host files as carriers      |    themselves using host files as     |    themselves using host files as
                                     |    carriers (independent programme)   |    carriers (independent programme)
3. Cannot control PC remotely        | 3. Cannot control PC remotely         | 3. Control PC remotely
4. Can be detected and deleted       | 4. Can be detected and deleted        | 4. Sometimes cannot be detected and
   using anti-virus                  |    using anti-virus                   |    deleted using anti-virus

From the table above (taken from NISER virus lab testing), we can conclude that worm and
virus are very similar to one another but are technically different in the way that they replicate
and spread through a system. As for Trojan Horse, its capability to control PC remotely makes
it different from worm and virus.

IMPACT TO SOCIETY
From NISER ICT Security survey for Malaysia 2001/2002, based on the results shown in
Figure 1 at Appendix A, virus attacks were the most frequent security breach experienced in
2001/2002 with a record of 1,280 times. In terms of financial losses, virus attacks thus
become one of the major contributors.

A breach in information security can impact many business processes within an organization,
and that impact becomes more difficult to assess. It is not simply a case of how much it costs
to rectify the breach but of a range of other issues such as: delayed delivery of contracts, lost
opportunities, legal and contractual liabilities incurred, loss of customer confidence and loss of
trust. Furthermore, organizations do not like to publicize that they have suffered a security
breach because of the adverse publicity that it brings and the damage it is likely to inflict on
the company’s reputation.

Below are other impacts to society:

a. Loss of data
For example, Excel spreadsheets which contain client information. The virus might
damage the data, or accidentally e-mail the data to a competitor, which leads to disclosure
of confidential information.

b. Loss of trust and reputation
If a customer receives inaccurate data, will they return? Reputation risk depends on the worm's
publicity profile. For example, a widely spreading worm carries a high reputation risk.

c. Information compromised
Users may be working unknowingly with data that is wrong.

d. Loss of customers
If customers are not happy due to viruses, they will find someone else.

e. Loss of loyalty and retention
Return customers do not like problems.

f. Loss of website
If certain data is corrupted, a business which is based on online transactions might not work.
If the website for the transactions distributes viruses, it may be disabled.

g. Loss of time
How much time can a company afford to waste? And how much cost of repair or of business
loss would the company have to suffer?

Another scenario, the impact of a key logger (Trojan Horse), is taken from an article in The Star
newspaper in 2003. Details of the article can be found at Appendix B. The student was
accused of hacking into a university system and then installing a key logger Trojan Horse to
capture keystrokes entered by another person.

This scenario, which took place in Michigan, USA, is not something that could not happen
in Malaysia.

SIGNS AND SYMPTOMS

Diagnosis questions
Below are sample diagnosis questions which can help a user identify whether he or she has been
infected by a virus.

1. Did loading programmes take more time than usual?
2. Did other disk accesses take more time than usual?
3. Was there unusual screen activity, or did any warning messages appear?
4. Did drive lights come on without reason?
5. Was memory or disk space reduced?
6. Did any files disappear or appear?
7. Was there any increase in programme size?

How can these diagnosis questions help user identify if he/she has been infected
by a virus?
For the first question, if programme loads take longer than normal, this might indicate the
virus has already gained control at the start-up procedures for a system or programme.
When the system is booted up or an application programme is loaded, the virus will perform
its activities. Quite possibly, the virus will extend the time taken for the load to be completed
by several seconds.

For the second diagnosis question, a situation where disk accesses are excessive for very
simple tasks might indicate that virus activities have been performed. For example, saving a
page of text usually takes about a second, but a virus extends this to two or three seconds.
Make sure to watch out for a slowdown in directory access and updating procedure times.

As for the third question, this is the easiest way to detect if a PC has been infected. Unusual error
messages appear might give a clue that something is wrong with the PC. This is especially so
if the message appears frequently. It might indicate virus infection.

Question number four concerns access lights coming on when there is no obvious reason.
For example, if the light for one of the drives keeps flashing even when no access is being
made to load or save data, then it may very well be that the PC has been infected.

For question number five, if memory or disk space is reduced, then this is a common warning
sign that a virus has moved in and begun replicating. Some viruses affect the memory once it
has been activated.

For question number six, some viruses delete files, either randomly or according to specific
instructions. If a file has disappeared from a PC directory for no good reason, suspect a virus
is at work. Also check for infection if unexplainable files start appearing.

As for question number seven, if programmes change size rapidly particularly an executable
file, then further inspections for virus infection should be performed. One thing that one should
bear in mind, some viruses increases the size of the programme, but return the number
displayed back to the original specification. In this situation you are recommended to use file
integrity checker.

All of these questions can be used as guidelines in identifying or detecting virus infections.
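The file integrity checker recommended for the seventh question, as an added example that is not part of the original paper: it records the size and SHA-256 digest of every file under a directory, then reports files that changed, appeared or disappeared, which covers questions five to seven in one pass. It uses only the Python standard library; the directory layout and file contents in demo() are constructed for the illustration.

```python
"""File integrity checker: record a baseline of a directory tree, then verify it.

Added example, not part of the original paper. Standard library only; the
directory names and file contents used in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> dict:
    """Size and SHA-256 digest of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    size = 0
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": h.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Digest every regular file under root, keyed by its path relative to root."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Write the baseline as JSON; keep this copy off the machine being checked."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree under root against a saved baseline.

    Returns sorted lists under 'modified', 'added' and 'missing'. A file is
    'modified' when its digest differs even if its size is unchanged, so a
    virus that keeps or hides the original size is still caught.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x90" * 100)
        (root / "bin" / "tools.exe").write_bytes(b"MZ" + b"\x00" * 50)
        (root / "readme.txt").write_bytes(b"hello")
        baseline = build_baseline(root)

        # Simulated infection: editor.exe rewritten with the same size, a new
        # executable dropped, readme.txt deleted.
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\xcc" * 100)
        (root / "bin" / "12345_up.exe").write_bytes(b"MZ" + b"\x00" * 10)
        (root / "readme.txt").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Store the baseline on read-only media or on another machine: a baseline kept on the infected disk can be rewritten by the same code that altered the executables. Because the check reads the file contents rather than the size the directory listing reports, it is not fooled by the size-hiding trick described above.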

System administrator
All the signs and symptoms below must be investigated, especially by the system administrator.

• The same e-mail appearing at two or more connected PCs at the same time.
• The e-mail server and network starting to slow down under the strain of sending thousands of
  e-mails at once.
• A firewall reporting a sudden onset of incoming or outgoing traffic on a rarely used TCP/IP port.
• A sudden decrease in processing speed soon after downloading a new file, or a machine that
  appears sluggish.
• Unexpected e-mail arriving, or the browser (Internet Explorer) being redirected to a website
  the user did not request.

With an e-mail worm, the same strange e-mail message with an attached file or web link starts
appearing all over the corporate network at once. A message with exactly the same subject
line starts appearing in everyone's inbox from several different users, including users who don't
normally send a lot of e-mail.

PREVENTION TECHNIQUES
A malicious attack can enter your company’s network through an e-mail attachment, shared
file folders, wireless peripherals, web pages, laptops or even a direct attack on a router or
server. The bottom line is that any point of access to your network may be at risk.

Below are the recommended prevention techniques, listed as the risk opportunity followed by the
matching prevention technique:

Risk opportunity: Opening every e-mail and attachment you receive
Prevention technique: Screen your e-mail (visually and with anti-virus software). Consider limiting
e-mail attachments. Filter all double-extension attachments and any executable attachment.

Risk opportunity: Using your e-mail preview pane
Prevention technique: Turn off the preview pane, and read mail as plain text instead of HTML.
Install the latest patches for the e-mail application and for Internet Explorer.

Risk opportunity: Responding to SPAM
Prevention technique: Do not respond. Report SPAM to:
mycert@mycert.org.my
abuse@domainname
webmaster@domainname

Risk opportunity: Visiting unknown websites
Prevention technique: Be cautious when visiting unknown websites. Use a personal firewall to stop
unexpected files from being downloaded automatically.

Risk opportunity: Connecting to unknown networks
Prevention technique: If you are not sure and do not need it, do not connect.

Risk opportunity: Using unlicensed software
Prevention technique: Follow copyright laws.

Risk opportunity: Using any diskette or CD without verifying the source
Prevention technique: If you aren't sure and don't need it, don't use it. Trust references.

Risk opportunity: Using shared systems, peer-to-peer systems and file sharing
Prevention technique: Avoid all of these; they may violate copyright laws and allow too much
access. Use password-protected drive shares.

Risk opportunity: Allowing unauthorised users access to your system
Prevention technique: Lock your system and use password-protected screen savers. Use a personal
firewall.

Risk opportunity: Not patching the PC, especially on the Windows platform
Prevention technique: Always install the latest patches and make sure Windows Update runs
regularly on your machine.

Risk opportunity: Browsing and downloading MP3 songs
Prevention technique: Install anti-spyware software.
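The attachment rule from the first row above (filter double-extension and executable attachments), as an added example that is not part of the original paper or of any mail product: screen_attachment() classifies one attachment name and screen_message() holds a message if any attachment is blocked. The extension sets, the short allow-list of benign compound extensions (tar.gz and the like) and the sample names are assumptions; beyond the table's two rules it also flags names padded with runs of spaces so that the real extension scrolls out of view, a related trick of the same period.

```python
"""Attachment screening for a mail gateway: executables and double extensions.

Added example, not part of the original paper. The extension sets, the
allow-list of benign compound extensions and the sample filenames are
assumptions made for demonstration.
"""
import re

# Extensions Windows will run directly or hand to a script host (assumed list).
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk",
}
# Compound extensions that are legitimate and should not count as "double".
BENIGN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}
# Two or more consecutive spaces inside a name: padding used to hide the real extension.
PADDING_RE = re.compile(r"\s{2,}")


def extensions(filename: str) -> list:
    """All extensions of a name, lower-cased: 'Report.DOC.exe' -> ['doc', 'exe']."""
    parts = filename.strip().lower().split(".")
    return [p.strip() for p in parts[1:]] if len(parts) > 1 else []


def screen_attachment(filename: str) -> tuple:
    """Return ('block', reason) or ('allow', reason) for one attachment name."""
    if PADDING_RE.search(filename.strip()):
        return ("block", "whitespace padding hides the real extension")
    exts = extensions(filename)
    if not exts:
        return ("allow", "no extension")
    if exts[-1] in EXECUTABLE_EXTS:
        return ("block", f"executable extension .{exts[-1]}")
    if len(exts) >= 2 and tuple(exts[-2:]) not in BENIGN_COMPOUND:
        return ("block", "double extension ." + ".".join(exts))
    return ("allow", f".{exts[-1]} is not executable")


def screen_message(attachments: list) -> dict:
    """Screen every attachment of one message; the message is held if any is blocked."""
    verdicts = {name: screen_attachment(name) for name in attachments}
    return {"hold": any(v[0] == "block" for v in verdicts.values()), "verdicts": verdicts}


# Constructed sample: names of the kind mass-mailing worms of the period used.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",
    "invoice.pdf.exe",
    "photo.jpg.scr",
    "Setup.EXE",
    "readme.txt                              .pif",
    "backup.tar.gz",
]

if __name__ == "__main__":
    for name, verdict in screen_message(SAMPLE_ATTACHMENTS)["verdicts"].items():
        print(f"{verdict[0]:5s} {name!r}: {verdict[1]}")
```

Blocking every double extension, as the table says, will also stop legitimate names such as report.2004.doc, which is why the allow-list exists; extend it for your own environment rather than weakening the executable rule.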

CASE STUDY OF AN INFECTED E-MAIL AND THE SASSER.A WORM

Case Study 1: Infected E-mail
If your organisation's e-mail server runs anti-virus software that filters infected attachments,
an infected message will not be a problem (please refer to Appendix C, Figure 2). Another question
users ask is whether a PC can be infected just by opening an e-mail. The answer is yes: some
viruses can infect a PC without the user launching an attachment, by abusing scripting in e-mail
client applications such as Microsoft Outlook. It is advisable to disable the client's scripting
facility. Most infections, however, happen when the user launches or executes a file attachment
without first scanning it for viruses.

What if you received an e-mail carrying an anti-virus scan result like the one below? Would you
open the attachment without scanning it, because a result is already displayed?

Figure 3: E-mail with anti-virus result

Believe it or not, this anti-virus result is fake.

Figure 4: E-mail with fake result

Above is an example of the Netsky.P worm, whose messages include fake anti-virus scan results.

The lesson learnt here is to scan every e-mail attachment before executing or reading it,
whatever the message itself claims. For details on safe e-mail practices, please visit:
http://www.mycert.org.my/faq-safe_e-mail_practices.htm

Case Study 2: Sasser.A worm

Harith was browsing the Internet on his Windows XP machine to search for information for an
assignment. A few minutes later, a pop-up message appeared with an LSASS shell error (as displayed
below). Harith ignored the message and closed it. The PC then announced that it would reboot in
60 seconds. After the machine restarted, it kept rebooting again and again every few minutes...

He did not know what to do. When he asked his colleagues, most of them said that they had
experienced the same situation. When he checked his machine, he found a few unknown files in
the Windows directory, an unknown registry entry and an unknown process in memory. An unknown
network connection had also been made.

(Please refer to Appendix D for the screen captures of his Windows directory, registry and memory.)

What is the proper next step when this scenario happens?

General information about this infected machine:

Harith's machine was infected by the Sasser.A worm.


On 2 May 2004, MyCERT received reports of, and detected, a new Internet worm that propagated
aggressively upon infection by scanning TCP port 445 and sending its payload to random IP
addresses. The worm, W32.Sasser, arrives as AVSERVE.EXE on target systems, and once it has
infected a machine it opens TCP port 9996 and TCP port 5554 for its malicious activities.

The worm exploits a vulnerability that exists in Microsoft Windows systems:

* It exploits the Local Security Authority Subsystem Service (LSASS) vulnerability published on
13 April 2004 (partly described in Microsoft Security Bulletin MS04-011), over TCP port 445, and
specifically targets Windows XP, Windows 2000 and Windows Server 2003 machines.

To infect a target, the worm overflows a buffer in LSASS.EXE, which gives it a remote shell on
TCP port 9996 of the target. Through that shell it creates an FTP script named cmd.ftp on the
target and executes it. The script instructs the target to download and execute the worm from
the attacking host, which serves the file with a small FTP server listening on TCP port 5554. The
downloaded copy has a name consisting of 3 to 5 digits followed by _up.exe (e.g. 12345_up.exe).

The infected host displays an LSASS shell error and reboots. After the reboot, the worm scans
random IP addresses on TCP port 445 for other active machines to infect.
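The firewall symptom in the system administrator's list above (a sudden onset of traffic on a rarely used port) is what this propagation looks like from the network. The following is an added example, not part of the original paper or of MyCERT's tooling: it parses a constructed, simplified firewall log format (timestamp, action, protocol, source, destination) and flags hosts that contact many distinct addresses on TCP/445, together with either end of any connection on TCP/5554 or TCP/9996. The log format, the threshold of 20 targets and the addresses in sample_log() are assumptions; adapt parse_line() to your firewall's export.

```python
"""Spotting Sasser-style propagation in firewall logs.

Added example, not part of the original paper. The log format is a
constructed, simplified one; the threshold and addresses are assumptions.
"""
import re
from collections import defaultdict

SCAN_PORT = 445              # port the worm scans for vulnerable LSASS
WORM_PORTS = {5554, 9996}    # FTP server on the attacker, shell on the victim
SCAN_THRESHOLD = 20          # distinct hosts on tcp/445 from one source (assumption)

# Assumed line format: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """One log line to a dict, or None when it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines) -> dict:
    """Return {host: [findings]} for hosts showing Sasser-like behaviour."""
    targets_on_445 = defaultdict(set)   # src -> distinct dst hosts hit on 445
    worm_port_hits = defaultdict(set)   # host -> descriptions of 5554/9996 use
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].upper() != "TCP":
            continue
        if rec["dport"] == SCAN_PORT:
            targets_on_445[rec["src"]].add(rec["dst"])
        if rec["dport"] in WORM_PORTS:
            # The client side is pulling the worm (5554) or driving the shell
            # (9996); the server side is the host exposing that port.
            worm_port_hits[rec["src"]].add(f"client to {rec['dst']}:{rec['dport']}")
            worm_port_hits[rec["dst"]].add(f"serving port {rec['dport']}")

    findings = defaultdict(list)
    for src, dsts in targets_on_445.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].append(f"scanned {len(dsts)} hosts on tcp/445")
    for host, hits in worm_port_hits.items():
        findings[host].extend(sorted(hits))
    return dict(findings)


def sample_log() -> list:
    """Constructed log: 10.0.0.7 sweeps 40 hosts on 445, gets a shell on 10.0.1.5,
    which then pulls the worm back from 10.0.0.7:5554. 10.0.0.9 is ordinary file sharing."""
    lines = [
        f"2004-05-02T10:00:{i % 60:02d} ALLOW TCP 10.0.0.7:10{i:02d} -> 10.0.{i // 8}.{i % 8 + 1}:445"
        for i in range(40)
    ]
    lines += [
        "2004-05-02T10:01:00 ALLOW TCP 10.0.0.7:1100 -> 10.0.1.5:9996",
        "2004-05-02T10:01:01 ALLOW TCP 10.0.1.5:1033 -> 10.0.0.7:5554",
        "2004-05-02T10:01:02 ALLOW TCP 10.0.0.9:1040 -> 10.0.0.2:445",
        "2004-05-02T10:01:03 ALLOW UDP 10.0.0.9:137 -> 10.0.0.255:137",
        "not a log line",
    ]
    return lines


if __name__ == "__main__":
    for host, notes in sorted(analyse(sample_log()).items()):
        print(host, "->", "; ".join(notes))
```

A single host talking to many distinct addresses on 445 is the signal; one or two 445 connections (normal file sharing) stay below the threshold. A host that both sweeps 445 and serves 5554 is the one to disconnect first, since every victim it creates becomes another scanner after its reboot.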

Details for solution 1: Manual Removal Steps and solution 2: Automatic Removal Tool Steps
can be referred at Appendix E.

ISSUES
How does malicious code spread?

Some users believe that by not opening any e-mail attachment they are safe from viruses,
worms, Trojans and other pests. The truth is that malicious code can spread from one
computer to another through many methods, most of which depend on users' carelessness. A
user who has never been infected is lucky; others who are not as careful (or are unlucky) infect
their hard disks by running downloaded files, or after placing a newly obtained floppy disk in a
drive. Viruses and worms spread fastest among computers networked on a LAN, especially when
e-mail file attachments are involved.

Sharing certain types of files with others always involves some risk. The medium is irrelevant:
files from a LAN server, downloaded from Internet sites or from a floppy (even from shrink-wrapped
software) can all carry an infection. The riskiest of all are files posted on Internet newsgroups,
because there is no control or accountability whatsoever. Many people have become victims of
brand-new viruses and worms by downloading executable files posted deliberately by vandals.

Before the growth of the Internet, viruses spread more gradually, from user to user, and
anti-virus vendors were usually able to distribute a remedy before things got out of hand. That
has all changed, especially with worms, because some people will click on any e-mailed file they
receive. Vandals have seized this opportunity and created programmes designed to spread to
everyone who corresponds with a careless user. Because of this threat, the only 100% safe
e-mail file attachment is a deleted e-mail file attachment.

Some websites store information on your computer in small text files called cookies, which are
read again when you revisit the site. Examples include items you have selected for purchase,
registration data, or your user name and password for websites that require them. Since cookies
are plain text files, they are not executable, and so they cannot carry a virus, which must be
hosted by an executable file. Cookies are not spyware in themselves, but tracking cookies used to
profile your browsing across sites are often classified as spyware by anti-spyware software,
which can be used to remove them.

Another way malicious code is spread is through a malicious applet: an applet that attacks the
local system of a web surfer [6].

Malicious applets are used for denial of service, invasion of privacy or annoyance. An applet can
forge e-mail from you to whomever the applet's author chooses, saying whatever they wish while
masquerading as you; steal your CPU cycles to perform the author's work while your legitimate
processes languish; or crash your local system by using all available system resources. The best
way to avoid or stop malicious applets is to set a security policy that allows only applets signed
by trusted parties to run.

Who is responsible for the damage caused: the virus writer or the person who distributes it?

A survey carried out by Sophos Anti-Virus showed that:

• The majority of virus writers are male and aged between 14 and 24.
• Most do not seem to have active social lives or girlfriends.
• Once virus writers go to university, develop a large social circle and pursue other activities,
  they tend to stop writing viruses.

Virus writing is not cool and can get the writer into serious trouble. For example, in November
1988, Cornell graduate student Robert Morris wrote the first worm to propagate over the
Internet. The Morris Worm exploited flaws in Unix network services (sendmail and fingerd) and
weak passwords. Morris, the son of a security expert at the National Security Agency, was
convicted of computer abuse offences and sentenced to three years' probation, 400 hours of
community service and a $10,000 fine.

The following observations are drawn from personal exchanges of views with virus writers and
with anti-virus researchers, rather than from any formal research. The first batch is drawn from
the alt.comp.virus newsgroup and is based on an entry in the FAQ for that newsgroup. It is
assumed that a virus writer:

• Does not understand, or prefers not to think about, the consequences their actions will have
  on other people, or simply does not care.
• Draws a false distinction between creating or publishing viruses and actually distributing them.
  Apparently they consider it perfectly reasonable to make a virus available to anyone who cares
  to distribute it.
• Considers it someone else's responsibility to protect other systems from their creations. They
  think it is the responsibility of the victim to defend him or herself.

Why do people distribute it? The answers are:

• They do not know it is malicious code.
• The malicious code is bound to a legitimate object (for example a Word document).
• They are fooled by an unexpected e-mail subject or content (for example, subject: "Help!")
  that carries an infected attachment.
• They browse a malicious web page.
• They did not know they were infected.
• They are resistant to good security practices.

In this situation, we cannot point the finger at the virus writer alone or at the person who
distributes it alone. The most important thing is user education; it is a key component of any
anti-virus strategy.

The security manager is advised to assume that system users will make mistakes, to tailor the
anti-virus strategy accordingly, and to consider social factors such as policy and education
when attempting to reduce security risks from malicious code.

The future of malicious code

David Harley, co-author of Viruses Revealed (Osborne/McGraw-Hill, 2001), predicted that to
produce malicious code, the author must exploit one of three kinds of vulnerability: software,
"liveware" or hybrid [7].

An example of a software vulnerability is a self-launching worm, which requires no human action.
"Liveware" vulnerabilities are exploited by manipulating victims into running unsafe code (that
is, by using social engineering to trick the victim), for example into running an infected e-mail
attachment. Hybrid threats, also known as blended threats, combine software and "liveware"
exploitation.

Even now, all three of these vulnerabilities are widely used by the authors of malicious code.

CONCLUSIONS
As new technologies are invented, so are new forms of malicious code. Nobody knows what form it
will take, how it will spread or what damage it can do. One thing is for sure: the authors of
malicious code will try to make it more complex, less predictable and easier to spread. The best
way to deal with malicious code is to prevent it. By practising good and safe computing, updating
your anti-virus software regularly, and keeping aware of new vulnerabilities and patching them,
the spread of malicious code can be reduced.

REFERENCES
1. http://www.indefense.com/manuals/white/malicious.htm
2. http://www.mycert.org.my/abuse-stat/index.html
3. http://www.mycert.org.my/other_resources/NISER-MYC-PAP-7070-1.pdf
4. David Harley, Robert Slade and Urs E. Gattiker, Viruses Revealed, Osborne/McGraw-Hill, USA,
2001, p. 5.
5. Colin Haynes, The Computer Virus Protection Handbook, Tech Publications, Singapore, 1990,
p. 88.
6. http://www.securingjava.com/chapter-four/chapter-four-1.html
7. http://www.infosecuritymag.com/2002/may/maliciouscode.shtml
8. http://www.sophos.com

APPENDIX A

Figure 1

APPENDIX B

APPENDIX C

Figure 2

APPENDIX D Screen captured

APPENDIX E
Solution 1: Manual Removal Steps

1. Disconnect the infected machine from the network.

2. Disable System Restore (Windows XP).
   Steps:
   a. Click Start.
   b. Right-click My Computer, and then click Properties.
   c. Click the System Restore tab.
   d. Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

3. Apply the latest Service Packs.
   * For Windows 2000 apply SP4
   * For Windows XP apply SP1

4. Apply the Microsoft Security Bulletin MS04-011 patch.
   The MS04-011 patch can be downloaded at:
   http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

5. Terminate the malicious process that is running.
   Steps:
   a. Press Ctrl+Alt+Delete.
   b. Click 'Task Manager'.
   c. Click the Processes tab.
   d. Scroll through the list, look for the following processes and click 'End Process' for each:
      - 'avserve.exe' (or 'avserve2.exe' in a later variant)
      - any process with a name consisting of four or five digits followed by _up.exe (for
        example, 12345_up.exe)
      * Each of the malicious files is 15.5 KB in size.
   e. Exit the Task Manager.

6. Delete the malicious files from the Windows directory.
   Steps:
   a. Delete the AVSERVE.EXE and <4-5 random digits>_UP.EXE files from the Windows directory.
      Example:
      C:\Windows\System32\12345_up.exe
   ** %Windir% is a variable. The worm locates the Windows installation folder (by default
      C:\Windows or C:\Winnt) and copies itself to that location.
   * Each of the malicious files is 15.5 KB in size.

7. Delete the registry value dropped by the worm.
   Steps:
   a. Click Start, and then click Run.
   b. Type regedit and click OK. (The Registry Editor opens.)
   c. Navigate to the key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   d. In the right pane, delete the value:
      "avserve.exe"="%Windir%\avserve.exe"
   e. Exit the Registry Editor.
   f. Re-enable System Restore (Windows XP).

8. Re-scan the PC to make sure it has been cleaned completely. If there are still infected files,
   delete them. Write down each filename before deleting it, to make things easier when you want
   to reinstall the affected files later.

9. Re-connect the machine to the network. Take preventive measures against such worms as
   described in this paper, or refer to MyCERT's web pages for details.

Solution 2: Automatic Removal Tool Steps

1. Disconnect the infected machine from the network.

2. Disable System Restore (Windows XP).
   Steps:
   a. Click Start.
   b. Right-click My Computer, and then click Properties.
   c. Click the System Restore tab.
   d. Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

3. Apply the latest Service Packs.
   * For Windows 2000 apply SP4
   * For Windows XP apply SP1

4. Apply the Microsoft Security Bulletin MS04-011 patch.
   The MS04-011 patch can be downloaded at:
   http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

5. Download an automatic removal tool from one of the following anti-virus vendors; the tool
   detects and removes the worm.
   Symantec:
   http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
   McAfee:
   http://vil.nai.com/vil/stinger/
   Trend Micro:
   http://www.trendmicro.com/download/dcs.asp

6. Re-enable System Restore (Windows XP).

7. Re-scan the PC to make sure it has been cleaned completely. If there are still infected files,
   delete them. Write down each filename before deleting it, to make things easier when you want
   to reinstall the affected files later.

8. Re-connect the machine to the network. Take preventive measures against such worms as
   described in this paper, or refer to MyCERT's web pages for details.
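The re-scan step in both solutions asks you to confirm that nothing is left. The following added example (not part of the original paper or of any vendor's removal tool) checks the four indicators Appendix E names against exported text rather than the live system, which also lets one person triage many colleagues' machines from their exports: the process list (tasklist), file names from the Windows directory, the Run key (reg query) and listening sockets (netstat -an). The sample outputs are constructed; the column layouts the parsers assume are those of the Windows XP tools, and the 3-to-5-digit file-name pattern follows the case study.

```python
r"""Post-clean-up check for the Sasser indicators listed in Appendix E.

Added example, not part of the original paper or of any vendor's tool. It
reads exported text (tasklist, a directory listing, 'reg query ...\Run',
'netstat -an') rather than the live system; the samples are constructed and
the column layouts are those assumed for the Windows XP tools.
"""
import re

# Worm file names from the case study: avserve.exe (avserve2.exe in a later
# variant) and <3-5 digits>_up.exe.
WORM_NAME_RE = re.compile(r"^(avserve2?\.exe|\d{3,5}_up\.exe)$", re.IGNORECASE)
WORM_PORTS = {5554, 9996}   # FTP server and remote shell opened by the worm


def suspicious_name(name: str) -> bool:
    return WORM_NAME_RE.match(name.strip()) is not None


def check_processes(tasklist_lines) -> list:
    """Image name is the first column of 'tasklist' output."""
    hits = []
    for line in tasklist_lines:
        parts = line.split()
        if parts and suspicious_name(parts[0]):
            hits.append(parts[0])
    return hits


def check_files(filenames) -> list:
    return [f for f in filenames if suspicious_name(f)]


def check_run_key(reg_lines) -> list:
    """'reg query' rows look like '<value name>  REG_SZ  <data>'; flag a row by
    its value name or by the file its data points at."""
    hits = []
    for line in reg_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        target = parts[-1].rsplit("\\", 1)[-1]
        if suspicious_name(parts[0]) or suspicious_name(target):
            hits.append(line.strip())
    return hits


def check_listeners(netstat_lines) -> list:
    """LISTENING TCP sockets on the worm's ports in 'netstat -an' output."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[-1])
            if port in WORM_PORTS:
                hits.append(parts[1])
    return hits


def triage(tasklist, files, reg, netstat) -> dict:
    """Run all four checks; 'clean' is True only when every list is empty."""
    report = {
        "processes": check_processes(tasklist),
        "files": check_files(files),
        "run_key": check_run_key(reg),
        "listeners": check_listeners(netstat),
    }
    report["clean"] = not any(report.values())
    return report


# Constructed samples in the layout of the Windows XP tools (assumption).
SAMPLE_TASKLIST = [
    "Image Name                   PID Session Name     Session#    Mem Usage",
    "System Idle Process            0 Console                 0         28 K",
    "explorer.exe                 1420 Console                 0     11,204 K",
    "avserve.exe                  1528 Console                 0      3,404 K",
    "38441_up.exe                 1600 Console                 0      3,396 K",
]
SAMPLE_FILES = ["explorer.exe", "avserve.exe", "38441_up.exe", "notepad.exe"]
SAMPLE_REG = [
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "    avserve.exe    REG_SZ    C:\\WINDOWS\\avserve.exe",
    "    ctfmon.exe     REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING",
    "  TCP    10.0.1.5:1033          10.0.0.7:5554          ESTABLISHED",
]

if __name__ == "__main__":
    print(triage(SAMPLE_TASKLIST, SAMPLE_FILES, SAMPLE_REG, SAMPLE_NETSTAT))
```

A listener on 5554 or 9996 surviving a clean-up means the process is still running, so go back to step 5 before trusting the file and registry results; and because the worm reinstalls itself on every reboot through the Run value, the registry check is the one that tells you whether the next restart will be clean.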

THE IMPORTANCE OF AN INFORMATION COMMUNICATION AND TECHNOLOGY (ICT) SECURITY AUDIT FOR
BUSINESS ORGANIZATIONS
MURARI KALYANARAMANI AND JAMES TSENG
PRICEWATERHOUSECOOPERS

Murari Kalyanaramani
Manager – Security and Technology
PricewaterhouseCoopers Advisory Services Sdn. Bhd.

• Certified Information Systems Auditor (CISA)
• BS 7799 Lead Auditor Certificate
• Bachelor of Business (Accounting and Information Technology), University of Technology
Sydney (UTS), Australia
• Member of the Information Systems Audit and Control Association (ISACA) – Malaysian Chapter

Murari joined PricewaterhouseCoopers in July 2000 and is currently the lead Manager for the
Information Assurance team within the Security and Technology Group. He has participated in
numerous systems audits, business process reviews, business continuity and information security
framework development projects for clients in diverse environments, inclusive of pharmaceutical,
aviation, oil and gas, financial institutions, telecommunications, gaming, broadcasting and
manufacturing sectors.

James Tseng
Associate Consultant – Security and Technology
PricewaterhouseCoopers Advisory Services Sdn. Bhd.

• Microsoft Certified Professional – Security and Network Design
• Bachelor of Computing (Distributed Design), Monash University, Australia

James Tseng joined PricewaterhouseCoopers in June 2002 and has participated in numerous
systems audits and network security reviews for clients in diverse environments, inclusive of
aviation, broadcasting, manufacturing, oil and gas, financial institutions, pharmaceuticals and
telecommunications sectors. Prior to joining PricewaterhouseCoopers, he worked as a Security
Analyst with e-Cop, a regional Managed Security Services (MSS) company, specializing in
Internet security surveillance, security consulting and network security implementation.

THE IMPORTANCE OF AN INFORMATION
COMMUNICATION AND TECHNOLOGY (ICT)
SECURITY AUDIT FOR BUSINESS ORGANIZATIONS
MURARI KALYANARAMANI AND JAMES TSENG

1. ABSTRACT
Information, Communication and Technology (ICT) Security audit is a holistic exercise, which
encompasses an assessment of an organisation’s controls implemented to counter the
threats and vulnerabilities an organisation’s ICT infrastructure is susceptible to. Essentially,
ICT security audits contribute to the preservation of the confidentiality, integrity and availability
of an organisation’s information assets. This paper will examine in detail the importance of
ICT security and the need for ICT security audits to be carried out to protect organisational
information assets.

2. INTRODUCTION
“If senior management have yet to establish priorities to perform security audits on their
ICT infrastructure which supports critical business processes, how and when would
they intend to evaluate the current security posture of their ICT infrastructure?”

Over the years, more businesses and organisations have expanded their geographical
boundaries through the usage of the Internet. Such exponential growth has created a new
paradigm of communication through this network of systems’ interconnectivity. Securing
ICT infrastructure is not a matter of just implementing policies, procedures and technical
controls to counter the accompanying threats and vulnerabilities. A mechanism of ensuring
the controls implemented are operating as intended is essential to provide assurance to
the Board of Directors, stakeholders, business partners and regulators, that organisational
assets and processes are secure against fraud and the risks arising from global interconnectivity.
A continuous programme of assessment and monitoring should be implemented to ensure
that risks are managed within the acceptable levels established by management.

3. DEFINING ICT SECURITY
ICT security can be defined by its strategic role in business performance, its potential in
enhancing the protection of information assets while enabling proper access to them, and
the resource components that must be engaged to ensure its effectiveness. Security also
can be defined as an increasingly important aspect of the relationship between an organization
and its customers, partners, and employees.

Most importantly, security is a strategic business process for organizations because providing
a balance of protection and enablement in line with business objectives will substantially
improve operating performance.

Forward-looking organisations that align security with enterprise objectives are more likely
to translate security strategy into reduced costs of doing business, revenue enhancement,
competitive advantage, and ultimately, shareholder value. Organizations that fail to align
security with their business objectives will find their performance diminished and long-term
viability threatened. This notion of security as a business enabler is now an essential concept
for enterprises in every industry. As a strategic process, security either protects an organization’s
information assets from harm or misuse, or enables access to information assets in a
manner that supports the organization’s objectives.Together, these two concepts – security
as protection and security as enablement – comprehensively define the promise of security
for organizations.

4. THE NEED FOR ICT SECURITY
Information is an extremely valuable asset to any organization and like all valuable assets,
it should be protected from both internal and external threats.

Figure 1: The Security of Inclusion and Exclusion

ICT security has long centered around the concept of “exclusion”, the primary goal of
which is to prevent unauthorised access to the internal sources of an ICT environment.
Organisations implemented the security of exclusion by setting up security perimeters
between enterprise networks and the outer world. These virtual boundaries isolated internal
networks – keeping out unwanted visitors, defending against viruses and malicious code
and protecting against external attack.

This approach to information security has been practised since the 1970’s when
mainframe-based applications were the dominant systems in use by organisations. As
companies migrated their systems to client/server-based applications in the 1980s and
early 1990s, they continued to strictly separate internal and external environments.

During the late 1990s and early 2000s, businesses began deploying Internet-based
applications, in which customers, employees, and business partners could access enterprise
applications from inside their Web browsers. Companies began to implement Internet-
based environments such as user portals, supplier portals, intranets, and extranets in order
to reduce costs, improve collaboration, and increase productivity. This transition to an
extended enterprise created the need for a fundamental shift in the approach to information
security to that of “inclusion”.

The implementation of Internet-based environments, other new technologies and rapid
connectivity to external parties has led to increased risks to an organisation's information
assets. Information that is more valuable than ever before is more accessible and easier to
divert. Organisations that fail to address the broader security issues that accompany this
change will have insufficient controls in place to minimise risks. These risks could lead to
significant financial and legal difficulties and reputation risk for these organisations. Appropriate
preventive, detective and corrective controls in the form of policies, standards, procedures,
organisational structures or software/technology functions and monitoring mechanisms are
therefore required to minimise the risks to the confidentiality, integrity and availability of
information assets within an organisation.

These aspects of security should be the underpinnings of any ICT security programme.

5. WHY IS AN ICT SECURITY AUDIT IMPORTANT TO BUSINESS ORGANISATIONS?
For an ICT security programme to be effective, monitoring processes need to be implemented to
ensure that the security policies, procedures and technology in place are operating effectively
and as intended. Monitoring processes include the operational procedures that auditors, systems
and security administrators use to monitor security levels and compliance with organisational
policies and procedures. These processes are carried out to ensure that risks are mitigated
through the implementation and operation of controls in an organisation's ICT environment, so
as to safeguard organisational information assets from damage, loss, unintended disclosure or
denial of availability.

Audits also provide a means for organisations to identify security gaps before they are breached,
and a means of evaluating the governance of outsourced operations.

5.1 To identify security gaps before they are breached

Identifying threats that can put an organization at risk is only one part of a comprehensive
security strategy. Companies must also actively identify asset weaknesses that could
be exploited in an attack. Every enterprise asset has attributes that make it vulnerable
in some way, whether the asset is a server, a client, a website, transactional data, or
a business process. Some vulnerabilities might be the result of weaknesses in the
technologies that control the asset, such as a buffer overflow bug in the application
software that runs a company's website. Others are simply due to the inherent nature
of the asset itself, such as the need for confidential data to remain private. Table 1
provides an overview of some common enterprise vulnerabilities.

Although an enterprise cannot control the existence of vulnerabilities, it can control the
way in which it chooses to deal with them. Properly implemented security policies,
standards, and technologies can help to limit risk by proactively identifying weaknesses
in enterprise assets. The goal of this activity, called vulnerability detection, is to allow
organisations to remediate vulnerabilities before they can be exploited by an attack. Before
organisations can undertake vulnerability detection, they must first develop an
understanding of where their vulnerabilities might exist – whether in their technology,
process, environment, or some other potential point of failure.

Table 1: Common Enterprise Vulnerabilities
This general understanding should inform the organisation’s security policies and
standards. Organisations usually implement vulnerability detection programmes in phases,
starting with the most necessary assets (as identified during the risk assessment or
asset classification process) and widening the scope to less essential assets as the
overall environment becomes more controlled. Managing the scope of the project in
this way is often essential to its success, as it limits the amount of raw data generated
by vulnerability detection activities to a level that can yield usable information.

The vulnerability detection process consists of three primary activities:

Compliance testing
Compliance testing can occur at many levels of the enterprise. Its primary aim is to
ensure that organizations conform to their own established security policies and
standards. An organization might choose to measure compliance against any number
of criteria, such as:

❥ Security policies against regulatory requirements
❥ Corporate standards against security policies
❥ Documented procedures against security policies
❥ Procedures as practised against documented procedures
❥ Technical controls against security policies
❥ Integration of information systems against technical controls
❥ Organisational security policy against specific departmental or system procedures
❥ Risk exception inventory against documented policy exceptions

In the same way that creating and implementing corporate security policies require a
well defined method, so must companies define their approach to compliance testing.
An effective compliance-testing programme has five basic characteristics: independence,
planning, evidence gathering, reporting, follow-up. Failure to include any one of these
criteria when devising test procedures can undermine the results of the testing process,
thus limiting its usefulness.

Compliance testing is of value only if the results of the test are impartial. To ensure
that a compliance test maintains its integrity and objectivity, the person or group
conducting the test must be independent of the asset being tested. In its strictest
sense, independence can be defined as lacking any direct or material indirect financial
interest in the asset being tested. In simple terms, this means that the testers should
not be involved in any operational or financial decisions.

Furthermore, they should report to a department other than the one responsible for the asset
being tested, to avoid any kind of managerial influence or pressure that may skew analysis of
test results. For example, in a typical company the security group might be responsible for
maintaining the security policy and the technical controls to be tested, while the IT department
maintains the information systems. In such a case, neither the security group nor the IT
department should perform the compliance tests. Instead, the company should call upon another
internal entity, such as an IT auditing department, or perhaps an outside specialist.

Vulnerability scanning
Vulnerability scanning is the process of identifying and assessing the weaknesses in
a given enterprise environment. It takes a comprehensive view of all technology assets,
including applications, servers, workstations, and network elements, and evaluates
how susceptible the environment is to attack. By looking at how the individual assets
fit into the larger environment, vulnerability scanning can help organisations spot weak
links in their IT infrastructures.

Too often, organisations are preoccupied with preventing so-called gaping holes in
their environments. They focus on the major vulnerabilities that could lead directly to
unauthorized access, while failing to resolve the small vulnerabilities in less essential
systems that can also be jumping-off points for attacks. Trust relationships, unsecured
single sign-on privileges, and misconfigured user accounts are just a few examples
of minor vulnerabilities that make it easy for an attacker to jump from machine to machine
until he finds the target he seeks.

To conduct comprehensive vulnerability scanning, companies usually take a two-pronged
approach. First, they scan for common vulnerabilities that can affect individual
assets. Next, they analyze their unique environments to identify how vulnerable they
are to highly customized attacks. Vulnerability testing should be a proactive process.
Companies should develop procedures to routinely perform vulnerability testing as
part of the application development life cycle, and especially when designing and
deploying new applications.

For example, when deploying web-based applications, a company might use
automated scanners to identify common vulnerabilities. Several recent studies have
demonstrated that the later in the application life cycle a bug is discovered, the more
expensive it will be to remedy. Identifying any weaknesses during application
development facilitates correcting the flaws before deployment.

Best practices dictate the use of many vulnerability scanning techniques. For instance,
automated scanning tools can identify weaknesses, while penetration testing (sometimes
called ethical hacking) can simulate the routes an attacker might use and demonstrate
the potential for unauthorized access.

Operations availability analysis
Another important component of vulnerability detection is operations availability
analysis, the process of maintaining the operational resilience of a company’s systems
and ensuring that systems remain available and can be easily recovered if unplanned
downtime occurs. Global competition and near-instantaneous communications are
just two of the reasons availability is so important to today’s enterprise.
While a true 24-hour global economy might not be a reality yet, maximum availability is
increasingly important for a growing number of companies. Typical candidates for
high-availability system design include:

❥ Networks – Connecting to Internet service providers (ISPs), LANs, and WANs.
❥ Application servers – Deploying server farms to distribute processing across
several application servers.
❥ Web servers – Caching or load balancing front-end Hypertext Transfer Protocol
(HTTP) or HTTPS requests, or distributing them across server farms.
❥ Databases – Clustering, replicating, and distributing data stores.

Any number of factors can have a negative impact on the availability of enterprise
systems. Poor resource management, inadequate operational procedures, and even
natural disasters can bring down entire networks. Likewise, an unforeseen security
incident can have disastrous consequences for today’s always-on applications.
Operations availability can be viewed as an umbrella process model that includes
numerous focus areas and systems, such as:

❥ Workflow engines
❥ Business process modeling
❥ Networking environments
❥ Operating systems
❥ Application servers
❥ Web servers
❥ Call centers
❥ Enterprise resource planning (ERP)/customer relationship management
(CRM)/portal environments
❥ Mainframe/legacy systems
❥ Telecommunications/phone systems
❥ Custom application development
❥ E-mail/groupware systems

Disaster Recovery
Disaster recovery is a crucial part of operations availability analysis. Disaster recovery
measures are designed to guide a company’s IT operations through the recovery process
following a major incident. Types of incidents include fire, natural disasters, terrorism,
malicious acts, accidents, or other hazards specific to an industry. Disaster recovery
plans should be part of larger business recovery and continuity plans that ensure critical
business processes are operational following a disaster. Plans should be developed to
address short-, medium- and long-term scenarios, ranging from a few hours of service
interruption to several months of unavailability.

Organisations need to identify the risks or impacts each type of disaster presents to
business continuity and operations and prioritize their disaster recovery efforts based
on those most likely to impact core business processes. Next, the company should
determine acceptable levels of downtime based on the acceptable level of risk relative
to its core business processes. These estimates will drive policies and procedures
governing IT operations (such as frequency of backups), as well as investments in
people, processes, and technologies to ensure operations are restored within the
allotted timeframe. Finally, organisations should develop appropriate plans to address
these risks and develop contingency plans in the event a particular incident or set of
incidents should occur.

Disaster recovery plans should include the relocation of people, equipment, and data
to a suitable remote center of operations. The remote center must have adequate
equipment, supplies, and capacity to handle the infrastructure supporting critical
business processes. Books, manuals, and operating instructions should be available
and staff must be trained in the tools and procedures needed to restore operations
(for example, data backup and recovery, archiving, and retrieval). The disaster recovery
plan must be reviewed, updated, and tested regularly to ensure it is viable and usable
when needed. Organisations must also disseminate disaster recovery policies and
procedures to employees at all levels; identify and train appropriate staff to coordinate,
manage, and execute the recovery plan; and coordinate with community and government
organisations to ensure smooth, orderly management of the situation.

5.2 To keep organisations better informed and assured on their outsourced
IT operations
Today, IT outsourcing is an increasingly important strategy for global enterprises. Many
companies worldwide are either currently outsourcing key portions of their IT infrastructure,
or considering doing so in the near future. When appropriately implemented, outsourcing
of IT functions can deliver a significant portfolio of business benefits in the form of cost
savings, standardisation, and allowing organisations to focus on the core
capabilities of IT. With these benefits, however, comes a whole set of risks:

❥ Failure to retain control of the strategic direction of the organisation’s IT infrastructure,
as the vendor may not fully understand the business and may not always represent
the best interests of the organisation
❥ Inadequate service levels resulting in potential loss of data, breach of confidentiality
and loss of reputation
❥ Inappropriate staffing and skill sets to manage outsourcing relationships and contracts

It is even more risky if the IT outsourcing involves parties offshore. It is one thing to
pass tasking authority to a separate organisation; it is quite another when the supporting
organisation is operating from offshore, or working to support customer operations
spread out across a global footprint. The stakes are higher, and the effects of a
mistaken or poorly executed strategy can be both magnified and harder to correct.

To mitigate such risks, outsource governance processes should be implemented,
including the monitoring and auditing of the outsourcing service provider. For many
companies undertaking an IT outsourcing initiative, governance is arguably the area
that organisations most frequently underestimate, in terms of time and investment,
as well as in terms of the structural architecture necessary to manage accountability.
Companies that commit to IT outsourcing without a strong governance capability do
not have any appropriate means of controlling performance. IT outsourcing does not
change the fact that the customer's organisation still carries the burden of operational
risk. In fact, because the processes, roles, responsibilities, and incentives that determine
project performance are now spread across two entirely separate organisations, the
need for a clear governance structure is even more critical in IT outsourcing arrangements.
It is the customer organisation's responsibility, not the IT outsourcing vendor's, to
establish a disciplined governance structure.

Part of the governance processes would include the performance of regular ICT
security audits to ensure the preservation of confidentiality, integrity and availability of
the organisation’s information assets. In essence, the establishment of a robust
governance structure helps an organisation meet the following objectives:

❥ Ensure alignment of the IT outsourcing initiative: Every IT outsourcing
contract must be carefully aligned with the organisation’s key business objectives,
as well as the needs of the primary stakeholders.

❥ Verify that the IT services outsourced are being performed: At a basic level,
the first question is generally simple: “Was the job completed?”

❥ Manage changing priorities across complex portfolios of discrete IT
projects and continuous IT services: Operating environments change constantly,
and in order to remain agile, an organisation must have the managerial levers of
control necessary to prioritise, redirect, and manage the performance of any
outsourcing contract.

❥ Establish direct, visible accountability for performance related to IT:
Specific ownership responsibility must be 1) clearly defined for all parties, including
IT, business units, corporate departments, users, and vendors and 2) appropriately
measured using relevant metrics.

❥ Define specific ownership of the key drivers: The engine of accountability is
the ability of management to know precisely, at any time and for any key stage in
the IT outsourcing process, both inside the customer organisation and in the
vendor's organisation, who is responsible.

❥ Craft well-integrated IT management processes: Customer organisations
must build a culture of accountability and continuous improvement of IT
management processes, controls, and support based on internal and external
best practices. Too often, IT leaders and managers focus only on a single point
within the IT management and delivery framework. Instead, they must concentrate
on the need to fully integrate and link strategies, plans, actions, results, and measurement
across both the client organisation's internal processes and the outsource
vendor’s processes.

6. THE CHALLENGE OF IMPLEMENTATION – COST

A security vulnerability assessment or audit leaves the ICT security and
operations managers confronted with a new challenge: implementing
the solutions necessary to plug the security gaps using cost-effective measures, while
not compromising on the controls required.

Essentially, these managers must align the implementation of the solutions,
which may take the form of individual security initiatives, with their associated costs, justifying
the cost in business terms, increasing the efficiency of existing services, and mitigating
business risk.

Risk-based decision analysis

When organisations create their investment strategies to implement the necessary security
and control mechanisms, they face a number of issues, including:

❥ Security investments are justified against hypothetical losses.
❥ Security benefits are difficult to quantify.
❥ Limited capital could be allocated against a wide variety of risks and possible solutions.
❥ Communicating risks and benefits of specific security investments to nontechnical
stakeholders could be difficult.

To overcome these obstacles, companies must develop a risk-based decision analysis
that enables them to allocate security resources and prioritize security projects. Such an
analysis considers the risk decision, uncertainties that make the decision difficult, and
preferences that value the outcomes. In doing so, the organisation creates a common
language and structure that can be used and understood by both technical and non-technical
stakeholders to reach consensus in security investment decision-making.

A crucial component of the risk-based decision analysis is an organisation’s risk and value
map. The map illustrates the current annualized cost of a security event and the projected
costs of the same event after the security investment.

Figure 2: A Simplified Version of a Risk And Value Map
For example, the annualized cost might take into account the number of customers
who switch to another supplier due to an event, the value of each lost customer, the additional
advertising required to counteract the effects of the event, the cost to reimburse customers
for disrupted service, and so on.
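As an added illustration that is not part of the original article, the Python below builds the risk and value map just described from the cost factors the text names, compares each event's current annualised cost with its projected cost after a candidate investment, and ranks the investments by net annual benefit; every scenario, figure and investment name in it is a constructed sample.

```python
"""Risk and value map for risk-based security investment decisions.

Added example, not part of the original article. Each row compares the current
annualised cost of a security event with the projected cost of the same event
after a candidate investment, built from the cost factors the article names
(customers who switch supplier, value of each lost customer, extra advertising
and reimbursement for disrupted service). All figures are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EventImpact:
    """Cost of a single occurrence of a security event."""
    customers_lost: int          # customers who switch to another supplier
    value_per_customer: float    # value of each lost customer
    extra_advertising: float     # advertising needed to counteract the event
    reimbursement: float         # refunds or credits for disrupted service
    other_costs: float = 0.0     # e.g. incident handling, legal or regulatory costs

    def single_loss(self) -> float:
        return (self.customers_lost * self.value_per_customer
                + self.extra_advertising + self.reimbursement + self.other_costs)


@dataclass(frozen=True)
class RiskScenario:
    """A security event with its expected yearly frequency (may be below 1)."""
    event: str
    annual_frequency: float
    impact: EventImpact

    def annualised_cost(self) -> float:
        return self.annual_frequency * self.impact.single_loss()


@dataclass(frozen=True)
class Investment:
    """A security initiative: its yearly cost and the residual scenario it leaves."""
    name: str
    annual_cost: float           # capital spread over its life plus operating cost
    residual: RiskScenario       # the same event as projected after the investment


def risk_value_row(current: RiskScenario, inv: Investment) -> dict:
    """One row of the map: cost before, cost after, and net annual benefit."""
    if current.event != inv.residual.event:
        raise ValueError("investment must be projected against the same event")
    before = current.annualised_cost()
    after = inv.residual.annualised_cost()
    reduction = before - after
    return {
        "event": current.event,
        "investment": inv.name,
        "cost_before": round(before, 2),
        "cost_after": round(after, 2),
        "risk_reduction": round(reduction, 2),
        "investment_cost": inv.annual_cost,
        "net_benefit": round(reduction - inv.annual_cost, 2),
    }


def prioritise(current: dict[str, RiskScenario], options: list[Investment]) -> list[dict]:
    """Rank candidate investments by net annual benefit, highest first."""
    rows = [risk_value_row(current[inv.residual.event], inv) for inv in options]
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample scenarios (hypothetical figures in an arbitrary currency).
BREACH = RiskScenario("web application breach", 0.5,
                      EventImpact(400, 500.0, 50_000.0, 30_000.0, 20_000.0))
OUTAGE = RiskScenario("front-end outage", 2.0,
                      EventImpact(50, 500.0, 0.0, 15_000.0, 5_000.0))
CURRENT = {s.event: s for s in (BREACH, OUTAGE)}

# Constructed candidate investments and the scenario each is projected to leave.
OPTIONS = [
    Investment("web application scanning in the development life cycle", 40_000.0,
               RiskScenario(BREACH.event, 0.1, BREACH.impact)),
    Investment("load-balanced web front end", 60_000.0,
               RiskScenario(OUTAGE.event, 0.5,
                            EventImpact(20, 500.0, 0.0, 5_000.0, 5_000.0))),
    Investment("extended outage mitigation contract", 100_000.0,
               RiskScenario(OUTAGE.event, 0.25, OUTAGE.impact)),
]

if __name__ == "__main__":
    for row in prioritise(CURRENT, OPTIONS):
        print(f"{row['investment']:<55} before={row['cost_before']:>10,.0f} "
              f"after={row['cost_after']:>9,.0f} net={row['net_benefit']:>+10,.0f}")
```

A negative net benefit, as for the third sample investment, is the signal that the projected risk reduction does not justify the spend at the assumed frequencies, which is exactly the conversation the map is meant to support with non-technical stakeholders.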

7. CONCLUSION
As ICT and organisational business models continually evolve, new threats will rear their
ugly head, providing more opportunities for exploitation. The response of organisations to
these emerging threats is still largely reactive in nature.

Threats will continue to increase in number, and to counter-balance these threats,
international standards and professional bodies, such as the International Organisation for
Standardisation (ISO), British Standards Institute (BSI), SANS and the Information Systems
Audit and Control Association (ISACA), will constantly update and develop best practices
(both strategic and technical) for organisations to adopt to counter these threats.
In tandem, organisations need to continually assess their ICT environment to ensure that
the policies, procedures and best practices implemented are achieving their intended objectives
and providing a sufficient measure of protection over organisational information assets.

THE PORTRAYAL OF APPLICABLE INFORMATION TECHNOLOGY (IT) SECURITY
STANDARDS IN MALAYSIA
BASRI ZAINOL
SIRIM BERHAD

ABOUT THE AUTHOR

Basri Zainol graduated with a Master’s degree in computer science from the State University of
New York, USA in 1987. He has been in the IT industry for the last 17 years. He started his
career as an officer in the Information Services Department of the banking industry, where he
implemented an integrated banking system.

He is presently the Programme Head of the Software Compatibility & Assurance Programme,
Electronics & Information Technology Centre, SIRIM Berhad. He is responsible for the research
& development of the core technology areas of encryption and software assurance. He has been
performing research-based activities such as the development of the information broker (IB),
the Malaysian Public Sector Management of ICT Security Handbook (MyMIS), an automated
information security review methodology (AISec), an Information Security Management
assimilator application tool (aISMilator), a software assurance tool and digital encryption. He has
been trained in the information security area (ISO 17799 and BS7799) by various experts
from Europe, Australia and the United Kingdom. He is considered one of the experts in
Malaysia and a consultant on ISMS.

ABOUT THE ORGANISATION

SIRIM was established in 1975 under the SIRIM (Incorporation) Act 157, under the Ministry of Science,
Technology and the Environment. SIRIM was corporatised on 16 November 1995 as a
government-owned company under the Ministry of Finance Incorporated. On 1 September
1996, SIRIM Berhad was fully operationalised. SIRIM’s vision is to be a world class corporation
of choice for Technology and Quality, while its missions are to enhance customers’
competitiveness through Technology and Quality and to fulfil the needs of the stakeholders.
SIRIM’s role is to act as:

• A champion of quality
• The national technology development corporation
• A vehicle for technology transfer
• A provider of institutional and technical infrastructure for the Government
• A national focal point for market driven R&D

THE PORTRAYAL OF APPLICABLE INFORMATION
TECHNOLOGY (IT) SECURITY STANDARDS
IN MALAYSIA
BASRI ZAINOL

ABSTRACT
Technology alone is not the key to information security. If 90% of respondents to the annual
CSI/FBI Survey on Information Security say they have anti-virus software, how is it that 85% of
those same respondents were hit by viruses, worms and other malicious codes? In any team
situation we are only as strong as our weakest link, and with information now a valuable
business commodity, even the most sophisticated computer security systems are vulnerable
to human interference (intentional or otherwise). What the major information security failures
now appearing in newspaper headlines represent is that human fallibility can have an impact
on information security.

This article explores a portrayal of applicable Information Technology (IT) Security standards in
Malaysia. It provides information on the applicable and most widely used IT
Security standards in Malaysia. The outcome is an explanation of each IT Security standard,
whether a guideline or a certification standard.

1. INTRODUCTION
In this new era of the knowledge-based society, information becomes a very important asset.
Knowledge becomes a key issue both in making decisions and in improving the skills of employees.
Information is an asset which has value to an organisation and consequently needs to be
suitably protected.

Information Security has long been viewed by IT professionals as being fundamental. Computing
facilities and the information systems they support have become increasingly accessible as a
result of the explosion of the open public Internet. The successful operation of business in
Malaysia in the present day relies on information and the exchange of information. But threats
to its confidentiality, integrity and availability abound.

Organisations are realising that their information is an asset to the business and should be
regarded as such in the same way as cash and buildings. The impetus to do something then,
comes from a number of sources.

Guidelines for Corporate Governance, new onerous legislative requirements, increasing reliance
on timely accurate information and recognition of the increased threats to the organisation both
internally and externally, have all contributed to information security management becoming a
major issue for business. The demand for information security safeguards has long been
dominated by the military and banking sectors. As a result, the orientation is rather different
from what corporations, government agencies and the public really need. Meanwhile, the supply
of information security safeguards has been dominated by computing and communications
specialists.

2. NATURE OF INFORMATION SECURITY
In the mainframe computer environment of the past, information security could be handled by
an isolated and highly technical staff. Today, information processing technology is widely
distributed not only to employees, but to a wide range of third parties, as well as consultants,
contractors, temporary employees, business partners and customers. Users now perform
tasks that were previously handled by highly trained specialists, and they have generally
received little or no training in the most common information security procedures. Critical
information is now in the hands of a much larger number of people, and it is stored in remote
and disparate locations.

This makes the results of another recent survey on security a sobering read: two out of three
workers happily gave their computer passwords away to complete strangers when asked in
Victoria Station in London. Hardly surprisingly, their chosen phrase was rarely difficult to
guess, with “password” being the most popular choice. Yet another survey in April 2002
revealed that 60% of employees knew little about information security, with almost 50% saying
that they had never received any formal security awareness training. It is an oft-used example,
but based on fact: some people do still write their passwords on post-it notes and stick them
on the front of their computers!

The concept of security is applicable to people, buildings, the contents of buildings,
organisations, and even nations, as well as information. Information security is used in at least
two senses:
i. The condition in which harm does not arise, despite the occurrence of threatening events; and
ii. The set of safeguards designed to achieve that condition.

Threatening events can be analysed into the following kinds:
i. Natural threats are commonly referred to in the insurance industry as Acts of God or
Nature, e.g. fire, flood, lightning strike, tidal wave, earthquake, volcanic eruption;
ii. Accidental threats by humans who are directly involved, e.g. dropping something, tripping
over a power-cord, failing to perform a manual procedure correctly, mis-coding information,
mis-keying, failing to perform a back-up; and
iii. Intentional threats by humans who are directly involved, e.g. sabotage, intentional capture
of incorrect data, unjustified amendment or deletion of data, theft of backups, extortion,
vandalism.

Threatening events may give rise to harm. The generic categories of harm are as follows:
i. Injury to persons;
ii. Damage to property;
iii. Loss of data, alteration of data, access to or disclosure of data, and replication of data;
iv. Loss of value of an asset; and
v. Loss of reputation and confidence.

Local area networks linked the computing islands within organisations as far back as the mid-
1980s. Interconnection between organisations over wide-area networks was mainstreamed by
the late 1980s. Widespread interconnection via the open public Internet has exploded since
about 1992.

The amazing growth of the Internet, both in size and in influence on our society has led to
increased risks of its exploitation by criminal and terrorist groups. As of now, this exploitation
has been relatively limited, at least with respect to the likely activity in the years to come. There
is a need to act now to develop and put into place intelligence methodologies to aid analysis
of Internet-based security and criminal threats and to augment existing Internet security
practices.

These methodologies cannot be purely technically based, or the true societal significance of
Internet activity will be overlooked. They cannot be a purely localized activity, or the divergent
needs of various regions and organizations will not be represented. They cannot be simply
responsive to incidents, such as viruses or system attacks, or the advantage will remain with
the intruders. They cannot be centrally controlled or performed, or the need for rapid “Internet-
speed” response will not be met. Internet security threats are distributed, ongoing and multifaceted,
so the strategy for dealing with them must be distributed, ongoing and multifaceted.

3. NEED FOR IT SECURITY STANDARDS

Accompanying the growth in the power and sophistication of information systems has been
an enormous increase in dependence on these systems. Information and communication
technologies have been embraced enthusiastically but with little attention to attendant, if
inadvertent, vulnerabilities. Indeed, reliance on the new systems has grown much faster than
our grasp of the vulnerabilities inherent in the networks, systems and core technologies that
underlie the information and communications revolutions.

Moreover, in spite of some well-publicized and extremely costly incidents, there remains a
remarkable level of complacency. Results from the annual Computer Security Institute and FBI
Annual Survey have revealed considerable reluctance to report problems. In 1999, for
example, only 32% of those who suffered serious attacks reported the intrusions to law
enforcement. While this almost doubled from the 17% figure of the three preceding years, it
was still a remarkably low percentage, and it actually dropped back to 25% in the 2000 survey.
Such reticence is not confined to the United States.

This was apparent in a report on British business by the Department of Trade and Industry’s
Information Security Breaches Survey 2000. Although the report suggested that up to 60% of
the UK’s connected businesses might have been the victims of cyber crime within the last two
years, two-thirds of the companies interviewed noted that nothing had changed since the
intrusions, while 30% did not see protection of business information to be a priority.

Information security protects information from a wide range of threats in order to ensure business
continuity, minimize business damage and maximize return on investments and business
opportunities. Information can exist in many forms. It can be printed or written on paper, stored
electronically, transmitted by post or using electronic means, shown on films, or spoken in
conversation. Information security is about people and process. Recent high profile information
security breaches and the value of information are highlighting the ever increasing need for
organizations to protect their information. This has raised awareness among organisations in
Malaysia of the need to adopt or adapt internationally or nationally recognised standards.

4. AVAILABLE STANDARDS IN MALAYSIA

There are more than 200 IT standards available in Malaysia. These standards have either been
adopted or adapted to become Malaysian Standards. Some of the related IT Security standards
that address Information and Network Security are:

4.1 ISO 17799: 2000 INFORMATION SECURITY MANAGEMENT STANDARD

This code of practice may be regarded as a starting point for developing organisation
specific guidance. Not all of the guidance and controls in this code of practice may
be applicable. The objective of the standard is to serve as a single reference point for
identifying the range of controls needed for most situations where information systems
are used in industry and commerce, and to be usable by large, medium and small
organisations. The ISO 17799:2000 Information Security Management standard has been
adapted as a Malaysian standard. This standard is the most widely recognised security
standard. It is based on BS7799, which was last published in May 1999, and it
includes many enhancements and improvements over previous versions. The first
version of ISO 17799 was published in December 2000.

ISO 17799:2000 is comprehensive in its coverage of security issues. It contains a
substantial number of control requirements. Information security protects information
from a wide range of threats in order to ensure business continuity, minimize business
damage and maximize return on investments and business opportunities. Information
can exist in many forms. It can be printed or written on paper, stored electronically,
and transmitted by using electronic means or spoken in conversation. Information security
is characterised as the preservation of:
I. confidentiality: ensuring that information is accessible only to those authorized to
have access;
II. integrity: safeguarding the accuracy and completeness of information and processing
methods; and
III. availability: ensuring that authorized users have access to information and associated
assets when required.

Information security is achieved by implementing a suitable set of controls, which
could be policies, practices, procedures, organisational structures and software
functions. These controls need to be established to ensure that the specific security
objectives of the organisation are met. It is organised into 10 major sections:

Business Continuity Planning
The objectives of this section are to counteract interruptions to business activities and
to critical business processes from the effects of major failures or disasters.

System Access Control
The objectives of this section are to:
I. control access to information;
II. prevent unauthorized access to information systems;
III. ensure the protection of networked services;
IV. prevent unauthorized computer access;
V. detect unauthorized activities; and
VI. ensure information security when using mobile computing and tele-networking
facilities.

System Development and Maintenance
The objectives of this section are to:
I. ensure security is built into operational systems;
II. prevent loss, modification or misuse of user data in application systems;
III. protect the confidentiality, authenticity and integrity of information;
IV. ensure IT projects and support activities are conducted in a secure manner; and
V. maintain the security of application system software and data.

Physical and Environmental Security
The objectives of this section are to prevent unauthorised access, damage and
interference to business premises and information; to prevent loss, damage or
compromise of assets and interruption to business activities; and to prevent compromise or
theft of information and information processing facilities.

Compliance
The objectives of this section are to:
I. avoid breaches of any criminal or civil law, statutory, regulatory or contractual
obligations and of any security requirements;
II. ensure compliance of systems with organisational security policies and standards;
and
III. maximize the effectiveness of and to minimize interference to/from the system
audit process.

Personnel Security
The objectives of this section are to reduce risks of human error, theft, fraud or misuse
of facilities; to ensure that users are aware of information security threats and
concerns, and are equipped to support the corporate security policy in the course of
their normal work; to minimise the damage from security incidents and malfunctions
and learn from such incidents.

Security Organisation
The objectives of this section are to:
I. manage information security within the organisation;
II. maintain the security of organisational information processing facilities and information
assets accessed by third parties; and
III. maintain the security of information when the responsibility for information processing
has been outsourced to another organisation.

Computer & Network Management
The objectives of this section are to:
I. ensure the correct and secure operation of information processing facilities;
II. minimise the risk of systems failures;
III. protect the integrity of software and information;
IV. maintain the integrity and availability of information processing and communication;
V. ensure the safeguarding of information in networks and the protection of the
supporting infrastructure;
VI. prevent damage to assets and interruptions to business activities; and
VII. prevent loss, modification or misuse of information exchanged between organisations.

Asset Classification and Control
The objectives of this section are to maintain appropriate protection of corporate
assets and to ensure that information assets receive an appropriate level of protection.

Security Policy
The objective of this section is to provide management direction and support for
information security.

4.2 BS7799-2: 2000 INFORMATION SECURITY MANAGEMENT SYSTEM
STANDARD (ISMS)
The BS7799-2:2002 ISMS standard is a standard developed by the British Standards
Institute (BSI). It is a new standard, published and released in September 2002.
It is a certification standard, similar to the ISO9001 standard. However, this standard
requires the implementation of all controls specified in the ISO17799:2000 or
BS7799-1:2000 Information Security Management (ISM) code of practice.

Implementation of BS7799-2:2002 ISMS and ISO 17799:2000 ISM shall be a key
agenda item for ICT-related organisations or departments seeking to achieve the recognised
level of information security management in the compliance or certification
arena. The process of implementing the standard to achieve compliance or certification
includes defining the scope and policy, assessing risk, defining the information controls,
and preparing the statement of applicability. These processes are in line with the ISO
methodology of Plan-Do-Check-Act.

The execution of this programme requires enormous commitment from management.
This is not only an ICT issue; it concerns information security. Information
is an asset to any organisation or department, and an asset that carries information is
an information asset. Therefore, information assets shall be protected to an acceptable
level of information risk.

The implementation of this standard, whether for certification or compliance, consists of
the following steps:

Step 1: Define the organisation’s information security policy

Step 2: Define the scope of the ISMS. Going through the controls outlined in
ISO17799:2000, an organisation will need to decide which controls are suitable for
assessment within the organisation. The selection of controls will depend on the
business requirements, the assets to be protected, the location and the technology.

Step 3: Risk assessment: The aim of the assessment is to identify the threats and
vulnerabilities to assets and the impacts to the organisation. The results of this will
determine the degree of risk.

Step 4: Risk management: the areas of risk to be managed are identified by the
information security policy and the degree of assurance required by the organisation.

Step 5: Selection of the controls detailed in clause 4 to be implemented and the
objectives of these controls. Justification for the selections made must be provided.

Step 6: Statement of applicability: An organisation will need to document the selected
control objectives and controls, the reasons for selection and justification for the exclusion
of any of the controls listed in clause 4.

4.3 ISO 13335 PART 1 GUIDELINES FOR THE MANAGEMENT OF IT SECURITY
(GMITS) – CONCEPT AND MODEL
The purpose of ISO 13335 Part 1 is to provide guidance on the management aspect
of IT security. The objectives of the standard are to:
I. define and describe the concepts associated with the management of IT security;
II. identify the relationships between the management of IT security and the
management in general;
III. present several models; and
IV. provide general guidance on the management of IT security.

Part 1 gives an overview of the fundamental concepts and models used to
describe the management of IT security. All organisations depend heavily on the use
of information to conduct their business and activities. Loss of confidentiality, integrity
and accountability of information and services can have a direct impact on the
organisation.

Hence, there is a need to protect information and to manage the security of IT
systems within the organisation.

IT security management functions include:
I. determining organisational IT security objectives, strategies and policies;
II. determining organisational IT security requirements;
III. identifying and analysing security threats to IT assets within the organisation;
IV. identifying and analysing risks;
V. specifying appropriate safeguards; and
VI. monitoring the implementation and operation of safeguards that are necessary in
order to cost-effectively protect the information and services within the organisation.

The adoption of the concepts that follow needs to take into account the culture and
the environment in which the organisation operates, as these may have a significant
effect on the overall approach to security. In addition, they can have an impact on
those that are responsible for the protection of specific parts of the organisation.

An approach is necessary for the identification of requirements for IT security within an
organisation. This is also true for the implementation of IT security and its ongoing
administration. This process is referred to as the management of IT security and
includes the following activities:
• development of an IT security policy;
• identifying roles and responsibilities within the organisation; and
• risk management, involving the identification and assessment of assets to be
protected.

Corporate security objectives, strategies and policies need to be formulated as a
basis for effective IT security in an organisation. They support the business of the
organization and together they ensure consistency between all safeguards. The
objectives identify what shall be achieved, strategies identify how to achieve these
objectives, and the policies identify what needs to be done. Objectives, strategies
and policies may be developed hierarchically from the corporate to the operational
level of the organisation. They should reflect organisational requirements and take into
account any organisational constraints, and they should ensure that consistency is
maintained at each level and throughout all levels. Security is the responsibility of all
levels of management within the organisation and occurs in all phases of a systems
life cycle. The objectives, strategies and policies should be maintained and updated
based on the results of periodic security reviews (e.g., risk analysis, security audits)
and changes in business objectives.

The corporate security policy essentially comprises the security principles and
directives for the organisation as a whole. Corporate security policies must reflect the
broader corporate policies, including those that address individual rights, legal
requirements and standards. The corporate IT security policy must reflect the essential
security principles and directives applicable to the corporate security policy, and the
general use of IT systems within the organisation. An IT system security policy must
reflect the security principles and directives contained within the corporate IT security
policy. It should also contain details of the particular security requirements and
safeguards to be implemented and how to use them correctly to ensure adequate
security. In all cases it is important that the approach taken is effective in relation to
the business needs of the organisation.

4.4 ISO 13335 PART 2 GUIDELINES FOR THE MANAGEMENT OF IT SECURITY
(GMITS) – MANAGING AND PLANNING IT SECURITY
Part 2 describes management and planning aspects. It is relevant to managers with
responsibilities relating to an organisation’s IT systems. They may be IT managers who
are responsible for overseeing the design, implementation, testing, procurement, or
operation of IT systems, or managers who are responsible for activities that make
substantial use of IT systems as well as IT security personnel.

In order to fulfil these management responsibilities for IT systems, security must be an
integral part of an organisation’s overall management plan and be integrated into all
functional processes of the organisation.

Overview of Planning and Management Process
IT security planning and management is the overall process of establishing and
maintaining an IT security programme within an organisation. Because management
styles and organisational sizes and structures differ, this process should be tailored to
the environment in which it is used. It is implicit that management reviews are conducted
as part of all these activities and functions.

Overview of Risk Management
Risk Management includes four distinct activities:
• determination of the overall risk management strategy appropriate to the organisation
within the context of the corporate IT security policy;
• selection of safeguards for individual IT systems as a result of risk analysis activities
or according to baseline controls;
• formulation of IT system security policies from the security recommendations, and
as necessary the update of the corporate IT security policy (and where appropriate
the departmental IT security policy); and
• construction of IT security plans to implement the safeguards, based on the approved
IT system security policies.

Implementation Overview
The implementation of the necessary safeguards for each IT system should be done
according to the IT security plan. The improvement of general IT security awareness,
although very often neglected, is an important aspect for the effectiveness of safeguards.

Integrating IT Security
All IT security activities are most effective if they occur uniformly throughout the
organisation and from the beginning of any IT system’s life cycle. The IT security process
is itself a major cycle of activities and should be integrated into all phases of the IT
system life cycle. Whilst security is most effective if it is integrated into new systems
from the beginning, legacy systems and business activities benefit from the integration
of security at any point in time.

An IT system life cycle can be sub-divided into three basic phases. Each of these
phases relates to IT security in the following way:
• Planning: IT security needs should be addressed during all planning and decision
making activities;
• Acquisition: IT security requirements should be integrated into the processes by
which systems are designed, developed, purchased, upgraded or otherwise
constructed; and
• Operations: IT security should be integrated into the operational environment. As
an IT system is used to perform its intended mission, it typically undergoes a
series of upgrades, which includes the purchase of new hardware components or
the modification or addition of software.

Corporate IT Security Policy
Objectives (what is to be achieved), strategies (how to achieve these objectives), and
policies (the rules for achieving the objectives) may be defined for each level of an
organisation and for each business unit or department. In order to achieve effective IT
security it is necessary to align the various objectives, strategies and policies for each
organisational level and business unit.

Management Commitment
The commitment of top management to IT security is important and should result in a
formally agreed and documented corporate IT security policy. The corporate IT security
policy should be derived from the corporate security policy.

Policy Relationship
The corporate IT security policy may be included in the range of corporate technical
and management policies that together build a basis for a corporate IT strategy statement.
This statement should include some persuasive words on the importance of security.

Corporate IT Security Policy Elements

The corporate IT security policy should at least cover the following topics:
• IT security requirements, e.g., in terms of confidentiality, integrity, availability,
authenticity, accountability and reliability, particularly with regard to the views of the
asset owners,
• organisational infrastructure and assignment of responsibilities,
• integration of security into system development and procurement,
• directives and procedures,
• definition of classes for information classification,
• risk management strategies,
• contingency planning,
• personnel issues,
• awareness and training,
• legal and regulatory obligations,
• outsourcing management, and
• incident handling.

Organisational Aspects of IT Security

Roles and Responsibilities
IT security is an inter-disciplinary topic and relevant to every IT project and system and
all IT users within an organisation. Appropriate assignment and demarcation of
responsibilities should ensure that all important tasks are accomplished and that they
are performed in an efficient way.

Corporate IT Security Officer
The corporate IT security officer should act as the focus for all IT security aspects
within the organisation. The chief responsibilities are:
• oversight of the implementation of the IT security programme,
• liaison with and reporting to the IT security forum and the corporate security officer,
• maintaining the corporate IT security policy and directives,
• co-ordinating incident investigations,
• managing the corporate-wide security awareness programme, and
• determining the terms of reference for IT project and system security officers (and
where relevant, department IT security officers).

IT Project Security Officer and IT System Security Officer
Individual projects or systems should have someone responsible for security, usually
called the IT security officer. The functional management of these officers will be the
responsibility of the corporate IT security officer. The security officer acts as the focal
point for all security aspects of a project, a system or a group of systems. The chief
responsibilities of the post are:
• liaison with and reporting to the corporate IT security officer,
• issuing and maintaining the IT project or system security policy,
• developing and implementing of the security plan,
• day-to-day monitoring of implementation and use of the IT safeguards, and
• initiating and assisting in incident investigations.

Corporate Risk Analysis Strategy Option
Any organisation that wants to enhance security should put in place a strategy for risk
management that is suitable for its environment. An approach that provides a balance
involves conducting high-level reviews to determine the IT security needs of systems,
followed by analyses to a depth consistent with these needs. The security needs of any
organisation will depend on its size, the type of business it is doing, and its environment
and culture.

4.5 ISO 13335 PART 3 GUIDELINES FOR THE MANAGEMENT OF IT SECURITY
(GMITS) – TECHNIQUES FOR MANAGEMENT OF IT SECURITY
The purpose of the ISO 13335 Part 3 is to provide techniques for the management
of IT security. The techniques are based on the general guidelines laid out in ISO
13335 Part 1 and ISO 13335 Part 2. These guidelines are designed to assist the
implementation of IT security. Familiarity with the concepts and models introduced in
ISO 13335 Part 1 and the material concerning the management and planning of IT
security in ISO 13335 Part 2 is important for a complete understanding. The aim of
this part is to recommend techniques for the successful management of IT security.
These techniques can be used to assess security requirements and risks, and help
to establish and maintain the appropriate security safeguards.

The management of IT security includes the analysis of the requirements for security,
the establishment of a plan for satisfying these requirements, the implementation of
this plan, as well as maintenance and administration of the implemented security. This
process starts with establishing the organisation’s IT security objectives and strategy,
and the development of a corporate IT security policy. An important part of the IT
security management process is the assessment of risks, and how they can be
reduced to an acceptable level. The implementation should be supported by an
awareness and training programme, which is important for the effectiveness of the
safeguards. Furthermore, the management of IT security includes the ongoing task of
dealing with various follow up activities which include maintenance, security compliance
checking, change management, monitoring, and incident handling.

Security Elements
Assets
The proper management of assets is vital to the success of the organisation, and is
a major responsibility of all management levels. The assets of an organisation include:
• physical assets,
• information/data,
• software,
• the ability to produce some product or provide a service,
• people, and
• intangibles (e.g., goodwill, image).

Most or all of these assets may be considered valuable enough to warrant some
degree of protection. An assessment of the risks being accepted is necessary if the
assets are not protected. From a security perspective, it is not possible to implement
and maintain a successful security programme if the assets of the organisation are not
identified. Asset attributes to be considered include their value and/or sensitivity and
any inherent safeguards. The protection requirements of assets are influenced by their
vulnerabilities in the presence of particular threats.

Threats
Assets are subject to many kinds of threats. A threat has the potential to cause an
unwanted incident, which may result in harm to a system or organisation and its
assets. Threats may be of natural or human origin and can be accidental or deliberate.
Both accidental and deliberate threats should be identified and their level and
likelihood assessed.

Vulnerabilities
Vulnerabilities associated with assets include weaknesses in physical layout,
organisation, procedures, personnel, management, administration, hardware,
software or information. Vulnerability in itself does not cause harm; vulnerability is
merely a condition or set of conditions that may allow a threat to affect an asset.

Vulnerabilities may remain unless the asset itself changes such that the vulnerability
no longer applies. Vulnerability analysis is the examination of weaknesses, which may
be exploited by identified threats. This analysis must take into account the environment
and existing safeguards.

Impact
Impact is the consequence of an unwanted incident caused either deliberately or
accidentally, which affects the assets. The consequences could be the destruction of
certain assets, damage to the IT system, and loss of confidentiality, integrity, availability,
accountability, authenticity or reliability. Possible indirect consequences include
financial losses, and the loss of market share or company image. The assessment of
impacts is an important element in the assessment of risks and the selection of
safeguards.

Risk
Risk is the potential that a given threat will exploit vulnerabilities to cause loss or
damage to an asset or group of assets, and hence directly or indirectly to the
organisation. The risk is characterised by a combination of two factors: the probability
of the unwanted incident occurring and its impact. Any change to assets, threats,
vulnerabilities and safeguards may have significant effects on risks. Early detection or
knowledge of changes in the environment or system increases the opportunity for
appropriate actions to be taken to reduce the risk.

Safeguards
Safeguards are practices, procedures or mechanisms which may protect against a
threat, reduce vulnerability, limit the impact of an unwanted incident, detect unwanted
incidents and facilitate recovery. Effective security usually requires a combination of
different safeguards to provide layers of security for assets. Safeguards may be
considered to perform one or more of the following functions: detection, deterrence,
prevention, limitation, correction, recovery, monitoring, and awareness. An
appropriate selection of safeguards is essential for a properly implemented security
programme.

Residual Risk
Risks are usually only mitigated partially by safeguards. A partial mitigation is all that is
usually possible to achieve and the more that is to be achieved the greater the cost.
This implies that there are usually residual risks. Part of judging whether the security
is appropriate to the needs of the organisation is the acceptance of the residual risk.
Management should be made aware of all residual risks in terms of impact and the
likelihood of an event occurring.

Constraints
Constraints are normally set or recognised by the organisation’s management and
influenced by the environments within which the organisation operates.
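A worked example of the risk analysis described under Step 3 above and in the security elements of this section (assets, threats, vulnerabilities, impact, safeguards, residual risk), added here; it is not code from the guide or from the standard. The additive 0 to 8 risk matrix, the mapping of safeguard functions onto the factors they reduce, and the sample assets are assumptions constructed for the example.

```python
"""Risk analysis with the security elements of ISO 13335: each scenario pairs an
asset with a threat and a vulnerability; safeguards partially reduce the factors,
leaving a residual risk that management must accept or act on."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative level used for threat likelihood and vulnerability."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # 0 (negligible) .. 4 (critical): the impact if the asset is harmed


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: Level


@dataclass(frozen=True)
class Vulnerability:
    name: str
    level: Level  # how easily the threat can affect the asset


@dataclass(frozen=True)
class Safeguard:
    """Assumed mapping of safeguard function onto the factor it reduces:
    deterrence -> likelihood, prevention -> vulnerability, limitation/recovery -> impact."""
    name: str
    reduces: str  # "likelihood", "vulnerability" or "impact"
    steps: int = 1  # how many levels the factor is reduced by (partial mitigation)


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability


def risk_measure(asset_value: int, likelihood: Level, vulnerability: Level) -> int:
    """Combine the factors into one risk measure on a 0..8 scale.
    Constructed additive matrix: each step in any factor adds one (an assumption)."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be 0..4")
    return asset_value + int(likelihood) + int(vulnerability)


def _step_down(value: int, steps: int) -> int:
    return max(0, value - steps)


def residual_risk(scenario: Scenario, safeguards: list) -> int:
    """Risk remaining after the safeguards are applied; safeguards only ever lower a factor."""
    value = scenario.asset.value
    likelihood = int(scenario.threat.likelihood)
    vuln = int(scenario.vulnerability.level)
    for s in safeguards:
        if s.reduces == "impact":
            value = _step_down(value, s.steps)
        elif s.reduces == "likelihood":
            likelihood = _step_down(likelihood, s.steps)
        elif s.reduces == "vulnerability":
            vuln = _step_down(vuln, s.steps)
        else:
            raise ValueError(f"unknown safeguard function {s.reduces!r}")
    return risk_measure(value, Level(likelihood), Level(vuln))


def risks_for_management(scenarios, safeguards_by_asset, acceptable: int):
    """Return (asset, risk, residual) for every scenario whose residual risk still
    exceeds the level management has agreed to accept."""
    out = []
    for sc in scenarios:
        before = risk_measure(sc.asset.value, sc.threat.likelihood, sc.vulnerability.level)
        after = residual_risk(sc, safeguards_by_asset.get(sc.asset.name, []))
        if after > acceptable:
            out.append((sc.asset.name, before, after))
    return out


# Constructed sample data (hypothetical assets, threats and safeguards)
CUSTOMER_DB = Asset("customer database", 4)
WEB_KIOSK = Asset("public web kiosk", 1)
SCENARIOS = [
    Scenario(CUSTOMER_DB, Threat("unauthorised access", Level.HIGH),
             Vulnerability("weak passwords", Level.HIGH)),
    Scenario(CUSTOMER_DB, Threat("fire", Level.LOW),
             Vulnerability("no fire suppression", Level.MEDIUM)),
    Scenario(WEB_KIOSK, Threat("malicious code", Level.HIGH),
             Vulnerability("no scanner", Level.HIGH)),
]
SAFEGUARDS = {
    "customer database": [Safeguard("password policy", "vulnerability"),      # prevention
                          Safeguard("disciplinary process", "likelihood"),    # deterrence
                          Safeguard("back-ups", "impact")],                   # recovery
    "public web kiosk": [Safeguard("scanner", "vulnerability", 2)],           # prevention
}

if __name__ == "__main__":
    for name, before, after in risks_for_management(SCENARIOS, SAFEGUARDS, acceptable=3):
        print(f"{name}: risk {before} -> residual {after}, above the accepted level")
```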

Processes for the Management of IT Security
The management of IT security is an ongoing process consisting of a number of other
processes. Some processes, such as configuration management and change
management, have applicability to disciplines other than security. One process that
experience has shown to be very useful in the management of IT security is risk
management. Several aspects of the management of IT security are described below,
including risk management, risk analysis, change management, and configuration management.

Configuration management is the process of keeping track of changes to the system
and can be done formally or informally. The primary security goal of configuration
management is to ensure that changes to the system do not reduce the effectiveness
of safeguards and the overall security of the organisation. The security goal of
configuration management is to know what changes have occurred, not to use
security as a means of preventing changes to IT systems.

Change management is the process used to help identify new security requirements
when IT systems changes occur. IT systems and the environment in which they
operate are constantly changing. These changes are a result of the availability of new
IT features and services, or the discovery of new threats and vulnerabilities.

Risk management activities are most effective if they occur throughout the system’s
life cycle. The risk management process is itself a major cycle of activities. While the
entire cycle can be followed for new systems, in the case of legacy systems it can be
initiated at any point in the system’s life cycle. The strategy may dictate that a review
is carried out at certain points in a system’s life cycle, or at pre-defined times. There
may be a requirement to carry out risk management during the design and
development of systems, thus ensuring that security is designed and implemented at
the most cost effective time. Risk management is the process of comparing assessed
risks with the benefits and/or costs of safeguards, and deriving an implementation
strategy and system security policy consistent with the corporate IT security policy
and business objectives.

Risk analysis identifies risks that need to be controlled or accepted. In the context of
IT security, risk analysis for IT systems involves the analysis of asset values, threats and
vulnerabilities. Risks are assessed in terms of potential impact that would be caused
by a breach of confidentiality, integrity, availability, accountability, authenticity or
reliability. The result of a risk analysis review is a statement of the likely risks to assets.

Risk analysis is part of risk management and can be accomplished without an
unnecessary investment in time and resources by conducting an initial brief analysis
on all systems. This will determine which systems can be adequately protected by a
code of practice or baseline controls, and those systems which will benefit from a
detailed risk analysis review.

Effective security requires accountability and the explicit assignment and
acknowledgement of security responsibilities. Responsibilities and accountabilities
need to be assigned to asset owners, providers and users of IT systems.

Security awareness is an essential element for effective security. The lack of security
awareness and poor security practices by personnel within an organisation can
significantly reduce the effectiveness of safeguards. In order to ensure that an
adequate level of security awareness exists within an organisation it is important to
establish and maintain an effective security awareness programme.

The use of safeguards should be monitored to ensure they function appropriately; that
changes in the environment have not rendered them ineffective and that
accountability is enforced. Automated review and analysis of system logs is an
effective tool for helping to ensure the intended performance.

Contingency plans contain information about how to operate a business when the
support processes, including IT systems, are degraded or unavailable. These plans
should address the possible compounding of a number of scenarios. Disaster
recovery plans describe how to restore to operation IT systems affected by an
unwanted incident.

Models of the Management of IT Security
The models presented provide the concepts for an understanding of IT security
management issues. The models are:
• security element relationships,
• risk management relationships, and
• the management of IT security process.

The concepts introduced and the business objectives of the organisation come
together to form plans, strategies and policies for the IT security of the organisation.
The overriding aim is to ensure that an organisation retains the ability to carry out its
business with risks limited to an acceptable level. No security can be totally effective
and it is important to plan for recovery from an unwanted incident and to structure the
security to limit the extent of the damage.

4.6 ISO 13335 PART 4 GUIDELINES FOR THE MANAGEMENT OF IT SECURITY
(GMITS) – SELECTION OF SAFEGUARDS
Part 4 provides guidance for the selection of safeguards and how this can be
supported by the use of baseline models and controls. It also describes how these
complement the security techniques described in Part 3 and how additional
assessment methods can be used for the selection of safeguards.

This part provides guidance on the selection of safeguards. It describes a process for
the selection of safeguards according to security risks and concerns and the specific
environment of an organisation. It shows how to achieve appropriate protection, and
how this can be supported by the application of baseline security.

There are two main approaches to safeguard selection, i.e. using a baseline
approach and carrying out detailed risk analyses. Conducting a detailed risk
analysis has the advantage that a comprehensive view of the risks is achieved.
This can be used to select safeguards, which are justified by the risks, and
thus should be implemented.

Basic Assessment
The process of safeguard selection requires some knowledge of the type and
characteristics of the IT system. In addition, the selection of safeguards requires an assessment
of existing and/or planned safeguards. When selecting safeguards, business
requirements should be taken into account. Finally, it is necessary to determine whether
these assessments provide enough information for the selection of baseline safeguards,
or whether a more detailed assessment or a detailed risk analysis is necessary.

Identification of the Type of IT System
For the assessment of an existing or planned IT system, the IT system considered
should be compared with the following components, and the components representing
the system should be identified. Components to choose from are:
• standalone workstation;
• workstation (client without shared resources) connected to a network; and
• server or workstation with shared resources connected to a network.

Identification of Physical/Environment Conditions
The assessment of the environment includes the identification of the physical
infrastructure supporting the existing and planned IT system, as well as related existing
and/or planned safeguards.

Assessment of Existing/Planned Safeguards
After assessing the physical environment conditions and the components of the IT
system, all other safeguards already in place or planned for should be identified. This
is necessary to avoid an already existing or planned safeguard being reselected, and
the knowledge of the safeguards implemented or planned helps to select further
safeguards acting in combination with them.

Safeguard
Organisational and Physical Safeguards
This safeguard category contains all those safeguards dealing with the management
of IT security, the planning of what should be done, assignment of responsibilities for
these processes, and all other relevant activities. The aim of these safeguards is to
achieve an appropriate and consistent level of security throughout an organisation.
Safeguards in this area are listed below.
• Corporate IT Security Policy;
• IT System Security Policy;
• IT Security Management;
• Allocation of Responsibilities;
• Organisation of IT Security;
• Asset Identification and Valuation; and
• Approval of IT Systems.

Security Compliance Checking
It is important that compliance is maintained with all required safeguards, and relevant
laws, regulations and policies, since any safeguard, regulation or policy can only be
working as long as users comply, and systems conform.

Safeguards in this area are:
• Compliance with IT Security Policies and Safeguards; and
• Compliance with Legal and Regulatory Requirements.

Incident Handling
Every employee in the organisation should be aware of the need to report security
incidents, including software malfunctions and identified weaknesses. The organisation
should provide a reporting scheme, which makes that possible. Incident handling
includes:
• Reporting of Security Incidents;
• Reporting of Security Weaknesses;
• Reporting of Software Malfunctions; and
• Incident Management.

Personnel
Safeguards in this category should reduce the security risks resulting from errors or
intentional or unintentional breaking of security rules by personnel. Safeguards in this
area are listed below.
• Safeguards for Permanent and Temporary Staff;
• Safeguards for Contracted Personnel;
• Security Awareness and Training; and
• Disciplinary Process.

Operational Issues
Safeguards in this area cover all procedures that maintain the secure, correct and reliable
functioning of the IT equipment and related system(s) used. Most of these safeguards can be
realised by implementing organisational procedures. Safeguards in the area of operational
issues are listed below.
• Configuration and Change Management;
• Capacity Management;
• Documentation;
• Maintenance;
• Monitoring Security Relevant Changes;
• Audit Trails and Logging;
• Security Testing;
• Media Controls;
• Assured Storage Deletion;
• Segregation of Duties;
• Correct Software Use; and
• Software Change Control.

Business Continuity Planning
In order to protect business, especially critical business processes, from the effects
of major failures or disasters and to minimize the damage caused by such events,
effective business continuity, including contingency planning/disaster recovery, strategy
and plan(s) should be in place. This includes the following safeguards:
• Business Continuity Strategy;
• Business Continuity Plan;
• Testing and Updating the Business Continuity Plan; and
• Back-ups.

Physical Security
Safeguards in this area deal with physical protection. Several of the following items
apply to buildings, secure areas, computer rooms and offices. The safeguard
selection depends on which part of the building is considered. Safeguards in this area
are listed below.
• Material Protection;
• Fire Protection;
• Water/Liquid Protection;
• Natural Disaster Protection;
• Protection against Theft;
• Power and Air-conditioning; and
• Cabling.

IT System Specific Safeguards

Identification and Authentication (I&A)


Identification is the means by which a user provides a claimed identity to a system.
Authentication is the means of establishing the validity of this claim. The following ways
are examples of how to achieve I&A:
• I&A Based on Something the User Knows (Passwords);
• I&A Based on Something the User Possesses; and
• I&A Based on Something the User Is.

Logical Access Control and Audit


Safeguards are implemented to restrict access to information, computers, networks,
applications, system resources, files and programmes, to record details of errors and
user actions in audit trails, and to analyse the details recorded, in order to detect and
handle security breaches in an appropriate manner. Safeguards in the area of logical
access control and audit are listed below.
• Access Control Policy;
• User Access to Computers;
• User Access to Data, Services and Applications;
• Reviewing and Updating Access Rights; and
• Audit Logs.

Protection against Malicious Code


Malicious code may be introduced into systems through external connections and
through files and software introduced from portable disks. Malicious code may not be
detected before damage is done unless suitable safeguards are implemented.
Malicious code may be introduced as a result of a deliberate action by a user, or by
system level interactions that may not be visible to users.

Protection against malicious code can be achieved by the use of the safeguards listed
below.
• Scanners;
• Integrity Checkers;
• Removable Media Circulation Control; and
• Procedural Safeguards.

Network Management
This area includes topics of planning, operation and administration of networks. The
proper configuration and administration of networks is an effective means to reduce
risks. Safeguards in the area of network management are listed below.
• Operational Procedures;
• System Planning;
• Network Configuration;
• Network Segregation;
• Network Monitoring; and
• Intrusion Detection.

Cryptography
Cryptography is a mathematical means of transforming data to provide security. It can
be used for many different purposes in IT security. The different ways of using cryptography
are listed below.
• Data Confidentiality Protection;
• Data Integrity Protection;
• Non-Repudiation;
• Data Authenticity; and
• Key Management.

Generally Applicable Safeguards


The categories are:
• IT Security Management and Policies;
• Security Compliance Checking;
• Incident Handling;
• Personnel;
• Operational Issues;
• Business Continuity Planning; and
• Physical Security.

Selection of Safeguards According to Security Concerns and Threats


The selection of safeguards according to security concerns and threats described in
this clause can be used in the following way:
• The first step is to identify and assess the security concerns.
• Second, for each of the security concerns, typical threats are listed and for each
threat, safeguards are suggested according to the IT system considered.

In order to select appropriate safeguards in an effective way, it is necessary to have
an understanding of the security concerns of the business operations. It includes:
• loss of confidentiality,
• loss of integrity,
• loss of availability,
• loss of accountability,
• loss of authenticity, and
• loss of reliability.

For each security concern, the threat types that might endanger it (for example, the threats
that might endanger confidentiality) are listed together with the safeguards suggested to
protect against them. If relevant for the safeguard selection, the type and characteristics
of the IT system should be taken into account. For availability, for instance, the demands
can range from data or IT systems that are not time-critical to those that are highly
time-critical: the former can be protected by back-ups, whereas the latter may require a
resilient (redundant) system to be in place.

These differences mean that many different safeguards may be applicable. Some safeguards
provide a more 'general' protection, i.e. they are aimed at a range of threats and provide
protection by supporting an overall effective IT security management. Hence their effect is
not to be underestimated, and they should be implemented for an overall effective protection.

Selection of Safeguards According to Detailed Assessment


The selection of safeguards according to detailed assessments follows the same
principles that are applied in the previous clauses. The performance of a detailed risk
analysis allows the special requirements and circumstances of the IT system and its
assets to be taken into account. The difference from use of the previous clauses is
the level of effort, and the detail gathered during the assessment process.

5. CONCLUSION
While organisations are beginning to take information security more seriously, there is still a lot
of work to be done. This work should not focus merely on the technology aspects of the
solutions they require, but rather should also ensure that they understand the cultural and
human aspects related to information security, and that they put the proper policies and
procedures in place to ensure that technology is implemented and maintained correctly. Your
people can be your weakest link, but they can also be your best defence. Ultimately you must
build an appropriate measurement system – what is measured is managed.

Information security is important, challenging, and multi-faceted. It involves organisational
safeguards as well as technical safeguards. It cannot be approached using naive military ideas
about ‘absolute security’. Instead a ‘risk-managed’ approach has to be adopted, and costs
and inconvenience traded-off against security. And it requires vigilance, because security
schemes suffer from entropy, i.e. they run down very quickly unless they are maintained.
Reviewing against the standards can be very time consuming. However, implementation is
worthwhile. Information Security is an ongoing battle.

REFERENCES
ISO 17799:2000 Information Security Management Standard
BS 7799-2:2002 Information Security Management System
ISO 13335 Part 1– 4 Guidelines for the Management of IT Security
June 2001 – Special Report
May 1998 – Special Report
Centre for Information Security Technology, Columbia, Maryland
University of California, March 1998 Version 0.3
Information Technology Services, Griffith University, AUSTRALIA
April 1, 2002, London, SW112JEUnited Kingdom

OPEN SOURCE AND SECURITY
DR. NAH SOO HOE
SIRIM BERHAD

Nah Soo Hoe has been in the ICT industry for over 16 years and is experienced in networking
protocols, Internetworking and information security issues. He participates actively in the
activities of local ICT organisations, in particular MNCC (Malaysian National Computer
Confederation) and PIKOM (Association of the Computer and Multimedia Industry of Malaysia).

He has been involved in numerous MNCC and PIKOM events and initiatives and has
represented both bodies in various Government committees and in working groups at both the
national and international levels on the Internet, ICT security and open source.

He is the current Chairperson of the SIRIM Technical Committee on Information Security
Standards and is also the list owner of two popular OSS mailing lists in the country –
the MYOSS (http://www.my-opensource.org/lists/myoss/) and the MNCC OSSIG
(http://www.mncc.com.my/ossig/lists/general/ossig/) lists.

He currently works as an independent consultant in the areas of:
• Open-source software deployment
• Information systems security

When he is not working or hacking away, he enjoys going for walks in hill resorts with his better
half and sharing a bowl of milk with the numerous alley cats in his backyard.

OPEN SOURCE AND SECURITY
DR. NAH SOO HOE

ABSTRACT
This paper serves to introduce the reader to what open-source software (OSS) is and its
development model and tries to address some of the more common misconceptions and
myths on OSS with respect to security. Common quality and security practices in OSS
development and distribution are also discussed and it rounds off with brief descriptions of
some popular OSS security tools and applications.

INTRODUCTION
The current interest in open-source software (OSS), both as a model of software development
and as a possible replacement for proprietary or closed-source software, has led to intense
debates on the suitability of OSS deployment and usage in many areas. One important area
which has garnered much attention is security. In this chapter on “Open Source and Security”
we shall look at OSS from the security point of view. In particular, we shall be discussing the
following:
1. What is open-source software?
2. The Open Source model of software development
3. Common misconceptions about security and quality in OSS
4. OSS software quality and security practices
5. Some popular OSS security tools and applications

WHAT IS OPEN-SOURCE SOFTWARE?


Open-source software is not new. It has its roots in free software and the movement surrounding
it. To understand the history behind OSS we need to understand what free software is and how
it came about. [1]

Free Software
When we refer to the term “free software” we mean “free” as in “freedom” and “liberty” and not
the monetary meaning of “free”. As defined by the Free Software Foundation (FSF), free software
refers to software in which the user has the freedom to run the software, study how it works
as well as re-distribute it in an unmodified or modified form [2]. Note that in order to achieve
this freedom of usage and modification, the source code to the software has to be available.

The concept and practice of free software is not new. From the early days of computing,
software has been freely exchanged with source code by researchers and academics. The
technologies that run the Internet were developed in this way. The Internet started with the US
Department of Defence's Advanced Research Projects Agency (ARPA) contracting US universities
and research organisations to develop a wide area computer network that could keep operating
when individual nodes or links failed. During those days of the ARPANET (as the research
network was then called), software which implemented the networking protocols and services
was freely exchanged among the researchers.

The basic networking protocol suite of the Internet, TCP/IP, was developed in this fashion. Many
of the basic Internet services run on free software; e.g. Apache (the most widely used web server
on the Internet), BIND (the software that powers most of the Internet's domain-name-to-IP
resolution service) and Sendmail (used by many of the Internet's mail transport agents). It is
no exaggeration to say that the Internet runs on free software, owes its success to it, and is
powered by it to this day.

OPEN-SOURCE SOFTWARE (OSS)


With the success of the Internet, technical people tried to introduce the free software used on
the Internet into the business organisations where they worked. However, they were very often
met with negative sentiments about using free software from business and corporate users. To
these people, who were used to paying thousands of dollars for the software sold by
proprietary vendors, the term "free software" suggested software of poor quality and
unreliability. In addition, some businesses were concerned with the seemingly uncompromising
attitude of the Free Software Foundation, with its publicly stated agenda that it wants all
software to be free (as in freedom) and that any form of proprietariness in software should
not be tolerated.

To try and overcome these problems associated with the perception and attitude towards free
software by the corporate and business world, in February 1998, some free software developers
and practitioners put together a “free software” definition and image less confrontational to
businesses [3]. The term open-source software was coined as an alternative to free software
and the case for open source was made based on pragmatic and business grounds.

This was the start of the Open Source movement. It can be viewed as an attempt by some
people in the free software community to take a less confrontational approach towards working
with proprietary software and the business community. They were willing to take a pragmatic
approach in trying to engage the management and business communities to get them to
understand and appreciate the software that was developed by the free software community.

They realised that this can be a more effective way to get managerial and business buy-in and
hence lead to more adoption of free software in corporations and business establishments.
The actual definition of the term Open Source Software is available from the website of the
Open Source Initiative (OSI) [4]. The original ideals of free software as envisioned by the FSF
– the freedom to run, copy, distribute, study, change and improve the software are still covered
by OSS.

The Open Source Model


Much has been written about the community-style mode of development, maintenance and
distribution of many open source projects [5, 6, 7, 8, 9]. The one thing that makes it very
different from a traditional proprietary software model of development is its degree of openness
and transparency in the development, distribution and maintenance of a product. Extensive use
is made of the Internet and its online collaborative and communication services to achieve this.

In OSS projects, while there is always a team which develops, manages, steers and directs
the project towards its objectives, other people usually can and are encouraged to contribute
code and ideas to the project. The project’s aims, development and progress are transparent
and available to anyone who wants to know. For a major project, its website usually will have
the project's guidelines. These may include information on roles and responsibilities, communication,
decision making, source repositories, project management, new project proposals etc.

Discussions about the project, concerning both development and end-user issues, usually take
place via mailing lists and online forums and, again, anyone interested can take part in these
discussions. Some projects actively solicit developers to become part of the core team, but
other projects may keep their core team relatively selective and closed.

Similar to the development process, the distribution and maintenance processes are also very
transparent. Stable and unstable (development) versions of the software are available for
downloads via the Internet. For the more popular projects, apart from the project’s own site
there are mirror download sites. The main form of distribution is source code but pre-compiled
versions for various popular platforms are usually available either from the project site or third
party sites.

Feedback from users is actively solicited, both for the stable and the development versions
of the product. Some projects even have nightly builds of their development versions, so
even an ordinary end-user can get the very latest version (with its associated bugs, of course)
of the product. In many cases, some of the key developers are at hand to monitor these
discussions and feedback. In this way, the product is well exposed and tested by the users
and other developers even while it is still under development. This is a useful model as user
preferences and bugs are recognised and known early. Again, the Internet is utilised extensively
for these activities.

Major OSS projects have well established code control and version systems in place as well
as bug reporting and tracking processes. These features will be covered in more detail later.

COMMON MISCONCEPTIONS ABOUT SECURITY IN OSS

In this section we shall highlight some of the more common misconceptions as well as fears,
uncertainties and doubts (FUD) about security in OSS. These include:

• OSS has no owner and no party is accountable or responsible for it
• OSS has no proper quality and security control
• OSS is insecure as the software can be examined for security vulnerabilities and exploited
easily due to the availability of source code
• OSS is infested with backdoors and viruses/worms as anyone can plant these in the
source code

Note that in the discussion below it is assumed that we are talking about mainstream major
OSS projects i.e. those that are popular and enjoy at least fairly wide usage. It is difficult to
generalise about small obscure OSS projects. The situation is the same for proprietary
software products, but at least for OSS, the source code is always there for one to check and
fall back on. This cannot be said for proprietary software.

No Accountability and Ownership


One of the common misconceptions about OSS is that a project is carried out by hobbyists
and enthusiasts in their spare time, hence everything, including security controls and issues,
is done on a best-effort basis only. On the other hand, it is usually perceived by many people
that proprietary commercial software is maintained by full-time paid staff and therefore they are
accountable and responsive.

The reality could not be more different. Nearly all major OSS projects are owned or
supported either by a commercial company or by a formally registered non-profit foundation.
Examples of this are:
• Apache – Apache Software Foundation
• MySQL – MySQL AB
• FreeBSD – FreeBSD Foundation
• Red Hat Linux – Red Hat Corporation
• SuSE Linux – SuSE Corporation (now a division of Novell Corp.)
• Zope – Zope Corporation

An OSS project has owner(s) and people accountable for it. As noted in an earlier section, an
OSS project is owned or managed by one or more core people or developers. In some big
ones (e.g. OpenOffice.org), there are even regional/local marketing representatives.

There will be people responsible for bug and security issues who co-ordinate fixes and
responses. Generally these maintainers are responsive to security issues brought to their
attention. In the unlikely event that the OSS maintainers do not respond, the open source
community can help fix the problem as the source is available. With proprietary software,
this is not possible.

On the other hand, there is no guarantee that a proprietary software vendor or company will
be responsive or accountable for their product. Experience has borne this out. This is
especially true as far as responses to reported bugs and security vulnerabilities go; it is not
uncommon for several months to pass after a report is made to it before a vendor patches up
its software. (This issue used to be much worse several years ago.) Lately due largely to the
availability of full disclosure forums [10, 11], commercial vendors have improved on the
timeliness of their patches.

However, one just has to look at the timelines between reported vulnerabilities and patch
releases from the major software vendors to see that this point is still an issue.

No Proper Quality and Security Control
There is a common misconception that OSS development is done by a hodge-podge of hackers
from all over and that there are no proper processes for quality assurance and security control.

The fact of the matter is that major OSS projects have tight control over their developers. Only
certain developers have “commit” privileges to change the source code. These developers are
usually those who have shown that they have the necessary expertise and experience in
software engineering and programming. To become a member of the core development team,
one has to earn one's place by demonstrating a high degree of expertise and commitment.

Quality control, checks and testing are carried out on the software [15, 16]. This ensures good
quality rather than chaos, even though the community development model is used. The same
software engineering and quality assurance methodologies and models are used irrespective
of whether the software is open or closed source. In fact, for open source, if one suspects that
the software is of poor quality one can always resort to scrutinising the source. Again, this is
not possible for closed source.

OSS quality and security practices will be discussed in greater detail in a later section.

Source Code Examined for Vulnerabilities and Exploited


The fear with open source is that the ready availability of source code will enable the "bad guys"
to scrutinise and examine the code, as well as the design, for possible bugs and security
vulnerabilities and exploit them. With closed source it is more difficult to do so, as the source
is not available. This point has some element of truth in it, but there are also other
considerations which we should bear in mind before succumbing to this fear.

With the aid of modern debuggers and software development tools, it is possible to reverse-
engineer a piece of closed-source binary software and subject it to detailed probing for
common vulnerabilities and coding errors, e.g. buffer overflows and incomplete or inappropriate
checks on user input. Infamous vulnerabilities found by third parties in widely used
Microsoft products and in Oracle's database software bear testimony to this. While
commercial software licences may forbid one to perform any reverse-engineering on the
software, the writer doubts that any of the "bad guys" out there will take much notice of this.
It is interesting to note that vulnerabilities in Microsoft products are still being found by outside
parties rather than by Microsoft itself, in spite of its publicly stated objective to give priority to
security over features in its software development.

The availability of source code is not necessarily a bad thing, because it can be argued that:

• For OSS, because the source code can be and is scrutinised by many people, most of the
major security bugs, vulnerabilities or weaknesses (both in design and in coding) will probably
be caught and fixed, so that over a period of time the software evolves into a stable and
secure one. As a counter-argument, it has been suggested that the "many eyeballs" claim
may not hold as far as checking for secure code is concerned, since checking code for
security flaws is a tedious process (and not an exciting one, so many do not do it) and many
people do not know how to check code for security problems properly.

• Closed-source software is proprietary and only the vendor knows whether it is well written
or designed; there can be no independent check on it. An independent audit of the source
code is only possible with OSS. So for applications or environments where security is of the
utmost importance, e.g. national security, a comprehensive security audit of the code
needs to be done, and only open source can provide that. It is for this reason that many
countries are now looking at OSS as a means of being less reliant on software from US
companies, so that the software powering their critical national infrastructure can be
independently audited.

• The lack of public scrutiny can also lead to poor security and complacency on the part of
closed-source developers; a problem may only be found when an exploit comes out.
For example, in 2002 James Allchin, group vice president for platforms at Microsoft Corp.,
admitted to a US federal court that some Microsoft code was so flawed it could not
be safely disclosed [12].

Source Code Injected with Backdoors, Trojans, Worms/Viruses


Some detractors of OSS have suggested that since the source code is available, anyone can
put backdoors and viruses/worms in the source to gain control of your system. Again this type
of sweeping statement has to be considered in its proper perspective.

This fear is certainly well founded if you obtain or download your OSS from unknown and
untrustworthy sites. Users should either purchase their software CDs or download them from
trustworthy and well-known open source sites, and ensure that the checksum of the downloaded
software corresponds with the one published by the project (and, where the project signs its
releases, that the signature verifies against the project's release key). Users also have the
choice of downloading the source, checking it for backdoors and compiling it themselves to
further mitigate this sort of attack.
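The check described above, written out as an added example (not code from the original chapter): compute the SHA-256 of a downloaded file, compare it with the published value, and, where the project signs its checksum file, verify the OpenPGP signature too. The file names, checksum value and key in the usage comment are placeholders, and `verify_signature` assumes the project's release key has already been imported into the local GnuPG keyring.

```sh
#!/bin/sh
# Added example: verify a downloaded archive against a published SHA-256
# checksum and (optionally) a detached OpenPGP signature on the checksum file.
# The archive name, checksum value and key referred to below are placeholders.

# Portable SHA-256: GNU coreutils sha256sum, else Perl shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX -> 0 if they match, 1 otherwise.
# The comparison is case-insensitive because published checksum files use
# either case; the mismatch message goes to stderr so scripts can stay quiet.
verify_checksum() {
    file=$1
    [ -r "$file" ] || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'CHECKSUM MISMATCH for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# verify_signature SUMSFILE SUMSFILE.asc -> 0 only if gpg validates the signature.
# The checksum alone shows the download was not corrupted in transit; the
# signature ties the checksum file to the project's release key, which a
# tampered mirror cannot forge (assumes the key is already in the keyring).
verify_signature() {
    gpg --verify "$2" "$1" 2>/dev/null
}

# Typical use (placeholder names):
#   verify_signature SHA256SUMS SHA256SUMS.asc || exit 1
#   expected=$(awk '$2 == "apache-httpd.tar.gz" {print $1}' SHA256SUMS)
#   verify_checksum apache-httpd.tar.gz "$expected" || exit 1
```

Check the signature before trusting the checksum file: a mirror that can replace the archive can just as easily replace an unsigned checksum file next to it.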

In connection with this, it is interesting to note that there have been examples of software from
major commercial proprietary software vendors which has shipped with viruses in it.

This shows that there is no guarantee that software purchased from a well-known commercial
vendor will be free from backdoors etc. In fact, without the source code to verify, it is almost
impossible to have an independent check on this. A good example is the database software
InterBase from Borland which, upon being converted from closed source to open source, was
quickly found to contain a backdoor [13].

Even Microsoft itself has shipped software with a backdoor inserted into it [14].

Source Availability Enhances Security


Creating secure software depends a lot on the people designing and developing the software
and on the quality assurance processes involved. This applies equally to open and closed
source. However, there are certain advantages if the source is available:

• Security bugs/vulnerabilities may be caught and fixed by the "many eyeballs" approach.
For closed source, only the vendor knows whether it is well written or designed.

• Lack of public scrutiny can also lead to poor security and complacency.

• For OSS, there is no reliance on a vendor, so a security fix and/or workaround can be
obtained quickly. Closed source usually depends on the vendor to come up with a fix and,
as noted earlier, many vendors are slow to respond.

• A piece of software, or a particular version of it, may become unsupported by its developers.
If it is not open source, you are stuck for bug and security fixes and will be forced to
either abandon or upgrade the software. If it is open source, you can maintain and support
it yourself.

• There is no reliable independent way of verifying the security of proprietary software.
Independent checks and audits of the source are possible only with OSS.

OSS SOFTWARE QUALITY AND SECURITY PRACTICES


OSS development makes extensive use of online collaboration tools. This is expected since
very often the developers are all not in the same physical location. In fact they can be spread
out all over the globe. The Internet makes this possible.

Project Website
Information about a project including how it is set up and managed is usually available from its
website. Relevant guidelines on how the project is run may also be present; these include
information on the decision making process, how communications may be carried out and
how one may get involved etc.

The project website will also contain information on where to download the software/
patches/updates (including mirror sites, if any), documentation, news, security alerts and
announcements, bug reporting/submission etc.

Security News, Announcements and Updates


All major OSS projects have a security contact where you can submit information regarding a
vulnerability. They also will have a security announcement/news section whereby security-
related news and issues about the product will be posted. This is usually a section on its
website. In addition, many also have security announcement mailing lists whereby the information
is sent to the subscribers via e-mail.

The project website will have a download area where the latest updates to the software can
be downloaded. In this way the latest patched version can be obtained by a user the moment
they are available. Auto-updates are supported by some projects too, especially the operating
system projects like Linux distributions.

Some popular OSS, especially those undergoing rapid development, have nightly builds
resulting in frequent testing by many users and the rapid submission of feedback and bug
reports. This means that by the time the product is considered as stable and goes into
production distribution, it will have undergone extensive debugging and user testing resulting
in a very stable and reliable product.

Documentation regarding proper and/or secure configuration and setup for the product is
available for many OSS. This is very useful as often, improper configuration of software may
result in security problems.

The moment a security fix comes out it is announced on various resources on the Internet
including the project website, the software’s own mailing lists and major outside security
mailing lists like Full-disclosure [10] and Bugtraq [11].

Version Control
Some form of version control system is used in all major OSS projects. Popular version control
systems include the Concurrent Versions System (CVS) [17] and Subversion [18].

Using version control enables developers to work on different portions of the code as well as
different versions simultaneously. It also allows remote development to take place, a developer
can “check-out” a code file, work on it remotely, and then later “commit” the changes. The
version control system will handle concurrency and synchronisation issues to enable multiple
developers to work on the same code file. Without some form of version control, it will be
almost impossible for the developers to work remotely on a large project.

Version control also has the ability to track when a piece of code has been added/modified:
what was changed and who made the change. In this way a detailed trail can be constructed
to trace how a piece of code came about; this is a very useful feature and can be used for
example in cases concerning code copying/plagiarisation accusations.

The source code tree is available for supported versions and so it is possible to reproduce the
source for any supported version.

Anonymous CVS access is available for many of the major OSS projects. This allows any user
(i.e. not just the developers) to “check-out” the latest source code. Of course not anyone can
commit back changes. Commit privileges are given to some developers only, usually they will
have to earn this privilege by showing their commitment and coding capabilities.

Bug Reporting and Tracking


All software, open or closed source, has bugs. These are design, logic or programming errors.
Some of these bugs can have serious security consequences, especially if they can be
exploited remotely. It is therefore vital that a proper process and a problem/defect tracking
system are in place for bug reporting and tracking. Again, OSS relies extensively on software
to manage this, enabling systematic bug reporting by users and filing and tracking by the
developers. The common ones used include Bugzilla [19], GNATS [20] and Scarab [21].

Users are able to send in bug reports online. The status of a bug can be viewed and tracked
online too by anyone. Internally the developers can use the system to track bugs and
associated code changes, communicate with other developers in the team and submit and
review patches. The use of a problem/defect tracking system to manage bugs is vital to the
quality assurance of the software in question.

SOME POPULAR OSS SECURITY TOOLS AND APPLICATIONS


Traditionally, OSS security tools have been used mainly by knowledgeable security experts.
This is due partly to their features and partly to the fact that the source code is available, so
that one can check that the tools actually do what they are supposed to do. These tools are
chosen over proprietary closed-source tools also because they can be modified by the security
expert to add customised features and functionality. Of course, on the other side of the fence,
these tools may also be utilised to great effect by crackers and the "bad guys".

However, over the last few years, more and more people including businesses and corporations
have discovered that these OSS security tools/applications have equivalent or sometimes
even better functionalities than expensive commercial security tools and so they are gaining in
popularity for corporate use by their security departments. In addition, there is also no reason
why some of them cannot be deployed by personal users or in a normal business/office
environment. In fact many of them have user-friendly GUI front-ends which makes them more
suitable for deployment by non-security specialists.

In this section we shall briefly look at some examples of OSS in the categories of:

• Standard system tools/utilities useful for security
• Anti-virus, anti-spam
• Base secure operating system platform
• File system integrity checker
• Firewall system
• Network intrusion detection system (NIDS)
• Port scanner
• Vulnerability scanner
• Network protocol analyser

Standard System Tools/Utilities
The standard OSS operating systems and environments like FreeBSD or Linux come with a
wide variety of useful utilities which, if used properly, can assist the user in checking and
maintaining the security of his system and network. Many of these tools are standard Unix tools
and are present in these OSS platforms due to their Unix-heritage.

In this section we shall briefly discuss some of the more common ones. Note that this list is
by no means exhaustive. These utilities, useful by themselves, can be made to work
co-operatively as filters using the Unix file “piping” and I/O redirection facilities. This provides
a very powerful method to perform quick analysis and checking of the file system and resources
for signs of security breaches etc.

Although we are showing the utilities here as command line commands, many of these now
can also be activated from the desktop windowing GUI and so may be less intimidating for
some users.

ls: This is the classic command for directory and file listing. It has various options allowing
a user to display the properties of a file or directory. It is normally used to check a file/directory
for its size, owners, permissions, dates and times of creation, modification and access, etc.

find: The “find” utility is a very versatile one for the searching of files in a directory hierarchy.
It has many options, allowing searching based on a wide variety of criteria, e.g. time,
permissions etc. For example the command,

find / -type f \( -perm -04000 -o -perm -02000 \)

will find all files with SUID/SGID permissions. Files with these attributes can be a potential
security risk and generally, unless there is a real need, these permissions should not be
set on normal files. The use of the find command in this case is useful in an audit of the file
system to look for suspicious files with these attributes enabled.

grep: This utility prints lines matching a pattern from a source, usually a file or the output
of a pipe. This may be used to filter the output from other utilities, e.g. to look for a pattern
or string in log files.

chmod: This utility allows you to control and change file and directory access permissions.

ssh, sftp, scp: The family of ssh programmes allows secure remote logins and file transfers.

ps: This tool will display the status of processes running on the system. This will provide
very useful information with regard to security since the user can examine and look out for
unusual and/or unknown running processes which can be a sign of security breaches.

top: Displays the processes using the most CPU resources. This will aid the user or administrator
in looking out for “runaway” or denial-of-service processes.

lsof: This utility will list open files in use by processes. This is used often in conjunction with
the ps command to check on which files are in use by specific processes.

fuser: This will display the processes using the specified files.

rpm -V: On Linux systems that make use of the rpm package manager tool, the “-V”
option can be used to verify that the files of a package have not been modified or changed
since installation. This feature can be used as a simple file integrity checker to ensure that
no backdoors have been planted since installation of the package in question.

procmail: This tool is a very versatile mail processor which can be run to process an
e-mail as it arrives, either into the system or before it is delivered to the user’s mailbox.
“Recipes”, or regular expression matching rules, can be set up to customise the delivery
options based on these rules. It is a very useful tool for setting up customised e-mail filters
to filter off unwanted e-mail.

Standard Network System Security Tools

Standard OSS systems come with several useful network tools which can be utilised for
security purposes.

ping: This is the ubiquitous network tool to quickly check for the accessibility of a
computer on a TCP/IP network or Internet. If a remote computer is connected to a network
and is reachable from your system, running ping against it should result in a reply from the
remote host. (This assumes that the remote host is configured to allow ping messages to
reach it and to reply, and that the route in between the remote host and your computer
does not filter off ping messages.)

traceroute: This is another popular utility to trace the route taken by a data packet from the
user’s computer to a remote host. It will show the intermediate nodes passed through by
the data packet. A typical traceroute output is displayed below.

traceroute to www.jaring.my (61.6.32.105), 30 hops max, 38 byte packets
 1 211.24.251.1 (211.24.251.1) 79.328 ms 108.476 ms 139.916 ms
 2 211.24.248.41 (211.24.248.41) 829.850 ms 119.087 ms 119.936 ms
 3 fe-0-1-1.GLSFB-MBONE-001.time.net.my (203.121.20.1) 119.936 ms 109.685 ms 99.959 ms
 4 211.24.210.1 (211.24.210.1) 109.551 ms 89.771 ms 111.459 ms
 5 203.121.17.6 (203.121.17.6) 339.971 ms 99.444 ms 89.955 ms
 6 vlan600.msfc2.glsfb.time.net.my (203.121.16.36) 99.918 ms 346.794 ms 103.596 ms
 7 Fe0-1-0.gw02.glsfb.time.net.my (203.121.16.21) 90.169 ms 116.041 ms 102.869 ms
 8 s1-0-3.bkj18.jaring.my (161.142.155.25) 150.021 ms 119.691 ms 119.500 ms
 9 ge2-0.jsr3.jaring.my (161.142.173.8) 150.215 ms 119.816 ms 462.267 ms
10 l4-bkj.jaring.my (61.6.32.7) 138.285 ms 109.071 ms 119.937 ms

netstat: This utility enables a user to check the network connections on the system and
which ports are open. The processes and programmes that are responsible for the
network connections may be displayed too. Suspicious connections or unknown listening
ports should be investigated further. A simplified sample output from
netstat is given below.

$ netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6818/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 592/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 654/sendmail: accep
tcp 0 0 192.168.1.22:80 192.168.1.20:1096 ESTABLISHED 6824/httpd
tcp 0 0 192.168.1.22:80 192.168.1.20:1095 ESTABLISHED 6822/httpd

tcpdump: This network tool is a network packet sniffer. It can be used to monitor (sniff)
packets flowing on the network to which the system is attached. It is compact and
portable, and the network traffic can be captured to a file for viewing and/or analysis later.
Some basic knowledge of TCP/IP is required to read and interpret the packet captures as
can be seen below.

#tcpdump -n -x -vv
18:26:47.842986 < 192.168.0.22.1046 > 192.168.0.20.pop3: . 1:1(0) ack 1 win 5840 (DF) (ttl 64, id 26680)
4500 0028 6838 4000 4006 511d c0a8 0016
c0a8 0014 0416 006e 06cb 48d2 0d07 6bfc
5010 16d0 4a65 0000
18:26:47.882986 < 192.168.0.20.pop3 > 192.168.0.22.1046: P 1:55(54) ack 1 win 32736 (DF) (ttl 64, id 151)
4500 005e 0097 4000 4006 b888 c0a8 0014
c0a8 0016 006e 0416 0d07 6bfc 06cb 48d2
5018 7fe0 aee5 0000 2b4f 4b20 5150 4f50
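The "basic knowledge of TCP/IP" needed to read that dump, as an added example (not from the page or the tcpdump project): a decoder for the raw IPv4 and TCP headers that tcpdump -x prints. The two hex dumps are copied from the capture above, so every decoded field can be checked against tcpdump's own summary lines; the second dump is shorter than its IP total length says, which the decoder reports as truncation.

```python
"""Decode the raw IPv4/TCP headers printed by `tcpdump -x`."""
import struct
from dataclasses import dataclass

# Packet 1 (from the capture above): client 192.168.0.22:1046 -> pop3, a pure ACK.
PACKET1_HEX = """
4500 0028 6838 4000 4006 511d c0a8 0016
c0a8 0014 0416 006e 06cb 48d2 0d07 6bfc
5010 16d0 4a65 0000
"""
# Packet 2 (from the capture above): server banner reply. Only 48 bytes were printed
# although the IP total length says 94, so the dump is truncated.
PACKET2_HEX = """
4500 005e 0097 4000 4006 b888 c0a8 0014
c0a8 0016 006e 0416 0d07 6bfc 06cb 48d2
5018 7fe0 aee5 0000 2b4f 4b20 5150 4f50
"""

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))
IP_DF = 0x4000  # "don't fragment" bit in the IPv4 flags/fragment-offset word


@dataclass
class Packet:
    src: str
    dst: str
    ip_id: int
    ttl: int
    total_length: int
    dont_fragment: bool
    ip_checksum_ok: bool
    sport: int
    dport: int
    seq: int
    ack: int
    flags: list
    window: int
    payload: bytes
    truncated: bool


def hexdump_to_bytes(dump):
    """Join the whitespace-separated hex words of a tcpdump -x dump back into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ip_header_checksum_ok(header):
    """Ones-complement sum over the header, checksum field included, must equal 0xFFFF."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4_tcp(raw):
    """Parse an IPv4 header followed by a TCP header; raises on anything else."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4  # header length in bytes (20 when there are no options)
    (_, _, total_length, ip_id, flags_frag, ttl, proto,
     _, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    tcp = raw[ihl:ihl + 20]
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp)
    data_offset = (off_flags >> 12) * 4  # TCP header length in bytes
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return Packet(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        ip_id=ip_id, ttl=ttl, total_length=total_length,
        dont_fragment=bool(flags_frag & IP_DF),
        ip_checksum_ok=ip_header_checksum_ok(raw[:ihl]),
        sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, window=window,
        payload=raw[ihl + data_offset:total_length],
        truncated=len(raw) < total_length,
    )


def summarize(p):
    """One-line summary in the spirit of tcpdump's own header line."""
    df = " (DF)" if p.dont_fragment else ""
    return (f"{p.src}.{p.sport} > {p.dst}.{p.dport}: {'|'.join(p.flags)} "
            f"win {p.window} ttl {p.ttl} id {p.ip_id}{df}")


if __name__ == "__main__":
    for dump in (PACKET1_HEX, PACKET2_HEX):
        p = decode_ipv4_tcp(hexdump_to_bytes(dump))
        print(summarize(p), "[truncated]" if p.truncated else "", p.payload)
```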

iptables, ipfw, pf: All the major OSS operating systems come with at least one firewall
software package. On most Linux distributions this is netfilter/iptables, on FreeBSD
systems it is ipfw, while on OpenBSD platforms it is pf. These firewalls enable you to monitor
and control packets coming into and going out of the system. Simple controls are easily
set up by specifying port numbers, IP addresses and/or the type of service in the packets.
These simple controls will enable the firewall to function as a personal firewall to protect
the system. If the system is to be utilised as a full-fledged firewall or gateway to protect
some internal network, more complex controls and rules can be set up, but the user
should have some knowledge of firewall and networking basics before attempting such a
venture, in order to prevent the accidental configuration of incorrect rules which may leave
the system open to attacks.

It is possible to install a GUI front-end to these standard firewalls so that it is easier for a user
to interact with them. An example of this is given later.

Anti-virus, Anti-spam
There are several OSS anti-virus and anti-spam products that are in popular use. We shall
examine two of them, Clam AntiVirus and SpamAssassin.

Clam AntiVirus
The simplest use of Clam AntiVirus (ClamAV) [22] is as a command line virus scanner.
However, the main feature of ClamAV is that it comes with an anti-virus toolkit and library
which enables users and third parties to incorporate ClamAV features and functionalities into
their own software. It also enables a user to create his own virus signature from a virus file,
which makes it possible to produce a customised virus signature database in addition to the
one produced by ClamAV.

It is possible to integrate ClamAV with mail servers (content scanners) for attachment scanning
and several popular mail servers support this.

The ClamAV virus signature database is updated very often and auto update for users via the
Internet is available.

An MS-Windows port named ClamWin is also available [23].

SpamAssassin
SpamAssassin [24] is an extensible e-mail filter which is used to identify spam. It uses a variety
of standard and novel means to perform this. They include header analysis, text analysis,
blacklists, a learning classifier and the use of distributed hash databases. Once identified,
the mail can then optionally be tagged as spam for later filtering using the user's own e-mail
client application.

SpamAssassin does not require much configuration as there is no need to continually update
it with details of your mail accounts, mailing list memberships, etc. It accomplishes filtering
without this knowledge, as much as possible.

Rules in SpamAssassin are easy to extend and modify as they are stored mainly in text
configuration files which the user or administrator can edit to modify or add new rules.

SpamAssassin support is available for a variety of mail systems including Qmail, Sendmail,
Postfix and others.

Secure Operating System Platform

While nowadays almost all OSS operating system platforms come with good security tools and
reasonably secure default security configuration and policies, there are some which are
developed and put together with security in mind. One of the most popular and well known
operating systems that fall into this category is OpenBSD [25].

OpenBSD
OpenBSD is a free multi-platform 4.4BSD-based Unix-like operating system with proactive
security and integrated cryptography. As an indication of its confidence in its security features,
it claims proudly on its website:

“Only one remote hole in the default install, in more than 8 years!”

It is used as the base operating system for many commercial security products. It achieves its
high standards of security by having a comprehensive file-by-file audit/analysis of every critical
software component in its distribution. It also takes great pains to ensure that it has a secure
default configuration and that all non-essential services are disabled. Furthermore as it is an
OSS project based in Canada, it is possible to integrate strong cryptography into it since it is
not bound by the infamous draconian USA restriction which specifies that the export of strong
crypto products can be made only to certain countries.

Bastille Linux
It is also possible to harden a vanilla OSS operating system by checking it for common security
problems and insecure configurations. There are tools and scripts available which can assist
a user to do this. A script which does this for many Linux distributions as well as some versions
of Unix is Bastille Linux [26].

Bastille Linux offers simplified, automated security administration setup and configuration for
Linux/Unix systems. The distributions of Linux it currently supports are Red Hat, Mandrake,
Debian, SuSE and TurboLinux. In addition, HP-UX and Mac OS X are supported too.

When the Bastille Linux script is run, in the process of securing the system it tries to educate
the installing administrator about the security issues involved in each of the script's tasks.
Some of the tasks that Bastille Linux takes the administrator through are:

• Apply a firewall (packet filter) to prevent access to possibly vulnerable services
• Apply system patches for all known security holes
• Perform a SUID-root audit
• Deactivate or restrict unnecessary services

At each stage of the hardening, the administrator has the option to install the suggested
hardening. In this way the degree of hardening can be controlled as desired by the administrator.

File System Integrity Checker

One of the things which a cracker does upon compromising a system is to change the
configuration of certain system files and also possibly to put in backdoors and trojans. As such,
after the discovery of a compromise, it is safest to wipe the hard drive and perform a fresh
installation of the system software and applications. However, sometimes one may not be able
to do so, or may not be able to do this immediately. It will help then if there is some way to
check whether certain critical system files or data have been tampered with.

Also, one of the ways in which the administrator may be alerted to the possibility of a
compromise is the detection of unexpected changes or modifications to system files. Again it
will be very useful from the security standpoint if there is some way to ascertain the integrity of
certain files on the file system. A popular OSS program that allows an administrator to do this
is Tripwire [27].

Tripwire
The programme monitors key attributes of files that should not change, including binary
signature, size, expected change of size, etc. It establishes a “digital inventory” of files and their
attributes in a known, good state, stores it in its database and uses it as a baseline for
monitoring changes. What this means is that it is able to run through the file system, construct
a signature of certain specified files and store it in its database.

At a later stage, Tripwire can be invoked to perform the same signature process on a file, and
a comparison made between the signature derived and the signature of the file in question
stored in Tripwire's database. If they are not identical, then the file has been modified.

Tripwire is usually run after a clean installation and configuration, to include in its database the
signatures of earmarked important system files and configuration files. Each time the marked
files are changed, the administrator is notified. It is good security practice to store the tripwire
database on a different file system or better still, on a physically different machine or physical
medium than the one that is being checked.
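The signature-database process described here, as an added Python example (not Tripwire's code, nor the page's): it fingerprints every file under a directory, stores the baseline as JSON, and later reports modified, added and removed files. It also reports files that have gained SUID/SGID bits, which is the audit the find -perm command in the system tools section performs, so one block serves both passages. The directory tree, file contents and tampering steps in demo() are constructed for illustration.

```python
"""Tripwire-style baseline: fingerprint a tree, store it, and diff a later scan against it."""
import hashlib
import json
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID
COMPARED_ATTRS = ("sha256", "mode", "uid", "gid", "size")


def fingerprint(path):
    """Signature of one file: content digest plus the attributes integrity checkers watch."""
    st = os.lstat(path)  # lstat: record symlinks themselves rather than following them
    digest = None
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {"sha256": digest, "mode": st.st_mode, "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size}


def build_baseline(root):
    """Walk `root` and fingerprint every file, keyed by path relative to `root`."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def save_baseline(baseline, db_path):
    """Store the database; keep it off the monitored file system, as the text advises."""
    with open(db_path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def has_setid(mode):
    return bool(mode & SETID_BITS)


def compare(baseline, current):
    """Diff a fresh scan against the stored baseline."""
    report = {"added": [], "removed": [], "modified": [], "new_setid": []}
    for rel, cur in sorted(current.items()):
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif any(old[k] != cur[k] for k in COMPARED_ATTRS):
            report["modified"].append(rel)
        # A file that gained SUID/SGID gets its own line, whether it is new or changed.
        if has_setid(cur["mode"]) and (old is None or not has_setid(old["mode"])):
            report["new_setid"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan and compare."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as offline:
        files = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "etc/hosts": b"127.0.0.1 localhost\n",
                 "bin/ls": b"#!/bin/sh\nexit 0\n"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        db = os.path.join(offline, "baseline.json")  # stored outside the monitored tree
        save_baseline(build_baseline(root), db)

        # Changes made after the baseline was taken.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"extra:x:1001:1001::/home/extra:/bin/sh\n")  # watched config edited
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)           # existing file made SUID
        planted = os.path.join(root, "bin/backdoor")
        with open(planted, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(planted, 0o4755)                                # new SUID file
        os.remove(os.path.join(root, "etc/hosts"))

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```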

Firewall System
All systems which are connected to an untrusted public network like the Internet should have
a firewall protecting them. A firewall acts as a gatekeeper, sitting between the internal computer
or network and the outside world (the public network) and controlling the network traffic passing
through using its prescribed policies and rules. There are numerous OSS firewall packages which
a user can run on his computer. It is possible using OSS firewall software to implement a wide
variety of firewall services, ranging from simple personal firewall policies that protect a home
user from the Internet to full-fledged enterprise-wide firewall services that protect large
corporations and businesses. In this section we shall take a brief look at a popular firewall for
Linux – Netfilter/IPTables [28].

Netfilter/IPTables
Netfilter is a stateful packet filtering firewall system for Linux. It is capable of all kinds of network
address and port translations, and has a flexible and extensible infrastructure. With Netfilter
and a hardened Linux system (for example hardened with Bastille Linux), the Internet and
intranet firewalls can be built for the home, office or even company. Typically such an
environment will utilise network address translation (NAT) for sharing an Internet access and
also for implementing transparent proxies. In this manner, the Internet and network access can
be controlled and monitored to the degree desired by the management.

A nice GUI front-end for Netfilter is Firewall Builder [29]. This allows the administrator to build
firewall policies and rules using a graphical interface.

Fig. FWBuilder Interface for Netfilter/IPTables

Network IDS
A network intrusion detection system (IDS) basically sits passively monitoring and examining the
network traffic passing through the network that the IDS is connected to. When it detects
some network traffic that it has been programmed to react to, it will log it and possibly send
out an alert to the administrator. This may be an indication that there is possibly a network
intrusion attempt. Normal IDSes are passive processes in that they just record (log) down the
noted anomalous network traffic behaviour. Reaction and actions to be taken based on the
network traffic observed are left to other processes and/or devices.

However, in recent times there is a tendency to combine intrusion detection and intrusion
prevention functionalities into a single device. A very popular OSS network IDS that is widely
used is Snort [30]. Many commercial products using or based on Snort are also available.

Snort
Snort is a lightweight network intrusion detection system. It performs real-time traffic analysis,
packet logging, protocol analysis and content searching/matching. It is able to
detect a variety of attacks and probes, and possesses a flexible rules language to describe
traffic that it should collect or pass. In this way Snort's signature database for suspicious network
traffic can be updated and customised by a user easily. The detection engine has a modular
plugin architecture and so third-party enhancements can be put in. These include tools for
data and log analysis, front-ends etc.

Port Scanner
In a network environment, servers are the software which provides services. A client refers to
the software which accesses the service(s) provided by one or more servers. The client and
server can both be local on the same computer or connected remotely via the network using
some networking protocol. The ubiquitous TCP/IP networking protocol is the one mainly used
today, both in internal networks and on the Internet.

In a typical TCP/IP network, a server process running on a computer system will, after start-
up, listen on the host's network IP address at a particular internal address within the host
networking process for incoming client connections. This internal address is known as a “port”.
Port addresses range from 0 to 65535. Thus in order to connect to a service offered by a
server, in addition to the IP address of the host running the server, the port address that the
server is listening on has to be known too.

These server port addresses can be well known (i.e. agreed and specified by the Internet and
TCP/IP networking standards), or they can be arbitrarily configured for use by the server. In view
of this, one of the most important security considerations in a network is to know what ports are
in use by server processes or “open” on a host. This is because attackers will try to attack the
programmes (processes) servicing these open ports to try and remotely compromise the host.
A tool called a port scanner, which can check or scan for ports available on a computer system
over a network will be very useful for both the attacker and defender.

Nmap
Nmap [31] is easily the most well known and popular port scanner in use today. It can run on
many types of computers and operating environments. It is designed to rapidly scan large
networks and it is able to determine what hosts are available on the network in addition to the
services (ports) they are offering. It is also able to guess with a relatively high degree of
accuracy the operating system (and version) that the hosts are running as well as what type of
firewalls (if any) are in use. Nmap is a command line tool which is compact, fast to start up and
easy to use. There is a graphical front-end to it called Nmapfe for users who want a GUI tool.

Vulnerability Scanner
A vulnerability scanner is software which remotely audits a given network and determines
whether the hosts on it are susceptible to vulnerabilities recorded in its database. There are
several well known vulnerability scanners which are open source, but the most popular one is
easily Nessus [32].

Fig. Nmapfe

Nessus
Nessus is very fast and has a modular architecture. Each security or vulnerability test is written
as an external plugin and so you can easily add your own tests. A scripting language (NASL
– Nessus Attack Scripting Language) is used to write a security test easily and quickly, and the
Nessus project website contains an up-to-date security vulnerability database that is updated
on a daily basis.

The Nessus Security Scanner is made up of two parts: a server which performs the attacks
and a client which is the front-end with which the user interacts. The server and the
client can be run on the same computer or on different systems connected via a network.
Clients are available for various platforms, including a Java version and one for MS Windows.
On the other hand, the server has to run on a Unix or Linux system.

Network Protocol Analyser

A network protocol analyser enables a user to look at the data that is flowing on the network.
It understands many types of networking and network service protocols and hence, using a
network protocol analyser, one is able to “snoop” on the network as client and server processes
communicate. This is very useful in troubleshooting problems and understanding the technical
details of networking as well as of network applications. This capability to tap and capture data
flowing on the network may of course also be put to use by the “bad guys” to sniff out
confidential and sensitive data like unencrypted passwords and account information. Again, as
with most of the security tools described here, it can be used for good or bad; it is up to the
user. There are several well known OSS network protocol analysers, and one of the most
popular is Ethereal [33].

Fig. Nessus Plugins

Ethereal
Ethereal claims to be the world’s most popular network protocol analyser, and there is some
justification to this claim as it is very widely used by security professionals, network engineers
as well as home users and PC support personnel. It is available for all major OSS platforms as
well as for MS Windows.

Ethereal allows the examination of network traffic data from a live network or from a capture
file. It comes with a nice graphical interface for the packet capture, examination and analysis.
It can interactively browse the capture data, viewing summary and detail information for each
packet and there is a rich display filter language to assist the user to focus on the packets of
interest. One useful ability is the ability to view the reconstructed stream of a TCP session, so
a user does not have to understand the TCP-based protocol in question to be able to view the
information being transmitted.

Fig. Ethereal Network Traffic Capture

Ethereal can read capture files from many packet sniffers e.g. tcpdump (libpcap), NAI’s Sniffer
and Sniffer Pro, Sun’s snoop and atmsnoop, AIX's iptrace, Microsoft’s Network Monitor, etc.
The physical network interfaces supported include Ethernet, FDDI, PPP, Token-Ring, IEEE
802.11 and Classical IP over ATM. Over 500 protocols can currently be dissected, these
include TCP/IP, IPX, SMB and many more.

SUMMARY
This document has shown that there are many unfounded fears about the insecurity of OSS. In
fact OSS can offer many advantages from the security viewpoint. Mainstream OSS projects
generally have good quality and security control. OSS is not inherently more or less secure
than proprietary software. Irrespective of what type of software is deployed, what is more
important is for an organisation to implement security best practices and to have security
personnel who understand the security processes involved.

There are available today many powerful and useful open source security tools and applications.
These tools have many useful features, comparable to and in some cases surpassing those of
commercial proprietary products, and they can be used to implement cost-effective security
measures.

REFERENCES
1. Nah Soo Hoe, “Free and Open Source Software – Origins, Benefits, Myths and Realities”,
http://opensource.mimos.my/fosscon2003cd/paper/paper_nah_soo_hoe.html
2. “The Free Software Definition”, http://www.fsf.org/philosophy/free-sw.html
3. “History of the OSI”, http://www.opensource.org/docs/history.php
4. “The Open Source Definition”, http://www.opensource.org/docs/definition.php
5. Eric Raymond, “The Cathedral and the Bazaar”, http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/
6. “Open Sources: Voices from the Open Source Revolution”,
http://www.oreilly.com/catalog/opensources/book/toc.html
7. Davor Cubranic, “Open-Source Software Development”,
http://sern.ucalgary.ca/~maurer/ICSE99WS/Submissions/Cubranic/Cubranic.html
8. Siobhan O’Mahony, “Guarding the Commons: How Community Managed Software Projects
Protect Their Work.”, http://www.people.hbs.edu/somahony/Research Policy article.pdf
9. Siobhan O’Mahony, “Non-Profit Foundations and Their Role in Community-Firm Software
Collaboration.”, http://www.people.hbs.edu/somahony/Non Profit Foundations paper.pdf
10. Full Disclosure security mailing list, http://lists.netsys.com/mailman/listinfo/full-disclosure
11. Bugtraq security mailing list, http://archives.neohapsis.com/archives/bugtraq/
12. Caron Carlson, “Allchin: Disclosure May Endanger U.S.”, May 13 2002,
http://www.eweek.com/article2/0,3959,5264,00.asp
13. Kevin Poulsen, “Borland Interbase backdoor exposed”,
http://www.theregister.co.uk/2001/01/12/borland_interbase_backdoor_exposed/
14. Joe Wilcox, “Microsoft secret file could allow access to Web sites”, http://news.com.com/2100-1001-239273.html?legacy=cnet
15. T. J. Halloran and William L. Scherlis, “High Quality and Open Source Software Practices”,
http://opensource.ucc.ie/icse2002/HalloranScherlis.pdf
16. Jason E. Robbins, “Adopting Open Source Software Engineering (OSSE) Practices by Adopting
OSSE Tools”, http://www.ics.uci.edu/~wscacchi/Papers/New/Robbins-msotb-OSSE-Aug03.pdf
17. CVS website, http://www.cvshome.org/
18. Subversion website, http://subversion.tigris.org/
19. Bugzilla website, http://www.bugzilla.org/
20. GNATS website, http://www.gnu.org/software/gnats/
21. Scarab website, http://scarab.tigris.org/
22. Clam Antivirus website, http://www.clamav.net/
23. ClamWin website, http://clamwin.sourceforge.net/
24. SpamAssassin website, http://spamassassin.apache.org/
25. OpenBSD website, http://www.openbsd.org/
26. Bastille Linux website, http://bastille-linux.org/
27. Tripwire website, http://www.tripwire.org/
28. Netfilter website, http://www.netfilter.org/
29. Firewall Builder website, http://www.fwbuilder.org/
30. Snort website, http://www.snort.org/
31. Nmap website, http://www.insecure.org/nmap/
32. Nessus website, http://www.nessus.org/
33. Ethereal website, http://www.ethereal.com/

Note:
This work is licensed under the Creative Commons Attribution License. To view a copy of this
license, visit http://creativecommons.org/licenses/by/2.0/ or send a letter to Creative Commons,
559 Nathan Abbott Way, Stanford, California 94305, USA.

ADVANCING SECURITY – BUILDING TRUST IN COMPUTING
MENG-CHOW KANG CISSP, CISA
REGIONAL CHIEF SECURITY & PRIVACY ADVISOR
MICROSOFT ASIA PACIFIC

Based in Singapore, Meng-Chow is the regional Chief Security & Privacy Advisor for the Microsoft
Asia Pacific region. His current responsibilities include developing and implementing
Microsoft’s trustworthy computing strategy in the region, and providing advice and guidance
to customers and IT professionals on security best practices and solutions for implementing
and managing information security in their organisations.

Meng-Chow has been a practising information security professional for more than 17 years,
with experience spanning from technical to management in the various security and risk
management roles that he has held in the Singapore government, major financial institutions,
and a security technology provider. His last position prior to Microsoft was Vice President and
Regional Information Risk Officer of JPMorganChase.

Meng-Chow has recently been appointed as a board member of the Asia Advisory Board for
the International Information Systems Security Certification Consortium (ISC2). Since 1998,
Meng-Chow has also been concurrently chairing Singapore’s IT Security and Privacy
Standards Technical Committee (SPSTC).

Meng-Chow received his MSc degree in Information Security from the Royal Holloway and
Bedford New College, University of London, has been a Certified Information Systems
Auditor (CISA) since 1997, and a Certified Information Systems Security Professional
(CISSP) since 1998.

ADVANCING SECURITY – BUILDING TRUST IN COMPUTING
MENG-CHOW KANG CISSP, CISA

ABSTRACT
With the emergence of the Nimda and Code Red viruses, we have entered a new era where cyber
security has become a critical issue, where identities can be stolen, breaches occur, and
where malicious hackers can wreak far more havoc than ever before, making computing seem
less productive, more frustrating, and a lot less pleasant. In addition to causing short term
financial losses and inconvenience to users, they dilute businesses’ and users’ confidence and
trust in technology over time.

To address the challenges of cyber security, in January 2002, Microsoft launched a
companywide Trustworthy Computing Initiative to help ensure a safe and reliable computing
experience that is both expected and taken for granted. Microsoft’s Trustworthy Computing is
designed to deliver the level of trust and responsibility that people expect from the computing
industry: Security, Privacy, Reliability, and Business Integrity.

This article describes the security initiatives and approaches taken to address both short and
long term security challenges faced by businesses and users, the progress to date, and the
roadmap ahead covering people, process, and technology involved in building trust in computing.

NEEDS FOR TRUSTWORTHY COMPUTING

The proliferation of the Internet since the early 1990s and the evolution of technology over the
past three decades have brought many benefits to both businesses and computer users around
the world. Besides closing geographical distances, enabling online communications and
collaboration across the globe in near real-time, vast volumes of digitized information can
now be stored, searched and retrieved efficiently over the Internet, through both wired and
wireless connectivity at various end points. Online banking, electronic bill payments, auctions,
shopping, and the usual e-mail and instant messaging are just a few examples. At the user’s
end, this can take place seamlessly not only through PC systems, but also through Personal
Digital Assistant (PDA) and mobile phone devices.

Along with these advancements in information technology and global connectivity, we saw a
similar development in malicious software. With the Nimda and Code Red viruses, which
infected more than 250,000 systems within nine hours and caused a fast and massive slowdown
of the Internet (up to 40% degradation, according to some news reports), denial of service to
many online businesses, and substantial financial losses (estimated by some research firms at
over US$3 billion), we have entered a new era where cyber security has become a critical
issue. It is an era where identities can be stolen, breaches occur, and where malicious hackers
can wreak far more havoc than ever before, making computing seem less productive, more
frustrating, and a lot less pleasant.

Such malicious software exploits weaknesses not just in computer systems and software, but
also in the social behaviour of the people who use them. In addition to causing short term
financial losses and inconvenience to users, it dilutes businesses’ and users’ confidence and
trust in technology over time. To address the challenges of cyber security, in January 2002,
Microsoft launched a companywide Trustworthy Computing Initiative to help ensure a safe and
reliable computing experience that is both expected and taken for granted.

The goals Microsoft set for Trustworthy Computing are designed to deliver the level of trust and
responsibility that people expect from the computing industry: Security, Privacy, Reliability, and
Business Integrity.

• Security means being resilient to attack, and capable of maintaining the confidentiality,
integrity, and availability of systems and data amid increasingly frequent and sophisticated
network attacks.
• Privacy means people can expect and demand control over access to and use of their
personal information when they use computers to manage information important to their
everyday lives.
• Reliability means people can look forward to a consistently trouble-free computing
experience as computers become increasingly central to how they work and live.
• Business integrity relates to the way the industry behaves in addressing issues and finding
solutions to challenges. Belief in technology is stronger when the industry is responsive,
responsible, and respectful.

Success with Trustworthy Computing (TwC) will not come easily; it will take many years before
technology is trusted.

Security is a core tenet of Trustworthy Computing, critical for building trust in computing. It is
also a key concern of our customers today. This paper describes the security initiatives that
Microsoft has taken and is implementing to address both short and long term security
challenges faced by our customers and the industry in general, our progress to date, and the
roadmap ahead. Similar initiatives have also been launched for the other three pillars of
Trustworthy Computing; these can be found on the Microsoft Trustworthy Computing web site at
http://www.microsoft.com/twc/.

SECURITY ENABLED BUSINESS

Security is about the management of risk, balanced with the business value of our
interconnected systems. We want to move from a reactive posture with regards to security to
one that is more planned and proactive. We call this a “Security Enabled Business”.

Fundamentally, we start with the goal of reducing unacceptable risk through a combination of
three things – assessment, improving the isolation and resiliency of software in the presence
of malicious code, and developing and implementing controls in environments to manage risk.

Complementing this, we can increase business value by investing in and developing capabilities
based on new security technologies that enable the automation of key business scenarios that
would not have been possible before. This allows connecting with customers, integrating with
partners and empowering employees in totally new ways.

Security sometimes seems too simple a term for the many aspects of business and information
technology that it touches. Even looking at security from an IT viewpoint alone, we want to
protect networks, systems, data, processes and users. For each of those areas, people,
processes and technology are necessary to manage the security risk to the business.

In technology, we’re focused on:

• Building greater isolation and resiliency into the computing platform
• Providing customers with the latest and most effective advanced updating methods
• Enabling new business scenarios through integrated authentication, authorization and
access control options
• Improving quality by enabling engineering excellence

Spanning the efforts in these four technological categories is our underlying commitment to
delivering customer guidance and engagement: prescriptive security guidance, supportive tools
and responsiveness. This involves helping business customers and consumers to be both aware
and empowered to make their IT environments, their PCs – and by extension the Internet at
large – more secure.

ISOLATION AND RESILIENCY

In 2001, the Nimda virus was released 331 days after the security patch for the vulnerability
it exploited had become available. With the SQL Slammer virus in early 2003, the period
between the availability of the patch and the release of Slammer had shrunk to 180 days. In
August 2003, the author of the Blaster worm took just 25 days to reverse engineer the security
patch for the vulnerabilities that it exploited.

Today, on average, it takes about nine days for a perpetrator to reverse engineer a patch to
create an exploit and package it as a worm or virus. This is clearly a significant concern to all
of us, including Microsoft.

While implementing an effective and responsive patch management process, so that critical
security updates are duly applied, is an important step in managing this growing security
concern, it is clear that relying on patch management alone is insufficient. Firstly, it takes
time for security patches to be developed. Next, when the patch is available, a business needs
to test it with its own applications to ensure that its application services are not affected by
the patch.

Finally, it takes another finite period for the patch to be installed before it can protect the
system from harm. While these activities are taking place, we need our computer systems to
be protected against any potential exploit that could have been released before the patch is
available or deployed. In other words, we need computer systems to be resilient in the
presence of worms and viruses, and at the same time able to isolate themselves from unsafe
networks. Greater computer resiliency will enable customers to communicate and collaborate
in a more secure manner. Microsoft is focusing on the development of security technologies
designed to make this vision a reality.

This vision begins with new security enhancements in Windows XP Service Pack 2, including
technologies to address threats from port-based attacks, malicious e-mail attachments,
malicious web content, and buffer overruns. The following is a summary of the key isolation
and resiliency capabilities delivered in Windows XP Service Pack 2.

• Network protection: Windows Firewall will be enhanced with more granular policy controls
and turned on by default to help stop network-based attacks by closing unnecessary ports.

• Safer e-mail and instant messaging: Default settings have enhanced security and improved
attachment control using the Attachment Execution Service (AES) API. Potentially unsafe
attachments that are sent through e-mail and instant messages are isolated so that they
cannot affect other parts of the system. This results in security and reliability enhancements
for applications such as Microsoft Outlook, Outlook Express and Windows Messenger.

• Attachment Manager: Stronger default protection against viruses spread through
Outlook® Express, Windows Messenger and Internet Explorer by isolating potentially unsafe
attachments during the opening process.

• Safer web browsing: Installs code-level changes in Internet Explorer that help protect
against certain types of exploits.
– Restricts script-initiated windows that are used to fool users by hiding Internet Explorer
controls and concealing malicious activity.
– Limits a hacker’s ability to attack a PC by restricting HTML in the local machine zone
from running with elevated system privileges; and warns customers about potentially
harmful downloads and helps them block unwanted software.

• Centralized management of Windows Firewall and Internet Explorer, which provides system
administrators with more configuration options for Windows Firewall and Internet Explorer,
such as Group Policy, command line, multicast support and unattended setup. Windows XP SP2
also enables administrators to better manage applications and increase compatibility with
Windows Firewall by allowing only the ports needed by an application to be open.

• Internet Explorer Add-on Manager, which allows administrators to easily manage and enforce
a list of add-ons to Internet Explorer that are either permitted or disabled, to enhance security
and reduce the potential for crashes.

• Internet Explorer Pop-up Blocker, which is enabled by default, makes browsing the
Internet more enjoyable by enabling people to reduce unwanted ads and content.

• Internet Explorer Information Bar, a new toolbar that provides better information about
Internet Explorer settings and alerts customers to unsigned controls and downloads.

• Internet Explorer download monitoring, a new feature that identifies and warns
customers about potentially harmful downloads and helps them block unwanted and
unauthorized code.

• Enhanced memory protection: This will reduce the threat of buffer overruns through
compiler check improvements. Buffer overruns result from adding more information to a
buffer than it was designed to hold. An attacker may exploit this vulnerability to take over a
system.

• Windows Security Center, which provides the ability to automatically check the status of
crucial security functionality such as the firewall, automatic updates and anti-virus. The feature
tells a customer whether key security capabilities are turned on and up to date. When a
problem is detected, the customer receives a notification and recommended actions to help
protect their computer.

These security capabilities in Windows XP Service Pack 2 are the first step towards a new vision
for active protection technology that will proactively adjust computer defenses based on state
changes or security readiness, contain the impact and spread of viruses and worms, and
greatly reduce the risk of attacks compromising the system. This protection technology will be
designed to run on clients and servers and will have the following capabilities:

• Dynamic system protection to proactively adjust defenses on each computer based on
changes in state, reducing the likelihood of a successful attack.

• Behavioral blocking to limit the ability of viruses and worms to cause damage once on
a computer, containing attacks and acting as a last line of defense.

• Application-aware firewall and intrusion prevention to identify malicious traffic and
stop it, helping to prevent infection.

Another important technology investment in the area of Isolation and Resiliency is client
inspection, sometimes also referred to as “quarantine.”

Many companies have been using Internet firewalls and have pretty good perimeter security
policies and procedures. However, we’ve found that even with good perimeter security, there
are several scenarios where machines either connect to or cross the perimeter and
dynamically move from an unsafe network into corporate networks – users connecting from
home, returning laptops, or vulnerable desktops that have been turned off, perhaps during an
employee vacation.

The concept for client inspection involves two steps:

1. Health checkup. A health check of the machine, to ensure that the system meets the
company policy for connecting to the network. The server at the point of connection could
check the update level, check that anti-virus is on and up to date, and check that there are
no other unprotected network connections bridging into the corporate network.
2. Advanced isolation. Machines that do not pass the health check can be blocked and
isolated, completely or possibly on a restricted network. Isolated clients can then be given
access to updates or to restricted machines in order to get healthy.
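The two steps above, as an added example that is not part of the article or of the Windows Server 2003 resource kit scripts it mentions: a Python model of the policy check a connection-point server could run and the isolation decision it produces. The policy thresholds, network names, remediation hosts and client records are all constructed for illustration.

```python
"""Client inspection ("quarantine"): health check, then isolate or admit.

Added example, not code from the article or from the Windows Server 2003
resource kit. It models the two steps the text describes: (1) check the
connecting machine against company policy and (2) place machines that fail
on a restricted network from which only remediation servers are reachable.
Policy thresholds, network names, host names and client records are all
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy baseline.
REQUIRED_PATCH_LEVEL = 5            # hypothetical counter of the monthly release a client must have
MAX_SIGNATURE_AGE = timedelta(days=7)
CORP_NETWORK = "corp-full-access"
QUARANTINE_NETWORK = "quarantine-remediation-only"
REMEDIATION_HOSTS = ("updates.corp.example", "av-signatures.corp.example")  # hypothetical


@dataclass
class ClientState:
    """What the connection-point server learns about a client (constructed)."""
    hostname: str
    patch_level: int
    av_running: bool
    av_signature_date: date
    bridged_interfaces: tuple = ()   # interfaces with bridging / connection sharing enabled


@dataclass
class InspectionResult:
    network: str
    failures: list = field(default_factory=list)
    reachable_hosts: tuple = ()      # empty means unrestricted

    @property
    def healthy(self) -> bool:
        return not self.failures


def health_check(client: ClientState, today: date) -> list:
    """Step 1: evaluate policy; return the list of failures (empty = healthy)."""
    failures = []
    if client.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append(f"patch level {client.patch_level} below required {REQUIRED_PATCH_LEVEL}")
    if not client.av_running:
        failures.append("anti-virus not running")
    elif today - client.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append(f"anti-virus signatures older than {MAX_SIGNATURE_AGE.days} days")
    if client.bridged_interfaces:
        # A bridged or shared interface lets another, possibly unsafe, network
        # ride the VPN tunnel into the corporate network.
        failures.append("bridging into corporate network via: " + ", ".join(client.bridged_interfaces))
    return failures


def inspect(client: ClientState, today: date) -> InspectionResult:
    """Step 2: admit a healthy client; isolate an unhealthy one with remediation access only."""
    failures = health_check(client, today)
    if not failures:
        return InspectionResult(CORP_NETWORK)
    return InspectionResult(QUARANTINE_NETWORK, failures, REMEDIATION_HOSTS)


def is_allowed(result: InspectionResult, destination_host: str) -> bool:
    """Network-side enforcement: what may a client on its assigned network reach?"""
    return result.network == CORP_NETWORK or destination_host in result.reachable_hosts


TODAY = date(2004, 6, 30)   # constructed reference date

# Constructed clients for the scenarios in the text: a home user connecting
# in, a returning laptop, and a desktop that sat powered off during a holiday.
SAMPLE_CLIENTS = [
    ClientState("home-pc-01", 5, True, date(2004, 6, 28)),
    ClientState("laptop-17", 5, True, date(2004, 6, 29), bridged_interfaces=("wlan0",)),
    ClientState("desk-042", 3, True, date(2004, 5, 20)),
]


def inspect_all(clients=SAMPLE_CLIENTS, today=TODAY) -> dict:
    """Run inspection for every client; map hostname -> InspectionResult."""
    return {c.hostname: inspect(c, today) for c in clients}


if __name__ == "__main__":
    for host, result in inspect_all().items():
        print(f"{host:<12} -> {result.network}")
        for failure in result.failures:
            print(f"{'':<12}    {failure}")
```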

The base capability of client inspection for Virtual Private Network (VPN) connections shipped
in Windows Server 2003 (WS2003) and is enabled with the WS2003 resource kit. Customers
can implement VPN client inspection using WS2003 and custom scripts.

We have a white paper at
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
describing how to do VPN client inspection. Our research and development teams are looking
at other protocols, beyond VPN, to determine how to advance this concept further and deliver
it to customers.

ADVANCING UPDATES
While isolation and resiliency would provide additional protection to computer systems and
networks against new attacks, they do not close the security vulnerability involved. Applying
security patches is still necessary to remove the vulnerability that is being exploited. It is
therefore critical that we continue to make improvements and advance the quality of our
updating technology and associated processes to make it simple for users and enterprises to
update efficiently, reducing downtime and improving manageability.

In October 2003, we moved to monthly releases of updates to improve predictability and
manageability, and to reduce the burden on IT administrators (although we will continue to
release updates out-of-cycle to protect customers in the case of an active threat).

We are making improvements in update packages in several ways based upon extensive
interaction with customers:

• Reduce Complexity – In the pursuit of innovation in the past, product teams developed and
were using eight different installation packages. We are in the process of converging all of
those down to two installers, one for operating systems and one for layered applications,
both providing a single update package experience with a single set of command line options.

• Reduce Risk – We continue to improve our quality assurance processes to reduce the
possibility of recalls; further, as we move to the single patch experience, each package
will also have rollback capability.

• Reduce Size – As we move to the new update package, we are also improving our backend
update infrastructure and update agents to implement “delta updating”, so that we only have
to send down DLL differences, rather than full DLLs. Our tests show that packages will be
reduced in size by 30% to 80%, saving both space and bandwidth during deployment. This is
a huge improvement, as it should speed deployment for business users and especially for
dial-up users with lower connection speeds.

• Reduced Reboots – We understand that reboots are a disruptive issue for the enterprise
and have implemented standards to reduce any unnecessary reboots. The existing architecture
limits our ability to improve this beyond about 10–30%, but we are implementing architectural
changes in the Longhorn wave of products that will take this progress significantly further in
reducing reboots.

• Extend Automation – Our update tools currently span Windows Update for home and SMB
users; SUS (Software Update Services), an enterprise server that allows administrators to
approve a patch for agents to apply; and SMS, our systems management product.

We are also improving testing processes to minimize update inconsistencies and recall rates,
and by the time this article goes to print, most of our updates will have full rollback capabilities.

On the back end, we currently have Office Update, Windows Update, the Download Center
and Visual Studio Update. On the front end for users, we have Windows Update, Software
Update Services (SUS) and Systems Management Server (SMS). In addition, there is an
assortment of tools, such as the Office Inventory Tool and the MS Baseline Security Analyzer
(MBSA), that are integrated with these back ends. But with multiple scan tools and multiple
back ends, we increase the chance of inconsistent experiences that are operationally expensive
or, worse, of inconsistent results from multiple scan tools for the same patch. So driving
toward a common repository in the sky, and a common scan tool, is critically important to
Microsoft and our customers.

By the end of the year, we will be rolling out a new common infrastructure based upon a “single
update experience”.

A new repository to contain all updates from Microsoft will be formed called Microsoft Update.
There will still be a Windows Update site where Windows systems are sent by default to stay
up to date, but MS Update will become a superset of all MS update content.

Secondly, we will consolidate to a single product scanner in this timeframe. The Windows Update
Services client will form the basis for all patch compliance scans from MS, and has a rich set of
APIs so that all vendors in this space can use it to determine compliance on Windows today.
SMS 2003 will move immediately to this new scan tool as a replacement for the MBSA it relies
upon today for enterprise compliance, and our MBSA tool will be rebuilt to use the output from
the WUS agent to ensure consistency for our customers in scanning Windows.

Finally, we will be releasing updates to our many solutions for corporations like Software
Update Services and SMS 2003. Windows Update Services (WUS) will be released as the
next version of SUS. This will allow WUS to retrieve updates for other products like SQL,
Exchange and Office from the MS update cloud, as well as add some extra functionality
necessary for many companies that just need simple updating to be successful.

SMS will continue to be our systems management tool of choice for large enterprises and
complex patching needs, and will integrate with the new WUS scanner for consistency across
update management from Microsoft. SMS 2003 will also continue to be updated with
improved vulnerability assessment, reporting and update deployment capabilities.

AUTHENTICATION, AUTHORIZATION, AND ACCESS CONTROL

While addressing the issue of external attacks through exploitation of software vulnerabilities,
we should not lose sight of other security breaches that could take place if inadequate security
controls are implemented across the IT infrastructure, from network, platform and application to
data. A strong mechanism for authentication, authorization, and access control is essential to
help ensure an organisation’s security in an era where there are many potential opportunities
for unauthorized individuals to gain access. This is one of the most basic security needs in any
given business situation.

There are many enabling security features that are available today in products or product
updates, and upon which we are researching further advances for the future. Let’s discuss four
important scenarios for customers where security technology is enabling businesses and
users to do more:

• Network Security: Deep Windows integration of IPSec is helping provide capabilities for
easy-to-manage virtual network segmentation for secure, private projects. Microsoft uses
this technology internally to wall off the development and source code servers and only
allow access to project team members. Any other internal employee, even armed with a
network sniffer, would not be able to access or modify those servers. Similarly, investments
in SSL and RPC over HTTP are helping to enable secure access to specific common
applications, like e-mail or file systems, without opening up the rest of the network. Security
advances in Internet Security and Acceleration Server 2004 include much deeper
content inspection, which enables customers to better protect their Microsoft applications
and fortify remote VPN connections. An enhanced user interface and management tools
make it easier for customers to implement and manage security policies, reducing the
potential for misconfiguration – a common cause of network breaches.

• Secure Wireless: WPA, 802.1X and PEAP represent recent industry advancement of
standards to add strong security to wireless. Deep integration of these standards into
Windows helps make it easier to design and deploy practical security enhancements for
wireless networks.

• Access Control Management: Single sign-on has been a security area of focus for a
number of years, and it continues to evolve as new credential types are introduced. Companies
typically have many different directories supporting identification and authentication to
different systems. With Active Directory and Microsoft Identity Integration Server, we are
providing new capabilities for directory synchronization and one-time provisioning for
multiple credential types. Augmenting that capability are advances in login replacements,
with both smartcards and biometrics, together providing improved single sign-on.

• Data Protection: Rights Management Services (RMS), which is now part of Microsoft
Office 2003, represents a milestone in the area of controlling access to data, offering a new
kind of protection for vital information. Microsoft will continue to invest in this important field
and work to develop simple ways to help protect sensitive information. Microsoft envisions
strong business-to-business and business-to-consumer scenarios that will provide better
privacy, security and confidentiality for all customers.

Microsoft has additionally invested in several technologies representing a comprehensive
authorization and access control infrastructure, including Active Directory, the Encrypting File
System (EFS), and access control lists.

ENGINEERING EXCELLENCE
Without quality, there’s no security. Similarly, we cannot claim that a product is of quality if it is
not engineered with security. Part of the Trustworthy Computing initiative is to inculcate a new
security life cycle process and framework internally, mandating ongoing process changes to
improve the security and quality of our software.

Products go through our improved Trustworthy Computing release process, based upon the
concepts of secure by design, secure by default, secure in deployment and great
communications, commonly known within Microsoft as the SD3+C framework.

• Secure by Design. Implementing threat modeling and other key security considerations in
design and development stages. These considerations include: mandatory training in writing
secure code; code reviews and penetration testing; automated code diagnostic tools; and
redesigned architecture to maximize software resilience.

• Secure by Default. Maximizing security in default configurations of shipped software. To
reduce the risk of attack, Microsoft has changed default configurations so that service settings
are not enabled at delivery.

• Secure in Deployment. Promoting more secure deployment and management of our
software. These efforts include scanning tools, services – including patch management
with configuration verification functions, and localized versions of security bulletins and
tools, such as Software Update Services and Baseline Security Analyzer.

• Communications. Keeping customers informed. These efforts include timely communication
about software update releases and our worldwide Security Response Process. In addition,
we are working with government, partners, and academia to deliver security education,
offer security certification programs for IT professionals, and conduct consumer protection
campaigns worldwide.

These processes have begun to pay off with measurable improvements in the security of
newer versions of our software. For example:

• Exchange 2000 Server. Went from 7 bulletins rated critical or important prior to the
release of SP3 to just 1 in the 23 months following the release of SP3.

• SQL Server 2000. 3 bulletins rated critical or important were released in the 17 months
following the release of SP3, versus 13 prior to the release of SP3.

• Windows Server 2003. 13 bulletins rated critical or important in the 365 days following
its release, compared to 42 for Windows 2000 Server in the year following its release.

While we are always our own first test case, we are also productizing our successful innovations
and delivering them to the development community. Some of the ways that we’ve been able to
do this so far include, but are not limited to, the following:

• Secure Platform: We’ve delivered the .NET framework that encapsulates many fundamental
security mechanisms making it simpler for developers to add security to their applications.
Cryptographic APIs and integrated PKI round out the tools for building from a more secure
platform.

• Development Tools: Visual Studio .NET 2003, in conjunction with security tools like
FxCop, helps enable you to develop line-of-business applications with inherent security.
Work on the WS-I standards process and work to implement web services security
enhancements help developers as well.

• Developer Guidance: One of our best security websites is the Microsoft Security
Developer Center at msdn.microsoft.com/security, centralizing books, guidance, training
and articles to help the development community. Go there and check out the many
technical developer Webcasts.

CUSTOMER GUIDANCE AND ENGAGEMENT

Improving our internal processes and enhancing the security and quality of Microsoft’s technology
are insufficient, as they address only one side of the security challenges that we are facing
today. Through our experience in helping customers resolve security issues from Nimda to
Blaster, and our work assisting law enforcement in various computer crime related
investigations, it is clear that many enterprises and IT professionals are still not ready to deal
with the current security challenges effectively. The main hurdles, besides the availability of
tools, are inadequate security processes, and insufficient security know-how and practices.

In October 2003, Microsoft therefore launched a worldwide security mobilization initiative
focusing on helping enterprises and IT professionals to close this gap. The initiative entails
building more security guidance, delivering more security training and seminars, engaging the
security partner community, improving and increasing proactive security communications, and
preparing our staff, partners, and customers to respond more reliably and effectively to
security incidents.

Between October 2003 and June 2004, more than 500,000 IT professionals attended at least
one security training session provided by Microsoft.

In addition to a new Security Guidance Center web portal, a centralized site for locating
security content on the Microsoft web site, a CD that includes much of the guidance posted
online, the Security Guidance Kit CD, was also published. The CD provides valuable security
information and resources to help support IT administrators in small, medium or large
organizations.

Monthly security webcasts are also designed to inform participants about the latest developments
on the security front. They include a monthly webcast with Mike Nash, the Corporate Vice
President of the Security Business and Technology Unit, and a monthly webcast covering the
security bulletins.

For consumers, Microsoft is working on a worldwide education campaign with computer
manufacturers, retailers, ISPs and other partners to create broader awareness of best
practices to protect their PCs. This has three aspects:

• installing anti-virus software
• using an Internet firewall
• using the Automatic Update features in Windows to automatically download the latest
Microsoft security updates.

As part of Microsoft’s IT Showcase, white papers on how Microsoft secures its own internal
IT environment, how it manages security vulnerabilities and incident response, and how it
securely implements business enablement technologies such as Wireless LAN are also
published in the Security Guidance Center, and discussed openly in security webcasts and
seminars.

CONCLUSION
As we progress towards the future, we will continue to face new security challenges. Our
proactive steps so far are to continue advancing isolation and resiliency through Active
Protection Technologies and Network Access Protection. New security technology will also
continue to evolve in the areas of advancing updates and of enforcing information security
policies and controls. This includes improvements and new releases in Windows Update
Services, Microsoft Update, Windows Rights Management, Microsoft Operations Manager,
Microsoft Identity Integration Server, and Internet Security and Acceleration (ISA) Server. To
help third parties and enterprise developers develop more secure applications, new and
enhanced tools for threat modeling and code security review and analysis have also been
planned, including the next generation of Visual Studio.

Trustworthy Computing is our vision of technology of the new era, to provide safe, secure, and
reliable computing experiences as expected by the users. One of the goals of Trustworthy
Computing is to build the most secure software we can, while still building products that
customers will want and be able to use. Beyond that, we take steps to help protect our
customers in a world where vulnerabilities are inevitable and the threats are evolving. This
means investing in new technologies; investing in training, guidance and communications to
help our customers get the expertise they need; and partnering with industry leaders, customers,
governments, and law enforcement to address the challenge.

REFERENCES
Useful URLs for consumers, IT professionals, enterprise IT managers, and security professionals:
• Microsoft security portal – http://www.microsoft.com/security
• Security portal dedicated to consumers’ needs – http://www.microsoft.com/protect
• Security Guidance Center – http://www.microsoft.com/security/guidance
• Security Tools – http://www.microsoft.com/technet/Security/tools
• How Microsoft IT Secures Microsoft – http://www.microsoft.com/technet/itsolutions/msit
• Security E-Learning Clinics – https://www.microsoftelearning.com/security
• Security Events and Webcasts – http://www.microsoft.com/seminar/events/security.mspx

LIST OF PARTICIPANTS

Information Network Security Department
Monitoring and Enforcement Division
Malaysian Communications and Multimedia Commission

Ronald Yap
Ixaris Sdn Bhd

Dhillon Andrew Kannabhiran
Hack In The Box Sdn Bhd

Info-Security SIG
PIKOM

Deepak Pillai
Rajes, Hisham Pillai and Gopal,
Advocates & Solicitors

Yvonne Oung
MSC Trustgate Sdn Bhd

Joshel Woo
Digicert Sdn Bhd

Mohamed Shafri Hatta
Madihah Mohd Saudi
NISER

Murari Kalyanaramani and James Tseng
PricewaterhouseCoopers

Basri Zainol
SIRIM Berhad

Dr. Nah Soo Hoe
Independent Consultant

Meng-Chow Kang
Regional Chief Security & Privacy Advisor
Microsoft Asia Pacific

FURTHER ENQUIRIES

For further enquiries please contact:

Information Network Security Department
Monitoring and Enforcement Division
Malaysian Communications and Multimedia Commission
63000 Cyberjaya
Selangor Darul Ehsan
Tel: 8688 8000
Fax: 8688 1000
www.mcmc.gov.my
