Key words: system, cyber security protection, cyber threats, Nuclear Malaysia

Transcription

1 Enhancement of Security in Nuclear Malaysia Mohd Fauzi Haris, Raja Murzaferi Raja Moktar Saaidi Ismail, Mohd Dzul Aiman Aslan, Mohamad Safuan Sulaiman, IT Center, Technical Support Division, Malaysian Nuclear Agency, Kajang, Selangor Task to protect network and data security is not simple and easy. The more advance ICT technology available in the market, the more dependability to the knowledge, skills and appropriate tools would be in order one to cater these threats. Cyber security threats can be considered almost impossible to be demolished or at least to be avoided totally and what we really need is technical capabilities that may include appropriate knowledge and tools to reduce the cyber threats in the organization. is one of the important today s application that is being used by many people all around the globe either they are in corporate organizations, government bodies, students and teachers. The total number of worldwide accounts is expected to increase from 3.3 billion accounts in 2012 to over 4.3 billion accounts by year-end This represents an average annual growth rate of 6% over the next four years [1]. Parallel with the increment of the usage, number of abusive and misuse of the is also reported either in the form of spamming, delivery of malicious file attachments, phishing and others. These show the importance to tighten up the security of the . This paper will discuss and share actions that have been taken by IT Center to enhance the security of official application. Key words: system, cyber security protection, cyber threats, Nuclear Malaysia 1

2 1.0 Introduction 1.1 usage statistic in Nuclear Malaysia Network and data on the net are conceptually vulnerable unless appropriate security protection is applied. The advancement of ICT creates highh dependency to latest tools and IT knowledge to overcomee the rapid evolved and new born cyber security threats. The Threats are almost impossible to be totally demolished except with genuine technical experience and accurate tools. As far as as important communication and management tool for the modern world is concerned, it has been globally used across governments and other sectors all over the world. accounts are expected to increase from 3.3 billion in 2012 to over 4.3 billion by end of This represents an average annual growth rate of 6% over the next four years [1]. In the agency itself, usage and dependency is very high and further usage when it is also permissible to be used as a standard and formal document in government agencies. Below are some statistics showing the usage in Nuclear Malaysia: Figure 1: Agency s mail usage statistic for May 2013 Figure 2: Agency s mail usage statistic for July

3 Figure 3: Average Specific Rate for Agency s for One Week 1.2 Government Policy Malaysian Government though one the agency which is called MAMPU has produced a formal document to be followed by all government agencies. The document so called Pekeliling Kemajuan Pentadbiran Awam Bil. 1 Tahun 2003 with titled "Garis Panduan Mengenai Tatacara Penggunaan Internet dan Mel Elektronik di Agensi Kerajaan". Another document which is also a formal instruction from the Director General of MAMPU dated on 1 st Jun 2007 with titled Langkah also from Director General of MAMPU dated on 23 rd November 2007 titled Langkah Langkah Pemantapan Pelaksanaan Sistem Mel Elektronik di Agensi Agensi Kerajaan. All these documents and orders has only one purpose which is to give a guide regarding safety of usage, guidance and stepss to be taken for ensuring good governance in the government agencies. In order to tighten up the good governance and usage of system throughout all government Langkah Mengenai Penggunaan Mel Elektronik di Agensi Agensi Kerajaan and A letter of order servants, MAMPU has introduced 40 steps to be taken out by users and administrator in all government agencies. The steps include handling of s by users, administrator, network administrator and also term of reference related to that should be followed by Information Management Division. 3

4 1.3 E mail Vulnerabilities There are quite a number of vulnerabilities comes from application. It may be divided into three main components: i. User User ignorance is one of the biggest problems faced by the system or network administrator in any organization. We can put as many security perimeter appliances in our setup, but it will fail if the user do not do what they suppose do as a user. It is as simple as using a guessable or simple password for their . Report from Cyber Security Malaysia [8] proved the importance of user action. People: the weakest link "These are the reported incidents and not yet considered as cyber crime cases. The incidents came from the public who wish to seek our technical assistance in resolving cyber security issues that they encountered while using the Internet," "We found that incidents involving technical aspects like Intrusion (mostly involving web defacement), intrusion attempts (such as attempts to hack networks) and vulnerability reports have decreased slightly," "On the contrary, attacks that rely on 'human weaknesses' such as fraud, spams, cyber harassment and content related incidents have increased significantly." "This confirms that cyber criminals are targeting 'people' instead of 'machines', because people are the weakest link in cyber security". "Furthermore, advanced technical measures such as three tier security verifications are making it more difficult to penetrate machines and networks. Therefore, we advise the public to be wary of 'social engineering', a tactic used by criminals to befriend their victims before deceiving them." Dr. Amirudin Abdul Wahab, CEO, CyberSecurity Malaysia 4

5 ii. iii. Mail Client Software (e.g Microsoft Outlook, Thunderbird, Zimbra Desktop) Patches either it is Operating System or the software itself ( especially for Windows machine). It needs to be updated every now and then to make sure the performance, accessibility and security is not being compromised with viruses and malware. Mail Server Software (e.g Zimbra, Microsoft Exchange) Besides the complexity of installing and configuring the mail server, system administrator or whoever is in charge for the server need to maintain the facility. Ensure the server is secure by installing or configuring proper internal firewall or appliance based security defense as well as installing antivirus software and making sure it is updated (especially for Microsoft based product) on the server. Figure 4: Top 10 malicious programs spread via in March 2012[9] 5

6 2.0 Methods and Practices of Security in Nuclear Malaysia Security companies and experts in the field have thrown out and share their ideas and effort to come out with ways, methods and best practices on how to handle system safely either as a user or as an administrator. Some are very common and easily adopted by most of organizations in the world. Basically, simple adoption does not require any additional money and only by simple tweaking to the existing system and appliances we already had. However, the adoption and implementation success story sometimes does not come together as a result of the adoption. In Nuclear Malaysia, what we have practiced and implemented are as follows: i. Establish Secure Socket Layer (SSL) for Access. Two obvious benefits of implementing SSL are: I. We can be sure that we are connecting to the right server. II. Communication between client and server is through a secure channel. SSL Certificates are small data files that digitally bind a cryptographic key to an organization s details. It is (generally) issued by third party agencies that will do a background check on the company requesting the certificate and only issue it if the company has a right to the certificate. In our case, we got SSL Digital Certificate from Digicert.Com. As what procedure has been mentioned, after registration and payment is done, confirmation of information validity is done by Digicert. These include a number of s to be answered as well as by phone call. Standard Features All DigiCert SSL Certificates come with the following standard features: Unlimited Free Reissues 2048 bit SSL Secure Sockets Layer with TLS Encryption Compatible with all major browsers Solid vetting to ensure strong Authentication Secure Site Seal Phone, , and Chat Support Compatible with Apache, IIS, Tomcat, Exchange Server, and other servers Compatible with Linux, Windows, and other operating systems 6

7 ii. Establish a standard operating procedure (SOP) Figure 5: SOP for monitoring 7

8 SOP for account management (Creation and Deletion) Each of account provider has their own policy and guideline to be followed in term of creating and deleting of account. Below are samples of policies for certain famous account provider: Hotmail A free Hotmail account becomes inactive if you do not sign in for 30 days, or within the first 10 days after signing up for an account. Once an account becomes inactive, all messages, folders, and contacts are deleted, but the account name is still reserved. If the account stays inactive for a further 90 days, it is permanently deleted. RtYWlsUElNX0ZBUSZmb3JtYXQ9)/help.aspx?querytype=topic&query=PIM_PROC_CloseAcct.htm Gmail Google may terminate your account in accordance with the terms of service if you fail to login to your account for a period of nine months. Yahoo Mail Yahoo! Mail accounts are deactivated and removed after six months of not being used, plus an additional two months for each year you held the account. When an account is deactivated, you can t access it, regardless of whether an has been received in the account during that time. After an account is deactivated, Yahoo! can't retrieve any of the information that was formerly stored in that account, such as and images. Note: With Yahoo! Mail Plus, your account never goes dormant due to inactivity. Check it out! 04.html Why is it important? Reason 1: accounts which are no longer active should be deleted or at least closed to reduce the security threat. Usually, those inactive accounts will not be monitored by the owner or the user actively. So if there is any spam or hacking activity is being done through , nobody will realize it until it has became severe and could attack the whole agency system. Reason 2 : Deleting unused will reduce the number of client license required. 8

9 As for Nuclear Malaysia, we do have guidelines in creating and deleting of account. i. For creating an account; a. All permanent staff is eligible for an account (primary server). b. Contract staff can be given a secondary account (cc.nuclearmalaysia.gov.my) which is located on virtual server. The separation of this account is simply because in primary server is based on client license whereas secondary is based on free version of system. It so happen because of limitation of the budget and for the reason of duplication of the system. ii. For deleting of an account; a. Staff who are retired, transferred (to other agency) or died should be informed to administrator by Administration Department. b. administrator should take appropriate action when receive the acknowledgement. c. Without proper / formal request (by the user an approved by top management), an account (and user domain account) would be closed immediately (up to 3 months) and will be deleted after 3 months. d. If the request is approved by top management, the account will be held active based on the request. iii. Follow the SOP Problems often appear to arise from a failure to follow Standard Operating Procedures. One can write a very good procedure and best practice but the problem will always be there if it is not followed by the person in charge. Failure to follow procedure can lead to the problem re occur in the future. These procedures are written to ensure that proper action is taken and if any modification is needed for a better output, it always can be done from time to time. iv. Create user awareness and make it a culture in the organization. Security Policy enforcement could be done through technology such as firewall, Active Directory features and other security tools. However, those security tools, features and appliance can easily being compromised if the user take the security matters for granted and don t bother about it seriously and finally jeopardize the whole system. Familiarization of the importance for security to the users should be done from time to time as the technology also grows very fast. Apparently, when any new technology is introduced it will always come with a loophole. 3.0 Issues and Problems Nuclear Malaysia is currently using Zimbra Collaboration Suite Network Edition (Professional), Version with Perpetual License for 1200 user. Even though Perpetual license means a license with no expiration date, it is only a license for a major release version we are buying. There are no rights to any updates, upgrades or extensions or enhancements to the Software developed by VMware. In order to ensure the system is up to date, we need for an extra budgetary to pay for maintenance and support. Support entitles us to major and minor release updates, portal access and 9

10 more. Since we are now running the mail system without support services, we cannot make an update for the current version of the software (which is now version 8) that leads to another problem as follow (existing version is not supporting below features): i. Advanced search and file indexing for large inboxes ii. Integration with Unified Communication iii. Microsoft Outlook , Contact, Calendar and Task sync iv. Blackberry , Contact, Calendar Sync v. Zimbra Mobile (ActiveSync) for , Contact, Calendar and Task Sync vi. Real time backup and restore vii. Clustering/High Availability viii. Multi tenancy ix. Domain Administration & Role based Delegate x. Archiving & Discovery xi. Advanced compliance xii. Professional Services access for customization and migration We also realized the problem when to manage account deletion. For some unknown reason so far, it does not synchronize with the existing Microsoft Windows 2000 Active Directory Mixed mode. B. Issues and problem related to hardware capacity and capability. i. Hardware not sufficient to support workload for 1000 users (load balance server and storage) spam filter can t work efficiently using the same resources. ii. Backup only can handle up to 3 weeks. iii. Existing Microsoft Windows 2000 Active Directory Mixed mode need to be upgraded to the latest version available. iv. Untangle spam filter, using free version of spam filter with limited features to cater enterprise level of network and users C. Issues related to the user Users experience and simple maintenance guide There are still users will old school thought, which says this is IT thing and let only IT people solve their problem even though the problem comes from own personal settings and simple customization on the client side application. This also include to archive personal and to manage personal rules for their account. 10

11 4.0 Conclusion and Way Forward Figure 6: Key obstacles to information security effectiveness Based on Figure 6 above which is a survey done by Ernst@Young 2012[8], it shows budget constraint is a number one problem in information security effectiveness. With refer to the finding of this survey, we would like to make a conclusion and propose some idea to be brought forward for a better future in the aspect of security. i. Existing IT infrastructure need to be upgraded parallel with the fusion of ICT technology globally. The statement saying we do with what we had is no longer valid and need to be reviewed seriously since security is not something that we can compromise on. ii. iii. iv. To reduce the amount of burden to administrator, an recovery solution must capable to allow for individual, message level items, including; messages, appointments, tasks, contacts, and attachments to be quickly restored from regular backups and information stores without setting up a dedicated recovery server. User education for sharing the shared valued regarding system as a whole. is not owned by IT center as a unit under a division but everybody should take a serious responsibility for managing their own account. It includes backup or archive the , strengthen the password and proper usage of system. Data Leak Protection facility need to be on the system. It serve as a security guard to ensure that any that has been sent and received complies with business policy and protect any confidential data from going out to inappropriate body or individual. Proving who has sent or received is a lawful requirement for many industries and can often be used as evidence in fraud and human resource court cases. v. Advice for user: a. Not to use an organization to be registered to unofficial discussion forum on the internet. This would somehow make the agency s server and spam filter do unnecessary job to ensure the agency system safe. b. Disable the automatic downloading of graphics in HTML mail Many spammers send HTML mail with a linked graphic file that is then used to track who open the mail message 11

12 5.0 References when your mail client downloads the graphic from their web server, they know you've opened the message. Disabling HTML mail entirely and viewing messages in plain text also prevents this problem. c. Always beware and alert for any message from Administrator. It always happened to be that phishing comes in this way, acting as an administrator and ask the user to change a password. d. If we feel that your has been compromised or hacked, do the following; 1. Change into stronger password 2. Report the incident to the admin 3. Scan computer with an up to date antivirus program 4. Don t fail to review your personal settings 5. Change password or security questions for other sites 6. Check your folders 7. Monitor the account quite frequently to see the pattern or any weird activity. 1. Statistics Report, , Editor: Sara Radicati, PhD, THE RADICATI GROUP INC, April Security Threats, Pam Cocca, SANS Institute, Pemantapan Penggunaan Dan Pengurusan E Mel Di Agensi Agensi Kerajaan, MAMPU.BDPICT.700 2/36 (1) 4. Garis Panduan Mengenai Tatacara Penggunaan Internet dan Mel Elektronik di Agensi Kerajaan, Pekeliling Kemajuan Pentadbiran Awam Bil. 1Tahun Langkah Langkah Mengenai Penggunaan Mel Elektronik di Agensi Agensi Kerajaan, Surat Arahan Ketua Pengarah MAMPU, 1 Jun Langkah Langkah Pemantapan Pelaksanaan Sistem Mel Elektronik di Agensi Agensi Kerajaan, Surat Arahan Ketua Pengarah MAMPU, 23 November Fighting To Close The Gap: Ernst@Young 2012, Global Information Security Survey in Computer World Forum Summit 2013, KL 8. H1 2013: Cyber security scene in Malaysia; Avanti Kumar; cyber security scene inmalaysia/ ; Access date: 3 rd September Spam report: March 2012; Maria Namestnikova ; Access date 28 th July