Thursday, 12 December 2013

Cyber Security in Singapore - Opinions

Recently i was invited by a local radio station to give a talk about Cyber Security in Singapore but due to company and legal reason, i had to decline the opportunity. Nonetheless, these were the questions i was supposed to answer during the talk show.

1) Cyber security in Singapore - has the recent hacking episodes exposed a "weakness" in Singapore's cyber security?

I wouldnt call it a weakness but an eye opener as to what else could be done by potential skillful hackers. In one of the hacking movies back in the 80s called 'Wargames', David Lightman, the hacker stated that 'I dont believe that any systems is totally secure' when someone told him that it was impossible to gain access to the systems. Taking that quote, i believed that there is no way to say that a system, a server or a website is totally 100% secure. There will always bound to have a potential issue, potential backdoor, security misconfigurations, missing or outdated patches that can be taken advantage and exploited. Before the much talked hackings of government sites lately, back in 2011, 17 of our govt sites were defaced by a hacker group called Brazil Hack Team and fortunately, that was all they were able to do. The so called hacking of the Istana and PMO website were not really a hack. It was a client side exploitation of a vulnerability called XSS or Cross Site Scripting which do not affect the server side and still maintain the confidentiality, integrity and availability of the PMO's and Istana's website/server. In other words, nothing was leaked or compromised.


2) As an Ethical Hacker and Security Consultant, what do you think are the challenges in cyber security here, and worldwide?

One of the challenges that we faced not just in Singapore but also in other countries is investments in cyber security. Singapore, similarly like USA and Israel, we invested billions in physical military warfare but not much in the technology and manpower in cyber military. In my opinion, we should also invest not just the F-16s jets but also in technology and skills that could potentially bring down an F-16 jet by using a laptop. When i went to a security conference in Amsterdam, a hacker managed to show how he can potentially hack the control systems of an airplane. If we think that that is farfetched, in 2011, hackers from China managed to hack and control a NASA satellite for approximately 11minutes. Needless to say, when it comes to hacking, nothing is impossible.

Another thing is skillset. Before 2007, local instituitions, polytechnics and Universities do not have courses that involves Ethical hacking. These ethical hacking courses were mostly seen in private instituitions. In the US, schools are established for future and potential hackers. Hacker schools, hacking academy are created so that students are trained from young. In India for example, students are exposed to security at such a young age and you have people like Ankit Fadia, an Indian hacker who published a book on Ethical hacking at the age of 16. However, i am glad that the government understand the gravity of the importance of cyber security and since mid 2007 onwards, ethical hacking modules, courses are introduced in majority of the local institutions. The graduates from these faculties will be the ones who will safeguard our network and infrastructure.

The third thing is Security education and conferences. In Singapore there are not many security conferences that are open to public. There is one that holds annually here called Syscan and i believed that such a conference will benefit the security community here in Singapore. There are also other conferences such as GovWare but such government sponsored conferences are not open publicly and can be expensive at times. If we look at countries such as US, in Europe and even in Malaysia, there are a number of conferences held every year and are affordable and open to the public. Singapore must learn from such countries and organize more conferences open to public that can educate the public in security awareness and the importance of the roles they play in the organizations. Remember that security is a shared responsibility. 

3) Are companies here prepared to deal with cyber challenges? Why or why not?

As long as the company invests in cyber security, i believed that those companies are more or less prepared for potential cyber challenges. Whenever there's a hacking incident, security officers and management will question 3 important things: whether the Confidentiality, the Integrity and the Availability of the information got compromised. Therefore, even if the website got defaced at least the information or data are not compromised, stolen or leaked.
 
4) What have been your experiences in ethically "hacking" company sites? What more can be done?

One of the most important things before ethically hacking company sites or servers is to ensure we agreed on the rules of engagement, the DOs and the DONTs. Trust is a very important matter. Just imagine if we are able to compromise a credit card database,  this is where the word ethical comes into hacking. Such major findings will be alerted to the stakeholders and we will assist them through recommendations on how to remediate such findings. Security managers in organizations must also understand the difference between performing a vulnerability assessments and a penetration testing assessment. Both may sound similar but totally different when applied. 

Companies can additionally invest on security services that perform vulnerability assessments, risks analysis on a periodic basis instead of doing it just because they have to abide by their policies and audit requirements.

No comments:

Post a Comment