1) Cyber security in Singapore - have the recent hacking episodes exposed a "weakness" in Singapore's cyber security?
I wouldn't call it a weakness but an eye-opener as to what else could be done by potential skilful hackers. In one of the hacking movies back in the 80s, 'WarGames', David Lightman, the hacker, stated that 'I don't believe that any system is totally secure' when someone told him that it was impossible to gain access to the systems. Taking that quote, I believe that there is no way to say that a system, a server or a website is totally 100% secure. There will always be a potential issue, a potential backdoor, security misconfigurations, or missing or outdated patches that can be taken advantage of and exploited. Before the much-talked-about hackings of government sites lately, back in 2011, 17 of our govt sites were defaced by a hacker group called Brazil Hack Team and fortunately, that was all they were able to do. The so-called hacking of the Istana and PMO websites was not really a hack. It was a client-side exploitation of a vulnerability called XSS or Cross-Site Scripting, which does not affect the server side and still maintains the confidentiality, integrity and availability of the PMO's and Istana's website/server. In other words, nothing was leaked or compromised.
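The reflected XSS mentioned above, shown as an added example that is not part of the interview: a constructed Python page renderer that reflects a query parameter into the HTML unescaped, beside the same renderer with HTML escaping applied. The page template, the `q` parameter name and the payload are assumptions for illustration only.

```python
import html
from urllib.parse import parse_qs

# Constructed page template (assumption): the user's search term is reflected
# back into the response body, which is the classic reflected-XSS pattern.
PAGE = "<html><body><h1>Search</h1><p>You searched for: {term}</p></body></html>"

# Constructed attack payload (assumption): a script element in the 'q' parameter.
PAYLOAD = "q=<script>alert(document.cookie)</script>"


def _term_from_query(query_string: str) -> str:
    """Pull the first 'q' value out of a URL query string (empty if absent)."""
    params = parse_qs(query_string)
    return params.get("q", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """Reflects the 'q' parameter into the page unescaped.

    The server's data store is never touched; the browser of whoever opens the
    crafted link executes the injected script, which is why this is a
    client-side issue.
    """
    return PAGE.format(term=_term_from_query(query_string))


def render_search_fixed(query_string: str) -> str:
    """Same page, but the parameter is HTML-escaped before insertion.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the
    payload is rendered as literal text instead of being parsed as markup.
    """
    return PAGE.format(term=html.escape(_term_from_query(query_string), quote=True))


def contains_script_tag(rendered: str) -> bool:
    """Crude check used by the demo: does a literal <script> element survive?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable :", render_search_vulnerable(PAYLOAD))
    print("fixed      :", render_search_fixed(PAYLOAD))
    print("script tag survives (vulnerable):", contains_script_tag(render_search_vulnerable(PAYLOAD)))
    print("script tag survives (fixed)     :", contains_script_tag(render_search_fixed(PAYLOAD)))
```

Output encoding at the point of insertion is the fix; the check function is only a demo aid, since real XSS payloads rarely need a literal `<script>` tag.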
2) As an Ethical Hacker and Security Consultant, what do
you think are the challenges in cyber security here, and worldwide?
One of the challenges that we face, not just in Singapore but also in other countries, is investment in cyber security. Singapore, similarly to the USA and Israel, has invested billions in physical military warfare but not much in the technology and manpower of a cyber military. In my opinion, we should also invest not just in F-16 jets but also in the technology and skills that could potentially bring down an F-16 jet using a laptop. When I went to a security conference in Amsterdam, a hacker managed to show how he could potentially hack the control systems of an airplane. If we think that is far-fetched, in 2011, hackers from China managed to hack and control a NASA satellite for approximately 11 minutes. Needless to say, when it comes to hacking, nothing is impossible.
Another thing is skillset. Before 2007, local institutions, polytechnics and universities did not have courses that involved ethical hacking. These ethical hacking courses were mostly seen in private institutions. In the US, schools are established for future and potential hackers. Hacker schools and hacking academies are created so that students are trained from young. In India, for example, students are exposed to security at such a young age, and you have people like Ankit Fadia, an Indian hacker who published a book on ethical hacking at the age of 16. However, I am glad that the government understands the gravity and importance of cyber security, and since mid-2007 onwards, ethical hacking modules and courses have been introduced in the majority of local institutions. The graduates from these faculties will be the ones who safeguard our network and infrastructure.
The third thing is security education and conferences. In Singapore there are not many security conferences that are open to the public. There is one held annually here called SyScan, and I believe that such a conference will benefit the security community here in Singapore. There are also other conferences such as GovWare, but such government-sponsored conferences are not open to the public and can be expensive at times. If we look at countries such as the US, those in Europe and even Malaysia, there are a number of conferences held every year that are affordable and open to the public. Singapore must learn from such countries and organize more conferences open to the public that can educate the public in security awareness and the importance of the roles they play in their organizations. Remember that security is a shared responsibility.
3) Are companies here prepared to deal with cyber
challenges? Why or why not?
As long as the company invests in cyber security, I believe that those companies are more or less prepared for potential cyber challenges. Whenever there's a hacking incident, security officers and management will question three important things: whether the confidentiality, the integrity and the availability of the information were compromised. Therefore, even if the website got defaced, at least the information or data was not compromised, stolen or leaked.
4) What have been your experiences in ethically
"hacking" company sites? What more can be done?
One of the most important things before ethically hacking company sites or servers is to ensure we agree on the rules of engagement, the DOs and the DON'Ts. Trust is a very important matter. Just imagine if we are able to compromise a credit card database; this is where the word 'ethical' comes into hacking. Such major findings will be alerted to the stakeholders and we will assist them with recommendations on how to remediate such findings. Security managers in organizations must also understand the difference between performing a vulnerability assessment and a penetration testing assessment. Both may sound similar but are totally different when applied.
Companies can additionally invest in security services that perform vulnerability assessments and risk analysis on a periodic basis instead of doing it just because they have to abide by their policies and audit requirements.