DISCLAIMER - NIKZAFRI.BLOGSPOT.COM


Today, Knowledge Management today are not limited merely to : (A) 'knowing' or 'reading lots of books/scholarly articles' or (B) data mining, analysis, decision making, preventive actions, or (C) some Human Resources Management issue or (D) some ICT issue. Knowledge Management is about putting your knowledge, skills and competency into practice and most important IT WORKS! For you and your company or your business (Nik Zafri) Can I still offer consultancy or training? Who claims otherwise? Absolutely, I can.

The information comprised in this section is not, nor is it held out to be, a solicitation of any person to take any form of investment decision. The content of the nikzafri.blogspot.com does not constitute advice or a recommendation by nikzafri.blogspot.com and should not be relied upon in making (or refraining from making) any decision relating to investments or any other matter. You should consult your own independent financial adviser and obtain professional advice before exercising any investment decisions or choices based on information featured in this nikzafri.blogspot.com can not be held liable or responsible in any way for any opinions, suggestions, recommendations or comments made by any of the contributors to the various columns on nikzafri.blogspot.com nor do opinions of contributors necessarily reflect those of http://www. nikzafri.blogspot.com

In no event shall nikzafri.blogspot.com be liable for any damages whatsoever, including, without limitation, direct, special, indirect, consequential, or incidental damages, or damages for lost profits, loss of revenue, or loss of use, arising out of or related to the nikzafri.blogspot.com or the information contained in it, whether such damages arise in contract, negligence, tort, under statute, in equity, at law or otherwise.


MY EMPLOYERS AND CLIENTELLES



BIODATA - NIK ZAFRI


 



NIK ZAFRI BIN ABDUL MAJID,
CONSULTANT/TRAINER
Email: nikzafri@yahoo.com, nikzafri@gmail.com
https://nikzafri.wixsite.com/nikzafri

Kelantanese, Alumni of Sultan Ismail College Kelantan (SICA), IT Competency Cert, Certified Written English Professional US. Has participated in many seminars/conferences (local/ international) in the capacity of trainer/lecturer and participant.

Affiliations :- Network Member of Gerson Lehrman Group, Institute of Quality Malaysia, Auditor ISO 9000 IRCAUK, Auditor OHSMS (SIRIM and STS) /EMS ISO 14000 and Construction Quality Assessment System CONQUAS, CIDB (Now BCA) Singapore),

* Possesses almost 30 years of experience/hands-on in the multi-modern management & technical disciplines (systems & methodologies) such as Knowledge Management (Hi-Impact Management/ICT Solutions), Quality (TQM/ISO), Safety Health Environment, Civil & Building (Construction), Manufacturing, Motivation & Team Building, HR, Marketing/Branding, Business Process Reengineering, Economy/Stock Market, Contracts/Project Management, Finance & Banking, etc. He was employed to international bluechips involving in national/international megaprojects such as Balfour Beatty Construction/Knight Piesold & Partners UK, MMI Insurance Group Australia, Hazama Corporation (Hazamagumi) Japan (with Mitsubishi Corporation, JA Jones US, MMCE and Ho-Hup) and Sunway Construction Berhad (The Sunway Group of Companies). Among major projects undertaken : Pergau Hydro Electric Project, KLCC Petronas Twin Towers, LRT Tunnelling, KLIA, Petronas Refineries Melaka, Putrajaya Government Complex, Sistem Lingkaran Lebuhraya Kajang (SILK), Mex Highway, KLIA1, KLIA2 etc. Once serviced SMPD Management Consultants as Associate Consultant cum Lecturer for Diploma in Management, Institute of Supervisory Management UK/SMPD JV. Currently – Associate/Visiting Consultants/Facilitators, Advisors for leading consulting firms (local and international) including project management. To name a few – Noma SWO Consult, Amiosh Resources, Timur West Consultant Sdn. Bhd., TIJ Consultants Group (Malaysia and Singapore) and many others.

* Ex-Resident Weekly Columnist of Utusan Malaysia (1995-1998) and have produced more than 100 articles related to ISO-9000– Management System and Documentation Models, TQM Strategic Management, Occupational Safety and Health (now OHSAS 18000) and Environmental Management Systems ISO 14000. His write-ups/experience has assisted many students/researchers alike in module developments based on competency or academics and completion of many theses. Once commended by the then Chief Secretary to the Government of Malaysia for his diligence in promoting and training the civil services (government sector) based on “Total Quality Management and Quality Management System ISO-9000 in Malaysian Civil Service – Paradigm Shift Scalar for Assessment System”

Among Nik Zafri’s clients : Adabi Consumer Industries Sdn. Bhd, (MRP II, Accounts/Credit Control) The HQ of Royal Customs and Excise Malaysia (ISO 9000), Veterinary Services Dept. Negeri Sembilan (ISO 9000), The Institution of Engineers Malaysia (Aspects of Project Management – KLCC construction), Corporate HQ of RHB (Peter Drucker's MBO/KRA), NEC Semiconductor - Klang Selangor (Productivity Management), Prime Minister’s Department Malaysia (ISO 9000), State Secretarial Office Negeri Sembilan (ISO 9000), Hidrological Department KL (ISO 9000), Asahi Kluang Johor(System Audit, Management/Supervisory Development), Tunku Mahmood (2) Primary School Kluang Johor (ISO 9000), Consortium PANZANA (HSSE 3rd Party Audit), Lecturer for Information Technology Training Centre (ITTC) – Authorised Training Center (ATC) – University of Technology Malaysia (UTM) Kluang Branch Johor, Kluang General Hospital Johor (Management/Supervision Development, Office Technology/Administration, ISO 9000 & Construction Management), Kahang Timur Secondary School Johor (ISO 9000), Sultan Abdul Jalil Secondary School Kluang Johor (Islamic Motivation and Team Building), Guocera Tiles Industries Kluang Johor (EMS ISO 14000), MNE Construction (M) Sdn. Bhd. Kota Tinggi Johor (ISO 9000 – Construction), UITM Shah Alam Selangor (Knowledge Management/Knowledge Based Economy /TQM), Telesystem Electronics/Digico Cable(ODM/OEM for Astro – ISO 9000), Sungai Long Industries Sdn. Bhd. (Bina Puri Group) - ISO 9000 Construction), Secura Security Printing Sdn. Bhd,(ISO 9000 – Security Printing) ROTOL AMS Bumi Sdn. Bhd & ROTOL Architectural Services Sdn. Bhd. (ROTOL Group) – ISO 9000 –Architecture, Bond M & E (KL) Sdn. Bhd. (ISO 9000 – Construction/M & E), Skyline Telco (M) Sdn. Bhd. (Knowledge Management),Technochase Sdn. Bhd JB (ISO 9000 – Construction), Institut Kefahaman Islam Malaysia (IKIM – ISO 9000 & Internal Audit Refresher), Shinryo/Steamline Consortium (Petronas/OGP Power Co-Generation Plant Melaka – Construction Management and Safety, Health, Environment), Hospital Universiti Kebangsaan Malaysia (Negotiation Skills), Association for Retired Intelligence Operatives of Malaysia (Cyber Security – Arpa/NSFUsenet, Cobit, Till, ISO/IEC ISMS 27000 for Law/Enforcement/Military), T.Yamaichi Corp. (M) Sdn. Bhd. (EMS ISO 14000) LSB Manufacturing Solutions Sdn. Bhd., (Lean Scoreboard (including a full development of System-Software-Application - MSC Malaysia & Six Sigma) PJZ Marine Services Sdn. Bhd., (Safety Management Systems and Internal Audit based on International Marine Organization Standards) UNITAR/UNTEC (Degree in Accountacy – Career Path/Roadmap) Cobrain Holdings Sdn. Bhd.(Managing Construction Safety & Health), Speaker for International Finance & Management Strategy (Closed Conference), Pembinaan Jaya Zira Sdn. Bhd. (ISO 9001:2008-Internal Audit for Construction Industry & Overview of version 2015), Straits Consulting Engineers Sdn. Bhd. (Full Integrated Management System – ISO 9000, OHSAS 18000 (ISO 45000) and EMS ISO 14000 for Civil/Structural/Geotechnical Consulting), Malaysia Management & Science University (MSU – (Managing Business in an Organization), Innoseven Sdn. Bhd. (KVMRT Line 1 MSPR8 – Awareness and Internal Audit (Construction), ISO 9001:2008 and 2015 overview for the Construction Industry), Kemakmuran Sdn. Bhd. (KVMRT Line 1 - Signages/Wayfinding - Project Quality Plan and Construction Method Statement ), Lembaga Tabung Haji - Flood ERP, WNA Consultants - DID/JPS -Flood Risk Assessment and Management Plan - Prelim, Conceptual Design, Interim and Final Report etc., Tunnel Fire Safety - Fire Risk Assessment Report - Design Fire Scenario), Safety, Health and Environmental Management Plans leading construction/property companies/corporations in Malaysia, Timur West Consultant : Business Methodology and System, Information Security Management Systems (ISMS) ISO/IEC 27001:2013 for Majlis Bandaraya Petaling Jaya ISMS/Audit/Risk/ITP Technical Team, MPDT Capital Berhad - ISO 9001: 2015 - Consultancy, Construction, Project Rehabilitation, Desalination (first one in Malaysia to receive certification on trades such as Reverse Osmosis Seawater Desalination and Project Recovery/Rehabilitation)

* Has appeared for 10 consecutive series in “Good Morning Malaysia RTM TV1’ Corporate Talk Segment discussing on ISO 9000/14000 in various industries. For ICT, his inputs garnered from his expertise have successfully led to development of work-process e-enabling systems in the environments of intranet, portal and interactive web design especially for the construction and manufacturing. Some of the end products have won various competitions of innovativeness, quality, continual-improvements and construction industry award at national level. He has also in advisory capacity – involved in development and moderation of websites, portals and e-profiles for mainly corporate and private sectors, public figures etc. He is also one of the recipients for MOSTE Innovation for RFID use in Electronic Toll Collection in Malaysia.

Note :


TO SEE ALL ARTICLES

ON THE"LABEL" SECTION BELOW (RIGHT SIDE COLUMN), YOU CAN CLICK ON ANY TAG - TO READ ALL ARTICLES ACCORDING TO ITS CATEGORY (E.G. LABEL : CONSTRUCTION) OR GO TO THE VERY END OF THIS BLOG AND CLICK "Older Posts"


 

Monday, April 01, 2024

CYBER SECURITY - Quick Overview - Nik Zafri




I had a chance to read the newly passed Cybersecurity Bill 2024 on March 27, 2024, after its first reading on March 25, 2024. Among the key provisions are formation of NCSC (National Cyber Security Committee), duties, authorities and responsibilities of Chief Executive of the NCSA (National Cyber Security Agency), critical information infra, handling security breaches etc. This act stands as a great support to other Malaysian Cyber Laws such as Computer Crimes Act 1997, Digital Signature Act 1997, Telemedicine Act 1997, Communications and Multimedia Act 1998, Electronic Commerce Act 2006, Electronic Government Activities Act 2007, Personal Data Protection Act 2010, Penal Code and Anti-Fake News (Repeal) Act 2020 Personal Data Protection Act 2010 etc.

I totally agree that cyber security services provider must hold the necessary licenses under the law. Despite this may not apply to providers of a company to its’ branches, I still think that the security providers despite internal, must have the necessary qualifications and licences. The company itself must practice a certain guideline or better be certified with ISO 27000 or its equivalent. (I find it interesting to know one of my clients, Petaling Jaya City Council (Majlis Perbandaran Petaling Jaya) has long been certified with (ISMS) ISO/IEC 27001 – perhaps this can serve as an example)

ISO/IEC 27001 is an international standard for information security management systems (ISMS), while ISO/IEC 27002 provides guidelines for implementing controls to address information security risks. These standards include requirements and recommendations for incident response planning, incident handling procedures, and coordination mechanisms to ensure a systematic and coordinated approach to managing cybersecurity incidents.

The bill should also be clear or have appendices on legal frameworks, regulations, and guidelines to enhance cybersecurity measures within Malaysia. Despite Personal Data Protection Act 2010 is in force, there are still concerns on Data Protection, Security and Privacy including clear guidelines for data collection, storage, and processing, as well as requirements and reporting for data breach notifications.

There is also a dire need to safeguard critical infrastructure sectors such as energy, transportation, healthcare (to be covered more in Telemedicine Act 1997) and the financial sectors from cyber threats, including mandatory security standards and incident reporting requirements. With reports of sophisticated breaches, hackers and scammers on the rise, we need a more robust cybersecurity measures TAILORED to the unique needs and challenges of each sector. We can’t depend on one system and think everything will be OK.

By adopting a collaborative and multi-stakeholder approach, investing in capacity building and training, leveraging advanced technologies and investigative techniques, and implementing strong legal frameworks and deterrent measures, stakeholders can enhance their ability to combat cybercrime effectively and protect individuals, businesses, and critical infrastructure from cyber threats.

Some systems, software, applications, and firewalls commonly used around the world to enhance cybersecurity in critical infrastructure such as (I know Malaysia do have most of the following but they were “scattered” rather than “integrated”) :

  • ICS (Industrial Control System),
  • SCADA (Supervisory Control and Data Acquisition) – which known to provide protection against cyber threats targeting operational technology (OT) environments,
  • Firewalls like ICS designed to filter and monitor network traffic of IT and OT,
  • IDPS and NIDS– Intrusion Detection and Prevention System and Network Intrusion Detection System – to monitor network traffic for suspicious activity or cyber threats,
  • Host-based Intrusion Detection Systems (HIDS) to monitor activities on individual computers or devices for signs of unauthorized access or malware.
  • Security Information and Event Management (SIEM) Systems - Collects and analyzes security event data from various sources within the infrastructure to detect and respond to cyber threats in real-time.
  • Provides centralized logging, correlation, and reporting capabilities for incident response and compliance purposes.
  • Next-Generation Firewalls (NGFW) incorporating traditional firewall features with advanced security capabilities such as intrusion prevention, application awareness, and deep packet inspection to protect against sophisticated cyber threats.
  • Endpoint Security Solutions  - Antivirus/Anti-Malware Software: Protects endpoint devices (e.g., computers, servers, medical devices) from malware infections and other malicious software)
  • Endpoint Detection and Response (EDR) - Monitors endpoint activities for signs of suspicious behaviour and provides advanced threat detection and response capabilities.
  • Secure Remote Access Solutions - Provide secure remote access to critical infrastructure systems for authorized personnel while mitigating the risk of unauthorized access or cyber attacks.
  • Implement multi-factor authentication (MFA) and encrypted VPN connections to protect remote access sessions.
  • Security Patch Management Systems - Automate the deployment of security patches and updates to operating systems, software, and firmware to address known vulnerabilities and reduce the risk of exploitation by cyber threats.

Another critical issue is Security Training and Awareness Programs despite they are available (at a very high price unfortunately) but the training awareness should cover the points mentioned above. I recommend training providers to INTEGRATE the above modules in their training. Rather than, punishing the security providers, why not help them with grants and perhaps allocation of CPD points should be awarded to cyber security companies that are serious in assisting the nation in protecting the infrastructure.

(Perhaps the Malaysian National Cyber Security Agency could have a hand on this one?)

Educate employees and contractors about cybersecurity best practices, policies, and procedures to mitigate the risk of insider threats and human errors.

Incident Response and Disaster Recovery Plans (IRDRS)

I have witnessed good practices of IRDRS – unfortunately when it comes to implementation, I would rate it a little low due to time consuming recovery which caused inconveniences to the end users and customers.

IRDRS should be regularly be tested on incident response and disaster recovery plans to ensure a timely and effective response to cyber incidents and minimize the impact on critical infrastructure operations. I could be wrong but I RARELY hear any drills being done to ensure effectiveness of IRDRS in Malaysia.

Frameworks for incident response planning should take into account coordination among government agencies, businesses, and other stakeholders, as well as mechanisms for sharing threat intelligence and best practices. It should also involve establishing structured processes, guidelines, and communication channels to effectively detect, respond to, and mitigate cybersecurity incidents.

  • Regulatory Requirements and Compliance Standards

All IRDRS should make reference to available cybersecurity standards and if none available, standards should be established for products, services, and organizations to ensure a baseline level of security and promote trust in digital technologies.

Regulatory requirements and industry-specific compliance standards should mandate the implementation of incident response frameworks and procedures.

Implementing these frameworks involves assessing organizational risks, procedures, conducting training and exercises, establishing communication channels and coordination mechanisms, and regularly reviewing and updating incident response capabilities will adapt to evolving cyber threats and operational requirements.

  • Risk Management

IRDRS is to also provide a set of guidelines, standards, and best practices for improving cybersecurity risk management across critical infrastructure sectors.

It should include a structured approach to incident response, with key functions such as Identify, Protect, Detect, Respond, and Recover (IPDRR), to help organizations prepare for, respond to, and recover from cyber incidents

The security should also include third-party vendors and suppliers that have access to critical infrastructure systems or sensitive data to mitigate supply chain risks. There is a need to implement a multi-layered cybersecurity approach that combines technical solutions, security best practices, and risk management strategies is essential to safeguard critical infrastructure sectors from cyber breaches and ensure the resilience of essential services and operations.

  • Computer Security Incident Response Team (CSIRT)

CSIRT frameworks, such as the CERT Resilience Management Model (CERT-RMM) and the FIRST (Forum of Incident Response and Security Teams) Framework for CSIRTs, provide guidance for establishing and operating computer security incident response teams.

They outline key capabilities, processes, and practices for incident detection, analysis, response, and coordination within organizations and across different stakeholders.

  • Information Sharing and Analysis Centers (ISACs)

ISACs are industry-specific organizations that facilitate the sharing of cybersecurity threat intelligence, best practices, and incident information among members within a particular sector or critical infrastructure.

They often collaborate with government agencies, law enforcement, and other stakeholders to enhance situational awareness, threat detection, and incident response capabilities.

Cybercrime Prevention and Enforcement

To effectively combat cybercrime requires a multi-faceted approach involving collaboration between law enforcement agencies, government bodies, private sector entities, and international partners.

All the cyber laws need to be summarized into a guideline on how the authorities to take action,

  • International Cooperation – this is extremely important where the influx of tourists, expatriates, legal foreign workers to Malaysia (which could be “person of interests” in another country) need a more effective screening system at point of entry (Immigration). Without international cooperation, the chances raise a “red-flag” or detect possible criminal background of visitors will not be effective. We need to establish mutual legal assistance agreements and extradition treaties to facilitate the investigation and prosecution of cybercriminals across jurisdictions.
  • Public-Private Partnerships – Government agencies must work together with private sectors, academia and civil society to hare threat intelligence, best practices, and resources in combating cybercrime. Formal partnerships and information-sharing mechanisms will enhance cyber threat detection, incident response, and mitigation efforts.
  • Cyber Forensics and Digital Evidence Handling – Things are getting more sophisticated nowadays. Perhaps more investment and attention is required. Procedures established must also ensure admissibility and integrity of digital evidence in court proceedings. Training is required on this subject matter.

Proactive Cybercrime Investigations

Employ proactive investigative techniques, such as undercover operations, infiltration of criminal networks, and the use of advanced cyber tools, to identify and disrupt cybercriminal activities.

Monitor online forums, dark web marketplaces, and social media platforms to gather intelligence on cyber threats and criminal activities.

Victim Support and Cybersecurity Awareness

Provide support services for cybercrime victims, including assistance with incident response, recovery, and mitigation efforts.

Raise awareness among individuals, businesses, and organizations about cybersecurity best practices, common cyber threats, and available resources for reporting and responding to cybercrime incidents.

Capacity Building and Education - Initiatives to enhance cybersecurity awareness, education, and training for individuals, businesses, and government entities to improve their ability to identify and mitigate cyber threats.

International Cooperation

By taking the following steps and actively engaging with other countries and international organizations, stakeholders can contribute to building a more secure and resilient cyberspace through collaborative efforts and shared responsibility for addressing global cybersecurity challenges.

  • Collaboration with other countries and international organizations to address global cybersecurity challenges, including information sharing, joint exercises, and diplomatic efforts to establish norms of responsible behaviour in cyberspace.
  • Beginning international collaboration to address global cybersecurity challenges involves building relationships, establishing communication channels, and fostering trust among countries and international organizations. Here are some steps to initiate and facilitate international collaboration in cybersecurity:
  • Initiate diplomatic dialogues and engagements with other countries and international organizations to raise awareness of cybersecurity challenges and the importance of international cooperation.
  • Advocate for the establishment of norms, principles, and agreements to promote responsible behavior in cyberspace, including respect for sovereignty, non-interference, and cooperation in addressing cyber threats.
  • Engage in multilateral forums, such as the United Nations (UN), the Group of Seven (G7), the Group of Twenty (G20), and regional organizations, to discuss cybersecurity issues, share best practices, and coordinate collaborative efforts.
  • Support initiatives such as the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, which facilitates discussions on norms and confidence-building measures in cyberspace.
  • Foster bilateral partnerships and cooperation agreements with other countries to exchange cybersecurity threat intelligence, share best practices, and collaborate on joint cybersecurity initiatives.
  • Establish formal mechanisms, such as memoranda of understanding (MoUs) or bilateral cybersecurity dialogues, to facilitate information sharing, capacity building, and joint exercises.
  • Join international information sharing platforms and cybersecurity alliances, such as the Cyber Threat Alliance (CTA), the Forum of Incident Response and Security Teams (FIRST), and regional Information Sharing and Analysis Centers (ISACs), to exchange threat intelligence and coordinate incident response efforts.
  • Contribute to and benefit from collaborative efforts to improve global cybersecurity resilience and response capabilities.
  • Organize joint cybersecurity exercises, workshops, and capacity building programs with partner countries and international organizations to enhance readiness, response capabilities, and coordination in addressing cyber threats.
  • Share expertise, resources, and training opportunities to strengthen cybersecurity capacity and build trust among participating stakeholders.
  • Provide technical assistance, capacity building support, and cybersecurity expertise to developing countries and regions to strengthen their cybersecurity capabilities and resilience.
  • Collaborate with international organizations, such as the International Telecommunication Union (ITU), the World Bank, and the Organization for Security and Co-operation in Europe (OSCE), to deliver targeted cybersecurity assistance and promote international cooperation.
  • Promote transparency and confidence-building measures, such as the exchange of cybersecurity policy documents, incident reporting mechanisms, and cybersecurity strategy reviews, to enhance mutual trust and understanding among countries.
  • Support efforts to increase transparency in cyberspace, including the attribution of cyber incidents and the disclosure of vulnerabilities, to promote accountability and deter malicious activities.

Sample System and Software

Ensuring data privacy and protection involves a combination of technical solutions, best practices, and organizational policies. Here are some tools, software, and systems commonly used to enhance data privacy and protection:

Encryption Software

  • Full Disk Encryption (FDE): Encrypts entire hard drives or storage devices to protect data at rest.
  • File/Folder Encryption: Encrypts individual files or folders to protect specific data.
  • Transport Layer Security (TLS) - Encrypts data transmitted over networks, commonly used for securing internet communications.

Access Control Systems

  • Identity and Access Management (IAM) Systems - Manages user access rights and permissions to ensure only authorized individuals can access sensitive data.
  • Multi-Factor Authentication (MFA) - Requires users to provide multiple forms of identification before granting access, adding an extra layer of security.
  • Role-Based Access Control (RBAC) - Assigns access rights based on users' roles and responsibilities within an organization.

Data Loss Prevention (DLP) Solutions

  • Content Filtering - Monitors and filters data transfers to prevent unauthorized transmission of sensitive information outside the organization.
  • Data Classification - Automatically identifies and classifies sensitive data to apply appropriate security controls and policies.



No comments: