By Brandon Teoh
Chapter 6: Internet Security Threat Report,
Chapter 7: Essence of Personal Data Protection (PDPA) Act 2010 Malaysia,
Chapter 8: Embracing the consumerisation of IT to Enable Workplace Transformation,
Chapter 9: Social Business: Advent of A New Age,
Chapter 10: 2012 State of mobility survey: Malaysia Findings
Chapter 6: Internet Security Threat Report
by Alex Ong, Country Director, Symantec Malaysia, and Nigel Tan, Director, Systems Engineering, Symantec Malaysia.
APT (Advanced Persistent Threat) has become a buzzword everywhere and, according to Symantec, the term is frequently misused, especially by the media.
Fair enough. In the report, Symantec gives a definition of APT and acknowledges that such attacks represent a real danger.
APTs differ from conventional targeted attacks in significant ways:
1.) They use highly customised tools and intrusion techniques.
2.) They use stealthy, patient, persistent methods to reduce the risk of detection.
3.) They aim at high-value national objectives such as military, political or economic intelligence.
4.) They are well-funded and well-staffed, perhaps operating with the support of military or state intelligence organisations.
They are more likely to target organisations of strategic importance, such as government agencies, defense contractors, high-profile manufacturers, critical infrastructure operations and their partner ecosystems.
An APT is considered a targeted attack; it relies on vectors such as drive-by downloads, SQL injection, malware, phishing and spam.
Looking back at 2011, targeted attacks exploiting zero-day vulnerabilities were potentially the most insidious of these attacks.
What are zero-day vulnerabilities?
A zero-day attack exploits an unreported vulnerability for which no vendor has released a patch. This makes such attacks especially serious because they are much more effective: if a non-zero-day attack gets past security, it can still be thwarted by properly patched software.
In 2011, Symantec found vigorous attacks against a vulnerability in Adobe Reader and Adobe Acrobat that lasted for more than two weeks. It peaked at more than 500 attacks a day before Adobe released a patch on Dec 16, 2011.
Nonetheless, 2011 had the lowest number of zero-day vulnerability attacks in the past 6 years.
Malware, or malicious (malevolent) software, consists of:
1.) Infectious type (virus, worm)
2.) Concealment type: Trojan horses, rootkits and backdoors
3.) Rootkits and backdoors
Some malware exists as a hybrid of these types.
By definition, a rootkit is a malware that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality.
Compared with trojans, rootkits are basically a more advanced type of trojan with the capability of evading detection, because they embed themselves in core operating system processes, for instance by modifying the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded.
Malware is propagated through three main channels: 1) websites, 2) removable storage such as USB drives and 3) email.
Apart from these, Border Gateway Protocol (BGP) hijacking was observed in 2011.
For instance, there was a case where a Russian telecommunications company had its network hijacked by a spammer. The spammer was able to subvert a fundamental Internet technology – the Border Gateway Protocol itself – to send spam messages that appeared to come from a legitimate (but hijacked) source. Since spam filters rely, in part, on blacklists of known spam senders, this technique could allow a spammer to bypass them.
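The hijack described above works because a router will accept a route announcement for someone else's prefix unless it checks the announced origin against what the prefix holder has authorised. The following is an added example, not code from the Symantec report or from this post, of the kind of origin check a network defender runs over a feed of announcements: it models an expected-origin table (the information an RPKI ROA carries) and flags announcements of a monitored prefix from the wrong origin AS, as well as more-specific announcements that would pull traffic away from the legitimate route. All prefixes, AS numbers and announcements are constructed for the example.

```python
"""
Added example (not from the Symantec report or the original post): a minimal
BGP origin-hijack monitor. It checks each announced prefix against an
expected-origin table modelled on an RPKI ROA (prefix, authorised origin AS,
maximum prefix length) and classifies the announcement. Everything below is
constructed: documentation prefixes, private-use AS numbers, sample updates.
"""
import ipaddress

# Constructed expected-origin table: prefix -> (authorised origin AS, max prefix length).
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, 24),
    ipaddress.ip_network("198.51.100.0/22"): (64501, 24),
}

# Constructed announcements as a route collector would see them: (prefix, AS path).
# The origin AS is the last element of the path.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64510, 64500]),       # legitimate
    ("198.51.100.0/22", [64510, 64501]),      # legitimate aggregate
    ("203.0.113.0/24", [64520, 64666]),       # same prefix, wrong origin AS
    ("198.51.100.128/25", [64520, 64501]),    # right origin but longer than max length
    ("203.0.113.128/25", [64520, 64666]),     # more-specific hijack, wrong origin
    ("192.0.2.0/24", [64510, 64502]),         # not in the table, nothing to say
]


def covering_entry(prefix):
    """Return the expected-origin entry that covers this prefix, or None."""
    for roa_prefix, (origin, maxlen) in EXPECTED_ORIGINS.items():
        if prefix.version == roa_prefix.version and prefix.subnet_of(roa_prefix):
            return roa_prefix, origin, maxlen
    return None


def classify(prefix_str, as_path):
    """Classify one announcement against the expected-origin table."""
    prefix = ipaddress.ip_network(prefix_str)
    origin = as_path[-1]
    entry = covering_entry(prefix)
    if entry is None:
        return "unknown"
    roa_prefix, expected_origin, maxlen = entry
    if origin != expected_origin:
        # A more-specific announcement wins longest-prefix match, so it diverts
        # traffic even while the legitimate route is still present.
        if prefix.prefixlen > roa_prefix.prefixlen:
            return "invalid: more-specific hijack"
        return "invalid: wrong origin"
    if prefix.prefixlen > maxlen:
        return "invalid: exceeds max length"
    return "valid"


def scan(announcements):
    """Classify every announcement; returns (prefix, path, verdict) triples."""
    return [(p, path, classify(p, path)) for p, path in announcements]


if __name__ == "__main__":
    for prefix, path, verdict in scan(ANNOUNCEMENTS):
        print(f"{prefix:20} origin AS{path[-1]:<6} {verdict}")
```

Only announcements whose prefix falls inside a monitored entry get a verdict; everything else is reported as unknown rather than invalid, which is the same distinction RPKI route origin validation makes. Path validation (whether the intermediate ASes are plausible) is out of scope for this check, so a hijacker that keeps the legitimate origin AS at the end of a forged path would not be caught by it.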
By category, the top 5 most infected websites are:
1.) Blogs & web communications.
2.) Hosting/personal hosted sites
3.) Business/ economy
4.) Shopping
5.) Education & reference.
Looking back at 2011, the following trends have been observed.
1.) Malicious attacks skyrocket by 81%
2.) Targeted attacks target everyone and rose steadily – 50% of attacks focused on companies with less than 2500 employees, and 18% of attacks were focused on organisations with less than 250 employees.
3.) Mobile phones under attack.
4.) Certificate authorities and transport layer security (TLS) v1.0 are targeted
5.) 232 million identities stolen
6.) Botnet takedowns reduce spam
Another interesting trend is polymorphism: by constantly varying the internal structure of a piece of malware, its authors make it much more challenging for traditional pattern-matching anti-malware to detect. This clearly intensifies the race between malware authors and vendors of scanning software.
Looking at recent updates, the following threats, APT or not, have joined the hall of fame of the most menacing:
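To make the pattern-matching problem concrete, here is an added example, not code from the Symantec report or from this post. A constructed, harmless "family body" is wrapped in a different single-byte XOR key per variant, so no two variants share a file hash or a stable byte sequence; a hash blacklist and a fixed byte signature built from one captured variant then miss the others. A generic-decryption check, which emulates the variant's own unpacking step before matching the invariant body, catches all of them. The scanner names, the key values and the sample bytes are all constructed for the example.

```python
"""
Added example (not from the Symantec report or the original post): why exact
pattern matching fails against polymorphic variants, and why scanners emulate
the sample's own decoding step. The "family" is a harmless constructed byte
string, not code; the encoding is a single-byte XOR so the effect is visible
in a few lines.
"""
import hashlib

# Constructed invariant body of the toy family (plain text, deliberately not code).
FAMILY_BODY = b"TOY-FAMILY: contact-beacon; persist; collect"


def make_variant(key: int) -> bytes:
    """Constructed variant: 1-byte header holding the key, then the XOR-encoded body."""
    return bytes([key]) + bytes(b ^ key for b in FAMILY_BODY)


# Constructed signature database, built the traditional way from ONE captured sample.
KNOWN_VARIANT = make_variant(0x5A)
HASH_BLACKLIST = {hashlib.sha256(KNOWN_VARIANT).hexdigest()}
BYTE_SIGNATURE = KNOWN_VARIANT[1:9]      # first 8 encoded bytes of the captured sample


def hash_scan(sample: bytes) -> bool:
    """Whole-file hash lookup: matches only the exact captured bytes."""
    return hashlib.sha256(sample).hexdigest() in HASH_BLACKLIST


def signature_scan(sample: bytes) -> bool:
    """Fixed byte-pattern match: matches only samples encoded with the same key."""
    return BYTE_SIGNATURE in sample


def generic_decrypt_scan(sample: bytes) -> bool:
    """Emulate the variant's own decoder (apply the header key), then match the
    invariant body. The key changes per variant; the decoded body does not."""
    if not sample:
        return False
    key = sample[0]
    decoded = bytes(b ^ key for b in sample[1:])
    return FAMILY_BODY in decoded


def evaluate(keys):
    """Detection count per scanner over variants built with the given keys."""
    variants = [make_variant(k) for k in keys]
    return {
        "hash": sum(hash_scan(v) for v in variants),
        "signature": sum(signature_scan(v) for v in variants),
        "generic_decrypt": sum(generic_decrypt_scan(v) for v in variants),
    }


if __name__ == "__main__":
    keys = [0x5A, 0x11, 0x7F, 0x00]
    for name, hits in evaluate(keys).items():
        print(f"{name:16} detected {hits} of {len(keys)} variants")
```

The hash and signature scanners each recognise exactly one variant (the one they were built from), while the generic-decryption scanner recognises all of them, including the degenerate key 0x00 where the body is not encoded at all. Real unpackers are far more varied than a one-byte XOR, which is why vendors moved to emulation, behavioural and reputation-based detection rather than relying on byte patterns alone.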
- Koobface
- OSX.Flashback.K
- Flamer
- Android.Opfake
- Gauss
- MiniFlame
- Malnet
- Gozi Prinimalka
Chapter 7: Essence of Personal Data Protection (PDPA) Act 2010 Malaysia
by Pagee Harpajan Kaur Khera and First Principles Sdn Bhd.
The Personal Data Protection Act 2010 (PDPA) was passed by Parliament in May 2010.
The Sun reported on Oct 23 2012, in the article ‘End to data abuse’ by Pauline Wong, that Information, Communications and Culture Minister Datuk Seri Rais Yatim had confirmed via SMS reply that the Personal Data Department has finally been set up and that the Act will be enforced by Jan 2013.
In a fully connected world where huge amounts of information are collected, manipulated, used and shared, personal data protection must be perceived as a basic right of the individual that deserves the full protection of the law.
The Act makes the manipulation of ‘personal data’ subject to legal consequences, but only in respect of commercial activities. It applies to all sectors of the economy, including healthcare, financial services, telecommunications, motoring, property and retail, and to human resource departments.
The act is however not applicable to the following 5 scenarios:
- Federal & states governments
- Credit reference agencies
- Data processed outside Malaysia
- Personal and family
- Non-commercial transactions
It is applicable to the following 7 activities which relate to personal data:
- Collecting
- Recording
- Holding
- Storing
- Organising
- Publishing on the Internet
- Making available
There are a total of 7 principles to take note of in the event of exemptions (when personal data protection is to be breached):
- General principle
- Notice and choice principle
- Disclosure principle
- Security principle
- Retention principle
- Data integrity principle
- Access principle
For example, in the event of crime prevention, the following principles must be upheld (at least):
- General principle
- Notice & choice principle
- Disclosure principle
- Access principle.
And depending on the 5 scenarios stated earlier, the exemptions consist of:
- Crime prevention/detection – partial exemption
- Offenders apprehension/prosecution – partial exemption
- Tax/duty assessment/collection – partial exemption
- Physical/mental health – partial exemption
- Statistic/research – partial exemption
- Court order/judgment – partial exemption
- Regulatory functions – partial exemption
- Journalistic/literary/artistic – partial exemption
- Personal and family – full exemption
Also, take note that in the event of a potential personal data breach, the data subject has the following 6 rights:
- Right to be informed
- Right to access
- Right to correct
- Right to withdraw consent
- Right to prevent processing likely to cause distress
- Right to prevent processing for direct marketing purposes
In the corporate sense, a director, CEO, COO, manager, secretary or other similar officer of the body corporate, or a person who was purporting to act in any such capacity, or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate, or was assisting in such management, may be charged severally or jointly in the same proceeding with the body corporate; and
if the body corporate is found to have committed the offence, he shall be deemed to have committed the offence unless, having regard to the nature of his functions in that capacity and to all the circumstances, he proves:
- that the offence was committed without his knowledge, consent or connivance; and
- that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence. (s.133)
The enforcement mechanism can consist of one or a combination of the following:
- Data protection commissioner
- Advisory committee
- Appeal tribunal
- Codes of practice
- Enforcement notice
- Prosecution
- Revocation of registration
Moving Forward
It is crucial that employee data be treated separately from customer/consumer data, with the human resource department performing its own assessment, reports and training, and handling the customer and human processes and operational issues involved.
Therefore, PDPA compliance should be implemented in phases, with employees given proper education on the rights and obligations stipulated by the Act.
First Principles Sdn. Bhd. proposed the following modules for PDPA education.
Module I – Awareness training
Module II – Initial risk assessment
Module III – Risk assessment workshops and formulation of PDP policy
Module IV – Implementation of PDP policy and compliance training
Module V – Compliance audit
Malaysian businesses are given only a 3-month period to become compliant with the Act.
Chapter 8: Embracing the consumerisation of IT to Enable Workplace Transformation
by Dr. Dzaharudin Mansor, National Technology Officer, Microsoft Malaysia
Industry experts agree that the term consumerisation of IT refers to the same trend as BYOD. It is not just about bringing your own device to work, or about mobile devices being as powerful as PCs for work; it is also partly driven by employees spending more and more working hours outside the office, a mobile workforce premised on the concept of social business.
By embracing the workforce and empowering it with the latest and greatest technologies, IT can help businesses unleash productivity, reduce costs and stay competitive. In fact, in a recent study, 83% of IT decision-makers welcomed this trend.
However, embracing this trend is not an easy task; a great deal of planning is a prerequisite.
Companies should evaluate how to ensure productivity anywhere while still protecting data, maintaining compliance and enabling adequate PC and device management. All this puts pressure on IT to provide compelling solutions for end users while maintaining a secure and well-managed environment.
There are two groups of enabling technologies when it comes to implementing consumerisation of IT.
1.) Cloud-based applications and services
2.) Desktop virtualisation
Challenges for enterprises
1.) Enabling a diverse set of devices and management of devices
2.) Operating system platforms
3.) Compliance
4.) Private cloud versus public cloud
5.) Security
Microsoft Solutions for enterprises
The best approach for managing consumerisation of IT depends on the types of device that IT is expected to manage.
1.) PCs and tablets
1.1) Using Windows Optimised desktop
The Windows Optimised Desktop combines Microsoft solutions for desktops through to data center management across physical and virtual environments. At the base level is client infrastructure, including Windows 7 as the desktop operating system, Windows IE 8 as the browser and MDOP.
The infrastructure for Windows 7 Enterprise and Windows Server 2008 R2 supports client features such as BranchCache and DirectAccess. In addition, through Hyper-V, it supports VDI environments.
Management tools in System Center and security technologies in Microsoft ForeFront support the client and server components. Management tools, such as System Center and MDOP, provide the security, access, and application optimisation tools for locally deployed systems, and for systems and applications that are hosted on-premises in the data center.
Features include application management, local data security, removable storage, backups, network access, network security,
1.2) Windows with Windows Intune
For organisations that do not have the resources or infrastructure to support the complete Windows Optimised Desktop strategy, Windows Intune can help deliver the management and security essentials.
Windows Intune is a cloud-based management solution that brings together Microsoft cloud services for PC management and endpoint protection with upgrade rights to Windows 7 Enterprise and future versions of Windows.
Using Windows Intune, IT can give workers the best Windows experience with the latest Windows-based operating systems and keep those PCs current and protected with the Windows Intune cloud service.
1.3) VDI (Virtual Desktop Infrastructure)
For devices that cannot provide the full Windows 7 experience and security environment, a VDI-based strategy can be deployed which enables secure access to a server-hosted, Windows-based desktop.
This approach is the most effective one for non-Windows-based portable computers and slates, such as Macintoshes, iPads and Linux-based netbooks.
However, the VDI approach can also be useful where employees bring their own Windows-based portable computers into the workplace. In this case, VDI is used to deliver a secure enterprise desktop, with all personal data and software being kept out of the corporate network.
2.) Smartphones
There are various ways to manage smartphones in the enterprise. For example, you can use Exchange ActiveSync to manage a wide range of Microsoft and non-Microsoft devices.
Exchange ActiveSync is a Microsoft Exchange synchronisation protocol that is optimised to work over high-latency and low-bandwidth networks – it is HTTP and XML based.
The common smartphone management or Mobile device management (MDM) requirements in the enterprise include :
- Remote device wipe
- Personal locking
- Idle time-out value
- Autodiscover settings
- Troubleshooting exchange
- Local data security
- Removable storage
- Backups
- Security
- User authentication
- Application management
- Device management
Microsoft has always been interested in delivering software that empowers people at work and at home.
Workers increasingly want to be able to use their own devices, such as tablets and smartphones, at work, and many are also prepared to purchase their own portable computer or other device as part of the consumerisation trend.
Hence, IT must be able to embrace consumerisation where it is appropriate, while minimising the risks associated with it – Microsoft can help!
Chapter 9: Social Business: Advent of A New Age
by IBM Institute for Business Value
Social business is about using enterprise social networking tools to improve the way organisations operate.
IDC predicts the emerging social platforms category, which includes enterprise social software products, will reach nearly $2 billion by 2014.
According to IBM, the definition of social business is that a social business embraces networks of people to create business value. It has three underlying attributes:
- Engaged – A social business connects people to expertise.
- Transparent – A social business strives to remove unnecessary boundaries between experts inside the company and experts in the marketplace.
- Nimble – A social business leverages these social networks to speed up business, gaining real-time insight to make quicker and better decisions.
The most effective approach to enabling a social business centers around helping people discover expertise, develop social networks and capitalise on relationships.
Ideally, the objective of social business is to enable organisations to become more efficient and better at managing information. It is not, however, about making more money out of social relationships.
An effective social business embodies a culture characterised by sharing, transparency, innovation and improved decision making.
Three technologies for social business adoption:
1) Social networking tools – for social communication, enabling quicker response to business opportunities and reciprocation with qualified expertise.
2) Data management tools – for security (i.e. DLP solutions) and compliance.
3) Business analytics – applying business analytics to unlock the potential of the information that emerges within a social network.
Case study
This case study explores the importance of optimising workforce through adoption of social business which seeks to empower employees with social communication. There are two trends driving organisations to adopt these capabilities.
1.) Millennials are entering the workforce – they are well versed in a social culture of sharing and transparency.
2.) More and more teams are geographically distributed
The subject of this case study is Sogeti; one of the world’s leading providers of IT consulting services and solution integration.
As it expanded across 15 countries, information silos made locating and collaborating with the vast expertise in the company difficult. Sogeti needed new ways to foster teamwork and peer communication among its many business groups and locations. To tie together over 20,000 people across 200 locations, Sogeti deployed an enterprise-wide social networking and collaboration platform for finding and leveraging expertise, knowledge transfer, close teaming across distances and sharing of best practices. Now, integrated multiple Active Directories provide a unified approach to identifying expertise wherever it may be.
Easier access to the tacit knowledge of others helps co-workers develop their skills, and fast identification of people’s skills supports efficient staffing with the right people for any project or mission. Together, accelerated knowledge transfer, better use of expertise and the ability to staff the right people quickly are preparing Sogeti to enter new markets. And being able to share rather than having to reinvent key processes is yielding significant savings in project start-up costs.
To get started, the following outlines a way to create a personalised social business agenda:
A – Align your goals and culture to be ready to become more engaging and transparent.
G – Gain social trust by focusing on finding your fans.
E – Engage through experiences with your clients and employees.
N – ‘Social’ Network your processes.
D – Design for reputation and risk management.
A – Analyse your data.
The report concludes that, due to market forces, the traditional hierarchical enterprise, built on rigid structures and compartmentalisation, will give way to a socially synergistic one premised on continually evolving communities and a culture of sharing and innovation.
In 2008, IBM shared a vision for a smarter planet, which aspires to maintain and improve quality of life through the use of technology. It serves as an opportunity to infuse intelligence into every system through which the world works. The IBM Smarter Planet initiative leads the way for social business adoption.
Chapter 10: 2012 State of mobility survey: Malaysia Findings
by Symantec Malaysia
Businesses adopt mobility to improve efficiency and increase workplace effectiveness.
Nonetheless, mobility comes with a price. Mobility often introduces unnecessary risks such as data leakage and security threats.
Globally, businesses are losing a significant amount of money to incidents relating to mobile devices – as much as USD $429,000 annually in the case of large enterprises.
Three significant findings were uncovered from surveys.
1.) Tipping point in mobility adoption.
The most important benefits of adopting mobile computing are increased efficiency, increased sales, and reduced time required to accomplish tasks. All these benefits can be categorised as business agility.
2.) Mobile initiatives significantly impacting IT resources
30% of IT staff are involved in some way with mobile computing. The top challenges are the cost and complexity of managing mobile computing, security, and supporting different platforms.
In terms of security, the top challenges are device loss, data leakage, unauthorised access and security threats.
Spam, phishing and malware were identified as the top security threats of mobile computing.
3.) Mobile risks impacting organisations.
Security threats are real and affect businesses of all sizes. Within the last 12 months, the average cost of these losses was a surprising US $247,000 overall, and US $183,000 in Malaysia.
Large enterprises and small businesses are largely experiencing the same kind of loss, but to a very different degree – globally, small businesses averaged US $126,000 of loss, while enterprises averaged US $429,000.
The average losses also varied widely according to region, from a low in Asia (US $199,000) to a high in Latin America (US $385,000).
These findings were compiled from a survey commissioned by Symantec to gauge how organisations are coping with the mobile computing trend.