Friday, August 25, 2006

Does .gov.my take security as a concern?

We have MyCERT, GCERT and all kinds of CERTs, which for sure indicates Malaysia Boleh! However, I would like to ask again: does the Malaysian Government take internetwork security as one of its primary concerns?

I don't have to mention any, but after working in the network security field for quite some time, I have figured out that our Government generally does not take this virtual world for real.

- The Government internetwork is considered decentralised; it is not actually fully managed and monitored. Outsourcing is a seriously bad idea for a network that contains critical data, unless you find a promising and respectable vendor.

- This is a joke: while I found it amusing, hackers found it an easy target. Many .gov.my sites are built upon a Content Management System. It is fine to deploy a CMS, but without proper patching and update management, it can be a total screw-up.

- No strong policy enforcement - Yes, you can install anything on your laptop and bring it to work even if you are working for .gov.my. On the other hand, you can't count how many rootkits & viruses reside happily in the .gov.my network.

- No human education - Impersonating is a good way to gain access to .gov.my; it works all the while since no one is educated about cyber threats, even those who work closely with .gov.my.

- Faulty implementation & deployment - No DMZ, no network screening and no strong network control. What can I say about this? If you don't build a defensible network, blame yourself for intrusions and extrusions.

I'm not representing any party, and I'm not ranting (I don't think I am); I'm just trying to figure out and criticize what I see as unnecessary. Pointing out the weaknesses can lead to correctness. I'm not someone who works for the government; I'm just here pointing out all the risks that we have encountered.

While our country is on the way to establishing the Multimedia Super Corridor (MSC), surprisingly security is not being made a main concern. Do they need to rethink it?

Electronic Government, I hope this is not a joke.

Peace :]

3 comments:

Anonymous said...

I don't think the gov doesn't take security as a concern. I work in ICT security also and deal with many gov agencies; they still take security as a big issue. But not all agencies. Big agencies like MAMPU etc. take this ICT security seriously. Just my 2 cents. :)

Anonymous said...

I think that MCMC supporting the event that you're training at should tell you that not all gomen departments are the same. What I can see from the past is that MCMC and MAMPU are taking security seriously. At least they are aware of the threats.

C.S.Lee said...

They do, but not all of them. Remember, it is still more of a state implementation here. I think the Government should come out with a standard guideline that all the departments need to follow when it comes to implementation. Maybe they should have ISO for that too.