I just read an article in The Star that touches on information security and our government. Okay, regular readers will know that I just have to say something when our government decides to dabble in technology. I shall quote two portions of the article.
"He said the Cabinet decided on Feb 24 that these agencies must obtain the Information Security Management System (ISMS) certification within three years to ensure that they were ready to face cyber threats and attacks."
What this means, once it has passed through my BS filter, is: our Cabinet has mandated that certain agencies must now spend some money to enrich certain parties in order to hire security consultants, conduct security training, hold security certifications and whatnot. This might be a good opportunity for certain applied research institutes, which shall remain nameless, to get a slice of the pie and provide secure infrastructure to these agencies.
Any certified information security professionals should start picking up the phone and making calls to their friends, and friends of friends, to secure contracts to provide security training. Unfortunately, it seems that all the pie is going towards one security agency – CyberSecurity Malaysia – who are our local agents for various international security certifications and training.
"CyberSecurity Malaysia chief operating officer Zahri Yunos said the most worrying threat was distributed denial of service (DDOS) attacks."
This almost made me fall off my chair in Secret Recipe. I know for a fact that this is not the most worrying security threat faced by our government, or any other large organisation for that matter. A DDoS attack is the most basic of all potential threats and the solutions to handle the problem are already widely known – all it takes is more money as the solution is an arms race between attacker and defender.
The most worrying threat to all security systems is internal – human beings. All major technology companies take great pains in locking information down. Anyone who has worked in a major technology company will have stories about glued USB ports, removed CD-writers, restricted network access and more. Some organisations even fire employees who bring in mobile phones and cameras.
So, I think that it is scary for the COO of CyberSecurity Malaysia to talk that way. Granted, he’s not the CTO, but maybe he should have picked up a little about security from his colleagues before mouthing off.