information and network security – security …

Post on 25-Nov-2021
Page 1: INFORMATION AND NETWORK SECURITY – SECURITY …

Let’s collaborate @ MTSFB!

Nicholas Ng, Vice Chairman, Trust & Privacy Sub Working Group, Security Trust & Privacy Working Group, MTSFB. 26 August 2021

INFORMATION AND NETWORK SECURITY – SECURITY POSTURE ASSESSMENT (SPA)

MCMC MTSFB TC G016:2018

Page 2

Presentation Outline

1. Background and Introduction
2. Objective, Scope & Structure
3. Benefits of TC
4. Requirements and The Summary of Each Clause
5. Challenges

Page 3

1. Background and Introduction

Page 4

BACKGROUND AND INTRODUCTION

• This technical code was developed by the Trust & Privacy Sub Working Group, which is supervised by the Security, Trust and Privacy Working Group under the Malaysian Technical Standards Forum Bhd (MTSFB).

• This technical code for Information and Network Security – Security Posture Assessment (SPA) was developed pursuant to section 185 of the Act 588 (Communications and Multimedia Act 1998) by the Malaysian Technical Standards Forum Bhd (MTSFB) via its Application Security Sub Working Group.

• Registered date: 15 Oct 2018

Page 5

THE TECHNICAL CODE

Title | Technical Code number | Registration date
Information and Network Security – Security Posture Assessment (SPA) | MCMC MTSFB TC G016:2018 | 15 Oct 2018
Information and Network Security – Security Posture Assessment (First Revision) | MTSFB2105R1 | Under development

Page 6

CONTRIBUTORS

• Celcom Axiata Berhad
• Kementerian Sains, Teknologi dan Inovasi
• Pejabat Ketua Pegawai Keselamatan Kerajaan Malaysia
• Provintell Technologies Sdn Bhd
• Telekom Applied Business Sdn Bhd
• Telekom Malaysia Berhad
• TIME dotCom Berhad
• Universiti Kuala Lumpur
• webe digital sdn bhd

Page 7

KEY CONTRIBUTORS

Page 8

2. Objective, Scope and Structure

Page 9

OBJECTIVE

• Support CMI organisations in planning and implementing a cost-effective, quality SPA programme.

• Support the technical vulnerability management requirement to regularly assess the cyber security risks, vulnerabilities and threats posed to critical infrastructure.

• Support information security assessors and auditors in managing a successful SPA programme.

Page 10

SCOPE

GENERAL REQUIREMENTS (Section 5): What you can do?

PLANNING REQUIREMENTS (Section 6 to 9): How to do it right?

QUALITY ASSURANCE REQUIREMENTS (Section 10 to 14): How to make sure it is right?

Y2021 TC revision is in progress

Page 11

3. Benefits of TC

Page 12

Benefits of TC

• TC G016:2018 Security Posture Assessment (SPA) Technical Code is developed for Malaysia's Communications and Multimedia Industry (CMI).

• The information provided herein is applicable to, and not limited to:
  - CMI service and technology providers;
  - Critical National Information Infrastructure (CNII) operators;
  - Application service providers;
  - Digital content providers;
  - ICT supply chain vendors;
  - ICT security professionals and information security auditors.

Presenter Notes
Note: At the time of TC development, the drafting team was referring to the International Standard ISO/IEC 22301:2012. ISO/IEC 22301:2019 was published the following year (2019-10).
Page 13

4. Requirements and The Summary of Each Clause

Page 14

Technical Code Structure (Y2018)

5. GENERAL REQUIREMENTS

PLANNING
6. ENGAGEMENT OBJECTIVE, SCOPE AND LIMITATION
7. SECURITY ASSESSOR QUALIFICATION
8. ASSURANCE OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY (CIA)
9. SECURITY POSTURE ASSESSMENT (SPA) PROGRAMME PLANNING AND MANAGEMENT

QUALITY ASSURANCE
10. PROJECT MANAGEMENT
11. REPORTING REQUIREMENTS
12. PROTECTION OF TEST DATA AND SECURE INFORMATION TRANSFER
13. COMPLIANCE TO LEGAL AND CONTRACTUAL REQUIREMENTS
14. VULNERABILITY CATEGORY AND RISK RATING

Page 15

(Figure from the GSMA 2020 Security Threat Landscape Report.)

Source: https://www.gsma.com/security/wp-content/uploads/2020/02/2020-SECURITY-THREAT-LANDSCAPE-REPORT-FINAL.pdf

Page 16

THE MAIN THREATS: SOFTWARE SUPPLY CHAIN ATTACK AND DATA BREACH

Source: https://www.gsma.com/security/wp-content/uploads/2020/02/2020-SECURITY-THREAT-LANDSCAPE-REPORT-FINAL.pdf

Page 17

GENERAL REQUIREMENTS (Section 5.0)

SPA PROGRAMME OVERVIEW

TECHNOLOGY SECURITY: Data Network and Telecommunication Infrastructure

PEOPLE AND PROCESS SECURITY: Security Configuration and Policy Compliance

Page 18

DATA NETWORK AND TELECOMMUNICATION INFRASTRUCTURE SECURITY ASSESSMENT

INFRASTRUCTURE PENETRATION TEST
• External Penetration Test (EPT)
• Internal Penetration Test (IPT)

APPLICATION SECURITY TEST
• Dynamic Application Security Test (DAST)
• Static Application Security Test (SAST)

CUSTOMER PREMISE EQUIPMENT (CPE) SECURITY TEST
• User interface;
• Authentication mechanisms;
• Network services;
• Communication security;
• Security configuration;
• Software/Firmware security;
• Hardware security;
• Cryptographic key management.

TELECOMMUNICATIONS AND SIGNALING TECHNOLOGIES SECURITY TEST
• Eavesdropping;
• Data/Signal tampering;
• Authentication mechanisms;
• ID spoofing;
• Denial-of-service;
• Cryptographic key management.

SIM AND SMART CARD SECURITY TEST
• Data tampering;
• Authentication mechanisms;
• Hardware security;
• Communication security;
• OS/Software security;
• Cryptographic key management.

Page 19

SECURITY CONFIGURATION AND POLICY COMPLIANCE ASSESSMENT

HOST OS CONFIGURATION AND VULNERABILITY ASSESSMENT
- Secured operating system configurations;
- Known vulnerabilities due to outdated system components;
- Physical security.

PERIMETER SECURITY DEVICE CONFIGURATION AND VULNERABILITY ASSESSMENT
- Secured operating system configurations;
- Access control, e.g. packet filtering policies;
- Communications security;
- Known vulnerabilities due to outdated system components;
- Physical security.

DATABASE SYSTEM CONFIGURATION AND VULNERABILITY ASSESSMENT
- Secured operating system configurations;
- Secured database configurations;
- Known vulnerabilities due to outdated system components;
- Physical security.

SECURITY POLICY REVIEW
- Security policies and procedures review;
- Security controls review;
- Gap analysis and areas for improvement.

Page 20

PLANNING REQUIREMENTS

6.0 ENGAGEMENT OBJECTIVE, SCOPE AND LIMITATION
• Define clear engagement scope and objectives.

7.0 SECURITY ASSESSOR QUALIFICATION
• Organisation experience and service records.
• Security Assessor qualifications and past experience.
• Conflict of interest avoidance.

8.0 ASSURANCE OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY
• Data protection and prevention of service disruption.

9.0 SPA PROGRAMME PLANNING AND MANAGEMENT
• Establish SPA Plan.
• Managing SPA Programme phases (Pre-Assessment, Assessment and Post Assessment).

Page 21

QUALITY ASSURANCE REQUIREMENTS

10.0 PROJECT MANAGEMENT
• Project team structure.
• Project manager qualifications.

11.0 REPORTING REQUIREMENTS
• SPA reporting requirements.

12.0 PROTECTION OF TEST DATA AND SECURE INFORMATION TRANSFER
• Prevention of data leakage, loss and modification.

13.0 COMPLIANCE TO LEGAL AND CONTRACTUAL REQUIREMENTS
• Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security.

Page 22

QUALITY ASSURANCE REQUIREMENTS

14.0 VULNERABILITY CATEGORY AND RISK RATING
• Define a risk rating methodology to effectively determine the risk level of the vulnerabilities identified in the SPA Programme.
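The following Python is an added example, not from the technical code or the presentation. It makes two of the summarised clauses concrete in one runnable check: the "known vulnerabilities due to outdated system components" item from the host OS assessment (Section 5, slide 19) and the risk rating methodology Section 14 asks an organisation to define. The package inventory, the advisory list (hypothetical ADV-* identifiers, not real CVEs) and the 3x3 likelihood x impact matrix are all constructed here for illustration; the TC prescribes none of them, and a real programme would substitute its distribution's advisory feed and its own agreed matrix.

```python
# Added example, not part of MTSFB TC G016:2018 or the presentation.
# One concrete form of "known vulnerabilities due to outdated system
# components" (Section 5, host OS assessment) plus one way to define
# the risk rating methodology required by Section 14. Inventory,
# advisories (hypothetical IDs, not real CVEs) and the rating matrix
# are constructed for illustration only.
from dataclasses import dataclass
import re

# Constructed inventory, in the shape of
#   dpkg-query -W -f '${Package} ${Version}\n'
INVENTORY = """\
openssl 1.1.1k-1
nginx 1.18.0-6
sudo 1.9.5p2-3
bash 5.1-2
"""

# Constructed advisories:
# (id, package, first fixed version, likelihood 1-3, impact 1-3)
ADVISORIES = [
    ("ADV-0001", "openssl", "1.1.1n-0", 3, 3),   # network-reachable, data exposure
    ("ADV-0002", "sudo",    "1.9.5p2-3", 2, 3),  # already at the fixed version
    ("ADV-0003", "nginx",   "1.20.0-1", 2, 2),
]

RATING_ORDER = ["Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Finding:
    advisory: str
    package: str
    installed: str
    fixed_in: str
    score: int
    rating: str


def version_key(version: str) -> tuple:
    """Turn a Debian-style version string into a comparable tuple: runs of
    digits compare numerically, everything else lexically. Adequate for the
    constructed data; a real assessor should defer to the distribution's own
    comparator (e.g. `dpkg --compare-versions`) because epochs and '~' carry
    special meaning there."""
    parts = re.findall(r"\d+|\D+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_inventory(text: str) -> dict:
    """Map package name -> installed version, skipping blank lines."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        installed[name] = version.strip()
    return installed


def rate(likelihood: int, impact: int) -> tuple:
    """Constructed 3x3 likelihood x impact matrix -> (score, rating)."""
    score = likelihood * impact
    if score >= 9:
        rating = "Critical"
    elif score >= 6:
        rating = "High"
    elif score >= 3:
        rating = "Medium"
    else:
        rating = "Low"
    return score, rating


def assess(inventory_text: str, advisories) -> list:
    """One Finding per advisory whose package is installed below the fixed
    version, ordered highest rating first for the report."""
    installed = parse_inventory(inventory_text)
    findings = []
    for adv_id, pkg, fixed_in, likelihood, impact in advisories:
        current = installed.get(pkg)
        if current is None:
            continue  # package absent on this host: nothing to assess
        if version_key(current) >= version_key(fixed_in):
            continue  # already patched
        score, rating = rate(likelihood, impact)
        findings.append(Finding(adv_id, pkg, current, fixed_in, score, rating))
    findings.sort(key=lambda f: (RATING_ORDER.index(f.rating), f.score), reverse=True)
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f.rating:8} {f.advisory} {f.package} {f.installed} (fixed in {f.fixed_in})")
```

On the constructed data the check reports openssl as Critical and nginx as Medium, and stays silent on sudo because it is already at the fixed version. The point for a Section 14 methodology is that the rating comes from stated inputs (likelihood, impact) and a fixed matrix, so two assessors rating the same vulnerability reach the same level and the report can show how each level was derived.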

Page 23

Y2021 REVISION

1. New technical definitions for Attack Surface Analysis, Intelligence Gathering and Threat Modelling.

2. Updated with new technical guidelines, approaches and methodologies – Section 5.2 Vulnerability Assessment and Penetration Test (VAPT) and Section 11 Reporting Requirements.

3. New technical references:
• Penetration Testing Execution Standard (PTES) Technical Guidelines;
• OWASP Web Security Testing Guide (WSTG), Version 4.2;
• Center for Internet Security, CIS Controls Version 8, CIS Benchmarks.

Page 24

Y2021 REVISION

Important dates:
• Public Comment exercise (1 month duration): Mid September 2021
• Submission to MCMC: November 2021

MTSFB2105R1 Information and Network Security – Security Posture Assessment (First Revision)

Page 25

5. Challenges and Conclusion

Page 26

Challenges and Conclusions

1. Industry experts and academic researchers in emerging technologies, especially 5G technology.

2. Support and participation of new team members, especially from CMI organisations.

3. Timely revision and update with the latest industry standards, guidelines and best practices.

Page 27

MTSFB / mtsfb_cyberjaya

Let's Collaborate