VOLUME 83, ISSUE 83

26 June 2018

Article of the Month

National Information and Cyber Security Strategy
 

Previously discussed topics:

1. Cyber Security Landscape in Sri Lanka

2. Overview of the National Information and Cyber Security Strategy

3. Thrust #2: Legislation, Policies, and Standards

4. Thrust #3: Development of a Competent Workforce
 

The fourth pillar of the strategy:

Thrust #4: Resilient Digital Government Systems and Infrastructure

Our Strategy
 

Sri Lanka has advanced rapidly over the past decade in developing various digital government initiatives. Multimillion investments made in various digital government initiatives have helped Sri Lanka advance from 101st (2008) to 79th position (2016) in the e-Government Development Index4. To date there are about 500 government websites and more than 50 e-services enabling citizens to obtain services through the Internet. e-Administrative applications have been developed by public organizations that maintain critical infrastructure, with the aim of increasing organizational efficiency and thereby providing better services for citizens. Lanka Government Network and Lanka Government Cloud provide the necessary digital infrastructure for e-services and e-administrative services.

Although digital government initiatives promise tremendous benefits for citizens and government, they also bring the threat of various cyberattacks such as malware infections, unauthorized access, and denial of service attacks. Cyberattacks on digital government services can cause significant disruption to public service delivery, and thereby destroy public confidence. Our citizens will not embrace digital government if their information cannot be kept securely in government systems. It is, therefore, essential to adopt appropriate strategies to ensure the security of digital government systems and critical information infrastructure.
 

 

Our Initiatives

4.1. Information and Cyber Security Risk Assessments

4.1.1. We will conduct a survey to identify the organizations (both private and public) that maintain critical information systems. An inventory of organizations shall be developed based on the criticality of the information infrastructure maintained by each organization.

4.1.2. We will support relevant stakeholders in conducting information and cyber security risk assessments to uncover weaknesses and vulnerabilities in digital government systems and infrastructure, and in prioritizing and implementing appropriate security controls to mitigate the identified weaknesses.

4.2. Security Policy for Organizations that Maintain Digital Government Systems

We will support the organizations maintaining digital government systems and the organizations maintaining critical infrastructure in developing and implementing an Information Security Policy based on international standards.

4.3. Digital Government Infrastructure Protection Unit

4.3.1. To effectively defend digital government systems and infrastructure from emerging threats, we will set up the Digital Government Infrastructure Protection Unit under NICSA. This unit will be responsible for detecting and analyzing cyber threats and vulnerabilities, disseminating cyber threat alerts, and coordinating incident response activities.

4.3.2. We will coordinate multi-sector cybersecurity exercises with the involvement of this unit. Through these exercises, we aim to identify vulnerabilities arising from cross-sector interdependencies and stress-test coordination and communication across sectors.

4.4. Awareness and Capacity Building of Staff Working with Digital Government

4.4.1. It is widely believed that Sri Lankan public officers' awareness of information and cyber security should be improved. We will, therefore, first conduct information and cyber security readiness surveys of public sector employees periodically to assess their readiness to work in a digital government environment.

4.4.2. In line with the Competency Framework, CIOs and technical staff working in the digital government environment will be empowered with appropriate skills and knowledge in information and cyber security.

4.4.3. As per the Information and Cyber Security Competency Framework (Thrust Area 3), we will conduct information and cyber security awareness activities across all levels of government staff.

4.5. Chief Information Security Officer and Information Security Officers

4.5.1. We will work with the Department of Management Service to establish a “Chief Information Security Officer” position in the public service, which will be the highest-level position in the information and cyber security domain in the public service.

4.5.2. Depending on the usage of ICT systems at public organizations, we will appoint Information Security Officers for government organizations and develop their capacity through comprehensive knowledge building exercises.

4.6. Security-by-Design in Digital Government Systems Development

4.6.1. Security-by-Design is a best practice that can be adopted to secure digital government systems up front and throughout their life cycle. By integrating risk assessment into the system development life cycle, trade-offs between security, cost and functionality can be balanced. We will encourage solution developers to incorporate security-by-design principles when developing digital government systems and digital infrastructure.

4.6.2. We will work with the National Procurement Commission of Sri Lanka to incorporate such conditions into standard government bidding documents.
 

To be continued.

Invitation to Public Comments on Cyber Security Strategy. Please add your thoughts here:

 

By:

Dr. Kanishka Karunasena,

Research and Policy Development Specialist, Sri Lanka CERT

References

1. Statistics on the Internet growth in Sri Lanka, http://www.trc.gov.lk/images/pdf/statis_sep_2012.doc
2. The Dragon Research Group (DRG), http://www.dragonresearchgroup.org/
3. TSUBAME (Internet threat monitoring system) from JPCERT|CC, https://www.jpcert.or.jp/english/tsubame/
4. Shadowserver Foundation, http://www.shadowserver.org/wiki/
5. Team Cymru, http://www.team-cymru.com
Around the World

Apple removes iPhone USB access feature, blocking out hackers, law enforcement

"...Apple said an upcoming iOS software update will remove the infamous iPhone USB access feature, blocking out both hackers – and law enforcement – from accessing a locked phone’s data via the device port.

Apple confirmed that new upcoming default settings will disable the iPhone’s Lightning port, its charging and data port, an hour after the iPhone has been locked....."

 

Google lays groundwork for secure offline app distribution

  

"...Google will start adding security metadata to Android application packages (APKs) distributed via Google Play, so that users with limited internet access can check whether the apps they get via peer-to-peer app sharing are legitimate

The move, announced late last year, is part of a wider push for improving app security and will surely benefit a lot of users....."

Eyes Closed in Photos? Facebook AI Can 'Open' Them

'...Say Cheese! Click! It's a common problem with having your photo taken: Your grin is wide but your eyes are shut tight as soon as the flash goes off.

A pair of Facebook engineers have developed a solution to this common annoyance, an artificial intelligence tool that can open closed eyes in photographs, Mashable reports.

The Facebook engineers revealed the details of how they developed the tool in a research paper released this week.....'

New Telegram-abusing Android RAT discovered in the wild

'...ESET researchers have discovered a new family of Android RATs (Remote Administration Tools), that has been abusing the Telegram protocol for command and control, and data exfiltration.

Investigating what at first seemed like increased activity on the part of the previously reported IRRAT and TeleRAT, we identified an entirely new malware family that has been spreading since at least August 2017. In March 2018, its source code was made available for free on Telegram hacking channels, and as a result, hundreds of parallel variants of the malware have been circulating in the wild......'

Here comes BYOSD (bring your own smart display)

  

'....A smart display is like an Amazon Echo- or Google Home-style virtual assistant appliance, but with a screen that can show visual results, rather than just spoken ones, and facilitate video calls.

Right now, the only smart displays you can buy are Amazon’s creepy Echo Look, an appliance whose main function is to watch you get dressed, and the Echo Spot, which looks like a bedroom alarm clock with a tiny screen...'

Month in Brief

[Chart: Facebook Incidents Reported to Sri Lanka CERT|CC in May 2018]

[Chart: Statistics - Sri Lanka CERT|CC]

Tariff war of words with China resulting in cyberattacks against the U.S.

'...President Trump's threat last week to place additional tariffs on Chinese made goods have not only led to counter threats being made by China's leadership, but Stealthcare CEO Jeremy Samide believes the trade situation has spurred China to launch cyberattacks against the United States.

The attacks Samide's firm detected and attributed to China came from the LuckyMouse group, also known as Emissary Panda or APT27. These were found pushing a new malware strain based on the HyperBro Remote Access Trojan (RAT). Another incident involved an espionage campaign dubbed MirageFox, attributed to APT15, also known as Vixen Panda, Ke3chang, Royal APT and Playful Dragon....'

Official La Liga App Caught Spying on Users to Detect Illegal Match Broadcasts

"...La Liga, the official app of the Spanish football league, has been caught snooping on Android users by tracking their GPS location and listening to their surroundings with the built-in microphone.

The purpose? To detect illegal match broadcasts and prevent those without a license from making money with La Liga matches.

As weird as this may sound, the surveillance campaign, which the league swears was introduced on June 8, spies on users exclusively during match times in an attempt to detect whether locations like bars broadcast games without a license...."

Google Will Make Biometric Authentication Mechanisms in Android P More Secure

“...Google announced today that it plans to improve existing biometric authentication mechanisms available in its Linux-based Android mobile operating system in the upcoming Android P release in an attempt to offer users better security and privacy.

As biometric authentication mechanisms like fingerprint scanning and face unlocking are becoming more and more popular among Android users, Google has to make them more secure and improve them to offer users better privacy. The company announced today that it plans to define a better model to measure biometric security......”

Employee negligence still poses major security concerns

"...With one-third of working adults in the U.S. admitting to potentially risky behavior at work, employee negligence poses major security concerns for U.S. businesses, according to a Shred-it survey conducted by Ipsos.

When assessing the cause of data breaches, the report found that employee negligence or accidental loss is a main cause. Nearly half of C-Suite Executives (C-Suites) (47 percent) and Small Business Owners (SBOs) (42 percent) reported that human error or accidental loss by an employee was the cause of a data breach. ...."

Notice Board

Training and Awareness Programmes - June 2018

Date    Event    Venue