Constant vigilance ensures information security
13 - 04 - 2003
The recent unexpected break from school coupled with the coming Easter holidays is likely to see an upsurge in young people's visits to cyber space. Parental guidance is most needed to ensure students get the most out of the Internet and avoid the many pitfalls awaiting them in the virtual world.
The more academically inclined will find a treasure trove of supplementary material, complete with motion and sound, on websites created by reputable academic organisations. Such sites will enhance their knowledge and scholastic achievements as well as encourage extra-curricular interests.
One of the most useful resources in helping parents to provide the necessary guidance can be accessed through the Information Technology Services Department's INFOSEC website (http://www.infosec.gov.hk), the department's Assistant Director, Mr John Wong Shak-chuen, said.
"Our department set this up as a one-stop portal to facilitate the public's access to various information security-related resources and updates," Mr Wong said. "It also gives specific advice to all comers on how they can upgrade their information security and the counter-measures they can adopt in case of a breach.
"As hackers sometimes take advantage of the holidays to launch their malicious programmes by concealing their viruses in festive greeting notes, parents should show their children how to guard against unauthorised intrusions into their system and ensure that they abide by the ethics and regulations on the proper use of computers and access to the cyber world on the Internet. They should surf the Internet with their children, alert them to the undesirable material on it and warn them not to divulge any personal particulars to any online contacts.
"Tips on Internet safety targeted at children, parents, teachers and commercial establishments are carried on the INFOSEC website. The site carries resources on keeping your computer virus free and secure, on filtering software, on enhancing information security awareness among the young and on what individuals and organisations can do to protect themselves against computer crimes in cyber space."
Mr Wong said the section geared towards parents and teachers covered, for example, keeping children safe on the Internet; keeping the computer virus-free; protecting personal computers, computer systems and networks; use of filtering software for home computers; and a presentation on information security and cyber crimes.
Other groups that can obtain relevant resources from the website include students, information technology professionals, and small and medium enterprises.
Stressing the need for everyone to act responsibly to ensure not just their own information security, Mr Wong said the highly interconnected nature of the information world meant we were dependent to a large extent on each other to assure the security of our data and systems. "For instance, while e-mail is becoming a common and efficient way of communication, it also poses potential threats to all it touches. And a likely tangible consequence to any laxity in our information security could be a costly negative impact on the conduct of our e-business."
According to a survey on information security among Hong Kong companies, jointly conducted by the Hong Kong Productivity Council, the Police and the Information Technology Services Department, financial loss resulting from computer crimes totalled $1.8 million in 2002, up from $1.5 million in the previous year, while the number of personal computers affected over the same period increased from 5,366 in 2001 to 5,460 last year.
"Although experts may regard such statistics as reflecting positively on our information security consciousness, considering that 62 per cent of our households, and 55 per cent of all establishments now possess personal computers, we should never let down our guard. This is crucial as we endeavour to create a secure environment for the continued expansion of e-business and e-government.
"On the whole, Hong Kong does enjoy relatively high information security. But we are also realistic enough to realise that it is well-nigh impossible to claim complete immunity against virus and hacker attacks and other untoward cyber incidents," Mr Wong said.
If information security-related incidents are encountered, assistance can be sought from the Hong Kong Computer Emergency Response Team Co-ordination Centre (e-mail: hkcert@hkcert.org; tel: 8105 6060), which handles reporting of security incidents, co-ordinates response and recovery actions, helps monitor and disseminate information on security-related issues, and provides advice on preventive measures against security threats.
Mr Wong said information security for enterprises and public organisations was a prerequisite for the development of e-business and e-government. "To this end, the Government has launched a number of initiatives. One that every local resident can relate to is the replacement of some 7 million identity (ID) cards with smart ID cards starting from mid-2003.
"The smart ID card employs sophisticated cryptographic techniques so as to protect users' data and to ensure that it cannot be fraudulently altered or accessed by unauthorised parties. It will provide a secure platform to facilitate the development of e-business and e-government.
"An optional feature for the new card is a digital certificate to be embedded in it. This will be offered free of charge for one year. The certificate will enable cardholders to conduct electronic transactions in a secure manner," Mr Wong said.
The legal framework regulating the conduct of online activities and e-business is spelt out mainly under the Computer Crimes Ordinance and the Electronic Transactions Ordinance. The latter aims to facilitate the use of electronic transactions for commercial and other purposes. It gives electronic records and digital signatures used in electronic transactions the same legal status as that of their paper-based counterparts. It also enables the Postmaster General to provide the services of a certification authority.
Including the first Recognized Certification Authority (RCA) established by Hongkong Post in January 2000, there are now four RCAs operating in Hong Kong, providing the public with the choice and flexibility of services to meet different e-business requirements.
They are the major components of an important architectural framework, the Public Key Infrastructure, established by the Government to enhance the security of electronic transactions. The department has also set up a website to help the public understand the concept:
http://www.info.gov.hk/digital21/eng/ecommerce/pki/pki.html
For safer computing practices, Mr Wong advised operators to take the following steps:
- Install anti-virus software and scan personal computers (PCs) regularly using the latest virus signatures;
- Scan all e-mail attachments, downloaded files, floppy discs and compact discs before use;
- Keep PC operating systems and software up to date with the latest security updates and patches;
- Perform online transactions only at reliable websites that offer security protection, such as the use of encryption, Secure Sockets Layer or Secure Electronic Transaction techniques;
- Choose passwords that are difficult for others to guess and change them regularly;
- Enable the password function for screen savers and power-on sequences; and
- Disconnect the computer from the Internet when it is not in use.
Equally important, Mr Wong advised against:
- Visiting suspicious websites or downloading files from doubtful sources;
- Opening or forwarding e-mails and e-mail attachments from unknown sources;
- Enabling automatic processing of e-mail attachments;
- Disclosing or submitting personal information unnecessarily;
- Using system default passwords;
- Saving login passwords into PCs; and
- Disclosing Internet accounts and passwords to others.
- END -