Welcome Speech by Mr. Stephen Mak, Deputy Government Chief Information Officer at the 5th Info-Security Conference 2004
07 - 07 - 2004


Distinguished Guests, Ladies and Gentlemen,

Good morning! I have great pleasure in being invited to deliver the welcome speech for the 5th Information Security Conference 2004. Riding on its past success, this conference has become an important forum for IT professionals and industry players to exchange views and share knowledge and experience on best practices in information security.

Since the turn of the 21st century, the use of ICT has penetrated every facet of our daily lives and changed the way we do business. The electronic mode of disseminating information and performing transactions is now a commonly available channel for providing customer services, both in the private sector and in government. To name a few e-Government services, the electronic filing of tax returns and appointment booking for renewing the Hong Kong smart ID card should sound familiar to you. According to a recent survey conducted by AC Nielsen, about 70% of Hong Kong Internet users have used e-Government services. To give you a better idea of what this means: the Government's Electronic Service Delivery Scheme, delivered through the ESDlife portal, is currently processing some 190,000 transactions a month.

Indeed, the electronic channel is a more convenient and efficient option. Taking advantage of its anytime, anywhere characteristics, there is ample opportunity to extend e-Government services and bring more benefits to citizens and businesses at large. In order to encourage more use of electronic transactions, it is important that our service consumers have confidence in, as well as a preference for, adopting electronic means in their daily activities wherever applicable. In fact, the HKSAR Government has made great strides in establishing a robust ICT infrastructure and is continuously enhancing it to provide a secure, reliable, dynamic and competitive business environment for electronic transactions.

In the cyber world, there are always good guys and bad guys. The bad guys propagate computer viruses, worms and spam e-mails to contaminate the Internet and to infect, congest or corrupt networks, servers and workstations. As if these were not enough, they hack into computer systems by exploiting software vulnerabilities, implanting Trojan Horse code, or employing fake websites to deceive recipients into leaking sensitive or personal credential information, and they go on to commit various cyber crimes. The problem of cyber attacks has become a high-priority daily concern for law enforcement agencies, IT professionals, computer users, system owners and developers, and in fact all of us. Consequently, information security management has become critically important.

I will use two common information security threats, namely computer virus attacks and e-mail spamming, to highlight the importance of information security management.

Since the first PC virus was found in 1986, the number of viruses discovered has continued to grow at a shocking rate. Last May (in 2004), it was reported that 959 viruses were found on the Internet, more than the total number found in the preceding 30 months. On a yearly basis, 2,636 new software vulnerabilities were documented during 2003, i.e. roughly 7 per day, of which 70% were easily exploitable. If you remember the recent "Sasser" worm attack, you will agree that even a single attack can bring chaos and big losses to businesses worldwide.

"Sasser" was reportedly created by a boy who had just turned eighteen, yet the worm hit 18 million PCs worldwide within only a few days. It caused serious network congestion and system outages globally. There were even reports that some flights had been suspended due to network and system failures resulting from the attack. The estimated damage done by "Sasser" was as much as US$500M.

People are also concerned about the shrinking time lapse between the reporting of a software vulnerability and the spreading of the corresponding exploit code. It is also worrying that, by abusing the good intention behind reporting vulnerabilities, attackers can launch exploits more easily, and the potential for zero-day attacks in the near future is not overstated. Worse still, hackers can issue fake reports to trick good users into doing something unwise, thus unknowingly providing openings for further malicious intrusion. Computer users must be vigilant at all times against potential virus attacks and foul play. Although computer users can install anti-virus solutions that automatically apply updates to ensure that the latest virus protection is in place, there is still the risk of loopholes for which no patch exists, or of genuine vendors sometimes releasing faulty patches that do more harm than good.

Clearly, patch management is no longer an ad hoc process, but must be performed consistently. The Carnegie Mellon University Computer Emergency Response Team/Coordination Center has advised that proper patch management can help installations avoid as much as 95% of network intrusions. Patch management involves policies, procedures, patch selection to avoid unexpected disruption, testing, system monitoring and risk assessment. Some companies are also beginning to take a more proactive approach to preventing IT security attacks, e.g. by finding and fixing their own vulnerabilities before malicious code and hackers find them. Other companies immediately isolate suspected machines from their main network until the problems are fixed.

E-mail spamming is another headache for computer users, and has become a significant overhead for IT operations. It is reported that about 75% of e-mail traffic is spam, and that dealing with it costs about US$2,000 per employee annually. As this overhead cost will continue to rise, different measures are required to control the problem. In particular, virus-infected spam e-mails carrying falsified sender addresses can easily deceive recipients and do much harm. The ability of spammers to masquerade their identities over the Internet is a blow to our effort to continuously enhance the trustworthy environment that helps people participate in e-commerce with confidence.

Increasingly, Internet scams are making use of fake e-banking websites in their "phishing" activities. "Phishing" is now the fastest-growing form of theft. By sending spam e-mails, scammers have succeeded in luring victims to access fraudulent websites or web pages and then inadvertently disclose credential information, leading to the illegal transfer of money or the disclosure of other sensitive information assets. For example, the estimated loss of money due to cyber cheating in the past 12 months by one major credit card company was US$2.4 billion.

Not too long ago, a 30-year-old engineer was arrested for the suspected creation of the Peep Trojan, which was used by hackers from mainland China to steal government documents and other sensitive data. Another well-known case is the sentencing of a man known as the "Buffalo Spammer" by a New York court to 7 years' imprisonment for 14 counts of identity theft and forgery. The spammer was said to have operated 343 e-mail accounts under a variety of false names from early 2002 to May 2003 and to have sent out 825 million spam messages. A number of major IT service providers in the US are also taking legal action against more than 100 spammers who falsified e-mail addresses to hide their identities and used open proxies on innocent third-party computers. Notwithstanding this, the amount of spam e-mail received by computer users worldwide is still climbing dramatically.

To help combat spam e-mails, computer users may install effective e-mail filters and exercise discipline in their use of e-mail. Some organisations are beginning to take proactive steps to prevent, or even track down, potential intruders or criminals as soon as the suspects appear on their websites. While we continue to raise public awareness and education in IT security, the HKSAR Government is carefully reviewing the problem of spamming, and the Office of the Telecommunications Authority initiated a public consultation exercise last month.

IT security is not just a fire-fighting activity. From expert advice and the cases cited above, it is obvious that the development of a secure and reliable e-community requires the concerted effort of everyone, because we all play a critical role in ensuring the security of our network and system assets. It is no exaggeration to warn that one bad user can easily subvert the best security we put in place. Therefore, besides installing protective measures, it is important that we also accord high priority to promoting IT security awareness, education and ethical practice among our staff and the public. The Government has been pursuing a range of initiatives in these areas.

The InfoSec website has been set up to facilitate public access to information security related information and current updates. Companies can also find relevant advice on protecting their business IT infrastructure, as well as useful references that include a sample security policy and management framework and technical guidelines for implementing IT security solutions. In addition, we have launched a new series of radio education programmes to remind businesses and citizens about software vulnerabilities and preventive measures in their daily use of IT.

There is no doubt that a better understanding of information security not only enhances protection against, and deterrence of, security violations, but also helps accelerate e-commerce. I am glad to see that the 5th Info-Security Conference has again garnered the support of a large number of reputable industry players and has provided an effective forum for promoting IT security to the community. I wish the conference a major success.

Thank you.



- END -