Following is the speech by Mr Alan Wong Chi-kong, Director of Information Technology Services, at the Integrated Security Conference and Expo 2004 today (February 17):
Mr. Fung, distinguished guests, ladies and gentlemen,
Good morning. It is my pleasure to be invited to give the opening speech for the Integrated Security Conference and Expo 2004.
Over the past few years, Hong Kong has achieved significant results in the establishment of a secure and reliable environment for the conduct of electronic transactions. We will continue to improve our ICT infrastructure in order to sustain Hong Kong's capability as a leading digital city.
While we enjoy the convenience and benefits of conducting e-business, we must pay full attention to IT security at the same time. CIOs around the world have placed this issue high on their agenda for 2004. IT security managers and computer users should be well-prepared to deal with periodic and unexpected hacking, spamming or virus attacks. A single virus attack may trigger off bulk email spamming, causing widespread network congestion, or embed in the victims' computers Trojan codes that will open up backdoors for future intrusion. The new attackers may be equipped with even more sophisticated tools to disguise themselves and spread the virus even faster. As many of you will recall, the recent 'Mydoom' worm has infected millions of personal computers worldwide in a very short time.
To safeguard our information systems and assets, it is necessary to ensure that our software is up-to-date by applying the latest patches or upgrading them to the current version as appropriate. One of the common software vulnerabilities is the use of obsolete software. Normally, the developers will not provide new patches for obsolete software to deal with existing or future security deficiencies.
Spamming, defined as bulk unsolicited email, is becoming a grave concern. Worldwide, spam is estimated to comprise up to 50% of all e-mail traffic. A survey conducted by HKISPA last December indicated that half of the e-mail in Hong Kong was spam. Spam causes network traffic jams, and consumes bandwidth, memory and storage capacity. A damn nuisance. Spam could also be used as an instrument of computer crimes! In a number of reported cases, fictitious emails had been used to lure bank customers to visit fake websites and disclose their credentials. Some people were unfortunately cheated and money was illegally transferred out of their accounts.
Indeed, computer criminals are becoming more and more sophisticated. Recently, it was also reported that remotely controlled, tiny digital cameras installed at ATM points had been used to peek into account and access control information leading to unauthorized money withdrawal. The Hong Kong Police Force, the Hong Kong Monetary Authority and banks have taken the necessary measures to strengthen the security of their information systems, especially ATM points and websites, and alert the public to the risks concerned. For the prevention of cyber crimes to be effective, users should be more vigilant and verify the authenticity of the websites whenever they transact on the Internet.
Enterprises should regularly conduct risk assessments on their IT assets and implement appropriate measures to satisfy their security policies and requirements. IT security cannot be left to IT professionals alone. Users also play a significant part. A business continuity plan should also be made available and ready for use. Special attention should be given to those systems that are directly connected to the Internet or the wireless networks.
The advent of wireless technologies like GPRS and 3G has fuelled the adoption of wireless networks and mobile devices for communication and e-business. The number of wireless access points (hot-spots) has significantly increased in popular public locations. At present, mobile computing in business is taking off and users must be aware that wireless networks are fundamentally insecure for confidential information transmission. In collaboration with various information security associations and industry players, we have posted on the web information and advice on wireless LAN security strategies as well as related research findings and best practices for public reference.
With proper security management and technical measures in place, business disruption can be prevented or minimized, thus saving the time and money that would otherwise be required due to the occurrence of security outbreaks. Within Government, we have established a security management framework to ensure IT security by overseeing, facilitating and monitoring the formulation and updating of security policy and guidelines, as well as the implementation of security programmes by all offices and departments.
In September 2002, we set up the 'InfoSec' website (at www.infosec.gov.hk) that provides IT security information and free access to our published security policy, guidelines, procedures and best practices. The website has been well received by the general public. Besides posting relevant information on the Web, we also appeal to the public regularly for their attention to IT security and computer crime matters through radio broadcasts and TV programmes.
In addition, the Hong Kong Police Force and ITSD are working closely with the Hong Kong Computer Emergency Response Team/Coordination Centre (HKCERT/CC) to help the public handle cyber attacks. We also encourage the development of industry-specific information security standards that recognize the characteristics of different industries. On the feasibility of introducing audit mechanisms to certify information security standards for different industries, we are currently consulting various professional organizations and business associations.
IT has become the basis of many of our daily activities. We should equip ourselves with the necessary skills in order to handle effectively cyber attacks, computer crimes and other challenges. IT security technology can only be effective with the proper application by the users. Public awareness, education and adoption of good security practices are crucial in maintaining a secure and reliable electronic business environment.
I am glad to note that this conference has gathered a group of knowledgeable information security experts and professionals to share their valuable experience with participants. I believe you would value this opportunity and enjoy the presentations and discussion panels, as well as the chance to see the latest products and solutions on show at the Expo. I wish the organizing parties every success in this Integrated Security Conference & Expo Asia 2004!
Ends/Tuesday, February 17, 2004