Following is the speech by Mr Alan Wong Chi-kong, Director of Information Technology Services, at the Information Security Showcase today (June 2)(English only):
Mr Yeung, distinguished guests, ladies and gentlemen,
Good Morning! I am very glad to be invited to officiate at the opening ceremony of the Information Security Showcase 2004.
The Hong Kong SAR Government (HKSARG) places great emphasis on securing the e-commerce environment of Hong Kong. We have done a lot to strengthen our information security infrastructure, inspire public confidence in electronic transactions locally, and help Hong Kong companies compete globally. Today, many government departments and business enterprises offer their goods or services over the Internet, and there is clear indication that more and more people use the e-options which have the advantage of being available round the clock, throughout the year, and accessible from almost any city in the world.
To minimise the risk of disruption to the delivery of electronic services, the Government has implemented a wide range of measures to guard against various types of cyber attack such as worms and viruses, hacking, spamming and computer crimes. The technologies we deploy include firewalls, anti-virus software, intrusion detection systems and other defensive mechanisms to monitor, detect and block suspected and potential attacks on our computer networks and systems. We also have management and control systems in place to ensure that program patches are applied properly to plug software vulnerabilities as and when they are discovered.
I would like to share with you our observations on some of the common threats to computer systems and users. First, virus and worms. Until the end of the 1990s, computer viruses were comparatively milder and easier to tackle. They corrupted data, displayed irritating screen messages and only occasionally paralysed the computers. Recovery from a virus attack was relatively easy then. Today, viruses are more ferocious and destructive. They penetrate network firewalls in many ways, multiply themselves and propagate at great speed. They search the address books of the victim computers, put on false identity to dispatch harmful emails to the victim's friends, and paralyse the computer and network services. For example, the recent attacks launched by Mydoom, Netsky, and Sasser had each affected millions of computers globally in just a few days, causing tremendous disruption, productivity and financial loss (amounting to billions of dollars). The time between the emergence of a software vulnerability in cyberspace, and the exploitation of that vulnerability to cause damage to computer systems, can be as short as 2 weeks. In some cases, computer users have only 24 hours to apply patches. Hence, it is necessary to have a highly effective and disciplined patch management policy and system in place.
Second, spams. Until recently, spam emails were mainly advertisements or propaganda material. Now spam emails are generated and sent out by automated tools in large quantity. Some of them spread viruses, congest network traffic or even facilitate cyber crimes such as phishing (to lure careless Internet users to divulge their credential information). The Government is reviewing the problem of spamming and a public consultation exercise will be conducted shortly.
Third, Spyware. Spyware has received a great deal of attention from CIOs, the industry and the mass media recently. Spyware is software that sits inside computers without the user's knowledge, let alone consent, and can be controlled remotely by the spy. Not all spyware is offensive, e.g. when it is deployed in automated remote system incident reporting and remedy, or in an intrusion detection system. However, spyware of the malicious kind may contain virus or hacking codes that try to leak out information to other parties without the owner's knowledge, or to steal credit card information, make illegal payments or fund transfers. Besides installing security systems, it is advisable to use only software of reliable sources. Don't use pirated software!
In recent years, the use of wireless LAN and mobile devices is increasingly popular. While enjoying the convenience of the wireless technology, the use of mobile devices entails a different kind of security risk. For example, it is known that some intruders have found ways to bypass certain common security standards such as WEP or IEEE 802.11, and eavesdrop the transmission of mobile phones using blue-tooth devices. Using the factory settings, or not properly configuring the access points, will also expose data transmission especially when sending sensitive information. Users are advised to employ the appropriate authentication, encryption and transmission technologies when using mobile devices.
To safeguard our information systems and to minimise the risk of disruption to the delivery of services, it is advisable to formulate a set of security policy, guidelines and good practices, covering such measures as applying software patches, upgrading obsolete software, performing periodic back up, security review and audit, implementing quality management to ensure that the software or service in use are matching the security requirement of the business. Moreover, it is important to continuously educate staff on security matters and require them to take proactive action against potential cyber security attacks.
Indeed, user education on information security plays a key role for the success of building a secure e-business environment. The Government has been doing a lot of work to promote public awareness of information security. Users may access the InfoSec web site to obtain security related information and relevant updates. We have produced publicity posters, information leaflets, and various TV informtainment programs and radio education series to widen the coverage of public education on information security. In addition, we also work regularly with various concerned bodies such as the HKPC to organise exhibitions, seminars and conferences addressing the needs of different sectors, i.e. large corporations, SMEs and the general public.
To combat cyber attacks requires the concerted efforts of the community. We have to be on the alert constantly and learn more about information security from time to time.
Finally, I would like to congratulate the HKPC for successfully staging this important event once again, which provides an excellent opportunity and platform for industry players and security experts to exchange views and help the community address their information security needs. I wish the Information Security Showcase 2004 every success.
Ends/Wednesday, June 2, 2004