Investment in information security systems by local organisations and companies requires greater attention, and awareness among Vietnamese users about information security needs to improve.
Dangerous counterfeit software and applications that place viruses into mobile phones will continue to be a major threat for years to come as malware attacks on Vietnamese users occur with increasing frequency. Viruses are being implanted by counterfeit versions of popular apps like Instagram, Angry Birds and anti-virus software, and browsers like Firefox and Google Chrome. With a low level of awareness among users regarding information security protection, connecting smartphones and computers is no longer safe as the risk of a virus moving between devices is high, according to local security solutions provider Bkav.
Mobile e-banking services provided by both local and foreign banks have become hugely popular in Vietnam and provide a great deal of convenience to customers, but come with information security threats and potential financial losses for banks and customers. The more advanced technologies banks have introduced into their operating systems, the more cyber hackers consider attacking them a challenge. According to the Internet Security Threat Report 2014 (ISTR19) released by the Symantec Corporation, banking and finance, trade, industry and manufacturing are the most vulnerable sectors in Vietnam. Vietnam now ranks 12th on the list of countries facing the most cyber attacks. “Vietnam has jumped nine points compared to 2012 as the rapidly increasing number of internet subscribers and users who lack good cyber security skills lead to cyber systems being hacked,” said Mr Raymond Goh, Director for Systems Engineering, Asia South Region, at Symantec.
The Information Security Index prepared by the Vietnam Information Security Association (VNISA) and the Vietnam Computer Emergency Response Team (VNICERT) under the Ministry of Information and Communications in 2013 found results similar to the Symantec report. Last year saw Vietnam face a high risk of information security attacks with the goal of stealing information from organisations and companies, including transaction providers. The core of the problem is loopholes in websites’ systems, with many enterprises fixing their system after being subject to a spyware attack. “But most enterprises aren’t even aware they’ve been attacked and had important information stolen, and hackers just watch and wait until it’s the right time to attack,” said Mr Nguyen Minh Duc, Security Manager at the FPT Corporation’s Information and Technology Department.
Two major types of cyber attacks face enterprises and organisations in Vietnam: distributed denial of service (DDoS) and theft of sensitive or secret information of individuals and businesses. Many enterprises were the victims of DDoS attacks in 2011 and 2012. Hackers’ favourite method is to forge an email from a person in the targeted company and send files as attachments. Recipients unwittingly open these files, allowing malicious code to exploit holes in the Windows operating system to install spyware onto users’ computers. Hackers are then able to collect information and conduct destructive activities, like intervening in transactions with banking and finance institutions or e-commerce providers.
According to Dr Nguyen Chi Thanh, Director of the Institute of Information Security Technology under VNISA, hackers target victims primarily for financial reasons, and instances of leaders such as CEOs being hacked to collect secret company information are increasing. “IT and security staff at major companies have also been victims,” said Mr Duc from FPT. ICT enterprises like FPT are also primary targets of hackers, as well as financial and banking institutions. Aware of the need to invest in information security, FPT has built a comprehensive system covering servers, network infrastructure, equipment, security software, and security policies. “Most enterprises only fix loopholes in their systems after an attack has taken place, because they lack a professional security system,” said Mr Ngo Tuan Anh, Vice President - CSO at Bkav Security (Bkis). “Enterprises haven’t been proactive in quickly detecting and preventing cyber attacks.”
The Symantec report showed that Vietnam ranks 6th in malicious code attacks, accounting for 2.8 per cent of the global total. Its position with regard to spam has also risen, from tenth in 2012 to seventh in 2013, accounting for 5 per cent of the total global spam compared to 2.6 per cent in 2012. In terms of the volume of IPs joining botnet networks (which includes zombie computers hacked first and then attacking other computers), Vietnam jumped 17 spots in 2013 compared to its 23rd position in 2012. Bkav cyber security experts conducted research on measuring and assessing risks from website loopholes from July last year to February this year on 516 websites in 25 countries, including Vietnam. Vietnam was found to be among countries with security systems at the middle level in the region but at the low level globally. The proportion of vulnerable websites due to existing loopholes stands at 40 per cent in Vietnam, higher than in Asia as a whole, with 36 per cent, 33 per cent in Africa, 15 per cent in Europe, and 5 per cent in the Americas. “The results reflect the level of technological development and ICT applications in each region in the world,” said Mr Tuan Anh from Bkis.
In recent years the government has paid greater attention to building policies on information security, such as proposals approving the Law on Information Security, a project supporting organisations and enterprises in applying standards such as CMMI and ISO 27000, and a project training and developing human resources in information security by 2020. VNISA said that Vietnam’s information security index has improved significantly, with general cyber safety standing at 37.5 per cent in 2013 against 26 per cent in 2012. However, as cyber attack technologies are becoming more advanced, the risks and potential losses from high-tech hackers are immense. “The effect of attacks is immeasurable in terms of finance and brand, especially for large-scale organisations and companies, and the cost of these attacks could amount to more than ten-fold the initial inves