Mr Vu Quoc Khanh, Director of the Vietnam Computer Emergency Response Team (VNCERT) under the Ministry of Information and Technology, tells VET's Ngoc Anh about the steps taken to prevent or resolve information security errors.
What does VNCERT do when information security errors are identified? How should banks and e-commerce websites react to alert their customers and fix these errors quickly and effectively?
The first thing we do is verify information on any errors, which can come from international organisations,
|Mr Vu Quoc Khanh, Director of the Vietnam Computer Emergency Response Team (VNCERT)|
information security experts or information security systems providers. Internationally, when errors are discovered, software manufacturers are notified so they can provide updates to correct them. Errors are then officially announced to the public, as it would be dangerous to announce the errors prior to updates being provided.
VNCERT keeps track of information relating to security errors and assesses the potential impact on banks, international organisations, and State offices. We immediately check whether a security error actually exists, how significant it is, and the risk it poses, and then provide warnings and recommendations.
Normally VNCERT will notify the public via different channels, such as the media and the national computer troubleshooting network, whose members include localities, ministries, and enterprises. When discovering or being informed about information loopholes or errors, experts, managers, technical staff and bodies such as banks, enterprises, organizations or State offices should report the matter to VNCERT so that we can share this information.
When receiving notifications and warnings from VNCERT about loopholes or security errors and the solutions to fix them, these bodies are responsible for immediately implementing those solutions. In particular, if the errors affect customers or other enterprises they must also be notified. In the recent OpenSSL HeartBleed case, it was important for banks and online payment gateways to make contact with customers or other enterprises, regardless of whether they were affected or not.
It’s important to have a quick response, but providing information to resolve any problems is also crucial.
Is there any way to alert banks when security errors are about to occur?
There are different ways to alert banks about security errors, such as the media, which banks can monitor themselves. There are also separate, internal alerts. These alerts are not announced to the public and are only sent to bodies such as banks, State offices, and enterprises that have security errors or are members of the national computer troubleshooting network.
Banks in Vietnam will receive warnings via two channels, either from the central bank or from their own computer troubleshooting teams. Normally our notifications are sent to banks via an official dispatch from the central bank, so it may take several days for banks to handle any problems.
We suggest that banks establish their own computer troubleshooting teams (or departments or specialised teams relating to computer troubleshooting) and join the national computer troubleshooting network. When they are part of the network they will receive notifications and technical information regularly and we can directly send them notifications via email whenever any problems on information security occur. This will help them to troubleshoot the problem faster.
How should enterprises in general and banks in particular invest in information security in order to prevent hacking attacks?
To prevent hackers from attacking information data, we have to know how they attack. Therefore, we must check and evaluate our systems to determine strengths and weaknesses in order to protect the weaknesses according to national and international standards.
Vietnam follows several standards in information security, such as the ISO/IEC:27000 group of standards. Some standards in this group have been issued by the Directorate for Standards, Metrology and Quality to all enterprises and organisations, while others may be issued in the future. There are also other standards relating to information security, some of which may be accepted as international standards. Enterprises can therefore consider implementing and applying standards that are suitable to their needs, based on reviewing and evaluating their systems.
Each security system has different requirements regarding the frequency of checks and reviews, depending on the level of security needed and sensitivity and importance. For common systems, security should be evaluated at least annually, while more important systems should be reviewed every three or six months.
How would you assess the efficiency of warning systems from service providers on the risk of being attacked by hackers?
Around the world there are providers that send alerts regarding information security issues. But it is very difficult for these services to be effectively applied in Vietnam. Firstly, because such services cost a lot of money, only banks can afford to use them but most seem unwilling to do so. Secondly, service providers are foreign organisations, and this makes many domestic enterprises hesitate to use their services.
An alternative method is for local enterprises to purchase monitoring systems and conduct their own supervision. Some organisations and banks in Vietnam use this method. This is not efficient, however, because they generally lack the qualified personnel needed to analyse the information being provided and react quickly. These systems are also expensive, and are superseded within two or three years.
There are a number of different projects being conducted to resolve the difficulties facing enterprises in implementing measures to protect their information systems. A project building an internet supervision centre, invested by VNCERT, has been approved by the government and is in its first phase. Systems and sensors are being introduced onto several network nodes to quickly detect any signs of attacks and send out early warning alerts. The following phases will focus on improving the capacity to set up sensors for those needing protection or for those that need such a security service to be provided by Vietnamese providers and for their information security to be protected by professional Vietnamese experts.
What technological solutions will be studied and implemented by VNCERT to assist enterprises, especially banks, in preventing hacking attacks and protect their information systems?
VNCERT is conducting and building monitoring, early detection and early warning measures as well as a coordinated system to quickly analyse malware and provide measures against attacks on the internet. From this analysis, VNCERT will gradually adjust alignment systems to prevent and isolate any attacks automatically, not manually as now happens. For example, when detecting signs of an attack, we have to send notifications to various parties to study and check them, and they then report back to us. After that we send information to another department for study and then must send it to another department or request internet providers close this gate, open that gate, and so on. Therefore, it takes a few days at least to handle a major attack. If we can set up automated systems, troubleshooting will be conducted instantly and quickly, within hours or even minutes.
What would you advise users do to protect themselves from hacking attacks?
Firstly, users must be vigilant. They need to consider whether the computer they are using is secure or not. They should never enter important or sensitive information on computers at internet cafés because the risk of their information being hacked is much greater than on their computer at home.
It is particularly risky to conduct online payment on smartphones, because security levels are less than that of computers. Many smartphone users download software that may contain different malware, so their account information can be more easily stolen than if they were using their computer.
Most people use anti-virus software or other security systems, and this should be encouraged. But these should be purchased from reliable sources and be software from companies specialising in internet security.
Users need to be smart. To become a smart user they have to posses the information necessary to under the basic principles involved in protecting themselves from hacking attacks.