INTERNET SECURITY | Gov’t servers allegedly became tools for hackers

Gilbert Chan, Manetic’s executive director

Gilbert Chan, Manetic’s executive director

The Macau New Technologies Incubator Centre (Manetic) revealed that local web servers, including those owned by government departments, were turned into “zombie servers” and were used by hackers to attack other networks. Gilbert Chan, executive director of Manetic, said that it is important for institutions to be aware of information security measures, in order to prevent possible damages caused from attacks.
The executive director spoke yesterday during the media conference about the releasing of the Macau Information Security Survey 2014 Report. He said that the Manetic-run Macau Computer Emergency Response Team Coordination Centre (Mocert) has already received more than 60 requests from local and foreign entities to resolve computer-related issues this year, such as their servers being attacked or hacked, and the number is rising.
“Although 2014 [has] yet to finish, we have already noticed that there are one to two cases [of cyber attacks] each week. There are two major categories of cases. The first and more frequent one is that by overseas institutions who contact [Mocert] and say that some Macau servers might have been hacked, becoming part of a botnet, and are now attacking them… What we will do is we will contact the owners of the local servers and notify them of the issue. It is often that the owners were not aware of the attack,” he said.
Chan also revealed that among the institutions whose servers were hacked, some actually belonged to government departments. He did not disclose which departments were involved.
Meanwhile, 92 public and private institutions have participated in the online survey of the Macau Information Security Survey 2014 Report. Manetic found that among the 10 measures of information security, a lot of the participating institutions failed to implement security awareness and training, establishment of security policy, risk assessment and incident response.
Chan suggested that the low implementation rate can be attributed to the fact that institutions do not know which measures of information security they should implement, which is because they lack information technology (IT) experts. In fact, among those entities that said they did not have a documented information security policy, 70 percent of them did not have an IT expert.
Moreover, the report revealed that 35 percent of the participating institutions’ web servers are unpatched and vulnerable. This means that those server owners did not update the servers’ system, leaving themselves more vulnerable to hacker attacks.
Furthermore, although Chan pointed out that staff members of an institution are actually the weak link in a system – thus resulting in attacks – around 35 percent of public institutions have still failed to implement any information security education or awareness program for their staff over the past 12 months.
The executive director recommended that if an institution does not have the financial resources to hire a dedicated IT expert for the maintenance and securing of its information system and web server, they should find some trustworthy website developers or solution providers to handle these issues.
He concluded that hackers usually go after easy targets. At a minimum, he said, institutions must regularly update their systems to patch up any possible loopholes. He also believes that the key to preventing attacks is to be aware of the risks and to have an appropriate contingency plan. “There are many loopholes [in the systems] and there will always be security issues. Therefore, the most important thing is to understand the contingency plan of one’s institution in order to mitigate the negative effect of an attack,” he said.

about manetic

Manetic was established in 2001 with the support of the Macau government and several major local and overseas enterprises. The Macau government owns 15 percent of its shares. According to its website, the institution states that its objectives include the establishment of new technological industries in the city and the maximizing of Macau’s utilization of professional human resources. This is the fifth year Manetic has published the Macau Information Security Survey 2014 Report.

Categories Macau