ISLAMABAD - In a significant move designed to prevent any breach of official data after a US security agency broke into national security systems, Cabinet Division’s National Telecom & Information Technology Security Board has issued necessary policy directives/guidelines to government departments, ministries and divisions to stop misuse of official business/files.
Pakistan is at the front line in war on terror and national security is at a greater risk of cyber attacks. Official entities have become increasingly vulnerable to hostile intrusion by unknown hackers or secret agents. The situation is alarming and calls for implementation of appropriate preventive measures.
To address the issue of misuse of official business/files, NTISB has issued policy guidelines/directives for protection of official business from possible cyber intrusions. Copies of the policy directives/guidelines have already been distributed to all the government departments/ministries/divisions for awareness about shielding official data.
The document gives 13 guidelines for individual/personal perusal and 25 for collective/organisation perusal. These directives/guidelines are to be adopted personally by users as well as by organizational and departmental authorities.
As per policy directives/guidelines to be adopted at individual level, private e-mail address must be avoided for an exchange of official correspondence as already advised, vide e-mail & Internet policy for government departments issued in 2005 and available on www.cabinet.gov.pk.
Official data should not be stored/copied on personal computers/laptops and personal USBs especially those which are connected to Internet at home or office. No official/classified information should be placed on Internet via any means. Attachments/uploading of contents having sensitive/classified information on social media like ‘facebook’ and ‘twitter’ etc must be avoided and also discourage discussed such topics there. Avoid uploading of videos/photos on ‘YouTube’ etc regarding meetings/sessions of national importance and maps/visuals of strategic installations.
Discourage govt officials/officers exploring unnecessary and undesirable contents/adds containing freeware/malware free software solutions/cracks. Downloading of unknown and unnecessary software available on Internet may be avoided as far as they may contain some spy ware programmes etc. Any doubtful activity observed in this regard should be reported to the concerned authorities immediately. Exercising extreme care by the users in handling, supervising and managing their passwords used for protection of networks/websites/mailing addresses etc and full compliance of existing policies/directives, guidelines and rules on the subject. Use of virtual keyboard) an anti key logger technique), a very effective anti-hacking tool/tip is suggested to protect Login ID and password. More, phishing/spear phishing is one of the most successful methods of hacking through e-mail/social NWs employed personally. Enhanced filtering on official governmental e-mail servers be performed centrally before delivery to users inboxes and users be educated not to click on links embedded in e-mails and on how to spot a phishing scam. And, P2P networking is free and pervasive throughout Internet users. Usually tools such as free movies online, U Torrent, Bit Torrent etc are used to download movies and games from other Internet users’ computers. These entertainment applications pose big security hazard and allow full access to the intruder for snooping and uploading whatever is desired. Installation of such clients on any computers containing confidential data should be prohibited.
According to policy directives/guidelines to be adopted at collective/organizational level, Internet connection must be obtained from NTC as policy in vogue. In areas where NTC infrastructure is not available, proper time bound NOC for hiring services of private ISPs must be taken from NTC, prior to usage/installation. Official PCs having confidential /sensitive data must not be provided with internet connection as per policy already intimated and separately provided standalone PCs should be used for internet purposes. Contents placed on official websites must be properly scrutinised/approved by the competent authority before its uploading and passwords used for updating the official websites must not be disclosed to authorised persons and registers/diaries containing such information must be properly secured. Internet usage in govt departments be regulated and access be provided with limited user privileges and Internet computers be isolated and the network security must be ensured by installing proper firewall coupled with licensed Antivirus and other protective software systems.
Cabinet Division’s National Telecom & Information Technology Security Board has further advised to conduct 1st Layer IT Security Audit of IT systems/network infrastructure by the ministries themselves, must be carried out at regular basis and report share with Cabinet Division (NTISB) for timely conduct of 2nd Layer IT Security Audit by its technical team. Similarly, national IT Security Policy needs to be drafted /revised and enforced strictly. Departmental Information Security policies must also be integrally defined and enforced in compliance with national IT Security Policy to protect government official data. Cyber Crime and Cyber Security laws need to be enacted and enforced. The role of mobile operators/ISPs, Telecom operators and Internet users in government departments in specific and public in general must be specified, violations must be strictly dealt.
It has also been advised to establish Cyber Security Intelligence Response Teams (CSIRT) under respective govt organisations in all departments comprising key personnel with IT experts to enforce IT/cyber security response in case of any accident. Also, adopt regular update Antivirus and Operating System Service Packs be installed by the network administrator and Internet provision be controlled by the highest administrative authority in the ministry/division/department. Similarly, proxy server with IDS/masking/firewalls be used in bigger organizations for internet gateways.
Govt e -mails be sent and received through govt officials servers instead of free mail services. HTTPs should be configured and used to access email servers through web interface. More, officials should be advised to avoid free downloads and installations on un-necessary programs/softwares and to avoid chat-room sessions on social medias and opinion forming activity unless they have been officially mandated to do so. Moreover, never run a programme unless it is trusted. Use of portable devices like USBs/MSDs must be controlled to stop virus/torjan spreading, resulting into hacking of vital data in a computers/websites. Similarly, uploading of data /files on networked computers be done through protected network entry points.
Last but not the least, it is also mentioned in the policy directives/guidelines that media can equally play an important role on national level cyber security awareness program for the public and the private education, generally in the form of spot and prompt reporting, short commercials, editorials, journals, and talk shows to increase public awareness among masses.