eMAGAZINE
APRIL 2022

Articles:
• Cyberbullying Towards Children
• Phishing
• Cyber Scamming
• Ransomware
• Types of Cyberbully
• Cyber Attacks in MY
• Mobile Malware

Interview:
En Azlan from Deloitte; CCID & NCSA

Guidelines:
Guideline and strategies to protect computer users
CONTENT
03 Preface
04 Cyberbullying Towards Children
11 Cyber Attacks in MY
17 Cyber Scamming
29 Cyberbullying
40 Mobile Malware
48 Phishing
54 Ransomware
63 Deloitte
70 CCID & NCSA
81 Guideline & Strategies to protect computer users
87 Cyber Security Emerging Regulatory Landscape
88 Phishing
89 Cyber Security Awareness: Ransomware
90 General Scams
91 Cyberbullying Awareness Program
92 Online Investment Scam
93 Cyber Hacking
94 Cyber Scamming
This electronic magazine (e-magazine) was created as the final project for the Cyber Law and Ethics course at UNITAR International University, Malaysia, for the year 2022. The document comprises four sections.

In the first section we present seven articles on cyber security issues. This section aims to give the reader a comprehensive overview of the types of cyber attacks, cyber threats and cyber security risks. The issues discussed are:
• Types of Cyber Attack in Malaysia
• Types of Cyber Bully
• Cyberbullying Towards Children
• Phishing
• Ransomware
• Mobile Malware
• Cyber Scamming

Two interviews were conducted and are documented in the second section of the e-magazine. The first interview was conducted with Deloitte Malaysia and the second with the Department of Data Protection, Ministry of Communication and Multimedia Malaysia (MCMC). The recordings of the interview sessions are available in this section; by watching the interviews yourself, you will hear what the professionals have to say about these issues.

The first two sections focus on helping computer users understand the types of risk involved when they are online and on identifying cyber security threats and risks. The third section is dedicated to cyber security risk management and provides comprehensive rules and guidelines to ensure the safety and security of computer users when they are online. Finally, in the fourth section we present the reports of all the activities and events conducted throughout the course.
AUTHOR
Cyberbullying Awareness Program
MADHAN RAO A/L VANDASAN, SURIA RAO A/L PAYADATHALLIE, MATHANAN A/L MOHAN, VIKNESVARAN A/L RAMACHANDRAN, ARWINTHAN A/L SELVARAJA
Dangers Of Social Media - Cyberbullying

The internet is vital to our daily communication. Cyberbullying takes place on digital devices such as phones, laptops, and tablets, and it occurs when people read, participate in, or distribute content via SMS, apps, social media, forums, or gaming. Cyberbullying is the act of sending, posting, or sharing harmful, misleading, or cruel content about someone. Shared personal information can cause embarrassment or humiliation, and some cyberbullying crosses into unlawful or criminal behaviour. Cyberbullying is most common on Facebook, Instagram, Snapchat, and TikTok; in text messaging, instant messaging and direct messaging apps on phones and tablets; in internet chat; on online forums and bulletin boards such as Reddit; by email; and in online gaming groups.

Malaysia ranks second in Asia in 2020 for cyberbullying among youths, according to a United Nations Children's Fund (UNICEF) report. Such behaviour may be a projection of the bully's own unhappiness at being deprived of their basic needs: survival, belonging (to love, to be loved, and to be of value), power, freedom, and fun. Students from Universiti Sains Malaysia's School of Communication have launched a campaign to promote social media etiquette and curb cyber harassment. Narvinni Jayakumar, founder of Project #Cybercancelled, said cyberbullies are often socially incompetent individuals; those with lower global self-worth, social acceptance, and popularity were also more likely to engage in cyberbullying.

2.1 Types of Cyberbullying - Direct Attacks
A direct attack is a message sent directly from one person (the bully) to another (the victim). Most cyberbullying cases fall into this category. Examples of direct cyberbullying include:
• Sending pictures (by email or mobile phone)
• Harassment via instant messaging or text messaging
• Using stolen passwords to "hack" the victim's accounts
• Abuse on Facebook, Twitter, Instagram, Myspace or blogs
• Harassment in interactive gaming (Xbox Live or PlayStation Network)

2.2 Cyberbullying by Proxy
In cyberbullying by proxy, someone else does most of the cyberbully's dirty work. Bullies may try to gain access to a victim's account or steal their credentials in order to harass others while posing as the victim, or they may open a new account and pretend to be the victim. The victim's friends then become furious with the victim. Unlike other forms of cyberbullying, this type is especially harmful because it draws in many people, not just the bully and the victim. For example: Mary wants to get back at Jennifer for not inviting her. Pretending to be Jennifer, she writes on buddyprofile.com, "I loathe Brittany, she is so stupid, unattractive, and overweight!" Mary may then tell Brittany and her friends that she read the post on buddyprofile.com. If "Jennifer" continues to attack them, they may report her to buddyprofile.com or to her school, doing Mary's dirty work for her. Jennifer may be penalised by her parents, lose her buddyprofile.com account, and get into trouble at school, and Brittany and her friends may start cyberbullying Jennifer.

2.3 The Vengeful Angel
"Angel" does not mean anything wonderful in the context of cyberbullying. Vengeful Angels set out to defend themselves or others against cyberbullies by bullying the bully. They do not consider themselves cyberbullies (but they really are). The "Vengeful Angel" cyberbully frequently steps in to protect a friend who is being harassed or cyberbullied and tries to deliver justice by becoming a bigger bully. In today's world, the better course is to report such activities.
2.4 Trolling
Trolling is the act of posting an insulting remark on the internet to irritate someone. One example is entering an online astronomy conversation and asserting that the world is flat in order to provoke an emotional and verbal response from community members. Most of us have probably trolled someone at some point, so there are surely trolls among us. It may be amusing at first, but what we tend to overlook is the victim's reaction to it.

2.5 Cyberstalking
Cyberstalking is the use of the internet and other technologies to harass or stalk another person online, and it is a potentially criminal offence in the United States. Online harassment, a blend of cyberbullying and in-person stalking, can take the form of e-mails, text messages, social media posts, and other messages. It is frequently organised, purposeful, and persistent. Even if the recipient expresses their disgust or asks the offender to stop, the messages usually do not end. The content directed at the target is frequently inappropriate and, in some circumstances, upsetting, leaving the user feeling afraid, distressed, apprehensive, and worried. To combat cyberstalking, it is best to take proper steps to protect yourself online. Although it is impossible to eliminate cyberstalking, you can take steps to increase your security and lessen the chances of it happening.
2.6 Outing
Outing is a form of cyberbullying that is usually done on a larger scale rather than one-on-one or in a small group. By forwarding or posting private messages online, the bully shares confidential information about the victim. The victim is frequently familiar with the bully, and the repercussions of disclosing sensitive information can be serious. Outing occurs when a bully publicly shares private messages, images, or other information about the victim on the internet. Many bullies print out instant message exchanges containing personal or sexual material and show them to others; even reading stored texts on another person's phone counts as outing. If the material is sensitive, the victim may suffer substantial psychological trauma. The fact that most outings take place on social media, with its millions of subscribers, has one advantage: the FBI or any other law enforcement agency can trace the cyberbully's Facebook account or other social media profile and follow the bully's online actions in the same way forensic investigators do. The negative is that outing reaches a far larger audience, allowing other cyberbullies to gang up on the victim, so victims may have to deal with not just one or two cyberbullies but with the whole world criticising them for their actions without knowing the truth. The victim is humiliated and embarrassed in front of the public. Because victims are likely to use social media themselves, their accounts are likely to be inundated with comments and messages, and in some circumstances the entire community that knows the person, or learns about them through social media, may mock and shame that person in real life.

3.0 How to Protect Your Child from Cyberbullying
Because of the proliferation of connected devices and the ever-expanding Internet of Things, cyberbullying is a much bigger problem today than it was even a decade ago. Children and teenagers are spending more time online: 92 percent of children now use the Internet daily, with a quarter logging in "constantly." According to a 2008 Rochester Institute of Technology survey of 40,000 K-12 students, cyberbullying is most common among middle schoolers, but it can begin as early as second grade. It is never too early to discuss cyberbullying with your child. Most children will not tell their parents that they are being bullied because they are afraid their parents will take away their Internet access or insist on complaining to the bully's parents. Children who are bullied may feel ashamed and blame themselves. Assure your child that no one deserves to be treated unfairly. Tell her that some people deliberately hurt others to make themselves feel better, or because they have been bullied themselves. Make it clear to your child that you need to know what is going on in order to help her. Signs that your child is being bullied can be difficult to detect, but they may include:
1. A nervous or unusually quiet demeanour, particularly after being online.
2. Wanting to spend more or less time online than usual.
3. Not wanting to go outside or to school.
4. Sleeping and eating problems.

4.0 How to Prevent Cyberbullying
Cyberbullying increased during the COVID-19 pandemic. According to research, cyberbullying increased by 70% and toxicity on online gaming platforms increased by 40% during stay-at-home orders [3]. These figures show that, despite increased education and improved school bullying prevention programmes, cyberbullying incidents continue to rise. As a result, parents must do everything possible to prevent cyberbullying in their children's lives.

4.1 Protect Accounts And Devices
When it comes to preventing cyberbullying and similar behaviours such as catfishing, it is critical that your child uses passwords on everything. Passwords are one of the most effective ways of safeguarding accounts and devices. Make it clear to your child that they should never share their passwords with anyone, including their best friend. Even if they trust that friend implicitly, the reality is that friends come and go, and there is no guarantee they will remain friends forever.

4.2 Make Use Of Privacy Tools And Settings
Whatever your teen does online, make sure they are aware of each platform's privacy settings and tools. Privacy settings are available on every social media platform, including Instagram, Twitter, Snapchat, and TikTok. Go through each account with your child and help them set their privacy settings to the most secure options: making accounts private, preventing people from tagging them, requiring others to get permission before sharing one of their photos, and so on.

4.3 Keep Personal Information Private
Children should never give out their address, phone number, or email address online. They should be cautious about revealing too much about where they go to school, especially if they have online friends or followers they do not know well. Remind them that people are not always who they claim to be on the internet. Even if a profile photo shows a teenage girl, that does not mean the person behind the account is also a teen; someone could be impersonating a young girl to gather information on other teenagers.
4.4 Manage Location Sharing Users of some smartphones can share their location with friends. This means that if they share their location with others, those individuals will always be aware of where they are. Discuss with your child who they can share their location with and whether they can share it at all.
4.5 Teach Them To Think Before They Post
Cyberbullies may use what your child posts against them in some way, so it may be beneficial to encourage your child to think before posting. Of course, if someone wants to use something against them, it doesn’t matter what it is.
5.0 The Events Details And Feedback From The Event
The event was held on April 8th, starting at 8:00 p.m. and finishing at 9:00 p.m. Students from Mastura International College and UNITAR's MIT students joined the session virtually. The speakers were Madhan Rao, Madhanan, Vikneswaran, Arwinthan, and Suria Rao.
6.0 Conclusion
To summarise, cyberbullying has severe effects on individuals. It disrupts school life, causes significant emotional harm, and has the potential to be lethal. Although technology has opened up new opportunities for students and teenagers, it is critical that everyone learns how to use it appropriately. Policies must also be implemented to guarantee that technology is used appropriately. School administrations should implement methods for detecting, preventing, and responding to cybercrime in schools. Parents should take on the responsibility of defending their children as well. Teenagers, for their part, should take the first steps in preventing cybercrime and bullying.
7.0 References
1. Cyber-bullying Essay. (2013, November 9). Camillamahon. https://camillamahon.wordpress.com/psychology/cyberpsychology/cyber-bullying-essay/
2. Malaysia is 2nd in Asia for youth cyberbullying. (n.d.). The Star. https://www.thestar.com.my/news/nation/2022/01/14/malaysia-is-2nd-in-asia-for-youth-cyberbullying#:~:text=KUALA%20LUMPUR%3A%20Malaysia%20ranks%20second
3. Megan Meier Foundation. (2015, March 19). Cyberbullying: Direct vs. Proximity – What's the Difference? https://meganmeierfoundation.wordpress.com/2015/03/19/cyberbullying-direct-vs-proximity-whats-the-difference/
4. STOP cyberbullying: Cyberbullying by proxy. (n.d.). Stopcyberbullying.org. Retrieved April 10, 2022, from http://stopcyberbullying.org/how_it_works/cyberbullying_by_proxy.html
5. STOP cyberbullying: What methods work with the different kinds of cyberbullies? (n.d.). Stopcyberbullying.org. http://www.stopcyberbullying.org/educators/howdoyouhandleacyberbully.html
6. Cambridge Dictionary. (2019). Trolling | meaning in the Cambridge English Dictionary. Cambridge.org. https://dictionary.cambridge.org/dictionary/english/trolling
7. Outing – dealing with someone sharing your secrets online. (n.d.). The Cyber Helpline. https://www.thecyberhelpline.com/guides/outing
8. Cuncic, A. (2021). The Psychology of Cyberbullying. Verywell Mind. https://www.verywellmind.com/the-psychology-of-cyberbullying-5086615
9. Cyber stalking, Cyber Harassment and Cyber Bullying. (n.d.). Astrea Legal Associates LLP. Retrieved April 10, 2022, from https://astrealegal.com/internet-harassment-cyber-stalking-cyber-harassment-and-cyber/
10. Cyberbullying and Cyberstalking: stopping the epidemic. (n.d.). LinkedIn. Retrieved April 10, 2022, from https://www.linkedin.com/pulse/cyberbullying-cyberstalking-stopping-epidemic-monique-morrow
11. CyberBullying Awareness Program Survey Form. (n.d.). Google Docs. Retrieved April 10, 2022, from https://docs.google.com/forms/d/1NkwJLzsnwDuDHLhERE0P8863KCnDUwf9vmvAtEdAZy4/edit?ts=6252a5f5#responses
12. Gordon, S. (2021, September 4). 10 Tips for Preventing Cyberbullying in Your Teen's Life. Verywell Family. https://www.verywellfamily.com/how-to-prevent-cyberbullying-5113808
13. Pew Research Center. (n.d.). A majority of teens have experienced some form of cyberbullying.
14. Gordon, S. (2020, August 2). Beware Parents and Educators: Cyberbullying Increasing During Pandemic. Verywell Family. https://www.verywellfamily.com/cyberbullying-increasing-during-global-pandemic-4845901
CYBERSECURITY: CYBER ATTACKS IN MALAYSIA
In the era of globalisation of information and communication technology, we can see that cyber attacks have become an attractive weapon for attacking a country. This is because they require only high skills in programming and networking, and they are very low cost compared with conventional attacks that use expensive material, especially deadly weapons. An attacker needs only to recruit agents, spies, highly skilled hackers and programming experts to launch an attack as a group against institutions such as government agencies, banks and the private sector in a country.

AHMAD NUR AFIF BIN CHE ALIAS, MOHAMMAD HAZAL BIN HANIFAH, SHAMSUDIN BIN OSMAN
Cyber Attack Cases in Malaysia
Statistic Of Cyber Attack In Malaysia
Malaysia is among the countries that have been involved in cyber attacks over the past few years. There are several reasons why this country keeps getting attacked, such as political issues, sports and money scamming. The following are a few examples of how cyber attackers, especially hackers, have attacked for their own interests.

Based on statistics provided by the Malaysia Computer Emergency Response Team (MyCERT) under CyberSecurity Malaysia, 1,785 incidents were recorded for the first three months of 2022 (January to March). All these incidents were divided into a few categories, as shown in the results below:

News from The Star, dated 19 September 2021, reported that 7,495 cases had been reported from January to August 2021. Most of the cases were hacking and web defacement. Another top cyber threat was malicious code attacks, with around 58 cases reported for the month of August alone; 30 of them targeted big companies and caused a lot of data loss and monetary loss. News from moneycompass.com.my on cyber threats across South East Asia reported that, for Malaysia, scammers last year usually used fake bank accounts to steal the banking details of Malaysians. An example of internal political issues behind cyber attacks is a report in Sinar Harian dated 1 February 2021 that a local hacker group known as Cyberpunk Team had attacked several government websites, including sabah.gov.my, perak.my, customs.gov.my, cidb.gov.my and mps.gov.my. The group claimed that the cyber security level in Malaysia is still low, especially on government sites, and that this was their reason for the attacks.

Another news report on 29 December 2020 stated that the Malaysian Armed Forces (ATM) data network was attacked, leaving the portal inaccessible. The attackers failed to steal the army's information data and only managed to compromise the portal, which was quickly restored by the military's cyber defence.
As we can see, most of the cyber incidents were Fraud, with 1,242 incidents. Among cyber attack incidents such as Intrusion, Intrusion attempt and Malicious code, malicious code incidents were the most frequently recorded over these three months. Malicious code is popular among hackers because of its ability to breach security and damage data on a system. The impact is usually that the hacker can destroy some of the organisation's important systems or even steal customer data.
Let us look at the record for 2021. There were 10,016 incidents recorded, as shown below:

There are several laws that can be applied to the above cases and statistics, and to other cyber attacks that have happened in Malaysia. For cyber attacks such as hacking, intrusion, malicious code or any other type of cyber attack, the following law can be applied.
The Computer Crimes Act 1997
An Act to provide for offences relating to the misuse of computers. The Computer Crimes Act 1997, effective as of 1 June 2000, created several offences relating to the misuse of computers. Among others, it deals with unauthorised access to computer material, unauthorised access with intent to commit other offences, and unauthorised modification of computer contents. It also makes provisions to facilitate investigations for the enforcement of the Act. For cyber attacks involving content, the following law can be applied.

The Communications and Multimedia Act 1998
An Act to provide for and to regulate the converging communications and multimedia industries, and for incidental matters. The Communications and Multimedia Act 1998, which came into effect on 1 April 1999, provides a regulatory framework to cater for the convergence of the telecommunications, broadcasting and computing industries, with the objective of, among others, making Malaysia a major global centre and hub for communications and multimedia information and content services. The Malaysian Communications and Multimedia Commission was appointed on 1 November 1998 as the sole regulator of the new regulatory regime. For cyber attacks that involve a data breach or data theft, the following law can be applied.
Personal Data Protection Act 2010
An Act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto.
Of the 10,016 incidents recorded, Fraud was still the highest category, while Intrusion was the highest recorded among the cyber attack types. Intrusion is also quite dangerous because the hacker does not need to damage the system: they can enter an organisation's system and steal all of its information without anyone knowing, and use it for money, blackmail or even political gain. The statistics above also show a decreasing trend in attacks, which suggests that more Malaysians are now aware of these threats and have taken the necessary actions and precautions to fix and prevent all kinds of cyber security issues in their organisations. It is important for every organisation to enhance its security in order to prevent big losses, whether in terms of money, data privacy or reputation.
Protection Against Cyber Attack
There are several ways to protect against all these kinds of cyber attack, and they matter for people at every level of an organisation. It is not just the responsibility of the IT team: cyber attacks usually aim at the person or organisation with very weak security measures, which for individuals usually means people with little knowledge of ICT.

Firstly, for an organisation it is very important to have the latest cyber security technologies, such as an up-to-date firewall. Its main purpose is to protect against attacks from both outside and inside the organisation.

Second, the organisation must make sure all staff devices, including servers, laptops, PCs, tablets and smartphones, are well protected with antivirus software and an up-to-date operating system. This minimises the risk of an attack at any level of the organisation.

Thirdly, everyone, whether in an organisation or not, must take responsibility for all the information they keep. Any password used to access a system must be a very strong one, and open public wifi should not be used to access banking or any other system that involves data management.

Fourth, always be alert when checking emails or notifications on websites. Make sure a message or link is legitimate before clicking. Avoid responding to unknown emails unless you have already confirmed that the sender is who they claim to be.

Fifth, always back up your data and store the backup somewhere else that no one else can reach. This applies to individuals and organisations alike. It is very important because, once data is damaged by an attack, a backup can be restored at any time.

SANTHANANTHAN GOPAL KRISHNAN, PHAVITRAN A/L SELVA MOHAN, KESAVAN A/L VARADHAN, MOHD SOUFI BIN YUSSOF

Sixth, access management. The organisation must have a proper access management process. With proper access management, we can prevent wrongdoing by unauthorised persons in an organisation.

Lastly, organisations should always train all their staff, and individuals should always train themselves, to keep up with the latest cyber security knowledge. This ensures that all of us know the latest cyber security issues and how to prevent them.

Conclusion
Cyber attacks have caused losses of millions of dollars in Malaysia over the past few years up to now, whether to individuals or to organisations. Surprisingly, we still have a lot of cases in Malaysia every year even though they are reported in all kinds of media. The government and each one of us must work together to reduce these attacks, since they affect every layer of the community in Malaysia. The government must keep spreading awareness of cyber threats through all kinds of media: news (online and newspaper), websites, Facebook, Twitter, Instagram and others, so that the whole community will be aware and more careful in the future. Every citizen of Malaysia must keep up to date on cyber security awareness. We do not have to depend on the government alone to learn about cyber crime: most people in Malaysia now have at least one smartphone and internet access, so this information can easily be found online and we can be prepared if a similar attack happens to us. To conclude, if every one of us and the government work together, we could see a drastic decrease in cases in Malaysia starting next year, because every level of the community would be aware and looking out for each other in the face of all kinds of cyber attack.
CYBER SCAMMING ISSUES
Issues in Cyber Security, Cyber Laws & Ethics

Introduction
The term cyber law covers the set of legal issues and consequences associated with a nation, and it also describes the legal cases related to the use of communication technologies such as the Internet. This assignment will critically analyse cyber scamming in Malaysia. It will highlight the latest issues in this nation's cyber law and analyse the various ways in which cyber issues affect ethical consequences. Comparisons will be made in the latter parts of this assignment to help formulate the most suitable set of strategies for mitigating cyber scamming in this country in the future.
Cyber scamming
Cyber security scams (commonly known as cyber scams) are scams that take place over the internet. According to Shukor and Shukor (2019), the term covers various methods of online fraud and other criminal activity on the internet. This nation has been witnessing such issues for the last couple of years: Malaysia recorded approximately 7,593 online frauds in 2020 (Statista, 2022). On top of that, the nation also faced cyber scams including approximately 1,444 intrusions and roughly 596 cyber harassment cases.
>> Types of cyber scamming in Malaysia (Source: Statista, 2022)
It has been highlighted that approximately 31.1 percent of citizens in this nation were exposed to online malicious code in 2016, and that this rose to approximately 593 issues by the end of 2020 (Statista, 2022). Consequently, it can be presumed that the overall cyber security of this nation is extremely weak; factors such as complex coding and the evolution of cyber security are almost negligible. Numerous citizens also claimed that they face denial of online services approximately 16 times out of 50 (Statista, 2022). Other problems such as frequent intrusion attempts, identity theft and spamming are also extremely common in this nation. It has been found that 33 percent of the industrial giants in this nation admitted to witnessing different kinds of cyber fraud, and approximately 30 percent of individuals were not even notified when their organisations were victimised by cyber scams in 2020 (Statista, 2022). By contrast, approximately 36 percent of these industrial giants reported not facing any kind of cyber scam between 2015 and 2017. Thus the frequency of cyber scams has grown drastically in this nation. It was also stated that approximately 22 percent of Malaysian industrialists witnessed a cyber scam in their organisations due to the implementation of the most prevalent technologies, and approximately 2 percent of Malaysian firms were targeted by brute force attacks between 2015 and 2017 (Statista, 2022). Consequently, the frequency of cyber scamming has been increasing in proportion to the implementation of different technologies in the Malaysian market. It will be beneficial for Malaysian enterprises to incorporate a strong and effective set of cyber laws in order to mitigate these cyber issues. According to Amiruddin et al. (2021), it will be favourable to highlight and understand the different causes of cybercrime in this nation. This can be considered the primary condition for strengthening the pre-existing cyber laws in this nation, which will play an extremely prospective role in reducing the frequency of cyber scams in Malaysia.
Cyber security
It has been highlighted that approximately 31.1 percent of the respective citizens in this nation got exposed to different online malicious codes in the year 2016. This got hiked to approximately 593 issues by the end of the year 2020 (Statista, 2022). Consequently, it can be presumed that the overall cyber security of this respective nation is extremely weak. Factors such as complex coding and the evolution of this respective cyber security are almost negligible. Numerous other respective citizens in this nation also claimed that they end up facing denial in online services approximately 16 times out of 50 (Statista, 2022). Other factors such as frequent intrusion attempts, identity theft and spamming are also considered to be extremely common in this respective nation. It has been found that 33 percent of the industrial giants in this respective nation confessed to witnessing different kinds of cyber frauds. On top of that, approximately 30 percent of the individual did not even get notified when their respective organizations got victimised by cyber scams in the year 2020 (Statista, 2022). On the contrary, approximately 36 percent of these respective industrial giants confessed to not facing any kind of cyber scams between the years 2015 to 2017. Thus, it has culminated that the frequency of cyber scams has boosted drastically in this respective nation. It was also stated that approximately 22 percent of these Malaysian industrialists witnessed a cyber scam in their respective organizations due to the implementation of the most prevalent sets of technologies. Additionally, approximately 2 percent of these Malaysian firms were targeted by different kinds of brute force attacks between the years 2015 to 2017 (Statista, 2022). Consequently, the frequency of cyber scamming has been increasing proportionally with the implementation of different technologies in the Malaysian market. 
Malaysian enterprises would benefit from a strong and effective body of cyber law to mitigate these issues. Amiruddin et al. (2021) argue that identifying and understanding the causes of cybercrime in the country is the primary condition for strengthening the existing cyber laws, and that doing so is likely to reduce the frequency of cyber scams in Malaysia.
Cyber law
Cyber law can be defined as the body of rules and regulations governing information technology and online activity. It covers legal informatics, the supervision of digital flows of information, e-commerce and data security. Hamin and Rosli (2018) argue that a strong body of cyber law plays a key role in this regard: it provides the legal footing needed to mitigate cyber scams in Malaysia, it is likely to encourage corporate enterprises to enter the Malaysian market, and it promotes the use of secure mechanisms such as digital signatures and other forms of certified authorisation that reduce the scope for scams. A strong body of cyber law touches almost every aspect of digital transactions. Hamzah (2021) notes that this strengthens the transaction process as a whole, lowering the probability of data loss and fraud, so that activity over the internet becomes comparatively more secure and every action in cyberspace can be examined from a legal standpoint. United States statutes such as the Cybersecurity Information Sharing Act 2015 and the Gramm-Leach-Bliley Act 1999 can serve as models to be adapted and improved upon when designing stronger cyber laws to reduce cyber scams in Malaysia.
Such a cyber law can set standards of acceptable human behaviour in the use of information and communication technology. According to Yassin et al. (2019), it can also establish socio-legal sanctions for cyber scams, which would be extremely beneficial for the nation, and it protects the digital information and communication system as a whole. Together these factors help prevent malicious harm to the people and infrastructure of the country.
Cyber Ethics
Ethics is also likely to play a key role. Mat et al. (2019) regard cyber ethics as an effective risk management strategy that is significantly important for organisations in Malaysia, because ethics supplies the knowledge needed to determine right and wrong in the use of digital communication platforms. Cyber ethics, in turn, is the capacity to adhere to ethical principles and practices while operating within the cyber laws. An effective set of cyber ethics can also help expose cyber scams before they are carried out, giving people the opportunity to make the most suitable decisions to mitigate them.
Approximately 51 percent of Malaysian citizens agree that an effective set of cyber ethics can prevent cyber scams such as account hacking and identity theft. This stands to protect the roughly 29 million citizens who rely on digital transactions in one form or another. Additionally, approximately 64 percent of Malaysian citizens believe that leaks of vital personal information can be prevented through effective cyber ethics (Statista, 2022), since ethics reinforces the cyber laws that ultimately mitigate cyber scams. The number of internet users in the country has been rising rapidly. According to Rosli et al. (2021), Malaysia had approximately 18.5 million internet users in 2013; this rose to approximately 29.03 million by the end of 2021 and is expected to reach approximately 30.77 million by the end of 2025. Strengthening cyber law in Malaysia is therefore a mandate, and a strong set of cyber ethics is required for the same reason.
The number of internet users in Malaysia (Source: adapted from Rosli et al. 2021)
Ethics can also be seen as what separates security personnel from hackers. Zakaria et al. (2019) hold that it is the knowledge of right and wrong that distinguishes the two, and that this enhances the security of Malaysian cyberspace as a whole. Basic ethical factors include maintaining personal privacy and respecting rights of access to data; watching for harmful and suspicious activity on the internet is another significant ethical action. Applied together with technical tools and techniques that can detect a cyber scam before it begins, such as encryption, TLS/SSL, digital IDs and firewalls, these ethical practices can address cyber scams effectively. Cyber ethics is also associated with codes of conduct. ISA et al. (2021) note that such codes shape the behaviour of the nation's internet users and help align the right internet habits in their everyday lives, which lessens the frequency of cyber scams and should produce a noticeable difference across the country. Maybank, for example, is presently regarded as the safest bank in Malaysia. It has total equity of approximately RM 85,811.42 million (nikkei.com, 2022) and an international network of over 2,200 branches in 20 countries serving approximately 22 million customers.
This is attributed to the bank's strong set of cyber ethics, which reinforces the cyber laws that apply to it. The bank strengthened its compliance with those laws in order to avoid losing prospective customers, and, according to Hamzah et al. (2018), also addressed data theft and fraudulent banking transactions through the implementation of cyber ethics.
Contactless digital transactions at Maybank rose by approximately 40 percent, which boosted the annual market value of the enterprise by approximately 29.8 percent by the end of 2021, and steady growth is expected until the end of 2028. Digital transactions became approximately 71 percent more secure and technical issues became rarer than before. As a result, approximately 73 percent of people in Malaysia came to prefer this bank over others (Hassan et al. 2018). All of this is attributed to the strong set of cyber laws observed by Maybank, which mitigated cyber scams and made digital transactions more secure for all prospective customers.
Comparison of Malaysian cases with other SEA countries
There are numerous cyber laws in Malaysia. According to Khairunnissa (2018), these laws play a key role in raising the level of online security for citizens. They include the Copyright (Amendment) Act 1997, the Computer Crimes Act 1997 and the Digital Signature Act 1997, as well as the Telemedicine Act 1997 and the Communications and Multimedia Act 1998. These laws embody a set of cyber ethics that defines the rights and wrongs of using cyberspace, and together they are presumed to raise the level of cyber security in the country. Malaysia has since enacted further laws to strengthen the security of cyberspace, including the Electronic Commerce Act 2006, the Electronic Government Activities Act 2007 and the Personal Data Protection Act 2010. There are also cyber security provisions for the health sector, tied to the provision of health insurance coverage to citizens in need. Rosli et al. (2021) suggest that these laws will play a key role in improving the quality of life of everyone in the country. By comparison, other South-East Asian (SEA) countries such as Singapore and Indonesia apply their own data protection laws, which in Singapore's case include the Personal Data Protection Act 2012 (PDPA), the Cybersecurity Act 2018 and the Computer Misuse Act (as amended in 2018).
In this way these SEA countries aim to protect vital pieces of personal information. According to Abd Jalil et al. (2020), this is achieved through frameworks established under these laws, which raises the overall level of security in those countries. Ethical practice also differs between Malaysia and these SEA countries. Bhattacharyya (2018) describes the Singapore Statement as resting on four basic ethical principles: honesty, professionalism, stewardship and accountability. These improve data integrity and therefore cyber security; data sharing becomes more secure and digital record-keeping improves when the principles are followed. They can be regarded as the basic pillars of ethical conduct in nations such as Singapore and Indonesia. Ethical practice in Malaysia is slightly different. Ibrahim et al. (2019) identify five ethical principles in Malaysia: justice, autonomy, beneficence, fidelity and nonmaleficence. These play a key role in ethical decision making in the country and can help identify unethical conduct on the internet, such as identity theft and fraudulent transactions, before it is carried out, and inform the most effective strategies to mitigate it. On that basis the nation could be free of cyber fraud in the future.
Cyber security has already gained considerable prominence in the modern era, and in Malaysia it has become a priority across most economic sectors. Shukor and Shukor (2019) attribute this to the rapidly rising number of internet users and to the fact that most Malaysians are willing to use online and contactless modes of payment for their day-to-day transactions. Malaysia has accordingly allocated approximately RM 1,858.39 million to improve cyber security at the national level. By comparison, SEA countries such as Singapore and Indonesia formulated a cyber security agenda as recently as 2015. According to Hamin and Rosli (2018), the primary mission of the resulting cyber security agency is to raise the level of security in cyberspace and, beyond that, to protect national security. As a result, the digital economies of these SEA countries are strengthened, the digital way of life of their citizens is protected and digital transactions become comparatively more secure.
Important personal information can then be stored with the highest level of security, which lessens the growing number of cyber threats facing these SEA countries and helps countries such as Singapore and Indonesia qualify as smart nations that are secure in every aspect of living. Information and Communication Technology (ICT) has grown rapidly in Malaysia over the past three decades. The launch of the Multimedia Super Corridor (MSC) in 1996 turned the country into a regional IT hub, and this cyber-related development has also brought a rise in cybercrime (Jerome, 2019). It has been found that 70 percent of commercial cases now fall under cybercrime.
Case Example 1: In the case "Malaysia Airlines website 'compromised' by hackers", the airline's home page was compromised, which the article attributes to a weak set of cyber security laws. An enhanced set of cyber law would make it possible to track all activity on such a website, so that similar incidents can be avoided in Malaysia.
Case Example 2: In the case "Malaysian data breach sees 46 million phone numbers leaked", data belonging to more than 46 million mobile subscribers was leaked. Such breaches can be mitigated through an effective set of cyber ethics, which defines right and wrong in cyberspace, so that anyone planning misconduct on the internet can be identified before the act and punished under the law.
Malaysian technology and computer crime cases (Source: mcmc.gov, 2020)
From the above figure, it can be observed that most cybercrime cases in Malaysia relate to malware, spoofing, e-commerce fraud and high-yield investment programmes (mcmc.gov, 2020). Other categories include online gambling and user-generated content or personal journalism. In South-East Asian countries more broadly, the most common cybercrimes are malware, phishing, data breaches, ransomware and DDoS attacks (Singh et al. 2021), along with credit card fraud, financial data fraud and romance scams. The number of cybercrimes has been rising in both Malaysia and the wider region. According to the Department of Statistics Malaysia, cybercrime complaints increased by 99.5 percent, from 10,426 in 2019 to 20,805 in 2020. Police statistics show around 67,552 cybercrime cases reported between 2017 and 2021.
Number of cyber threat incidents in Malaysia (Source: Statista, 2021)
From the above graph, most cyber threat incidents in 2020 were online fraud, with 7,593 cases reported by CyberSecurity Malaysia. There were also around 1,444 intrusion incidents and 596 cyber harassment cases affecting individuals and organisations (Statista, 2021). To counter cybercrime, the Malaysian government has enacted cyber laws such as the Computer Crimes Act 1997, the Communications and Multimedia Act 1998 and the Malaysian Communications and Multimedia Commission Act 1998, as well as the Digital Signature Act 1997, the Copyright (Amendment) Act 1997 and the Telemedicine Act 1997. To address crime in online transactions, the country implemented the Electronic Commerce Act 2006. These acts help the government reduce the number of crimes in future and keep personal and national information safe. South-East Asia as a whole, however, remains a hotspot of cybercrime; the rate of cybercrime in the region rose sharply during the covid-19 pandemic, with a wide variety of offences observed across its countries.
Cyber crime cases in Malaysia (Source: mcmc.gov, 2020)
Geography of cybercrime in Southeast Asia (Source: ASPI, 2020)
The above figure shows the types of cybercrime observed in different Southeast Asian countries. For example, online gaming theft is among the most common cybercrimes in China, while credit card fraud is the dominant cybercrime in Brazil. North Korea, China and South Korea rank highest, but the rate of cybercrime in Vietnam is also rising and Vietnam ranks at the top for general hacking capability in Asia; were its local hackers to turn to cybercrime, they would be among the most serious cybercriminal threats in Southeast Asia. In 2016, for example, Vietnamese hackers extracted around 500 million dong from customer accounts at Vietcombank (ASPI, 2020). In these countries most organisations have been affected by cyber attacks on their business processes, which hampers their growth and reduces productivity. In 2018, for example, around 12.2 billion US dollars were lost to cyber attacks in Malaysia, roughly 4 percent of the country's GDP.
ARTICLE DISCUSSED
For more than three decades, ICT development in this region has been rapid. Malaysia has been a regional ICT centre since the MSC was established in 1996 (Zainudin, 2022). Government and commercial portals have sprung up to meet practically every demand, including administrative information, interactive and online services, and financial transactions. As a result, risks associated with rapid ICT innovation have appeared and evolved in practically every element of society, posing a significant threat to the country's well-being, and they present serious challenges to any government, and to law enforcement agencies in particular, in maintaining law and order (MCMC, 2022). Rapid and in some cases unregulated ICT growth has exposed loopholes in current laws and created challenges for economic development, political stability and social and racial well-being. Law enforcement agencies in the new millennium are now faced with enforcing the law in a cyberspace that transcends borders and raises questions of jurisdiction. With all this information in hand, let us discuss the two most prominent, or most frequently recorded, cyber scam issues in Malaysia and globally. In recent years, money scams through social media and other internet platforms have gone viral. Love scams are also an increasing threat, with both youngsters and adults falling prey to online scammers in the name of love or through dating apps.
Very recently, two cases have caught the attention of netizens in the news headlines: Malaysians suffered RM2.23 billion in losses from cyber-crime fraud, and police in Singapore and Malaysia busted an internet love-scam syndicate based in Selangor (Kai, 2021). Both issues are clearly international rather than purely national problems. According to police statistics, a total of 67,552 cyber-crime cases were reported between 2017 and 20 June 2021. Of these, e-commerce scams topped the chart with 23,011 cases, followed by illegal loans (21,008) and investment scams (6,273) (Basyir, 2021). To counter this, the Commercial Crime Investigation Department (CCID) and Facebook Malaysia, in partnership with government agencies, industry players and consumer associations, have launched the nationwide #TakNakScam awareness campaign. The campaign educates the public on how to identify, check and report the highly deceptive tactics employed by scammers. It is equally important that measures be taken to nip these issues in the bud. Domestic Trade and Consumer Affairs Deputy Minister Datuk Rosol Wahid said that the development of e-commerce is a double-edged sword, as fraud, scams and other cyber-crimes via digital platforms have increased in line with the success of digital businesses (Zainudin, 2022). All of these programmes are critical for educating the public and making them aware of the many scamming trends on the rise. The government and commercial sectors must prepare for an imminent wave of fraud; without drastic measures, online swindles will harm consumer confidence, among other things. Because the issue calls for cooperation across multiple agencies and the private sector, a more holistic approach is required.
Educational videos, as well as tips and tactics for identifying, combating and reporting fraudulent activity, will be broadcast widely across the campaign's online and offline channels by all of its partners (Bernama, 2022). In three simple steps, spot, check and report, the public can be actively involved in crippling online scams. Anyone who comes across suspected financial fraud may report it to the CCID Scam Response Centre between 8am and 8pm daily at 03-26101559 and 03-26101599 (CCID, 2020). Love scams, on the other hand, exploit emotional trust, since they are closely tied to relationship building. An internet love-scam syndicate operating in Malaysia was crippled after a 41-year-old woman in Singapore fell victim to the ruse and lost about $28,000. Singapore's Commercial Affairs Department (CAD) coordinated with its Malaysian counterpart, the CCID, to track the suspects to an apartment in Selangor (Kai, 2021). In a statement on Thursday (16 September), the Singapore Police Force (SPF) said the syndicate may be behind at least eight such scams, seven in Singapore involving $37,000 and one in Malaysia involving RM210,000 ($67,840) (Kai, 2021). According to the SPF, the woman reported on 17 May that she had been the victim of a possible love scam. In March of that year she had made contact on Facebook with a man who claimed to be in charge of a Ukrainian oil rig project. He vowed to marry her in Singapore when the project was finished, but never followed through. She transferred a large sum of money on the strength of his word alone, trusting that his story was true and that the transfer was an act of love.
In the statement, the SPF advised members of the public to exercise caution when befriending strangers online and to be wary of anyone who asks them to wire money to unfamiliar bank accounts. As Communications and Multimedia Minister Gobind Singh Deo has said, cybercrime poses a serious threat to Malaysians, who are losing hard-earned money amounting to hundreds of thousands of ringgit to scammers. The Communications and Multimedia Ministry, through the Malaysian Communications and Multimedia Commission (MCMC), has held several discussions with Bukit Aman's Commercial Crime Investigation Department (CCID) on ways to combat cybercrime, according to a press statement issued by Gobind on 8 October (Bernama, Serious steps to curb cyber crime, 2022). They are considering a task force made up of officials from MCMC, financial institutions and telecommunications firms that would work with the CCID to speed up information sharing and give the public prompt feedback when a fraud is uncovered. The Ministry of Communications and Multimedia will also spearhead a year-long campaign, beginning that month and concluding in December 2019, to raise public awareness
about telecommunication fraud and educate individuals on how to protect themselves from such crimes. The departments and agencies involved are MCMC, the Malaysian National News Agency (Bernama), RTM, the Information Department, the National Film Development Corporation Malaysia and the ministry's Strategic Communications Division, all of which will hold special programmes in support of the campaign (Basyir, 2021). To achieve the campaign's goals, the organisers will work with strategic partners such as the police, private media outlets, other ministries, non-governmental organisations and community leaders. The police, for example, will assist with law enforcement, while private television and radio stations will help disseminate the campaign's messages. The campaign is aimed primarily at seniors, working women and the middle-aged, since fraudsters are known to prey on these groups; secondary school pupils and undergraduates are also targeted. With the tremendous increase in the use of connected gadgets, more Malaysians are exposed to online fraud, making it increasingly difficult for the authorities to combat the threat. From the two cases covered above, we can infer that internet fraudsters, or more specifically cyber scammers, have ingenious ways of persuading people, making their schemes appear credible and gaining easy access to data for their own gain. It is critical to stay alert at all times and to verify that anyone requesting our sensitive information is legitimate. In light of Malaysia's worrying surge in cybercrime, the government is taking strong steps to combat the problem.
Conclusion
This assessment has discussed the latest issues faced by the people, business organisations and government of Malaysia in cyber security, cyber law and ethics. The discussion shows that the rate of cybercrime is rising in the present digital world, and that implementing proper laws and security systems is therefore essential for the government to mitigate the problems cybercrime has caused. Cybercrime in Malaysia has increased over three decades, and the country has enacted and implemented various acts and laws in response. Among the Southeast Asian countries, the rate of cybercrime in Malaysia has been rising particularly fast and ranks among the highest in terms of growth.
MOBILE MALWARE IS ON THE RISE, KNOW HOW TO PROTECT YOURSELF
SECURITY WRITTEN BY LEE KHAI YEAN & NORSUAINI @ APRIL 22, 2022
Introduction
Cybercrime is generally regarded as any illegal activity conducted through a computer. Today, online marketplaces exist where participants use web-based platforms to meet, discuss, exchange, buy and sell the goods and services that enable cybercrime. Malware, short for "malicious software", is any software intentionally designed by cybercriminals (often called hackers) to disrupt a computer, server, client or network, to gain unauthorised access to information or systems, or to steal data. It can also cause harm to other software or to hardware. Common kinds of malware include viruses, worms and Trojans. There are many ways and means by which an individual can commit crimes in cyberspace. It is important to note that cybercrimes are offences punishable by law, so every individual should be aware of these crimes and remain alert to avoid loss. Crimeware toolkits are software packages that instruct users on how to infect a system and then retrieve data, such as corporate documents, personal photos or credit card information, for financial gain. These off-the-shelf tools minimise the need for programming skills on the part of the user.
Objectives
Mobile malware programs targeting smartphone and tablet users are significant and growing at an alarming rate. It is important to raise public awareness so that people are better able to protect their networks and devices from mobile malware attacks. Communicating mobile security threats and best practices has become a central objective due to the ongoing discovery of new vulnerabilities in mobile devices. To cope with this issue, we need to identify and analyze existing threats and best practices in this domain. Android is an open-source system, which allows Android app developers to take the source code and create their own custom OS with it. This makes Android devices easier to ‘root’, removing the manufacturer’s software restrictions and installing unauthorized apps, which translates to a greater chance of vulnerabilities in the code on the phone. “For hackers, it makes sense to write hacking code for a system that is not only easier to hack but is also more widely used. There is a much wider base of user information to steal, so most mobile malware is aimed at Android devices, due to their popularity. It is like the ‘Spray and Pray’ method. Besides keeping their Android devices up to date with the manufacturers, who seldom push out the latest OS to the users, users should start having a security solution on their Android devices,” says Yeo. Therefore, we need to stay alert and recognize the different approaches that such criminals can take. There is a need for an alert mindset to sense situations that may lead to such damage. Combating such crimes cannot be based on technology alone; technology is just one weapon to track and put a brake on such activities to some extent.
Type of Mobile Malware
The most common types of mobile malware include viruses, worms, mobile bots, mobile phishing attacks, ransomware, spyware and Trojans, and some mobile malware combines more than one type of attack. A virus is designed to spread from one phone to another. A worm infects other devices while remaining active on the infected system; it can be transmitted through SMS and does not require user interaction to execute its commands. A mobile bot is a type of malware that runs automatically once the user installs it on a device. Mobile phishing attacks often come in the form of email or SMS text messages; they use text messaging to convince victims to disclose their account credentials or to install malware. Ransomware locks the data on a victim’s device by encryption and demands a payment before the data or device is decrypted; the demanded payment may come in the form of cryptocurrency such as Bitcoin. A Trojan requires the user to activate it: on mobile devices, cybercriminals insert the Trojan into otherwise non-malicious apps, so the user activates it when he or she clicks or opens the file.
Example of Cases
Based on statistics from the Commercial Crime Investigation Department of the Royal Malaysia Police, Malaysians have suffered losses of about RM2.23 billion to cybercrime fraud since 2017. According to Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky, “More Malaysians are moving towards online banking now and we expect the adoption rate to increase tremendously in 2020, more so with the Budget 2020 where Malaysians will receive RM30 digital cash as a form for the government to push the e-wallet adoption in the country. With this, the mobile users in the country should start paying attention to securing their smartphones, beyond the physical protection, but the virtual world too.” Based on records released by the Royal Malaysia Police, the top three categories of cybercrime cases reported by the public from 2007 until 2012 were:
1. E-Commerce Fraud – Online Purchase
2. Parcel Scam
3. VOIP Scam – Cross Border Syndicates
A total of 8,162 cases of e-commerce fraud with losses amounting to RM57.73 million had been reported nationwide this year as of Oct 31, 2021. Bukit Aman Commercial Crime Investigation Department officer Assistant Superintendent Mohd Sa’adon Sabirin said the Covid-19 pandemic worsened the situation since more people are making online purchases. As the COVID-19 pandemic continues to affect commerce across the globe, fraudsters are using phishing emails and scam websites to bait victims, often referred to as “social engineering” fraud. Fraudsters have used phishing emails for decades to obtain vital personal information from consumers to perform bank-account takeovers, and such emails have skyrocketed during the pandemic. Meanwhile, the parcel scam is another top reported case, causing victims to lose their money instantly.
For example, if you come across suspicious parcels or payment requests, meaning you are sure that you made no cash-on-delivery online purchase, make sure to reject the delivery and report the scam to Ninja Van Malaysia or the relevant courier service and the authorities. Sometimes victims receive a message that pretends to be from a package delivery firm and prompts them to install a tracking app, but the app is a malicious piece of spyware. This malware is called Flubot; it can take over devices and spy on phones to gather sensitive data, including online banking details. The public can also randomly receive unknown calls pretending to be from authorities such as the Royal Malaysia Police or the Royal Malaysian Customs Department, informing them that crimes or offences have been committed by these potential victims. In fact, the call recipient has every right to ask the caller to reveal his full name, the police station where he is based, his identification number, and the name and details of his superior officer. “Our people are so gullible. When the caller says he is from a police station, they believe him instantly,” Ahmad Noordin commented during RTM’s Bicara Khas programme aired in mid-October. This is how, for example, the Macau scam syndicates lure their victims into their traps. The public must be aware that no financial transaction involving a government body can be made using an individual’s personal account. Any payment due to a government body can only be made at the counter of its official premises.
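As an added illustration, not part of the original article or of any vendor’s product, the short Python script below scores SMS text for the traits the parcel-scam and “tracking app” messages above share: impersonation of a courier or authority, a request to install an app, payment pressure, urgency, and a shortened or raw-IP link. The keyword lists, thresholds and the three sample messages are all constructed for the example; a real deployment would tune them to local senders and language.

```python
"""Heuristic screening of SMS text for parcel-scam / smishing traits.

Added example, not from the e-magazine. Keyword lists, weights and the
sample messages below are constructed; tune them for your environment.
"""
import re
from dataclasses import dataclass, field

# Constructed indicator lists (assumptions, not from the article).
IMPERSONATION = ("courier", "parcel", "delivery", "customs", "police", "pdrm", "lhdn")
INSTALL_APP = ("install", "download", "tracking app", "apk")
PAYMENT_PRESSURE = ("pay", "fee", "unpaid", "outstanding", "fine", "penalty")
URGENCY = ("immediately", "within 24 hours", "today", "urgent", "suspended")

# Any link, a known URL shortener, or a link that points straight at an IP address.
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|my|net|xyz|top|info|ly)/\S*", re.I)
SHORTENER_RE = re.compile(r"\b(?:bit\.ly|tinyurl\.com|t\.co|cutt\.ly|is\.gd)\b", re.I)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Constructed threshold: a courier-style notice with a link already scores 2,
        # so 3 or more needs at least one pressure or install indicator on top.
        return self.score >= 3


def score_sms(text: str) -> Verdict:
    """Return a weighted score and the matched indicators for one message."""
    t = text.lower()
    v = Verdict()

    def hit(words, label, weight=1):
        found = [w for w in words if w in t]
        if found:
            v.score += weight
            v.reasons.append(f"{label}: {', '.join(found)}")

    hit(IMPERSONATION, "impersonation")
    hit(INSTALL_APP, "asks to install app", weight=2)
    hit(PAYMENT_PRESSURE, "payment pressure")
    hit(URGENCY, "urgency")
    if URL_RE.search(t):
        v.score += 1
        v.reasons.append("contains link")
    if SHORTENER_RE.search(t) or IP_URL_RE.search(t):
        v.score += 2
        v.reasons.append("shortened or raw-IP link")
    return v


# Constructed sample messages: one parcel scam, one benign courier notice,
# one fake police notice. None of these are real messages or real links.
SAMPLES = [
    "Your parcel is on hold at customs. Pay the unpaid fee within 24 hours or it "
    "will be returned. Install the tracking app: bit.ly/trk-parcel",
    "Hi, your parcel 1234 will be delivered tomorrow between 2pm and 5pm. "
    "Reply if you are not home.",
    "PDRM notice: a case is registered under your name. Settle the fine "
    "immediately at http://203.0.113.5/case",
]


def screen(messages):
    """Score a batch of messages; returns (score, suspicious, reasons) per message."""
    return [(v.score, v.suspicious, v.reasons) for v in map(score_sms, messages)]


if __name__ == "__main__":
    for text, (score, flag, reasons) in zip(SAMPLES, screen(SAMPLES)):
        print(f"{'SUSPICIOUS' if flag else 'ok        '} score={score} {text[:50]!r}")
        for r in reasons:
            print("   -", r)
```

The scoring is deliberately additive so that a single feature (a courier name, a link) never flags a message on its own; it is the combination of impersonation, an install or payment demand, urgency and an opaque link that distinguishes the Flubot-style lure from a genuine delivery notice.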
Statistics of cases in Malaysia
A total of 103,573 mobile malware attempts were detected in Malaysia last year, alongside the increased usage of e-payment platforms. In general, 99.9% of the mobile threats targeted Android and less than 0.1% targeted iOS. Malware that aims to infect smartphones used for digital payments tricks consumers into downloading fake, legitimate-looking e-wallet apps. Over the past few months, we have seen cybercriminals use their well-established tactics and malware to play on human curiosity and the need for information, because attackers see the Covid-19 pandemic as an opportunity. During this pandemic, most people must work from home, and working from home poses new challenges that cybercriminals in Malaysia exploit.
Figure : Threat Exposure in Malaysia
In Malaysia, the threat exposure rate is 17.44%. Malware statistics and forecasts for Malaysia are compiled on a regular basis to keep users updated on the latest malware issues and threats, especially during the pandemic. Hence, malware is on the rise, and it can affect billions worldwide.
Figure : Covid-19 Total Encounters
This figure shows the spike in mobile malware cases that occurred in Malaysia during the Covid-19 lockdown.
Figure : Trojan-SMS Attacks
Trojan-SMS infections were reported by 32.3% of Android users affected by mobile malware. Malware attacks are highest in the financial industry, which accounts for 29%, followed by government at 26%.
Figure : Mobile Malware cases in Malaysia
Figure : The Most Popular Target of Mobile Malware
Smartphones are by far the most popular target of mobile malware, and the infection rate is soaring. The increase in smartphone infections was 83% following on the heels of a 96% increase during the first half of the year.
Laws to combat malware fraud Even though the Malaysian Computer Crimes Act 1997 was passed to handle cybercrimes, criticisms have been lodged against it on the ground of its lack of comprehensiveness and, in pursuance of the criticisms, suggestions have been made to amend its provisions. This, however, brings the legal community back to the cat-and-mouse game. It is impossible to find the ideal way to reason and respond legally to technology, because criminals will devise new ways to commit crime. Hence, it is essential for us to be careful to avoid becoming a victim of malware. These are the common laws that can be used in combating the attacks, depending on the case:
1. Computer Crimes Act 1997
2. Communications and Multimedia Act 1998 (CMA)
3. Malaysian Communications and Multimedia Commission Act 1998
4. Digital Signature Act 1997
5. Copyright (Amendment) Act 1997
6. Telemedicine Act 1997
7. Optical Disc Act 2000
8. Electronic Transactions Act 2006
Not only that, but we can also monitor our home network for any suspicious network traffic, because early detection can help prevent malware from taking hold. Next, it is important to practise safe browsing and make sure that the connection is secure. A firewall is essential as it can detect and block some of the known bad actors. So, we need to invest in security software to prevent ourselves from becoming victims of malware.
Conclusion In a world where everything can be done with a single touch and controlled with a smartphone, it is essential for everyone to improve their mobile protection. By taking just a few common-sense precautions, you can help protect yourself from malware and other mobile security threats.
Malware Preventions
The eSecurity Bulletin by CyberSecurity Malaysia advised that smartphones, like computers, are also prone to malware infections such as viruses, worms, Trojan horses, rootkits, ransomware, keyloggers, adware and spyware.
As consumers increasingly turn to online shopping for essential and non-essential goods while at home, fraudsters have adapted their techniques to use more sophisticated tactics against consumers, banks and merchants.
Kaspersky recently started its partnership with Digi Telecommunications Sdn Bhd (Digi) to offer the telco’s customers Kaspersky’s robust cybersecurity solution across multiple platforms. Kaspersky Internet Security for Android starts from RM3 a month and has primary features such as blocking suspicious apps, websites and files, stopping spyware from monitoring calls, texts and location, anti-theft, and others. The Royal Malaysia Police explained that information such as telephone numbers and bank accounts received from fraud victim reports would be updated in the “Semak Mule” application to enable the public to check a seller’s information before making a transaction. Financial institutions need to improve two-factor authentication for their users, as a TAC number can be spoofed by mobile malware. If your organization has a Mobile Security subscription, you can define policies to restrict mobile app downloads to specific app stores. This reduces the likelihood of users downloading apps from sites that may contain vulnerabilities, or downloading fake copies of well-known apps. In terms of individual actions to prevent these attacks, we can keep software updated and patched, because software updates ensure that the system recognizes newer threats.
Also, we need to back up our data in case of a malware attack on the system, so that we can restore the data from the backup to recover from the malware. Updating the operating system is essential, because when we leave programs alone, cybercriminals can find their way in through the vulnerabilities.
References:
Ben-Itzhak, Y. (2009). Organised Cybercrime and Payment Cards. Card Technology Today, 21(2), 10–11. http://dx.doi.org/10.1016/S0965-2590(09)70057-X
Goncharov, M. (2012). Russian Underground 101. Cupertino, CA: Trend Micro Incorporated.
Gurjeet Singh and Jatinder Singh. (2013). Investigation Tools for Cybercrime. International Journal of Computer, ISSN 0974-2247, 4(3), 141–154.
David S. Wall. Cyber crimes and the Internet. In Crime and the Internet. ISBN 0-203-164504, p. 1.
http://en.wikipedia.org/wiki/Computer_crime
Briana Crispin. (2021, May 14). Latest Cyber Crime Cases In Malaysia: Malaysians Gullible To Cyber Fraud With Record Number Of Cases. Liveatpc.com, Home of PC.com Malaysia. brianacrispin.blogspot.com
Norton. (2021). What to do if you’re a victim of malware. Retrieved from https://us.norton.com/internetsecurity-how-to-what-to-do-if-youre-a-victim-of-malware.html
Julie Bort. (2008, May 29). Crimeware defense strategies: how to protect your network (and yourself). Network World. Retrieved from https://www.networkworld.com/article/2280117/crimeware-defense-strategies--howto-protect-your-network--and-yourself-.html
Microsoft Malaysia. (2020, Oct 2). Microsoft report shows increasing sophistication of cyber threats. Retrieved from https://news.microsoft.com/en-my/2020/10/02/microsoft-digital-defense-report-cyber-threats/
Wendy Zamora. (2016, Aug 26). 10 Easy Ways to prevent Malware infection. Retrieved from https://blog.malwarebytes.com/101/2016/08/10-easy-ways-to-prevent-malware-infection/
Selangor Journal. (2022, April 13). 103,573 mobile malware detected in Malaysia last year - Kaspersky. Retrieved from https://selangorjournal.my/2021/04/103573-mobile-malware-detected-in-malaysia-last-year-kaspersky/
Phishing Awareness Event
Kevin (Cybersecurity)
Dhanesh (Cybersecurity)
George (Data Science)
Devan (ERP Consultant)
Zakaria (Legal Affairs)
INTRODUCTION The evolution of technology has made communication and the transfer of data incredibly fast, easy, convenient and effortless. While emerging technology has made life easier and more convenient for everyone, it has also introduced many new threats, dangers and security issues, and opened the door of opportunity for scammers and fraudsters. As humans are often considered the weakest link in cybersecurity, social engineering attacks such as phishing have been broadly used by attackers to obtain sensitive information like credit card details, social security numbers and personal information. The attacker can then misuse the collected information for illegal purposes such as identity theft, fraud and scams. Phishing is a well-known type of social engineering attack whereby an attacker uses misleading e-mails, websites, etc. in order to deceive a victim into disclosing sensitive information. Various techniques are used by the attacker to bait the victim, through a trick or through indirect means, to deliver a payload that harvests sensitive and personal information from the target. A successful phishing attack adversely affects the confidentiality, integrity and availability of assets and leads to major financial losses or reputational damage to an organization. According to Verizon’s Data Breach Investigations Report from 2021 (Verizon, 2021), phishing accounted for 36% of data breaches in 2021 compared to 25% in 2019, which shows that the number of victims of phishing attacks has increased significantly. To make things worse, the COVID-19 pandemic has moved work, banking, shopping and other activities online, which in turn has created new phishing opportunities and increased phishing attacks.
CASE STUDIES
Malaysians spent an average of nine hours and 17 minutes a day browsing the internet, according to The Edge Markets (S. Murugiah, 2022). This is equivalent to 141 days a year, or 38.6% of the days in a year, spent on the internet. Malaysia is ranked sixth in the world for the highest time spent using the internet per day, and 32.6% of that time is spent on social media. People also rely heavily on the internet for daily necessities like finances, shopping, news and others. Hence cybercriminals target the cyber world, motivated by financial gain, revenge, hatred, etc. In just the first two months of 2022, a total of RM33.7 million was lost to online scams in Selangor (Farah Solhi, 2022). According to Selangor police chief Datuk Arjunaidi Mohamed, 73.8% of the commercial crime investigation papers opened are related to cybercrime cases; this is equivalent to 405 investigation papers opened for online crime. For example, a company reported a loss of around RM2.9 million to cybercriminals on 22nd February 2022. The phishing attack occurred after the hacker managed to gain access to the company’s email. The hacker sent an email to the bank instructing it to change the company’s banking ID, attaching forms that carried the employer’s forged signature. The bank followed the email request to change the banking ID without verifying the request with the company. This led to RM2.9 million being withdrawn from the company’s bank account via 59 transactions into 18 different accounts, which were suspected to be mule accounts. This case could have been prevented if there were a higher level of cybercrime awareness, making it more difficult for hackers to open bank accounts to be used as mule accounts. In Malaysia, it is an offence under the law to allow bank accounts to be used as mule accounts.
Besides this, this case can also be considered a violation of the Computer Crimes Act 1997, involving unauthorized access to computer material, unauthorized access with intent to commit other offences, and unauthorized modification of computer contents. The remote work and quarantine culture that arose from the Covid-19 pandemic has pushed individuals to go virtual and digital, which in itself opens a window for potential cybercrime and cyberattacks. Cybercriminals are aware that social engineering works best when it focuses on human emotions such as fear, curiosity, greed, helpfulness and urgency. It is no surprise that phishing attacks in Malaysia have increased since the pandemic began, as recently shown in the latest survey, Phishing Insights 2021, by security company Sophos. According to statistics from the Royal Malaysian Police, the number of cybercrime cases reported in Q1 2021 was 4,327, with losses totalling RM77 million. Last year, the number of cases totalled 14,229, with total losses of RM413 million. Kaspersky Southeast Asia general manager Yeo Siang Tiong says that the three trends in cyberattacks and security threats the company observed this year are remote-working cybersecurity risks, social engineering attacks and ransomware. Working from home (WFH) poses a new cybersecurity risk, as a person’s home is often less protected than their office. In the rush to keep things operational and running, security vetting may not have been as detailed as usual, and cybercriminals customize their tactics to take advantage. An example of a successful phishing attack occurred in 2014, when around 30 computers at Malaysian law enforcement agencies covering the disappearance of Malaysia Airlines flight MH370 were reportedly hacked, with the perpetrators making off with confidential data on the missing aircraft. Asia News Network reported in 2014 that the computers of ‘high-ranking officials’ in several Malaysian aviation and security agencies were hacked and classified information removed. The point of entry for the compromise was said to be a spear phishing attack, with a malicious executable file disguised as a PDF file. When the attachment was opened, the user’s machine would be infected with malware, allowing the hacker to gain access to the PC from outside and send stolen information back to an IP address in China. The spear phishing email, with the subject line ‘Over the South China Sea’ and dated 09 March 2014 – just one day after the aircraft went missing – contained ‘sophisticated’ malware disguised as a news article reporting on the missing Boeing 777. The timing of the email indicates that the malware was prepared before MH370 disappeared and launched by persons unknown to break into Malaysian government systems to extract information. Some Malaysian government agencies reported that their network was congested with email transmitting out of their servers; the emails contained confidential data from the officials’ computers, including minutes of meetings and classified documents.
Due to the nature of cyberattacks, it is difficult to be certain who exactly was behind the attack and though the exfiltration IP address was in China, the attackers could be located anywhere around the globe.
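The MH370 case above turned on an executable dressed up as a PDF. One defensive check a mail gateway or help desk can apply is to compare an attachment’s leading bytes (its “magic number”) with the file type its name claims, and to flag double extensions such as `.pdf.exe`. The Python below is an added example written for this article, not code from the case or from any product; the signature table is the small, well-known set of leading bytes listed in the code, and the sample attachments are constructed byte strings, not real malware.

```python
"""Compare an attachment's leading bytes with the type its filename claims.

Added example, not part of the original article. The signature table is
limited to a few well-known file types; sample attachments are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Leading-byte signatures (magic numbers) for a few common types.
MAGIC = {
    "pdf": b"%PDF-",
    "exe": b"MZ",               # DOS/Windows PE executable
    "zip": b"PK\x03\x04",       # also the container for docx/xlsx/pptx/jar
    "png": b"\x89PNG\r\n\x1a\n",
}
# Extensions that Windows will execute when double-clicked (constructed subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi"}
# Office/Java formats that legitimately carry the zip signature.
ZIP_BASED_EXTS = {"docx", "xlsx", "pptx", "jar"}


@dataclass
class AttachmentVerdict:
    filename: str
    claimed_ext: str
    detected: Optional[str]
    findings: list = field(default_factory=list)

    @property
    def safe_to_open(self) -> bool:
        return not self.findings


def detect_type(data: bytes) -> Optional[str]:
    """Identify the real type from the first bytes, or None if unknown."""
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def check_attachment(filename: str, data: bytes) -> AttachmentVerdict:
    """Flag executable content, executable extensions and name/content mismatches."""
    parts = filename.lower().rsplit(".", 2)
    claimed = parts[-1] if len(parts) > 1 else ""
    detected = detect_type(data)
    v = AttachmentVerdict(filename, claimed, detected)

    # "report.pdf.exe": a document-looking inner extension hiding an executable one.
    if len(parts) == 3 and parts[-2] in MAGIC and claimed in EXECUTABLE_EXTS:
        v.findings.append(f"double extension .{parts[-2]}.{claimed}")
    if claimed in EXECUTABLE_EXTS:
        v.findings.append(f"executable extension .{claimed}")
    # The MH370-style case: PE bytes behind a .pdf name.
    if detected == "exe" and claimed != "exe":
        v.findings.append(f"content is a PE executable but name claims .{claimed}")
    elif (detected and claimed and detected != claimed
          and not (detected == "zip" and claimed in ZIP_BASED_EXTS)):
        v.findings.append(f"content looks like {detected}, name claims .{claimed}")
    return v


# Constructed sample attachments (first bytes only; nothing here is real malware).
SAMPLES = {
    "Over the South China Sea.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",
    "article.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "report.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",
}


def screen_all(samples=SAMPLES):
    """Return {filename: findings} for a batch of attachments."""
    return {name: check_attachment(name, data).findings for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in screen_all().items():
        status = "BLOCK" if findings else "ok   "
        print(f"{status} {name}: {'; '.join(findings) or 'no findings'}")
```

The point of the check is that the filename is attacker-controlled while the leading bytes are not: an executable must begin with its loader signature to run, so a `.pdf` name in front of `MZ` bytes is a reliable indicator regardless of how convincing the lure document looks.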
STATISTICS OF THE CASES
Phishing is one of the most prevalent forms of cybercrime in Malaysia. According to statistical data available on the MyCERT website, phishing is categorized under fraud, which has been among the most widespread and extensively reported categories over a period of five (5) years, as seen in Figure 1.
Figure 1: 5 Years of Reported Cases of Phishing Activities (Incident Statistics, n.d.)
The graph illustrates a 51.75% rise in cases from 2018 to 2019, from 5,123 to 7,774 cases. There has been a slight decrease in reported phishing cases in recent years, but it continues to be the most common category of cybercrime, accounting for more than half of all reported cases across the other types. Although only about 1,242 phishing cases have been reported in 2022, this figure still signals an alarming trend, since it covers only the first quarter of the year; based on previous data, we may anticipate around 4,968 cases by the end of 2022. This growing trend is happening not just in Malaysia but in other countries throughout the world. During the covid-19 pandemic period, the number of phishing cases reported surged by 600% from January to February alone, jumping from 137 to 1,158 reported cases (Zakaria, 2021).
LAWS RELATED TO PHISHING
Phishing is a form of identity theft or fraud. It often happens through emails masquerading as communication from purported government agencies, banks or reputable companies in order to induce individuals to reveal personal information such as passwords and credit card numbers. With regard to Malaysian cyber laws, there is no specific provision on computer-related or online identity theft. However, it has been suggested that reference may be made to the Penal Code, and that Section 416 of the Penal Code may be applicable to identity theft. Section 416 of the Penal Code provides that it is an offence to “cheat by personation”, where a person cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such person really is. The offence of cheating by personation is punishable with imprisonment for a term which may extend to seven years and/or a fine. To date, there are no reported cases specifically in relation to phishing.
Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses) is an offence punishable under the CCA. Under section 5 of the CCA, it is an offence for a person to do any act which he knows will cause unauthorized modification of the contents of any computer. Section 4 of the CCA creates a further offence against persons who commit the hacking offence under section 3 with the intent to: (i) commit an offence involving fraud or dishonesty which causes injury under the Malaysian Penal Code (the main penal statute in Malaysia) (the “Penal Code”); or (ii) facilitate the commission of such an offence, whether by himself or any other person. A person found guilty under section 4 is liable to a fine not exceeding RM150,000, or imprisonment not exceeding 10 years, or both.
CONCLUSION
Without doubt, phishing will remain a major threat in the future. With greater situational awareness and knowledge about attack techniques and methods, people can become better defenders. The primary reason that phishing incidents are on the rise is the absence of knowledge about attackers’ strategies and techniques. Every single day, hundreds of innocent users lose their personal information, credentials to their online accounts, bank account details, etc. due to phishing attacks. Unless individuals begin educating themselves about phishing, attackers will continue to escape the clutches of the law and acquire significant monetary benefits.
The government has put in place multiple laws to cripple phishing of the public and private sector. More awareness needs to be created regarding the dangers of falling for phishing and becoming a victim. Knowing the law will always give you an avenue to pursue further action to claim back your losses in terms of money or assets. Always be vigilant against cyber-attacks, as phishing is the most common cybercrime nowadays.
REFERENCES
Farah Solhi. (2022). RM33.7 million lost to online scams in Selangor in 2 months. Retrieved from https://www.nst.com.my/news/crimecourts/2022/03/776014/rm337-million-lost-online-scams-selangor-2-months
Incident Statistics. (n.d.). MyCERT. Retrieved April 11, 2022, from https://www.mycert.org.my/portal/statistics?id=b75e037d-6ee3-4d11-816966677d694932
June Moh. (2021). Ignore cyberthreats at your peril, Malaysian businesses told. Retrieved from https://www.thesundaily.my/business/ignore-cyberthreats-at-your-peril-malaysian-businesses-told-EG8448475
Pillai, D. and Han, Y. S. (2019). “Malaysia”, In The International Comparative Legal Guide to: Cybersecurity 2019 (pp. 130-138), London: Global Legal Group.
Sally Adam. (2021). Phishing Insights 2021. Retrieved from https://news.sophos.com/en-us/2021/08/26/phishing-insights-2021
Verizon. (2021). 2021 data breach investigations report. Results and analysis. Retrieved from https://www.verizon.com/business/resources/reports/dbir/2021/results-and-analysis/
Zakaria, A. H. (2021). Strengthening Cybersecurity At Home. eSecurity, 51(2/2021). Retrieved April 11, 2022, from https://www.cybersecurity.my/data/content_files/12/2246.pdf
PATRICIA SITINATHAN K.PRAGATISWARAN KRISHNAMURTHY SARMILA ELANGOVAN LEE KHAI YEAN NORSUAINI BINTI MOHAMED SHARIFF
This is a report of an interview project that we completed for our Cyber Security project in line with the topic of HACKING. Our team had to interview a Professional Risk Advisor in the workplace and analyze the interview.
Prepared by, NARESH A/L M NARENDRAN
Nature of Report
Interview Session
To get more insights and understanding on the subject of Cyber Security, we were instructed to conduct an interview with an individual within the field of Cyber Security. There was no stipulation about the medium used for the interview or the types of questions that needed to be asked. Students were permitted to select their own respondent in the hope that they would be able to interview someone involved in a career path that the student found interesting. The report is directed toward fellow classmates, as well as future students in the class of Cyber Law & Ethics. The report aims to inform students about the field of Cyber Security, precisely on the potential risks an organization tends to be exposed to.
Respondent’s Background The respondent we interviewed (En Azlan Mohamed Ghazali) is the Director of the Risk Advisory Division at Deloitte Malaysia and holds numerous professional certifications such as ISO27001, ITIL and COBIT5. Prior to joining Deloitte, he served as a Director of Cyber Security for one of the Big Four accounting firms for two years and led various engagements on Cyber Security with GLCs, FIs, broadcasting and plantation companies. He was also the Engagement Director and SME for a few projects such as Cyber Maturity Assessment, Development of Technology Risk Framework, Development of Security Policy and Procedures, ISO27001 implementations, and multiple engagements on Security Testing (VAPT/Red Teaming) and Compromise Assessment.
Why this Respondent was Chosen We recently had a Webinar session where a Deloitte representative was invited to give a talk to our fellow students and an external audience on the topic of Cyber Hacking Awareness. En Azlan, being the Director of the Risk Advisory Division, appointed 2 members from his team to represent the Deloitte Risk Advisory Division and give the talk. The event was very fruitful and our participants were delighted with the knowledge and information gained from the session. Hence, we decided to arrange an interview session with En Azlan to learn more about the role of Risk Advisory in the corporate world and get more insights into the Risk Advisory subject.
Goals for the Interview We had several specific goals in mind when we approached this interview. As previously mentioned, we wanted to understand more about Risk Advisory. Also, we think Cyber Security is an interesting career path and we wanted to develop a deeper understanding of the mechanics that go into this type of role. Additionally, we wanted to share the experience and understanding with our fellow classmates.
Narrative of the Interview We have a total of 9 questions which we prepared for this interview. We conducted our interview on the 25th of April 2022 (Monday) at 4pm. At first, we were concerned that En Azlan might be too busy with his work and not be able to attend the interview. Despite a reschedule of the interview from 22nd of April to 25th of April, we were glad that the interview session went well, and we gained the outcome which we expected.
Impression of the Interview Our impression from this interview was very positive. Not only did he answer the questions which we raised, but he gave a lot of insightful information and scenarios which were good to know. Despite establishing contact with our respondent, we had never met him face to face before. However, we built a good rapport and relationship during this interview session and during the previous arrangement with him for the Webinar session. We will certainly keep his contact for future reference. All in all, we were pleased with the outcome of the interview.
M : The question of this interview is about BNM regulation on the risk advisory?
R : Yes.
M : Do you want me to ask you questions or you want to explain a bit first?
R : Ok, I just brief you a bit. As a background, right, because your question is if you are aware of the RMIT, Risk Management in IT, that is issued by Bank Negara. It’s a guidance for all financial institutions under FI; whether you are banks, whether you are a large bank, you are a small bank or you are insurance, you need to sort of comply with these requirements. They call it RMIT standards. It’s talking about how the banks or how the financial institutions should manage their cyber risks. So, if you are aware, there are a lot of risks. There will be Operational Risk, there will be Capital Risk, Market Risk, but RMIT is a guidance for FI to manage, to assess in terms of the cyber risk that is currently being practiced in their organizations.
M : Okay, but what does RMIT stand for?
R : Risk Management in IT.
M : Risk Management, okay. So, Bank Negara is taking a serious look into it as well?
R : It is owned by Bank Negara and issued by Bank Negara to be a target client to all the FSI.
M : Ok, FSI is a small medium?
R : No, sorry, it is Financial Institution.
M : Ok.
R : Before the RMIT there were guidelines owned by Bank Negara; they call it GPIS-1. So, if you have been involved in IT with the banks for the last 20 years, basically the original document where Bank Negara defined their requirements, defined their compliance, was GPIS-1. But that’s quite an old document. Then back in 2020, based on that GPIS-1, Bank Negara issued a latest version, then they changed the name to Risk Management in IT. So RMIT is a minimum baseline, meaning requirements for FI to conduct, to assess or to establish cybersecurity in their organizations. So, they divide it into two elements: they call it Technology Risk, how the organizations can establish a technology risk, what they need to assess, as well as a Cyber framework.
So, inside the RMIT, you can Google and you can download, it is a free document, and it is all open documents. There are Technology Risks, PRMF, as well as Cyber Risk (CRF) as well as Cyber Risk CRM. So, these are the two main components in RMIT.
M : Ok, so these components, do they have subcomponents as well?
R : Yes, there are subcomponents as well.
M : What are they, sir?
R : One of them is talking about the governance and board involvement. They want to emphasize how Senior Management, from both Directors as well as government, should establish Senior Management. So, what are the commitments, what should they be aware of. There should be a commitment from the board. There should be a dedicated CISO irrespective of IT. CISO stands for Chief Information Security Officer; that is a mandatory requirement for the bank to have a designated role in the organizations. Then from the board of directors, what they need to be aware of, what are the risks that they are facing, what are the resources they support, what are the commitments they should commit to the organization to manage these cyber risks.
M : Sir, just want to ask you, can the financial industry, FI, operate without RMIT, without a risk assessor?
R : No, it is compulsory now to all FI. Back in 2020, once Bank Negara released this RMIT, what the banks did first, they needed to conduct compliance, where they are in terms of their current state against the RMIT requirements. After that they gave about one year to implement, to comply with the requirements. So, for instance, for example banks need to have a dedicated CISO. If they assessed back in 2020, maybe none of the banks had a CISO. So, they must source for a CISO or appoint a CISO; they need to establish Cyber Risk.
M : What is CISO?
R : CISO is Chief Information Security Officer.
M : Thank you, sir.
R : So back then the bank had to assess where they are in terms of level of compliance, then the bank needs to report to Bank Negara: now we are 70% compliant because some of the controls are there, but there are also new controls, right. After one year most of them must fully comply with those requirements. So that is RMIT.
M : How do FI assess an organization’s internal risk from BNM’s point of view?
R : Ok, there are a couple of ways. One of them, they should use RMIT itself; it is one of the approaches to assess in terms of their potential risk from a cyber perspective. You remember this, we are talking about Cyber Risk, we are not talking about other risks, we are not talking about operational risk, we’re not talking about market risk. We are talking about Cyber Risk.
M : So about hacking and ransomware, malware?
R : No, a lot of that is one of the common issues that we know, right, by the public, but they need to assess in terms of their ecosystem: what is the supplier risk, what are the system risks, what are the people risks. They need to look at it from a holistic view. If I am a bank, I need to say first I need to assess what is my internal risk from cyber: am I exposed to any internal exposure from my internal staff, sabotage of my systems that I currently have on board, is there any cache issue, is there any configuration issue that I should be aware of, is there any software recording problem or is there any hardware problem that potentially can be hacked. So that is from the technology perspective first.
M : Sorry sir, when you say it about the technology perspective, is Bank Negara looking into making blockchain a platform for financial institutions?
R : It is not part of the RMIT role.
M : All right. But I heard that blockchain technology reduces cyber risks because they have many nodes to affirm security threats and all that, am I right?
R : That is what is being claimed by that enterprise as well.
M : Yeah, that’s right, but I heard also that Bank Negara is looking into it, but they haven’t come to a final decision on it, am I right?
R : Yes, nothing on that yet. So just now we were talking about internal risk, right; the bank also needs to consider what is the external risk. Externally it is coming from the vendor, coming from the regulators, coming from the market. So for external risk, if I am a bank, I need to assess who is my vendor, who is my supply chain, right? If I am relying on third parties, then if that party screws up, my system will screw up, right?
M : Yes.
R : For instance, banks rely on a SOC 24x7 owned by third parties; there is a need to assess as well third-party risk or ecosystem risk, so they can leverage on RMIT, they can leverage also on different standards, foresters. We have NIST, we have ISO standards. These kinds of standards give a benchmark to the banks to assess where they are in terms of the cyber risk from external and internal.
M : Ok, so basically the standards are not the tools, they are just system quality, am I right?
R : It’s a framework.
M : So, what are the tools of risk management, are there any tools, any software they use to evaluate?
R : When it comes to solutions you can use a manual, you can use your tools. There are some tools that I am aware of. From RSA, they call it Archer; it is a tool to register all those risks in the system. So, do you know how to conduct a Risk?
M : Not really.
R : So, it means first we need to assess, to identify the risk; we need to assess what is the risk. For instance, I have asset system A, which is my asset. I identify the risk: what are the potential risks to the asset, attacking, server crash, misconfiguration, that is the potential threat, right? Then I need to assess why it happened: that threat can exist because of my weakness in terms of a lack of configuration, I do not harden the box, I don’t have any policies, I don’t provide any security control in terms of the versioning, I don’t patch my machines. So, because of lacking that part it puts me at a threat of server crash, someone can hack into my system, and then I need to assess what is my control. The control can be referred to any control, for instance I hardened my box, I am using a standard or remove certain unusable services, I secure my machine, right? I do regular patching, so when there is a patch released by the principal, I patch my machine accordingly. I review my asset accordingly. So, with all those mitigations I can bring down the risk, because the likelihood, the possibility of impact, will reduce accordingly because I put a control, I put a solid control to bring down the impact, to bring down the possibility of occurrence, because risk, the risk is normally calculated by the likelihood of it happening times the impact of that threat. So, I got a gross risk; when I put a certain mitigation, I will bring down the numbers to a level where I can accept the risk. So, the moment you know there is a risk, you need to plan whether you want to accept the risk, whether you want to transfer the risk, whether you want to manage the risk or whether you want to avoid the risk.
M : So, what you are saying is that they budget a risk assessment, that means they pre-plan ahead, they have like a financial budget, they have a risk budget where they think this might happen or what they do, is that what you’re trying to tell me?
R : Right.
M : So that means they must sit down, they have to brainstorm and see this is the current trend that is everywhere, these are the current security risks that are happening everywhere. So, they plan for it.
R : Yes, we do not get it planned, but we call it risk assessment; they need to conduct assessment. The right word you need to use is Risk Assessment. You need to assess every single thing that comes into your obligation, so let’s say the current trend, how they attack my system. So, I need to assess from various angles.
M : How frequently must BNM conduct this risk assessment?
R : According to RMIT it is once a year you send your report, but it is subject to the transitions for this framework as well. Normally there will be an ad hoc one as well: when there is a new system deployed you need to conduct a risk assessment, because when you introduce a new system there will be some potential risk, right? So, at this time you need to conduct an assessment. Number two, when there is a major change in the organization.
M : Do they do a risk assessment when there is new software, new hacking software, new hacking tools that are out in the market, will they do a risk assessment then as well?
R : No, that’s not related. Why do I need to know their tools? I need to assess the risk in my system that I introduced. If I bring a new car, what are the risks that I bring to my acquisition; if I bring a new system, I do not care about whatever tools are introduced in the market because I will not use that. I am only worried if I bring a new system to my company, that system can give me trouble, then I will assess what are the risks I bring to my position.
M : Based on the pending threats that we have now, no future threats? They do not anticipate future trends?
R : They also need to anticipate future threats; part of the risk assessment is to anticipate a future threat.
M : Ok, and from your experience what was the most unique case you have encountered so far?
R : What do you mean?
M : Regarding risk assessment for financial industries, what unique case have you gone through? I think the latest one was CIMB, right, everybody’s bank account went to negative, savings became known.
R : No, I cannot comment, but if you ask me personally that is not a hacking issue, man. This is just double posting. That is not a cyber-attack.
M : Ok, is it a software error?
R : No, it is not a software error. We suspect they did double posting. That is my view.
M : Ok.
R : We do not know what the exact cause for that is, but if you ask me that is not a cyber issue.
M : Ok, but in your experience, any case that you came through?
R : Based on our assessment it is not what happened in the bank. Based on our engagement with a couple of banks, we, part of the foresters, conduct a so-called red teaming exercise; one of the engagements we call it red team. Red team is a mandatory assessment to be conducted by the banks as per the RMIT standard. It means if you open RMIT and search red team, that’s a mandatory exercise to be conducted by the bank. So, one of our experiences with the bank, basically we managed to access their critical area, we managed to do social engineering, we managed to access certain data, meaning we managed to penetrate the bank.
M : Ok, this is what they call ethical hacking?
R : Yes, part of the ethical hacking law.
M : Lastly, do you have any advice for BNM to reduce risk?
R : It is not BNM that reduces it. It is the bank that reduces it; it’s an organization. If you fully understand what your risk appetite is, they are coming from three main angles. You need to look at it from people, process and technology. So, from people, you need to understand what the risk is from people, from your staff; you need to assess whether there is any internal sabotage; you need to understand what the potential threat is coming from your internal team. Whether they are given the right access or not, or are they given extra access. In most cases staff have a privilege to access certain data freely and then they can transfer, share with anyone, because you do not have a technology to detect that unless you have psychology.
You know, the moment my staff prints, opens, or reads this document it will trigger an alert, but without that nobody knows; then do you implement certain controls to prevent that determination, for instance they should have DLP, data leakage prevention, tools to alert when someone prints, copies, or emails to third parties. That is one from internal. Number two, you need to check from the access perspective: are you giving extra access to your staff or not? By right this guy only has to do data entry, but you also allow this staff to do an approval. So, it means you give them free extra access, extra privilege, which is a wrong thing based on their job level. There must be a proper segregation of duties that is to be established by the banks. That is why if they follow the RMIT they know exactly they need to review the access on a quarterly basis, maybe on a yearly basis, review the access to data centers, who can come to your data centers. You block everyone but you allow cleaners to come here. The cleaner has everything to control; that cleaner can plug in the USB. So that one is from internal. From external, they should have all those processes in place to mitigate, for instance when it comes to cyber incidents. They should have a team, a dedicated team, to manage cyber incidents. They need to have a playbook. Let’s say today the issue is about ransomware: are banks aware of how to respond, how to take action when it comes to ransomware? Do they have a test scenario or not when it comes to a DDoS attack, when it comes to a ransomware attack or when it comes to data exploitation; do they have a dedicated team or not? They call it blue team, to respond and then how to stay resilient on these things; then it comes to the process-wise. The third one will come to the technology. Without visibility they do nothing. Research shows that organizations require about six months to know whether they are being hacked or not.
So, without tools, without monitoring, without 24/7 monitoring, without the IPS, without the proper configurations, without the proper IBS and without analysis, you never know whether you’re being hacked or not. So, banks always need to look at it from people, process, technology, how these three main components play a key role in identifying their potential cyber risk or assessing their cyber posture.
M : Ok.
R : That is my advice. So, banks always need to look at it from this angle, not just focus on the system, because the system always has new technology here and there, right, but the moment you bring a new system you need to look at it process-wise and people-wise. So, three things always come together, back to the risk assessment of organizations.
M : Thank you, sir, thank you for your time. Anything else you would like to add regarding these topics?
R : What is your intention here?
M : We just want to write an article regarding how the organization should assess internal risk based on BNM’s perspective. You gave us all the information on how to assess; when they assess they use RMIT and all that. Anything else you think that Bank Negara should look into, as per your experience, anything else that Bank Negara is missing out?
R : Before that, this article, are you going to publish it?
M : Yes, to our Unitar e-magazine. I searched on Google on risk management in technology. Some are saying that they have a division called Risk Management in Technology and they have specialists on that. So, to be an RMIT specialist, do you have to do any exams?
R : No. If you understand RMIT, they say that you need to have a dedicated cyber team. So, from there we assess, when we do the assessment or when we do a compliance, the current state of our banks: we will see how strong is their cyber team? Do they have enough resources to manage all those cyber issues in the organizations? Otherwise, we will propose to have three head counts on governance, two persons taking care of the compliance. You also need to have a Cyber Security Operations that is doing firewall, network security, managing day-to-day IT security operations. You also need to have a dedicated team doing policy and then compliance work.
M : Even technology audit, right?
R : Yes, technology is also one of the keys that they need to pop up. That is what they call technology audit; they don’t call it IT audit compliance, right, because whatever technology that you bring, it says you need to do a sort of assessment.
M : I just did a quick review; they have six policy requirements. The first one is governance, and then technology risk management, and then technology operation management, and then cyber security management, and then technology audit, and internal awareness and training; that comes under policy requirements for RMIT.
R : Yes, under RMIT you see the word “S” as well as “G”. “S” is mandatory to be performed by the banks, by the FI; “G” is a guideline.
M : Where do we see that?
R : Under the bullet points. If you open the RMIT, there is. You see right there, for each of the descriptions, right, bullet point, there is “S” and “G”.
M : Yes, thank you Mr. Azlan.
R : All right, okay, thank you man. Wonderful session. Ok everyone.
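The risk calculation the interviewee walks through (likelihood times impact gives a gross risk, controls bring it down to a residual risk, and the organisation then decides whether the residual is within its risk appetite) as an added worked example in Python. This is not the interviewee's, Deloitte's or any bank's tool; the assets, threats, controls, the 1-to-5 scoring scale and the risk appetite value are all constructed for illustration.

```python
"""Added worked example: a small cyber risk register of the kind the interview
describes. Not the interviewee's or any bank's tool; all assets, threats,
control reductions and the 1-to-5 scales below are constructed."""
from dataclasses import dataclass, field

MIN_SCORE, MAX_SCORE = 1, 5  # constructed scale for both likelihood and impact


@dataclass
class Control:
    """A mitigation and how many points it takes off likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register entry: the asset, the threat to it, the weakness that lets
    the threat materialise, and the controls applied."""
    asset: str
    threat: str
    weakness: str
    likelihood: int                      # how likely the threat is (1..5)
    impact: int                          # damage if it happens (1..5)
    controls: list = field(default_factory=list)

    def gross_score(self) -> int:
        """Risk before any control: likelihood times impact."""
        return self.likelihood * self.impact

    def residual_levels(self) -> tuple:
        """Likelihood and impact after all controls, floored at the minimum
        of the scale (a control can reduce a risk, never make it negative)."""
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(MIN_SCORE, lik), max(MIN_SCORE, imp)

    def residual_score(self) -> int:
        """Risk that remains once the controls are in place."""
        lik, imp = self.residual_levels()
        return lik * imp


def treatment(risk: Risk, appetite: int) -> str:
    """Compare the residual risk with the risk appetite. Within appetite the
    risk is accepted; above it the organisation must still treat it, choosing
    between the other options the interview lists (mitigate further, transfer
    or avoid), which is a business decision this example does not model."""
    return "accept" if risk.residual_score() <= appetite else "treat"


def sample_register() -> list:
    """Constructed entries echoing the situations raised in the interview."""
    hardening = Control("OS hardening, unused services removed", likelihood_reduction=2)
    patching = Control("Regular patching when the principal releases a fix", likelihood_reduction=1)
    dlp = Control("DLP alerts on print/copy/email to third parties",
                  likelihood_reduction=1, impact_reduction=2)
    return [
        Risk("Server A", "compromise or server crash",
             "box not hardened and not patched", 4, 5, [hardening, patching]),
        Risk("Customer data", "staff share data they can access freely",
             "no detection of print, copy or email", 3, 5, [dlp]),
        Risk("Data centre", "unauthorised person plugs in a USB device",
             "cleaners admitted without controls", 3, 4, []),
    ]


def assess(register: list, appetite: int) -> list:
    """Gross score, residual score and treatment decision for each entry."""
    return [
        {"asset": r.asset, "gross": r.gross_score(),
         "residual": r.residual_score(), "treatment": treatment(r, appetite)}
        for r in register
    ]


if __name__ == "__main__":
    for row in assess(sample_register(), appetite=6):  # appetite is constructed
        print(f"{row['asset']:<14} gross={row['gross']:>2} "
              f"residual={row['residual']:>2} -> {row['treatment']}")
```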
Conclusion
Overall, we think the interview was very successful. We learned more about the roles and responsibilities of a Risk Advisory division. Also, we got to know what risks the organization normally faces and what steps are necessary to mitigate the risks. We also got to understand what requirements and guidelines are imposed by Bank Negara Malaysia (BNM) regarding risk assessment. We hope our interview session will enlighten and be beneficial to our fellow course mates.
Member Group 6
OUR PANEL INTERVIEWER
OUR INTERVIEW DETAILS
Many thanks to UNITAR Graduate School Dean Professor Dr. Rozzainun Binti Abdul Aziz and also to Dr. Iznora Aini Zolkifly for their support in the group assignment for this interview session. The interview session this time was conducted by Mr. Muhammad Fakrul Rozi as moderator. Mr. Muhammad Fakrul Rozi gave a welcome speech to the invitees and expressed appreciation for the success of this interview session and for the efforts of Mr. Kesavan Varadhan, our university representative. In this interview session, a total of 7 students were involved. Three representatives were invited from the Ministry of Communication & Multimedia Malaysia (MCMC), namely Mr. Abdul Rahimi bin Ahmad Shamsul, Deputy Director of the Data Protection Department; Mrs. Uma A/P Annamalai, Director of the Policy and Strategic Planning Division; and Mr. Fazlan bin Abdullah, Cybersecurity Officer, Department of Personal Data Protection. This interview session was held on 22/04/2022 using the Microsoft Meet platform. A total of 10 questions were raised during this interview session. Here is the agenda for this interview session.
PDPA ACT 2010 [ACT 709] INFORMATION
SUMMARY OF Q&A
Question 1: What is PDPA (explain as if the audience is 5 years old)?
Answer: PDPA is the Personal Data Protection Act 2010. This act is to regulate the processing of personal data in commercial transactions. The PDPA was introduced to strengthen consumer confidence in business transactions and e-commerce, given the increasing number of credit card and identity theft frauds as well as personal data selling without the user’s consent. So, when we give these details for commercial transactions, for example bank, insurance or any other services, accounting, engineering firms, in the shops, it must be kept in a research method by the data user with whom we keep our information, and we become the data subject. (Answered by Puan Uma A/P Annamalai)
Question 2: What is an individual’s responsibility and penalty under the Act (e.g. data collected for postgraduate research)?
Answer: If you’re collecting data for postgraduate studies from anyone, for that matter, the data you’d be collecting will be anonymous for statistical purposes and it will not be identical information. As for the individual’s responsibility, we should get anyone’s consent to get the data. (Answered by Puan Uma A/P Annamalai)
Answer: If a student conducts research and obtains subject material from others without official permission and receives a complaint, the student can be prosecuted for using data without permission. Acts like this have happened before and can lead to conviction and will be subject to a compound as prescribed by the Malaysian government. (Answered by Encik Abdul Rahimi Bin Ahmad Shamsul)
Question 3: The Federal Government, State Governments and Credit Reporting Organizations are not accountable under this Act; if there is a data breach/leak, who will be held accountable, and under which Act?
Answer: If it involves such matters, it is not subject to the PDPA but instead is subject to the OSA or managed by the National Security Council and the Office of Government Security Officers.
(Answered by Encik Abdul Rahimi Bin Ahmad Shamsul)
Question 4: What is PDPA’s relationship with GRC (Governance, Risk Management, and Compliance)?
Answer: Governance, Risk Management, and Compliance is a bigger framework for an organization to protect the organization in terms of compliance exposure. PDPA in the Malaysian context is one of those laws that an organization which collects personal data will have to comply with under this GRC (Governance, Risk Management, and Compliance). For example, banks need to comply with the Acts under Bank Negara Malaysia and with the PDPA for their banking processes, etc. (Answered by Encik Fazlan Bin Abdullah)
Question 5: When, or under what condition, do individuals or organizations have to apply for PDPA compliance? E.g. is there a threshold of how much data is limited to being used just for personal use or recreation?
Answer: PDPA compliance doesn’t have any threshold; it applies to anyone who collects data. But registration with the Department of Personal Data Protection is required for 13 groups of data users that have been identified thus far. This list of 13 categories includes, for instance, the communication sector, insurance, banking and financial institutions. Compliance is a must for anyone who processes data. (Answered by Puan Uma A/P Annamalai)
Question 6: People need to be empowered to be aware of the importance of taking care of their data; what is the current best way for anyone to know more about this?
Answer: People around the globe are already very much aware of personal data protection and, following some data breach incidents, Malaysians have started to pay more attention to data privacy as well. From the government side, they’re doing their best to inform the citizens to take care of their personal data. (Answered by Puan Uma A/P Annamalai)
Question 7: Is there any new development, or future for PDPA within the PDPA communities? E.g. public events, expos, or seminars?
Answer: Actually, throughout the year we have a lot of consensus seminars and webinars; some we do with data users, some of them are by invitation, like how you have engaged us today. We have a lot of radio talks on PDPA as well as TV programmes. We are quite active on Facebook; we inform about every gist of the act and circulate a lot of information on our Facebook. We have templates distributed at some programmes organized by the ministry as well. (Answered by Puan Uma A/P Annamalai)
Question 8: The recent event, the sale of the tracking app MySejahtera to a private company, raises concerns. What is your opinion on this? And is it a solution to transfer the accountability to a private company, since the government will not be under the PDPA Act?
Answer: On MySejahtera, the minister and ministry have cleared the issue. The act is not assault to any private companies. MySejahtera is handled by the Government, which is not covered by the PDPA. MySejahtera has a lot of engagement with JPDP. Our advice to any government agencies, even though they’re not covered by the act: they must make sure their contract with data processors, or the private companies who help them develop and maintain the system, is quite comprehensive and includes clauses on PDPA, so that the private companies will keep adequate safety for the data that they’re processing on behalf of the government. (Answered by Puan Uma A/P Annamalai)
PHOTO DURING THE INTERVIEW
CONCLUSION
The PDPA’s major role is to supervise the processing of personal data of persons participating in business transactions by data users, to ensure that it is not abused or misapplied by the parties involved. The PDPA stipulates that users must be safeguarded in order to avoid any type of abuse in the storage or processing of personal data of individuals in the public and private sectors in Malaysia for commercial transactions. In order to enforce the PDPA, the JPDP has stipulated that all personal data user groups, comprising people or private parties (the government excepted), must be legally registered for the purpose of preserving consumer and public rights.
Guidelines Or Strategies To Protect Computer Users While Using The Internet
Article by: Ahmad Ikbal Shah bin Amishariff, Durairaj Anbarasan, Lim Geok Leong, Lee Lay Peng, Mior Muzaffar Bin Mior Dahalan
The use of the internet began in the early 80s and, up till today, internet technologies have evolved considerably. People have come to rely on the internet for information, transactional processes as well as day-to-day activities. This trend surged even more in 2020 when the whole world was hit by the COVID-19 pandemic, many people started to work remotely, mainly from home, and students had to resort to online learning platforms that use the internet. In view of the growing use of the internet and the many security concerns that have arisen from it, such as cyber security concerns as well as other threats, there is a need to look into guidelines and strategies to protect computer users while using the internet. The following are some key suggestions that can be taken into consideration for using the internet securely:
Browse the web safely
One of the easiest ways for someone to fall victim to a cyber-attack is through the web browser. One could argue that web browsing is the only way to reach cyberspace, so what can we do to avoid a cyber-attack? One way to safeguard yourself while browsing the web is by being mindful of the potential risk of malware, spyware traps and phishing sites that lurk unnoticed while you browse the internet.
To identify these potential cyber security risks, internet users can follow these safety tips, which lessen the risk of being cyber attacked. Firstly, while browsing the internet, users must avoid questionable sites they have never visited before or sites that make strangely unbelievable offers. Before browsing such websites, do some research on them to see whether any reports of wrongdoing or cyber-attacks have been made about them. In addition, it must be pointed out that certain sites are more prone to cyber-attack, including adult sites, file sharing sites and social networking sites. So, before you click any link to any website, think first and research first before clicking on the link (WEBROOT, n.d.). The second tip that can be used to protect computer users while using the internet is to use modern browsers like Microsoft Edge and Google Chrome, which can help block malicious websites and prevent malicious code from running on your computer. Based on ITPro (2020), Microsoft Edge offers three layers of privacy protection which block harmful trackers from penetrating and harming your computer. This applies to Google Chrome too, which helps protect its users from malicious sites that may steal the user’s password or infect the user’s computer. Furthermore, Chrome updates every 6 weeks to ensure that the browser is up to date with the current security fixes, and if there is a critical security bug, a Chrome update is delivered to the user’s browser within 24 hours. The third tip to protect computer users while using the internet is for users to ensure that their browser is kept updated with the latest updates provided by the web browser developer, such as Edge, Chrome, Firefox and others. These updates help keep the user’s device safe and secure. If you are advised to update your browser, please do so.
Create a strong password & change your password frequently
Nowadays, data breaches and identity theft cases are on the rise. After stealing credentials, cybercriminals will use the passwords to compromise company data, use people’s payment information for purchases, spy on users through WiFi-connected cameras and so on. Therefore, creating a strong password is important; it should consist of a combination of letters, numbers, and special characters. The figure below shows the time it would take an attacker to crack a password with the given parameters (Security.org, 2022). We must avoid using the same password for multiple sites. It is also recommended that you change your password every 3 months to keep it secure, especially for online banking, bill payment apps, social media and email accounts. Activating two-factor authentication is also important for valuable accounts, as it adds another security check after a successful password entry.
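The time-to-crack figure the password section refers to is built from a simple calculation: the number of character classes a password draws on fixes the alphabet an attacker must search, the alphabet size raised to the password length gives the key space, and dividing by the attacker's guess rate gives the time to exhaust it. Below is an added Python example that carries this out and also checks the policy points the section makes (length, character mix, no reuse across sites). It is not Security.org's calculator or code from this article; the guess rate of 1e10 per second, the 12-character minimum and the sample passwords are constructed assumptions.

```python
"""Added worked example (not from the article or from Security.org): estimate
the brute-force key space of a password and the time to exhaust it at an
assumed guess rate, plus the policy checks the article recommends."""
import string

# Character classes and their sizes. string.punctuation holds the 32 printable
# ASCII symbols; characters outside these four classes add no key space here.
CHARSET_SIZES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), 32),
)

# Constructed assumptions: an offline attacker trying 1e10 guesses per second,
# and a 12-character policy minimum.
ASSUMED_GUESSES_PER_SECOND = 1e10
MIN_LENGTH = 12


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker has to search: the sum of the sizes of
    the character classes actually present in the password."""
    present = set(password)
    return sum(size for members, size in CHARSET_SIZES if present & members)


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same classes."""
    return charset_size(password) ** len(password)


def crack_time_seconds(password: str,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case: the whole key space is searched before the password is hit."""
    return keyspace(password) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration the way a crack-time table does ('instantly', '3 days')."""
    if seconds < 1:
        return "instantly"
    units = (("year", 365 * 86400), ("day", 86400), ("hour", 3600),
             ("minute", 60), ("second", 1))
    for name, size in units:
        if seconds >= size:
            n = round(seconds / size)
            return f"{n:,} {name}{'' if n == 1 else 's'}"
    return "instantly"  # unreachable, keeps the function total


def policy_issues(password: str, previously_used=()) -> list:
    """The article's three rules: long enough, mixed classes, not reused."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    present = set(password)
    classes = sum(1 for members, _ in CHARSET_SIZES if present & members)
    if classes < 3:
        issues.append("uses fewer than three character classes")
    if password in previously_used:
        issues.append("reused from another site")
    return issues


if __name__ == "__main__":
    used_elsewhere = {"password"}  # constructed: a password already used on another site
    for pw in ("password", "Summer2022", "Tr0ub4dor&3!xyz"):  # constructed samples
        print(f"{pw:<18} alphabet={charset_size(pw):>2} "
              f"crack time={human(crack_time_seconds(pw)):<16} "
              f"issues={policy_issues(pw, used_elsewhere)}")
```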
Use HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is HTTP with TLS encryption. HTTPS uses TLS (formerly SSL) to add three layers of protection to ordinary HTTP requests and responses: encryption, data integrity and authentication. This protocol protects the integrity and confidentiality of data between the user’s computer and the site. Internet users are encouraged to check for “https” or a padlock icon in the browser’s URL bar to verify that a site is secure before entering any personal or sensitive information (Cloudflare, 2022).
Enable Antivirus and Firewall
Another tip to protect computer users while using the internet is to have an up-to-date antivirus and firewall installed on their devices. Even though users may have been very careful and smart in not clicking on unwanted or questionable sites, cyber threats can still be hidden in the most trustworthy sites, and an up-to-date antivirus and firewall will detect cyber-attacks before they happen. It is worth investing in the best and most secure antivirus and firewall to protect the users’ devices and to protect the users from cyber-attacks such as identity theft, malware attacks, or scamming.
Turn on your browser’s popup blocker
A popup blocker is now a standard browser feature and should be enabled any time you are surfing the web. A popup blocker is a function or a program that prevents additional browser windows, known as pop-ups, from being opened. By analysing the JavaScript code needed to open new browser windows, the blocker identifies the code blocks that open a pop-up regardless of user input; that code is then not executed (Koray, 2021). In general, most pop-ups are advertisements, and some can even carry malware. If the blocker must be disabled for a specific program, it is vital to turn it back on as soon as the activity is complete.
Ignore spam
There is always a need to be wary of emails from unknown senders and never to click on links or open attachments in them. Spam filters in email inboxes have become very adept at catching the most obvious spam. However, increasingly sophisticated phishing emails that imitate your friends, associates, and trustworthy organisations (such as your bank) are becoming more common, so be on the lookout for anything that looks or sounds suspect (Baykara & Gürel, 2018).
Use two-factor authentication
Passwords are the first line of defence against computer hackers, but adding a second layer of protection increases security. Many websites allow you to set up two-factor authentication, which increases security by requiring you to log in with both your password and a numeric code sent to your phone or email address.
Don’t open suspicious attachments or links
Hyperlinks are everywhere on the web, including in email, internet messages and more. They can appear in email, tweets, posts, online ads, messages, or attachments, and sometimes disguise themselves as known and trusted sources. Unlike spam, these links may be sent by someone you know and can still bring misfortune to your devices (Microsoft, n.d.).
Use legal software
Avoid streaming or downloading movies, music, books, or applications that do not come from trusted sources; they may contain malware (Microsoft, n.d.). Many applications and software packages use the internet for various activities, and using pirated material risks third-party sabotage whenever private information is sent.
Never send private information via e-mail
Never transmit confidential data, such as passwords or credit card details, over e-mail. E-mail is not encrypted, and if it is intercepted by a third party it can be read. (Computer Hope, 2021)
Use VPN on public networks
You know nothing about the security of a public connection. Someone else on that network could, without your knowledge, start looking through or stealing the files and data sent from your laptop or mobile device, and the hotspot owner might be a crook sniffing secrets from every Wi-Fi connection. A VPN encrypts your internet traffic and routes it through a server operated by the VPN company. (Rubenking & Duffy, 2021)
Use caution when accepting or agreeing to prompts
When browsing, if you are prompted to install any program or add-on, make sure to read and understand the agreement before clicking the OK button. If you do not understand the agreement or feel it is not necessary to install the program, cancel or close the window. Additionally, when installing any program, watch for any check box that asks whether it is OK to install a third-party program, toolbar, etc. These are never required and often introduce threats, so leave these boxes unchecked. (Computer Hope, 2021)
Always think before you share something
Social networking sites like Facebook are a great place to connect with friends and family online. However, it is also very easy to overshare personal information about yourself or others. Before sharing something on a social network or anywhere else on the Internet, make sure it is something you would not mind everyone seeing. Treat everything you share on the Internet as public, because something you believe is shared privately can be leaked publicly. If you are thinking about sharing something that could offend someone or embarrass you, consider not putting it on the Internet at all. (Computer Hope, 2021)
Make backups of important data
Anything can happen at any time, which is why it is best practice to make backups of important data. If something goes wrong while browsing the Internet, the backup will be the best source from which to retrieve lost data.
Clear your browser cache
Never underestimate how much your browser's cache knows about you. Saved cookies, saved searches, and Web history could point to your home address, family information, and other personal data. To better protect the information that may be lurking in your Web history, delete browser cookies and clear your browser history on a regular basis. (Rubenking & Duffy, 2021)
Conclusion
In conclusion, security is not something to be taken lightly. Many cyber-attacks happen because of the negligence of the users themselves. Creating awareness, especially by highlighting the impact of such negligence, will help ensure that all Internet users take the necessary precautions to avoid losses, whether financial, data, or reputational.
References
Baykara, M., & Gürel, Z. Z. (2018). Detection of phishing attacks. 2018 6th International Symposium on Digital Forensic and Security (ISDFS).
Cloudflare. (2022). What is the difference between HTTP and HTTPS? Cloudflare, Inc. https://www.cloudflare.com/learning/ssl/why-use-https/
Computer Hope. (2021, October 11). How to protect yourself while on the Internet. https://www.computerhope.com/issues/ch000507.htm
ITPro. (2020). 8 of the most secure web browsers. https://www.itpro.com/network-internet/web-browser/357253/8-most-secure-web-browsers
Koray. (2021). What are pop-up blockers and how to use pop-up blockers from browsers? Holistic SEO & Digital. https://www.holisticseo.digital/marketing/pop-up-blocker/
Microsoft. (n.d.). Keep your computer secure at home. https://support.microsoft.com/en-us/windows/keep-your-computer-secure-at-home-c348f24f-a4f0-de5d-9e4a-e0fc156ab221
Rubenking, N. J., & Duffy, J. (2021, March 19). 12 simple things you can do to be more secure online. PCMag. https://www.pcmag.com/how-to/12-simple-things-you-can-do-to-be-more-secure-online
Security.org. (2022). How secure is my password? Centerfield Media Company. https://www.security.org/how-secure-is-my-password/
Webroot. (n.d.). Best practices for how to safely browse the Internet. https://www.webroot.com/us/en/resources/tips-articles/online-activities-internet-security
CEO Conversations - Cyber Security Emerging Regulatory Landscape
EVENT
On Saturday 9th April 2022, UNITAR International University resumed its CEO Conversations event series, now in Season 3, Episode 3. This episode featured Dr. Jasmine Begum and her take on cybersecurity issues. Dr. Jasmine is currently Regional Director, Legal & Government Affairs for Microsoft SEA and New Markets, and is also an Adjunct Professor of UNITAR International University. At the event, the speaker gave an online talk on Cyber Security: Emerging Regulatory Landscape. She began by reintroducing herself and her interpretation of cybersecurity from a global perspective, then described Microsoft SEA's cybersecurity initiatives and its collaboration with Malaysian cybersecurity agencies on the Malaysia Cyber Security Strategy 2020-2024. She also raised the issue of the rising number of cyberattacks nationwide and what law enforcement has done about it over the past years. The speaker went on to share that she strongly believes one of the ways to reduce the rising number of cyberattack cases is cybersecurity education and awareness, adding that cybersecurity education should be encouraged and become the norm for everyone, individuals and organisations alike. She expressed her admiration for the banks' continuous efforts over the years to educate their customers and the public about cyberattacks such as scams and phishing. The online presentation also included a Q&A session, which highlighted a noteworthy question from the audience, “What is the Greatest Threat in Cyber Security”, which the speaker answered perfectly with “The greatest threat in Cyber Security is the IGNORANCE”. The speaker ended her talk with the perfect reminder to all in the audience to be proactive and take precautions on cybersecurity issues. Finally, the speaker and the audience took a screenshot with all webcams on, which ended another successful episode of CEO Conversations.
Phishing
On 4th April 2022, a group of postgraduate students of the course Cyber Laws and Ethics, called Group 1, conducted an event called Phishing and Cyber Attack Awareness. The group members are experts from various industries: Kevin and Dhanesh from cybersecurity, George from data science, Devan from ERP, and Zakaria from legal affairs. The event is a requirement for assignment submission for the course ITNM 5053, Cyber Laws and Ethics, led by Dr Iznora Aini binti Zolkifly. For the event, the group conducted an online presentation, with Dhanesh, George, and Kevin as speakers, and also ran an online survey. The presentation started with an introduction of the event and the group members, followed by a live phishing demo session with Dhanesh, the group's cybersecurity expert, which showed how a typical phishing attack is carried out via email and gave tips on how to spot one. Finally, George presented the online survey results: the survey consisted of 10 questions, had a total of 50 respondents, the average score was 81.4%, and the average time taken to complete it was 3 minutes and 12 seconds. The survey highlighted the lowest-scoring question, “What is Phishing?”, which only 48% answered correctly, meaning the remaining 52% may be potential phishing victims. The event wrapped up with the group's conclusion that a continuous phishing awareness campaign is important. Channels to consider include social media, TV ads, radio stations, newspapers, government collaboration, government policy making, and incentive programmes. The motivation for phishing can vary from financial gain and identity theft to revenge or a political agenda. Phishing awareness should therefore be continuous learning for all, because hackers also keep deploying new ways to exploit our cyberspace.
CYBER SECURITY AWARENESS RANSOMWARE
According to Cybersecurity Malaysia records, the number of cybersecurity incidents has been rising steadily, from 10,722 in 2019 to 10,790 last year. Between January and August this year, 7,495 cases were reported. The top types of incidents are online fraud such as scams, followed by intrusion cases such as hacking and web defacements. The goal is to undertake a ransomware awareness campaign with information and resources that companies and individuals can use to reduce the risk of ransomware. People and organisations should adopt good cyber practices to avoid becoming victims of ransomware. The team members from the Cyber Law and Ethics class created a survey and organised an online talk to spread awareness of ransomware. To further spread the event, the team members also created a Facebook Page on the social media platform. On April 1, 2022, at 9 p.m., they held a Facebook Live session; the live session played a pre-recorded video, and we ran a Q&A session in the live comments during the event.
The live event was well received, with a total of 215 engagements. It allowed participants to engage closely, as they could raise their questions and share a few experiences that had happened to them.
The group were able to share awareness information with their friends and family. This event has raised awareness of ransomware and prevention strategies among those who participated.
Director:
Dr Iznora Aini Binti Zolkifli
Editor Team: Yap Chew Hong, Muhammad Hafiezul Hafizz Bin Hussin, Dinesh A/L Parmasivam, Luqman Hakim Bin Yusof
* With help from writers and friends in MIT