KUALA LUMPUR: The Central Database Hub (Padu) requires genuine threat assessments to uncover any overlooked vulnerabilities.
Cybersecurity expert Murugason R. Thangaratnam strongly encouraged testing it against genuine threats through audits or penetration tests on the database.
Murugason, who is Novem CS Sdn Bhd chief executive officer said this was necessary to uncover additional red flags or warning signs indicative of vulnerabilities within Padu's security infrastructure.
"To make sure the test is comprehensive, involve ethical hackers or recognised penetration testing vendors in their security testing.
"Penetration testers provide extensive reports listing database vulnerabilities, and it is important to quickly investigate and remediate these vulnerabilities," he said stressing that the test should be run once a year.
Global Centre for Cyber Safety director Associate Professor Datuk Dr Husin Jazri emphasised the critical importance of managing access rights and fortifying audit trails to address common vulnerabilities.
He also underscored the necessity of employing database encryption as a mandatory technical measure to effectively mitigate these issues.
However, he highlighted that while a centralised data hub offers advantages, it becomes a prime target for skilled hackers worldwide and is more vulnerable to ransomware attacks due to its increased visibility and value compared to decentralised data.
"Multi-layered defences, constant monitoring, vulnerability management, and a skilled team among others are required to ensure data security and privacy are achieved and maintained at all times.
"The security measures cover various aspects of cybersecurity, physical security, and operational procedures," he told the New Straits Times.
Thus, he recommended a continuous process of evaluation and adaptation to cope with emerging threats and technological advancements.
In line with this, he proposed the implementation of third-party cybersecurity audits encompassing defensive and red teaming assessments as integral components of Padu's cybersecurity policy.
He stressed the enforcement of these measures to strengthen Padu's security infrastructure, noting the high maintenance cost and the requirement for a skilled team to operate and safeguard it.
"The use of database encryption as the last layer of defence and to enforce data confidentiality and privacy are mandatory measures to be implemented immediately."
Husin also underscored the critical necessity for Padu to adopt a multi-layered security approach, including defence in depth, Zero Trust, continuous monitoring and logging, strong data governance, effective threat intelligence, rigorous vulnerability management, penetration testing, comprehensive security awareness training, and a robust backup and disaster recovery plan.
Murugason underlined the necessity of configuring every privileged account on a database server with a robust and distinct password.
He further recommended that if accounts are no longer required, they should be promptly expired and locked to ensure tightened security measures.
"Ensure that patches remain current. Effective database patch management is crucial as attackers constantly seek new vulnerabilities in databases, with new viruses and malware emerging daily.
"Irrespective of how solid your defences are, there is always a possibility that a hacker may infiltrate your system. Yet, attackers are not the only threat to the security of your database."
Murugason also pointed out the potential risk posed by employees, acknowledging the ever-present possibility of a malicious or careless insider gaining unauthorised access to sensitive files or data within the system.
"Without an encryption key, they cannot access it and this provides a last line of defence against unwelcome intrusions.
"Encrypt all-important application files, data files, and backups so that unauthorised users cannot read critical data."