MONDAY | FEB 23, 2026
Offence to conduct ethical hack testing without written consent

PETALING JAYA: Ethical hackers in Malaysia walk a legal tightrope, as even well-intentioned security testing can be treated as a criminal offence without explicit written consent, warned the National Cyber Security Agency (Nacsa).

In a written response to theSun, it said Malaysia’s licensing framework for managed security operations centre (MSOC) monitoring and penetration testing is designed to distinguish authorised assessments from unlawful network intrusions.

“Ethical hacking is defined by a specific scope and explicit written consent. Any attempt to access a network without prior authorisation remains an illegal act.”

The framework requires MSOC and penetration testing services to be conducted solely by licensed providers, particularly for organisations designated as National Critical Information Infrastructure (NCII). This ensures that testing is performed by properly credentialled practitioners within approved boundaries.

Nacsa said oversight does not end at licensing. It added that during licence renewal, the chief executive may review a provider’s performance records covering the preceding six years, including whether any NCII entities experienced cyber incidents after MSOC monitoring or penetration testing.

“Licensed providers must maintain service records for six years and produce them on request to support transparency and compliance.”

The agency also highlighted a notable gap between licensed companies and individual practitioners. Malaysia currently has 410 companies licensed for SOC services and 403 for penetration testing, compared with only 23 individuals licensed for SOC services and 53 for penetration testing.

“This is expected because NCII entities, particularly government-linked bodies, prioritise vendors registered with the Companies Commission of Malaysia to meet procurement requirements.

“However, demand for individual freelancers still exists, especially among smaller organisations seeking penetration testing services.

“Cybersecurity is fundamentally a governance issue. Organisational leadership must integrate cyber risk into corporate governance to ensure adequate resources, robust SOPs and effective cyber hygiene awareness.” – By Faiz Ruzman
Cyberattacks enabled by basic security lapses: Experts

BY FAIZ RUZMAN newsdesk@thesundaily.com

‘Authorised tests conducted recently reveal weak passwords, misconfigured networks and exposed services remain common entry points for hackers’

PETALING JAYA: Even the simplest security lapses can leave companies wide open to cyberattacks, with ethical hackers being able to breach some corporate systems in hours.

Ethical hackers, also known as white-hat hackers or penetration testers, are authorised to simulate real-world cyberattacks to uncover weaknesses before criminals can exploit them.

Authorised tests conducted recently for Malaysian companies reveal that weak passwords, misconfigured networks and exposed services remain common entry points for attackers. Many breaches still arise from basic security oversights rather than sophisticated hacking techniques.

These findings were the result of legally approved white-hat hacking exercises designed to mimic real attacker behaviour in a controlled environment.

Exclusive Networks Malaysia country manager Yuri Zaharin and Firmus CEO Datuk Alan See said in a joint statement to theSun that initial access could sometimes be achieved within 48 hours of a penetration test.

They said authorised penetration testing follows a structured process to simulate cyberattacks.

“In one engagement involving a large conglomerate, we managed to get into their official portal as administrator within 24 hours using default credentials to the admin page. It can be that easy.

“People often think attackers are using highly advanced AI-driven methods. While that does happen in some cases, it is often not the reality. Most of the issues we find exploitable by attackers are due to the fact that basic security hygiene is not practised. For example, usage of weak passwords and failure to enable multi-factor authentication.

“We start with reconnaissance to understand the target environment, then attempt to identify weak points such as exposed services, misconfigurations or credential issues.

“From there, we simulate how an attacker would try to gain access and move across the network.”

He added that teams use established testing frameworks and a mix of commercial and open-source tools, many of which are publicly available.

“The tools themselves are not secret. The difference comes down to intent. Ethical hackers use them to identify and report weaknesses so that organisations can fix them while malicious actors use similar methods to exploit those gaps.”

Yuri and See both agreed that poor cyber hygiene could have severe consequences.

“In one ransomware-related case we handled, the organisation was out of business for three weeks and incurred losses amounting to millions of ringgit to fix and revive the environment.”

In another forensic investigation involving a construction and property development firm, a flawed network design allowed attackers to escalate access into a full compromise. The company had placed critical systems on the same internal network, with office computers and servers sharing the same environment while allowing remote desktop access directly from the internet.

“Attackers found this weakness by scanning the service ports and started exploiting the service.

“They eventually got into the server, moved laterally to other systems and caused the organisation’s storage and files to be stolen and then deleted.”

While some organisations act swiftly after penetration testing, others delay remedial measures for months, sometimes until after a breach occurs.

The statement said a persistent misconception among executives is that annual penetration testing is sufficient.

“A penetration test is only a point-in-time assessment. Systems continue to change and new risks can be introduced.”

Many cyber security breaches arise from basic security oversights rather than sophisticated hacking techniques. – AI IMAGE BY FAIZ RUZMAN/THESUN

Problem compounded by delays in addressing vulnerabilities

Delays in patching the lapses leave firms dangerously exposed to rapid AI-driven attacks.

PETALING JAYA: Malaysian organisations may be underestimating their cyber risks as ethical hackers continue to uncover hidden vulnerabilities that automated scans miss.

“Ethical hacking and authorised penetration testing provide a battle-tested view of an organisation’s defences,” CyberSecurity Malaysia acting CEO Roshdi Ahmad told theSun.

“Unlike automated scans, white-hat hackers simulate real-world breaches to expose hidden vulnerabilities that routine checks may miss.”

He said current benchmarks show that organisations take an average of two to three months to remedy critical vulnerabilities, a delay increasingly dangerous in an era in which attackers could rapidly weaponise newly discovered flaws.

When asked whether organisations promptly fix issues uncovered by ethical hackers, he said: “Not fast enough. With the help of AI, attackers can weaponise new vulnerabilities in as little as a couple of days, or even within an hour in some cases.

“This creates a dangerous gap between discovery and remediation.”

He said organisations broadly fall into two camps – those that treat penetration testing as part of a continuous security improvement process and those that remain largely compliance-driven.

“In more mature environments, testing results feed directly into real-time patching pipelines. In reactive settings, findings are treated as one-off audit deliverables, leaving organisations in a constant game of catch-up.”

Beyond delayed fixes, Roshdi said most breaches still stem from a combination of human behaviour and technical weaknesses rather than highly sophisticated cyber warfare.

“While the entry point may be technical, such as unpatched systems, default credentials or exposed admin interfaces, the root cause is almost always human-driven.

“Whether it is delayed patching, misconfigured cloud storage or staff reusing passwords for convenience, these lapses create the perfect storm for attackers. Breaches are rarely purely technical failures.”

Among recurring weaknesses observed across Malaysian organisations is the continued use of weak or default credentials, particularly generic administrative accounts paired with easily guessable passwords.

He added that at the same time, the threat landscape facing local enterprises is becoming more aggressive and complex.

Roshdi said ransomware operations involving data exfiltration and double extortion continue to surge, while credential-focused attacks targeting Active Directory systems, which manage user accounts and access across corporate networks, virtual private networks and cloud identities, are also rising.

He said advanced phishing campaigns, including email, SMS and QR-code-based “quishing” attacks, are increasingly localised to mimic Malaysian brands and government agencies, making them harder to detect.

“There is often a perception that meeting audit requirements and deploying security tools means the organisation is adequately protected.

“In reality, cybersecurity readiness depends on day-to-day operational discipline, identity management, timely patching and effective incident response.” – By Faiz Ruzman