Recommendations from the Hong Kong China Network Security Association on the Hong Kong Post Certification Authority infrastructure

Hong Kong China Network Security Association (HKCNSA) has taken note of recent cyberattacks targeting government departments, organizations, and companies in Hong Kong, and considers it important to strengthen the security of the Hongkong Post Certification Authority (HK Post CA) infrastructure. The Financial Services Cyber Security Committee of HKCNSA has proposed a series of measures aimed at enhancing network security, reducing the risk of data leakage, and ensuring the proper protection of sensitive information.

FPS in Hong Kong mandates the use of certificates issued by Hongkong Post. The threat to the HK Post CA is considerable: from 2008 to 2018 there were 19 cyber incidents involving different CA vendors. If the HK Post CA were compromised, no transaction relying on it would be secure, and the certificates of all FPS participants would have to be re-issued.

FPS is not the only dependent service: iAM Smart+ also uses the HK Post eCert for its digital signing service. These certificate services play a critical role in facilitating business and financial services within Hong Kong, serving both the business and retail sectors. It is noted that Hongkong Post issues 'The Certification Practice Statement' for iAM Smart-cert, and that Hongkong Post engaged an external IA to conduct an Independent Practitioner's Assurance engagement for the in-scope CA services for the year 2023. In the eCert portal, the three audit reports are based on the following references:

* WebTrust Principles and Criteria for Certification Authorities v2.2.2

* WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security v2.7

* WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL v1.8

This WebTrust assessment provides insight into the CA's trustworthiness.

Cyber security is a journey, not a destination; however, the following are examples of measures that would better protect the HK Post CA infrastructure from cyber security threats:

1. Security monitoring and detection for anomalies and events.

2. Automated threat intelligence feeds from different security vendors and organizations, e.g. Cybersec Infohub.

3. Implement EDR/MDR/XDR for all managed servers and endpoints (traditional AV/EPP should not be considered good enough for endpoint security).

4. Multi-factor authentication (MFA) is now required on all privileged accounts and on the non-privileged accounts of critical systems. 2FA/MFA for remote access systems (e.g. VPN) is a must.

5. A privileged account management (PAM) system should be implemented.

6. Reduce the Microsoft Active Directory attack surface to prevent privilege escalation, lateral movement, Golden Ticket attacks, etc.

7. DNS tunneling detection.

8. Strengthened controls around remote access and privileged access to systems. MFA for remote access and close monitoring of such access are required.

9. Implement robust network segmentation to segregate system servers and databases, based on criticality, to better protect more critical and sensitive data, such as clients’ personal data.

10. Monitor, evaluate and implement security patches or hotfixes released by hardware and software providers on a timely basis.

11. Encryption of data in transit and at rest should be implemented.

12. Refer to industry security standards and frameworks when conducting security assessments.

13. Include Certification Authority as part of Critical Infrastructure (if it has not already been identified as such).

By taking these steps, we can further enhance the security and reliability of the certification services provided by Hongkong Post, contributing to the overall trust and resilience of Hong Kong's digital infrastructure.

In the future, HKCNSA will continue to focus on the latest developments and trends in cybersecurity, proposing targeted enhancement measures. It will collaborate with government departments, organizations, and enterprises to promote awareness and technological advancements in cybersecurity, aiming to establish a more secure and robust online environment. This effort is essential for safeguarding the security and reliability of Hong Kong's digital infrastructure.
