"IT Security compliance is a mandatory requirement for the critical sector organizations. Due to a Government directive or prevailing legal / regulatory provisions, only CERT-In empanelled IT Security auditing organisations are eligible to carry out such IT Security audits." - Guidelines for applying to CERT-In for Empanelment of IT Security Auditing Organisations
Indian Computer Emergency Response Team (CERT – In) no doubt had the best intentions in mind when it issued its guidelines. But as they say, the best laid plans sometimes go awry and such a result may arise as a consequence of some of the technical qualifications specified in the guidelines.
Why should CERT-In be in the business of empanelling organisations or pre-qualifying the security industry? Neither in the US nor in the UK, for example, do the respective CERTs get involved in such issues. Does a CERT-In empanelment guarantee anything, or is it merely an item on a bureaucratic checklist? Such practices also fly in the face of the Government's commitment to Less Government and More Governance. The empanelment norms may also result in regulatory capture.
Pre-qualification criteria such as a minimum number of technical staff, formal qualifications, formal experience and a minimum number of formal audits within a specified time frame may be acceptable for financial audits, medical audits, bridge inspections and the like, but they do not make sense in the area of cyber security.
The best in cyber security in India, indeed the world over, are freelancers: young kids/hackers who are on the Halls of Fame of companies such as Google, Facebook and Microsoft for having discovered vulnerabilities that bypassed the expert eyes of hundreds of highly qualified and experienced domain experts in those organisations. These freelancers and individuals have no certifications, no formal qualifications and no formal audit experience, and will never work formally with any organisation.
Countries like the US have realised this. Instead of concentrating on a few empanelled entities, organisations there are more focused on 0-day exploit finders and bug bounty hunters. These countries realise that the main threat comes from hundreds of highly motivated (if maliciously so), highly skilled, highly unconventional individuals working alone or in informal partnerships. Cyber risks are asymmetric, unconventional and global, and need an appropriate response.
Empanelment can also breed complacency, a false sense of security. In contrast, what effective cyber security needs is a degree of paranoia. Will anyone get fired for ineffective cyber security if the security audit has been done by a firm empanelled by CERT – In? Will CERT-In formally certify an organisation’s cyber security preparedness if the security audit is done by an empanelled firm? Will CERT-In and the empanelled firms provide financial guarantees to back up cyber audits?
It is commonly known that ISO 27001, as implemented in India by auditors, concentrates more on process than on ferreting out vulnerabilities. Out of the 25 organisations that CSPF has done security consulting with, 21 suffered a hacker attack despite being certified by auditors. The certification did not prevent hackers from gaining access to data in these organisations. All 25 organisations held ISO 27001 certification and were conducting vulnerability assessments and penetration testing every 3 months, as their ISO 27001 compliance programmes required. When CSPF did APT assessments post incident, it found that their websites still had simple vulnerabilities such as CSRF and SQL injection (nearly a third of the OWASP Top 10). In over 50% of cases, formal discovery of APT attacks or cyber espionage was made only 7-8 months after the actual event.
0-day exploits, that is, exploits for vulnerabilities unknown to the software vendor, are amongst the most potent tools used by black hat hackers for cyber attacks. How many cases does one know of black hats revealing their 0-days, especially to security auditors? They would make more money selling them to national security agencies or governments for use as espionage tools.
To counter black hats, one needs equally motivated, unconventional and highly skilled white hats, who are more often than not lone wolves. Some of the best white hats this writer knows of have not even passed Std 10, but are nonetheless on the Google Hall of Fame. This is the talent India needs to leverage, and talent that India cannot afford to waste.
Critical infrastructure organisations and businesses in India need to look beyond CERT-In empanelled security auditors. Formal rules and norms apart, organisations need to set up liberal bug bounty programmes and invite independent bug bounty hunters to take a crack at their systems. This alone will separate the men from the boys.
J Prasanna, Founder, Cyber Security & Privacy Foundation