The Computer Emergency Response Team - India (CERT-In) has issued an advisory to improve the outcome of cyber security audits and reduce the threat exposure of cyber-infrastructure. The advisory contains recommendations that CERT-In has derived from analysis of field data from audits conducted across the country.
For the uninitiated, CERT-In has both proactive and reactive roles. In order to prevent cyber security incidents and generate awareness, the national nodal agency issues security guidelines and advisories. It also collaborates with various stakeholders and offers training programs, simulation exercises, etc.
CERT-In & Cyber Security Audit Program
CERT-In maintains a panel of empanelled ‘IT security auditing organizations’. Members of the panel audit, or perform risk assessment/ penetration testing of, computer systems & networks in both the government and private sectors.
Whenever an auditee organization requests it, an empanelled auditor assesses the organization’s information security risks. After a successful audit (with findings closed), the auditee organization receives an audit certificate from the empanelled auditor.
You can read more about CERT-In here.
Several regulatory frameworks mandate such audits, e.g. RBI’s directions for banks, payment aggregators, and payment gateways, and SEBI’s cybersecurity guidelines for the entities it regulates. Organizations can also volunteer for the audit to boost their cyber security credentials.
In case you are interested to know the entire cyber security law scenario of India, you can refer to this guide.
Recommendations to Implement Cyber Security Audit Program
Scope of the Audit: According to CERT-In, most audits cover only websites or web applications. However, the audit scope should be a comprehensive audit of the entire cyber-infrastructure, including systems, applications, software, network infrastructure, SCADA/ ICS environments, etc.
Audit Intent: Organisations should not undertake audits just for the sake of compliance. Their intention should be to secure the cyber-infrastructure to protect the organization’s interests.
Timely action to patch vulnerabilities: Organizations should immediately patch the vulnerabilities that the audit reports highlight. After that, the auditor should perform a follow-up audit to verify the closure of those vulnerabilities.
Audit Methodology: As per CERT-In, audits should not be limited to lists like the OWASP Top 10 or the SANS Top 25. Rather, they should cover the discovery of all known vulnerabilities based on comprehensive frameworks such as the relevant ISO standards, the OWASP Web Security Testing Guide, the Open Source Security Testing Methodology Manual (OSSTMM), etc. Auditors can also refer to CERT-In advisories such as the Cyber Security Audit Baseline Requirements.
Audit Cycles: The top management should review & approve the audit program. This is also a requirement in many rules. e.g. RBI’s Master Direction on Digital Payment Security Controls.
Further, organizations should conduct audits after every change in infrastructure and application. Even if there is no change, audits should be performed at periodic intervals.
Prioritising Preventive Actions
CERT-In says organizations should prioritize preventive actions that avoid the most frequent vulnerabilities. This will reduce the threat exposure of their cyber-infrastructure. To do so, they should:
Maintain & monitor inventory of authorized assets: Organizations should maintain and monitor an inventory of all authorized assets. They should also put in place a proper patch management mechanism to patch vulnerable software, applications, and firmware.
Secure Configuration: Organizations should apply a secure configuration when deploying equipment and applications. This includes closing unused ports, changing and securing default credentials, and removing unused pages.
Implement the Principle of Least Privilege
Limit & Secure Remote Access: CERT-In recommends multi-factor authentication for remote access to cyber-infrastructure. Further, such access should be limited, tunneled, encrypted, and logged.
Consider Security in all phases of application development by adopting a Secure Software Development Life Cycle (SSDLC) or DevSecOps.
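The "Secure Configuration" and "Limit & Secure Remote Access" items above are the two preventive actions that are easiest to verify mechanically before an auditor ever arrives. The script below is an added example written for this page, not part of the CERT-In advisory or of any official audit tooling: it parses a constructed sample of `ss -tlnp` output to flag listening sockets that are exposed on non-loopback addresses and fall outside a documented port allowlist, and it checks a constructed `sshd_config` against a set of expected values (no root login, no password authentication, key plus keyboard-interactive MFA, verbose logging, an `AllowGroups` restriction). The allowlist, the sample output and the expected sshd values are assumptions chosen for illustration; a real deployment would substitute its own documented baseline.

```python
"""Baseline checks for two CERT-In preventive actions (added example):
exposed listening ports outside an allowlist, and weak sshd settings."""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*       users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*       users:(("nginx",pid=1020,fd=6))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*       users:(("telnetd",pid=901,fd=3))
LISTEN 0      70     127.0.0.1:3306      0.0.0.0:*       users:(("mysqld",pid=1133,fd=21))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*       users:(("java",pid=1500,fd=12))
"""

# Assumed allowlist: the ports this deployment is documented to expose.
ALLOWED_PORTS = {22, 443}

# Constructed sshd_config with the weak defaults often seen on fresh installs.
SSHD_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication yes   # inline comment, must be ignored
LogLevel INFO
"""

# Assumed mapping of the advisory's "MFA, limited, logged" to sshd directives.
REQUIRED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "AuthenticationMethods": "publickey,keyboard-interactive",
    "LogLevel": "VERBOSE",
}
# Directives that only need to be present (any value restricts access).
REQUIRED_PRESENT = ("AllowGroups",)


@dataclass
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output):
    """Parse `ss -tlnp` lines into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        addr, port = parts[3].rsplit(":", 1)          # handles IPv6 "[::]:22" too
        m = re.search(r'\(\("([^"]+)"', parts[5])      # users:(("sshd",pid=...))
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def unexpected_listeners(listeners, allowed):
    """Sockets bound to non-loopback addresses on ports outside the allowlist.
    Loopback-only services are not network exposure and are not flagged."""
    return [l for l in listeners
            if l.port not in allowed and not l.addr.startswith("127.")]


def parse_sshd_config(text):
    """Parse sshd_config (or `sshd -T` output) into a lowercase-keyed dict.
    sshd honours the first occurrence of a directive, so later ones are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        conf.setdefault(key.lower(), val.strip())
    return conf


def sshd_findings(conf, required=REQUIRED, required_present=REQUIRED_PRESENT):
    """Return one finding string per directive that is missing or has the wrong value."""
    findings = []
    for key, want in required.items():
        have = conf.get(key.lower())
        if have is None:
            findings.append(f"{key} not set (want {want})")
        elif have.lower() != want.lower():
            findings.append(f"{key} is {have} (want {want})")
    for key in required_present:
        if key.lower() not in conf:
            findings.append(f"{key} not set (remote access is not limited)")
    return findings


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SS_OUTPUT), ALLOWED_PORTS):
        print(f"unexpected listener: {l.process} on {l.addr}:{l.port}")
    for f in sshd_findings(parse_sshd_config(SSHD_CONFIG)):
        print(f"sshd: {f}")
```

Feeding the real host's `ss -tlnp` and `sshd -T` output into the two parsers turns this into a repeatable pre-audit check; `sshd -T` prints the effective configuration with lowercase directive names, which is why the parser normalizes keys. Because the sshd check reads the effective values rather than grepping for a string, a directive that is set twice (a common cause of "we hardened it but the auditor still flagged it") is judged by the first occurrence, exactly as sshd itself does.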
Use Genuine Software and Secure Protocols
You can read the advisory on CERT-In’s website as well.