What's Wrong with CERT-In's Empanelment Guidelines?As Cyber Threats Rise, It's Time to Review and Rewrite the Criteria
With rising cyber threats in India, industry experts question if CERT-In's empanelment norms for IT security auditing organizations are capable of helping enterprises remain in compliance and be able to combat the new cybersecurity challenges.
Since IT security compliance is mandatory for all critical sector organizations, they are allowed to hire only CERT-In empanelled IT security organizations to carry out audits. While CERT-In undoubtedly had the best intentions when it issued guidelines for empanelment, over the years, due to insufficient audit parameters, it has lost its essence in meeting current cybersecurity challenges.
CERT-In's guidelines were issued way back and not reviewed as per current needs. Also, the team is not skilled to assess organizational capabilities in handling VAPT, APT, or zero day attacks
The fundamental question industry leaders ask is why CERT-In should empanel organizations or pre-qualify the security industry, which is never the case in the U.S. or UK, as they need to act just as an advisory. Does it guarantee hard-core security, or is it just a bureaucratic governance structure?
In my opinion, CERT-In's pre-qualification criteria set as part of its empanelment process - including minimum number of technical manpower, formal qualifications, formal experience, number of formal audits in a specified time frame - may be acceptable for financial audits, medical audits, bridge inspection, etc., but does not make sense in cybersecurity, which is much more sophisticated and grave.
For instance, CERT-In's empanelment process includes four rounds including 1) Documentation Round, 2) Offline Practical Skill Test, 3) Skills Assessment Test, 4) Personal Interaction Session at CERT-In and a special test round if found necessary. But all these do not justify the capability of the audited organizations, due to the increasing vulnerabilities the industry is witnessing.
There are in all about 51 organizations, besides the big four, which are empanelled in CERT-In, allowed to conduct security audit in enterprises. Most organizations fail to meet customer expectations and have shortcomings in the vulnerability assessment and penetration tests on the network and OS.
Why does this happen? It's a true case of CERT-In's empanelment breeding complacency, creating a false sense of security and easy catch to win orders. CERT-In's guidelines were issued way back and not reviewed as per current needs. Also, the team is not skilled to assess organizational capabilities in handling VAPT, APT, or zero day attacks.
The guidelines cover basic requirements of technical certifications and compliance standards, but don't look into the manpower and skills of the organizations to support customers in addressing cybersecurity challenges.
An example: it's commonly known that ISO 270001, as implemented in India by auditors, concentrates more on process, rather than ferreting out vulnerabilities. On an average, out of 25 organisations, about 21 suffer a hacker attack despite being certified by auditors. The certification did not prevent hackers from gaining access to data in these organizations. All 25 organizations had IS0 270001 certification and were conducting vulnerability assessments and penetration testing every three months, as is mandatory. As regards APT assessment post-incident, the websites of these companies were found to have simple vulnerabilities such as CSRF, SQL injection (almost 3/10 OWASP top10 vulnerabilities). In over 50 percent of cases, formal discovery of APT attacks or cyber espionage was made only after seven to eight months of the actual event.
The reason for such deficiencies? Most auditing organizations do not have teams with access to zero day vulnerability, they do not have white hat hackers or bug bounty hunters as part of their teams as they are very expensive. How many cases does one know of black hats revealing their secrets on zero days, especially to security auditors? They would make more money selling it to National Security Agencies or governments for use as espionage tools. So, the empanelment norms may be suboptimal for national cybersecurity.
How Should CERT-In Address the Challenge?
If CERT-In must play a vital role in cyber defence, it must incorporate a few stringent measures of evaluation.
The ideal approach would be to combine CERT-In rules and its process-based approach with a program that formalizes the roles of bug bounty hunters and white hat hackers, backed by a CEO-led counter cyber espionage program in each organization.
CERT-In should assess auditing organizations for empanelment based on:
- Understanding that no single organization has capabilities to control end-to-end processes, as most who claim to be so are just tool runners;
- Ensuring that empanelled organizations have motivated, unconventional and highly skilled white hats to counter black hats;
- Hiring bug bounty program hunters and white hat hackers who are on the halls of fame of companies such as Google, Facebook, Microsoft, Apple, who have experience in discovering vulnerabilities;
- Realizing that the main threat comes from hundreds of highly motivated (if maliciously so), highly skilled, highly unconventional individuals either working alone or in informal partnerships.
When critical infrastructure - energy, defense and transportation among the components - form the backbone of a nation's economy, security and health, it's time CERT-In took responsibility of ensuring the empanelled firms establish a cyber-secure ecosystem and have capabilities to handle APTs, VAPT and zero day vulnerabilities.
CERT-In should remove glasshouse infrastructure and encourage bilateral agreements with universities, corporate and international groups to roll out cybersecurity courses and technology transfer and build capacity of professionals to help organizations do their job.