Cyber security audit of websites

Niraj Dubey
India is one of the fastest-growing digital markets in the world, with close to 881.25 million internet users. It is home to the third-largest number of Internet users in the world, after the US and China. Eyeing the huge consumer base that India presented, Internet-based services flooded into India. Around 346 million Indians are engaged in online transactions, including e-commerce and digital payments. Even traditional industries, which earlier functioned largely on manpower, joined the digital bandwagon in order to stay relevant in changing times. The ballooning Indian digital market also caught the eye of cybercriminals, and as India moves further along the path of digital transformation, the threats to its economic sectors rise with it. A presentation by the NITI Aayog identifies the biggest victims of data breaches as financial organizations, healthcare, universities and higher education, and the public sector. To meet this alarming situation and the emerging cyber security challenges, a security audit of the websites concerned is the need of the hour.

A cyber-security audit is a comprehensive analysis and review of an organization's IT infrastructure. Security audits help protect critical data, identify security loopholes, inform new security policies and track the effectiveness of security strategies. Regular audits help ensure that employees stick to security practices and catch newly introduced vulnerabilities, and they are the primary method for examining compliance. An audit evaluates a defined target (a company, a system, a product, etc.) against a stated standard or set of controls. The Indian Government and stakeholders, exploring ways to fight off the rising threat landscape, zeroed in on regulatory norms and guidelines for all services operating in India, with a more stringent focus on the BFSI (Banking, Financial Services and Insurance) and Government sectors. These regulations forced organizations to take due cybersecurity steps to combat cyber attacks.
It is estimated that the security testing services market in India will grow from USD 201 million in 2019 to USD 4.70 billion by 2024. In order to check the menace of ransomware, spamming and phishing, the Government of the Union Territory of Jammu and Kashmir has recently issued directions for an immediate security audit of all official websites and for the sensitization of all employees to fake WhatsApp messages. Moreover, it has been made clear that no digital service shall be launched without a security audit by an agency empanelled by CERT-In. CERT-In is the national nodal agency that provides technical advice to system administrators and users on responding to computer security incidents. It also identifies trends in intruder activity, works with similar institutions and organizations to resolve major security issues, and disseminates information to the Indian cyber community.
As per the Information Technology Act, 2000 (as amended in 2008), a security audit of all applications and web services is mandatory for them to be eligible for hosting in the State Data Centre (SDC). Security testing is usually done by a certified security professional or service provider who, in layman's terms, tries to hack your system or software to find security gaps and reports them, so that the organization can work towards fixing those gaps and make an informed decision in instituting the right security controls for itself. The ongoing process of applying security patches, bug fixes and feature updates is referred to as patch management. Depending on a company's specific needs and goals, security testing can follow different approaches: white-box testing (the tester has full knowledge of the source code and architecture), black-box testing (no internal knowledge, the position of an external attacker) and grey-box testing (partial knowledge, such as user credentials or design documents). The tests involved in security testing may also differ from organization to organization.
WHY SECURITY TESTING:-
Web applications and websites are favourite targets of hackers because they hold valuable information and are relatively easy to exploit. A successful attack can have devastating consequences, including financial loss, damage to brand reputation and loss of customer trust. Because web applications must be available 24/7 and offer data access to customers, employees, suppliers and others, they are frequently the weak link in an organization's security. When hackers gain access to a web application, they often gain direct access to confidential back-end data on customers and the company. For this reason, testing web application security is a high priority for organizations today.
Common security testing goals
* To identify security bugs, missing security rules, configuration flaws, unprotected endpoints and other potential vulnerabilities in a system.
* To obtain a security attestation, as required by Government mandates and the norms of regulatory bodies.
* To design a security programme suited to the organization's own risks, and so on.
Cybersecurity testing types:-
* Vulnerability Scanning/Assessment
* Penetration Testing
* Red Team testing
* Purple Team testing
Tests for Websites/Web Applications :-
* Static and dynamic code analysis
* Server infrastructure testing & DevOps
* Tests to identify loopholes in the business logic
* Authorization checks for user access (UAC)
* Manual & automated application scanning
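As an added example (not code from the original article), the following Python script models the authorization check listed above in the form an auditor applies it: log in as one user and request another user's records. A handler that omits the object-level ownership check is shown beside a hardened one, and the audit function reports which records leak, which is the same probe an automated scanner or a manual tester would run against a real endpoint. The users, invoice records and function names are constructed for illustration and are not taken from any real system.

```python
"""Added example: an object-level authorization check as performed in a
web-application audit. All data and names below are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed sample data: two customers, each owning one invoice.
INVOICES = {
    101: Invoice(101, "alice", 2500),
    102: Invoice(102, "bob", 9900),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Optional[Invoice]:
    # The caller is authenticated (a session user exists) but ownership is
    # never checked: any logged-in user can enumerate ids and read every invoice.
    return INVOICES.get(invoice_id)


def get_invoice_hardened(session_user: str, invoice_id: int) -> Optional[Invoice]:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    # Object-level authorization: deny unless the record belongs to the caller.
    if invoice.owner != session_user:
        raise Forbidden(f"{session_user} may not read invoice {invoice_id}")
    return invoice


Handler = Callable[[str, int], Optional[Invoice]]


def audit_object_authorization(handler: Handler, attacker: str, target_ids: list[int]) -> list[int]:
    """Replay the tester's probe: act as `attacker` and request each target id.
    An id is reported as leaked when the handler returns a record that the
    attacker does not own instead of refusing the request."""
    leaked = []
    for invoice_id in target_ids:
        try:
            result = handler(attacker, invoice_id)
        except Forbidden:
            continue  # correct behaviour: access denied
        if result is not None and result.owner != attacker:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    # Probe every invoice as "alice"; only 102 (bob's) should ever be refused.
    all_ids = sorted(INVOICES)
    print("vulnerable handler leaks:", audit_object_authorization(get_invoice_vulnerable, "alice", all_ids))
    print("hardened handler leaks:  ", audit_object_authorization(get_invoice_hardened, "alice", all_ids))
```

In a real audit the handler is an HTTP endpoint and the "session user" is a cookie or bearer token for a low-privileged test account; the logic is the same: authentication alone is not authorization, and every object reference in a request must be checked against the caller's rights.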
According to official documents accessed by NVI, the Union Ministry of Electronics and Information Technology has asked the Chief Information Security Officers (CISOs) of all states and Union Territories to audit Government websites regularly. These websites and applications have to be audited regularly to detect any attempt at hacking. Besides, the Union Government has also formulated a Crisis Management Plan to assist state and Union Territory Governments, including Jammu and Kashmir, in countering cyber attacks and ‘cyber terrorism’, empanelling 150 security organizations to support and audit the implementation of Information Security Best Practices. The author would like to conclude this article with these quotes: “Security isn’t something you buy, it’s something you do, and it takes talented people to do it right.” “If it’s smart, it’s vulnerable.” “It takes 20 years to build a reputation and a few minutes of cyber incident to ruin it.” “Security should be built in, not bolted on.”
The author is a Senior Faculty (GCET Jammu)