Security Audit of Websites

Niraj Dubey
India is one of the fastest-growing digital markets in the world, with close to 800 million Internet users, the second-largest user base in the world after China. Eyeing this huge consumer base, Internet-based services flooded into India; around 346 million Indians now transact online through e-commerce and digital payments. Even traditional industries that once ran largely on manpower joined the digital bandwagon in order to stay relevant in changing times. The ballooning Indian digital market also caught the eye of cybercriminals, and as India moves further along the path of digital transformation, the threats to its economic sectors rise with it. A presentation by the NITI Aayog identifies financial organizations, healthcare, universities and higher education, and the public sector as the biggest victims of data breaches. To meet such an alarming situation and its cyber security challenges, security audits of the websites concerned are the need of the hour. A cyber-security audit is a comprehensive analysis and review of a business's IT infrastructure. Security audits help protect critical data, identify security loopholes, shape new security policies and track the effectiveness of security strategies.
Regular audits help ensure that employees stick to security practices and catch newly introduced vulnerabilities. An audit is also the primary method for examining compliance: it is designed to evaluate something (a company, a system, a product) against a defined standard. The Indian government and stakeholders, exploring ways to fight off the rising threat landscape, zeroed in on regulatory norms and guidelines for all services operating in India, with a more stringent focus on the BFSI (banking, financial services and insurance) and government sectors. These regulations forced organizations to take due cyber security steps to combat cyber attacks. The security testing services market in India is estimated to grow from USD 201 million in 2019 to USD 325 million by 2022. To curb the menace of spamming and phishing, the Government of the Union Territory of Jammu and Kashmir has recently directed an immediate security audit of all official websites and the sensitization of all employees about fake WhatsApp messages. It has also been made clear that no digital service shall be launched without a security audit by one of the empanelled agencies. Under the Information Technology (Amendment) Act, 2008, a security audit of every application and web service is mandatory before it is eligible for hosting in the State Data Centre (SDC). Security testing is usually done by a certified security professional or service provider who, in layman's terms, tries to hack your system or software to find security gaps and reports them, so that the organization can fix those gaps and make an informed decision about the right security controls for itself. Applying security patches, fixing bugs and rolling out feature updates on a defined schedule is referred to as patch management. The results of security testing can differ starkly depending on the type of testing and the methodology used.
Depending on a company's specific needs and goals, security testing can follow different approaches: white-box testing, where the tester has full access to source code, architecture and credentials; black-box testing, where the tester starts with no more knowledge than an outside attacker; and grey-box testing, where the tester has partial knowledge such as ordinary user accounts or API documentation. The individual tests involved may also differ from organization to organization.
Why Security Testing:-
Web applications and websites have been favourite targets of hackers because they hold access to valuable information and are relatively easy to exploit. A successful attack can have devastating consequences, including financial loss, damage to brand reputation and loss of customer trust. Because web applications must be available 24/7 and offer data access to customers, employees, suppliers and others, they are frequently the weak link in organizational security. When hackers compromise a web application, they often gain direct access to confidential back-end data about customers and the company. For this reason, testing web application security is a high priority for organizations today.
Common security testing goals that most organizations share:
* To identify security bugs, missing security rules, configuration flaws, exposed endpoints and other potential vulnerabilities in a system.
* To get security attested in order to comply with government mandates and the norms of regulatory bodies.
* To arrive at an optimized security posture for the organization, and so on.
Cybersecurity testing types:-
* Vulnerability scanning/assessment (automated discovery and rating of known weaknesses, without exploiting them)
* Penetration testing (manual, scoped exploitation of findings to demonstrate real impact)
* Red Team testing (goal-driven adversary simulation against the whole organization, usually without warning the defenders)
* Purple Team testing (red and blue teams working together so that each attack is used to tune detection and response)
Tests for websites/web applications:-
* Static and dynamic code analysis
* Server infrastructure and DevOps pipeline testing
* Tests to identify loopholes in the business logic
* Authorization checks for user access control (UAC)
* Manual and automated application scanning
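An added illustration, not from the article and not any real audit tool, of what the authorization check in the list above actually exercises. It is a constructed, in-memory stand-in for a web application: one handler looks an order up by id alone (the classic insecure direct object reference), the other also verifies that the logged-in user owns the record. The audit routine calls each handler with two ordinary user sessions across a sweep of ids and reports every case where a user reads someone else's data. The order data, user names and handler signatures are all assumptions made for the example.

```python
"""Automated authorization (user access control) check for a web endpoint.

Constructed example for illustration: an in-memory model of a web app with a
vulnerable order handler and a fixed one, plus the audit routine that drives
both with two low-privilege user sessions and records cross-user reads.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data: orders belonging to two different users.
ORDERS: Dict[int, dict] = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob",   "total": 55.50},
    1003: {"owner": "alice", "total": 9.99},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_order_vulnerable(session_user: str, order_id: int) -> Response:
    """Looks the order up by id only: any authenticated user can read any
    order, so the id is an insecure direct object reference (IDOR)."""
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404)
    return Response(200, order)


def get_order_fixed(session_user: str, order_id: int) -> Response:
    """Enforces ownership against the server-side session user, never against
    anything the client sends. Returns 404 rather than 403 so the response
    does not confirm to an attacker that the id exists."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        return Response(404)
    return Response(200, order)


Handler = Callable[[str, int], Response]


def audit_horizontal_access(handler: Handler, users: List[str], ids: range) -> List[dict]:
    """Horizontal privilege-escalation check as run in an authorization audit.

    For every (user, id) pair the handler is called as that user. A finding is
    recorded whenever a user receives HTTP 200 for an object owned by someone
    else. Works against any handler with the (session_user, order_id) shape.
    """
    findings = []
    for user in users:
        for order_id in ids:
            resp = handler(user, order_id)
            if resp.status == 200 and resp.body["owner"] != user:
                findings.append({"user": user, "order_id": order_id,
                                 "owner": resp.body["owner"]})
    return findings


def main() -> None:
    users = ["alice", "bob"]
    ids = range(1000, 1006)  # small id sweep around the known values
    for name, handler in (("vulnerable", get_order_vulnerable),
                          ("fixed", get_order_fixed)):
        findings = audit_horizontal_access(handler, users, ids)
        print(f"{name}: {len(findings)} cross-user read(s)", findings)


if __name__ == "__main__":
    main()
```

Against a live target the same loop is driven with real session cookies for two test accounts and the ids harvested from each account's own pages; the point the audit establishes is not that a 200 came back, but that it came back for data the session should never have been able to reach.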
According to official documents accessed by NVI, the Union Ministry of Electronics and Information Technology has asked the Chief Information Security Officers (CISOs) of all states and union territories to audit government websites regularly. Such audits of websites and applications must be conducted on a regular basis to detect any attempt at hacking. The Union Government has also formulated a Crisis Management Plan to assist state and Union Territory governments, including Jammu and Kashmir, in countering cyber attacks and 'cyber terrorism', and has empanelled 90 security organizations to support and audit the implementation of information security best practices. The author would like to conclude this article with these quotes: "Security isn't something you buy, it's something you do, and it takes talented people to do it right." "If it's smart, it's vulnerable." "It takes 20 years to build a reputation and a few minutes of cyber incident to ruin it." "Security should be built in, not bolted on."
(The author is a cyber security enthusiast)