Improving Outcome of Cyber Security Audits and Reducing Threat Exposure to Cyber Infrastructure - Advisory for Auditee Organizations
Original Issue Date: December 08, 2021
The objective of this advisory is to sensitise organisations and recommend best practices in order to improve the outcome of cyber security audits and reduce vulnerabilities in their cyber infrastructure. The key findings and recommendations in this advisory are drawn from analysis of field data from audits conducted across the country.
iv. Limit and Secure Remote Access: Restrict remote access to the cyber infrastructure to those who need it. Remote access traffic should be tunnelled, encrypted and logged so that misuse can be prevented and detected. Multi-Factor Authentication (MFA) is recommended for all remote access to the cyber infrastructure.
- Recommendations to Ensure Effective Implementation of Cyber Security Audit Program
i. Scope of the audit: It is observed that in most cases only websites or web applications are audited. The scope of the audit should also include comprehensive audits of the entire cyber infrastructure, including systems, applications, software, network infrastructure, SCADA/ICS environments and cloud architecture.
ii. Audit Intent - Audit for securing the cyber infrastructure of the organization: The scope of the security audit should be clearly defined, along with a clear communication plan with the auditing team. Audits should not be performed merely for the sake of compliance, but to secure the cyber infrastructure and thereby protect the interests and goals of the organization.
iii. Timely actions to patch the vulnerabilities: Vulnerabilities highlighted in audit reports should be patched by the owners/developers immediately. Where patching is not possible, a workaround (compensating control) needs to be identified. After remediation, follow-up audits should be performed by the auditor to verify closure of the vulnerabilities and non-conformities highlighted in the previous audit.
iv. Audit Methodology: Standards/references for the audit should not be limited to the OWASP Top 10, SANS Top 25 and other such limited lists. The audit should include discovery of all known vulnerabilities based on comprehensive standards/frameworks such as ISO/IEC standards, the Cyber Security Audit Baseline Requirements, the Open Source Security Testing Methodology Manual (OSSTMM 3) and the OWASP Web Security Testing Guide, along with the applicable regulatory framework and the directions and guidelines issued by agencies such as CERT-In.
v. Audit program oversight by top management: Top management should review and approve the audit program and the remedial measures taken by the organization to address the vulnerabilities highlighted in the audits, in a time-bound manner.
vi. Change Management: An audit should be performed after every change in infrastructure and applications. A change management policy should be enforced in the organization to avoid unnecessary changes to cyber infrastructure and applications.
vii. Periodic Audits: Audits should be performed at periodic intervals even if there is no change in infrastructure, to remediate and eliminate the risk from newly discovered vulnerabilities. The periodicity of audits should be decided based on the criticality of the cyber assets.
- Prioritize preventive actions to avoid the most frequent vulnerabilities and to reduce threat exposure of cyber infrastructure, as observed in the audit data analysis:
i. Asset Inventory and Patch Management: Organisations should maintain and monitor an inventory of all authorized assets (both software and hardware). For all assets, a proper patch management mechanism should be in place to patch vulnerable software, applications and firmware used by the organisation.
ii. Secure Configuration: Organizations should deploy assets with a secure configuration. Appropriate security configuration, such as blocking unused ports, securing and changing default settings and credentials, and removing unused pages, should be done during deployment of equipment and applications.
iii. Principle of Least Privilege: Organizations need to implement the principle of least privilege across all of the organization's assets, so that users, services and applications are granted only the access required for their function.
v. Secure Software Development Life Cycle (SSDLC): It is observed that one of the main reasons for vulnerabilities in the cyber infrastructure of organizations is insecure application development. It is recommended to consider security in all phases of application development by adopting SSDLC and DevSecOps practices.
vi. Authentic Software and Secure Protocols: Organizations should only use genuine software in their infrastructure and ensure that software, applications and firmware are updated on a regular basis to avoid software vulnerabilities. Organisations should also ensure the use of secure protocols in place of weak, vulnerable protocols (for example SSH/SFTP and HTTPS in place of Telnet, FTP and plain HTTP), to avoid the vulnerabilities associated with weak protocols.
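As an added example, not code from this CERT-In advisory: the remote-access point (item iv above) and the secure-configuration point (item ii in the preventive-actions list) can be turned into a repeatable check rather than a one-time audit finding. The Python script below audits an OpenSSH server configuration for the controls the advisory names: restricted and logged remote access, no default or permissive settings, and MFA enforced for every login path. The two sshd_config samples are constructed for the example; the directive names and defaults are OpenSSH's own, but the rule set and the choice of which directives to check are this example's assumptions, not a CERT-In baseline.

```python
"""Audit an sshd_config against the advisory's remote-access and
secure-configuration points.  Added example, not CERT-In tooling; the rule
set below is an assumption for illustration, not an official baseline."""

import re

# sshd defaults for the directives checked here (per sshd_config(5)),
# applied when a directive is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "authenticationmethods": "any",
    "loglevel": "INFO",
    "x11forwarding": "no",
}

# Constructed sample: permissive settings as commonly left after install.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
LogLevel QUIET
X11Forwarding yes
"""

# Constructed sample: the same service hardened along the advisory's lines.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
# key AND a second factor (e.g. a PAM one-time-password module via keyboard-interactive)
AuthenticationMethods publickey,keyboard-interactive
AllowGroups remote-admins
LogLevel VERBOSE
X11Forwarding no
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$")


def parse_sshd_config(text):
    """Return {directive.lower(): value} for the global section of an sshd_config.

    sshd uses the FIRST value it meets for a keyword, so later duplicates are
    ignored.  Parsing stops at the first 'Match' block: conditional overrides
    are out of scope for this example and would need per-user evaluation.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)  # first occurrence wins
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: direct root login over remote access")
    if conf["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication enabled: password-only logins can be brute-forced")
    if conf["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    # MFA: every space-separated alternative in AuthenticationMethods must
    # chain at least two comma-separated methods.
    methods = conf["authenticationmethods"]
    if methods.lower() == "any":
        findings.append("AuthenticationMethods not set: MFA is not enforced")
    else:
        for alt in methods.split():
            if len([m for m in alt.split(",") if m]) < 2:
                findings.append(f"AuthenticationMethods alternative '{alt}' permits single-factor login")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("No AllowUsers/AllowGroups: remote access is not restricted to named accounts or groups")
    if conf["loglevel"].upper() in ("QUIET", "FATAL", "ERROR"):
        findings.append(f"LogLevel {conf['loglevel']}: logins are not recorded for audit")
    if conf["x11forwarding"].lower() == "yes":
        findings.append("X11Forwarding yes: unused feature left enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        results = audit_sshd_config(cfg)
        print(f"[{name}] {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Running the script reports seven findings for the constructed weak configuration and none for the hardened one. The MFA rule is the part worth copying: checking that `AuthenticationMethods` is set is not enough, because a value such as `publickey password` lists two single-factor alternatives, so each alternative must be inspected on its own. The same pattern (parse the effective configuration, apply defaults, compare against a written rule set) transfers to other services the advisory's secure-configuration point covers.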
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003