Organizations must adopt bug-bounty programmes to combat cybersecurity flaws.

While it is common for Western organizations and governments to run bug-bounty programmes, and Indian white-hat hackers often collect handsome rewards from them, Indian organizations are yet to make this a routine part of their cyber security strategy.

In mid-November last year, the media was abuzz with news of a cyber incident at CDSL (Central Depository Services Limited), a major market infrastructure institution that serves as a securities depository and settlement facility for the securities markets. An analysis of the incident is not yet available and may never be made public, but the story highlights the sheer need for cyber security and cyber defence in organizations of every kind in today's digitalized business world.

Another illustrative example may be recalled: in April 2022, Recorded Future, a US-based cyber threat intelligence company, reported that China-linked hackers had been collecting data from multiple power sector organizations in northern India. That report was a follow-up to an earlier one from the same company in March 2021, which found that, alongside power sector organizations, several Indian ports had also been compromised, with network traffic to suspected command-and-control servers apparently linked to China.

These are just a few examples of the full-fledged cyber cold war currently looming large; we have seen a glimpse of it in the persistent cyber-attacks traded back and forth in the context of the Russia-Ukraine war this year. The attack on Tata Power by the Hive ransomware group just last month also underlines one of the major threats to organizations today: ransomware.

Defending an organization's digital infrastructure requires cyber risk assessment and cyber risk mitigation in a continuous cycle. One-time protection is not enough: the threat landscape keeps evolving, and digital assets fall out of service contracts and regularly reach end-of-life status, after which vendors provide no further security updates. Further, the tools and methods developed for protection today become obsolete tomorrow, because offensive tools and techniques develop at an immense pace.

In the early 2000s, most attackers were hobby hackers; today, most are sponsored by nation states or belong to advanced persistent threat (APT) groups aligned with various governments. The biggest threats are the Russian, Chinese, North Korean, Iranian and Vietnamese groups, with deep pockets, highly skilled hacking teams and well-resourced personnel who discover zero-day vulnerabilities in products and digital services and exploit them to attack the systems of other countries.

As part of an organization's regular cyber risk assessment, the risk assessment team must understand the cyber threats that might target the organization and find its vulnerabilities: not only in software, hardware and firmware, but also in network architecture, software front ends and business process implementations. This vulnerability enumeration has two distinct yet complementary components, vulnerability assessment and penetration testing, together called the VAPT process. Vulnerability assessment looks for known vulnerabilities in the organization's cyber assets by checking the inventory of products and versions against reported vulnerability databases such as the National Vulnerability Database (NVD) maintained by the US National Institute of Standards and Technology (NIST); penetration testing is a more invasive method.

Usually organizations have "red team" hackers who try to break into the organizational infrastructure and discover vulnerabilities not yet reported or listed in any database. This process uncovers weaknesses not only in products but also in cyber security management, system architecture, business process flow and so on. While vulnerability assessment identifies problems that can then be fixed by applying patches from the respective product vendors, vulnerabilities uncovered through penetration testing are fresh and do not necessarily have ready-made solutions; that is where risk mitigation techniques need to come in.
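To make the vulnerability-assessment half of VAPT concrete, here is an added example, not taken from this article and not any vendor's tool, that matches a small software inventory against CVE records whose affected-version ranges use the same four bounds as NVD's configuration data (versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding). The CVE identifiers, vendor, product names, hosts and scores are all constructed placeholders. The point is the version-range check and the triage rule that follows from the paragraphs above: a known CVE with a vendor fix on a supported asset becomes a patching action, while a CVE with no fix, or one on an end-of-life asset, has to go down the risk-mitigation path instead.

```python
"""Toy vulnerability-assessment pass (added example, not from the article).

Matches a software inventory against CVE records whose affected-version
ranges use the same four bounds as NVD configuration data:
versionStartIncluding / versionStartExcluding / versionEndIncluding /
versionEndExcluding.  All CVE IDs, vendors, products and hosts below are
constructed placeholders, not real data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple:
    """'2.4.51' -> ((0, 2), (0, 4), (0, 51)); numeric parts compare as ints,
    non-numeric parts (e.g. 'rc1') sort after numbers and compare as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


@dataclass
class CpeMatch:
    """One affected product plus optional version bounds (None = unbounded)."""
    vendor: str
    product: str
    start_incl: Optional[str] = None
    start_excl: Optional[str] = None
    end_incl: Optional[str] = None
    end_excl: Optional[str] = None

    def matches(self, vendor: str, product: str, version: str) -> bool:
        if (vendor, product) != (self.vendor, self.product):
            return False
        v = parse_version(version)
        if self.start_incl and v < parse_version(self.start_incl):
            return False
        if self.start_excl and v <= parse_version(self.start_excl):
            return False
        if self.end_incl and v > parse_version(self.end_incl):
            return False
        if self.end_excl and v >= parse_version(self.end_excl):
            return False
        return True


@dataclass
class Cve:
    cve_id: str
    cvss: float                 # base score, used only for ordering findings
    fixed_in: Optional[str]     # None = vendor has shipped no fix
    affects: List[CpeMatch]


@dataclass
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str
    end_of_life: bool = False   # vendor no longer ships patches for this asset


# Constructed CVE records (placeholder IDs, not real CVEs).
CVES = [
    Cve("CVE-0000-0001", 9.8, "2.4.51",
        [CpeMatch("examplecorp", "webfront", start_incl="2.4.0", end_excl="2.4.51")]),
    Cve("CVE-0000-0002", 7.5, None,
        [CpeMatch("examplecorp", "gateway", end_incl="1.9")]),
    Cve("CVE-0000-0003", 5.3, "3.0.2",
        [CpeMatch("examplecorp", "webfront", start_incl="3.0.0", end_excl="3.0.2")]),
]

# Constructed asset inventory.
INVENTORY = [
    Asset("web-01", "examplecorp", "webfront", "2.4.49"),
    Asset("web-02", "examplecorp", "webfront", "2.4.51"),   # exactly the fixed version
    Asset("gw-01", "examplecorp", "gateway", "1.8.3", end_of_life=True),
    Asset("web-03", "examplecorp", "webfront", "3.0.1"),
]


def assess(inventory: List[Asset], cves: List[Cve]) -> List[dict]:
    """Return findings ordered by severity, each with the follow-up action:
    patch when the vendor has a fix and still supports the asset, otherwise
    mitigate (compensating controls), which is the risk-mitigation path."""
    findings = []
    for asset in inventory:
        for cve in cves:
            if not any(m.matches(asset.vendor, asset.product, asset.version)
                       for m in cve.affects):
                continue
            if cve.fixed_in is None:
                action = "mitigate: no vendor patch available"
            elif asset.end_of_life:
                action = f"mitigate: asset is end-of-life, fix {cve.fixed_in} not supported"
            else:
                action = f"patch to {cve.fixed_in}"
            findings.append({"host": asset.hostname, "cve": cve.cve_id,
                             "cvss": cve.cvss, "action": action})
    findings.sort(key=lambda f: -f["cvss"])
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, CVES):
        print(f"{f['host']:8} {f['cve']}  CVSS {f['cvss']:<4} {f['action']}")
```

Note that web-02, running exactly the version named by versionEndExcluding, is correctly reported clean, while the end-of-life gateway is flagged with no patch to apply: exactly the case the article says vulnerability assessment alone cannot close and that the mitigation cycle has to pick up.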

Prof. Sandeep K. Shukla
Professor, Computer Science & Engineering Department,
IIT Kanpur.

One important point to note here is that the quality of penetration testing depends on the depth of skill and training of the hackers in the "red team". If they are highly capable, a good number of vulnerabilities can be discovered before an adversary such as a nation-state hacking group finds and starts exploiting them. Unfortunately, given the paucity of highly skilled and trained offensive security professionals in the job market, most organizations struggle to build a very capable "red team". That is where bug-bounty programmes help. Many organizations crowdsource the work of the "red team" by announcing a bug-bounty programme under which hackers unaffiliated with the organization can voluntarily try to break into it, within the scope the programme defines, usually the public-facing parts of the infrastructure. Such hackers are usually termed "white-hat" hackers; they disclose their findings to the organization and are usually rewarded for them. In this way the organization gets the benefit of many hackers' skills in discovering its vulnerabilities.

While it is common for Western organizations and governments to run such bug-bounty programmes, and Indian white-hat hackers often collect handsome rewards from them, Indian organizations are yet to make this a routine part of their cyber security strategy. This needs to change: it is now imperative for Indian organizations to take advantage of the skills and talents of Indian white-hat hackers and institute reward programmes.

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members
