As security threats continue to proliferate unabated, security challenges for Indian enterprises are correspondingly on an upward spiral. Security is now a matter of hygiene; it’s no longer a matter of “if and when” but rather, more a matter of “how”. Network security assessments play an important role here in prioritizing resource allocation to critical areas and ensuring that security gaps in the network are discovered and remediated in time.
Searchsecurity.in spoke to several security experts across verticals in the Indian industry for insights into the nitty-gritty of network security assessment / VAPT exercises. What emerged was that while a secure network might be a common goal, and lack of skilled manpower and budget constraints common woes, Indian enterprises are approaching the problems in their own unique ways, going beyond the routine and homing in on specifics.
Network security assessment at India Inc.
Manish Dave, CISO, Essar Group, a $16 billion Indian conglomerate with diverse interests including steel, oil & gas, power and shipping, views network security assessments in Indian enterprises from two perspectives. One, within the organization’s WAN; the other, between the outside world and the logical perimeter. Dave feels that while intrusion from outside or information leaks from inside are points of focus, what is often ignored during network security assessment is the “availability” aspect of CIA (confidentiality, integrity and availability).
“Unless a backed-up device exists in case of failure, the whole purpose of security at the logical perimeter is defeated,” he says. Building redundancy at each level (firewalls, IPSs, core routers, and so on) is something organizations might be overlooking, and a failure at any critical point is a free ticket for intruders, Dave feels. He advises that network security assessments should not be limited to firewalls/IPSs and Internet-facing websites, but should also include services such as VoIP and video conferencing systems.
Pankaj Agrawal, CISO & head of technology governance at Aircel, feels that, in boardrooms across the country, especially in telecom, discussions around network security and vulnerability assessment are now more mature and intelligent, rather than being restricted to a basic level.
Moreover, telecom being a highly regulated sector in India, with any breach or leak attracting massive penalties and reputation loss for companies, security is getting deeply embedded into the organization culture. Agrawal believes that given the maturity of organizations today, the focus is shifting from perimeter-centric security to data protection. He sees the market moving towards solutions to protect data at rest and data in motion. Agrawal prefers to rely on a robust ISMS framework, regular tool-based vulnerability assessments and rigorous annual audits to stay secure.
Dave of Essar says that while Indian organizations are fielding a full spectrum of security tools from IPSs to firewalls, the necessary skill-sets to configure policies on these devices are lacking. Most devices come with hundreds of policies prewritten, which organizations may be configuring based on inputs and templates from the vendor itself. Many of these policies might not even be relevant to the business.
Therefore a mechanism to review network policies on a periodic basis is essential, he says. The policy review mechanism must be geared to establish whether policies are relevant and up-to-date, and whether or not a mechanism exists to record changes to policies on network devices.
Says Dave, “Changes to policies need to be strictly recorded as human error cannot be ruled out. A periodic review of all checks and balances is a must to keep track of anomalous activities. Unless sensible analysis is done on critical devices, a major gap in the network security architecture is inevitable.”
Satish Das, CSO and VP at software major Cognizant, firmly believes that a good policy management, monitoring and response mechanism is key to a secure network. Das depends on tools to monitor changes and help in automating the policy review process, to ensure correct network security policy enforcement. Similarly, Aircel has installed network access controls to monitor hygiene and compliance, and restrict network access on-the-fly.
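The periodic policy review that Dave and Das describe above (are rules still relevant, and is every change recorded?) is straightforward to automate once rule-sets are exported as data. The script below is an added example, not code from the article or from any of the organizations mentioned; the rule format, the sample rule-sets and the hit counts are constructed and vendor-neutral stand-ins for what a real device would export. It diffs two policy snapshots, flags rules with no matches in the review window as candidates for removal, flags over-broad allow rules, and produces an append-style review record.

```python
"""Periodic network policy review: diff two rule-set snapshots, flag unused
and over-broad rules, and emit a change record.

Added example; the Rule layout and all sample data are constructed, not
taken from any vendor's export format."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR, host or "any"
    port: str     # service port or "any"


def diff_policies(old, new):
    """Compare two snapshots keyed by rule_id.

    Returns rule_ids that were added, removed, or modified (same id,
    different fields). Frozen dataclasses give field-wise equality."""
    old_by_id = {r.rule_id: r for r in old}
    new_by_id = {r.rule_id: r for r in new}
    common = set(old_by_id) & set(new_by_id)
    return {
        "added": sorted(set(new_by_id) - set(old_by_id)),
        "removed": sorted(set(old_by_id) - set(new_by_id)),
        "modified": sorted(i for i in common if old_by_id[i] != new_by_id[i]),
    }


def stale_rules(rules, hit_counts):
    """Rules with zero matches in the review window are candidates for
    removal: vendor templates often ship rules the business never uses.
    hit_counts maps rule_id -> matches observed in the window."""
    return sorted(r.rule_id for r in rules if hit_counts.get(r.rule_id, 0) == 0)


def risky_rules(rules):
    """Flag allow rules whose source is 'any' and whose destination or port
    is also 'any'; such rules need an explicit business justification."""
    return sorted(
        r.rule_id for r in rules
        if r.action == "allow" and r.src == "any"
        and (r.dst == "any" or r.port == "any")
    )


def review_report(old, new, hit_counts, reviewer):
    """Build a review record so that every policy change is written down
    with who reviewed it and when (human error cannot be ruled out)."""
    diff = diff_policies(old, new)
    new_by_id = {r.rule_id: r for r in new}
    entries = []
    for rid in diff["added"]:
        entries.append(f"ADDED {rid}: {asdict(new_by_id[rid])}")
    for rid in diff["removed"]:
        entries.append(f"REMOVED {rid}")
    for rid in diff["modified"]:
        entries.append(f"MODIFIED {rid}: now {asdict(new_by_id[rid])}")
    return {
        "reviewed_at": datetime.now(timezone.utc).isoformat(),
        "reviewer": reviewer,
        "diff": diff,
        "stale": stale_rules(new, hit_counts),
        "risky": risky_rules(new),
        "entries": entries,
    }


# Constructed sample snapshots: last quarter's rule-set and the current one.
OLD_POLICY = [
    Rule("R1", "allow", "10.0.0.0/8", "10.1.1.10", "443"),
    Rule("R2", "allow", "any", "any", "any"),          # over-broad template rule
    Rule("R3", "deny", "any", "10.1.1.0/24", "23"),
    Rule("R4", "allow", "192.168.5.0/24", "10.1.2.20", "3389"),
]
NEW_POLICY = [
    Rule("R1", "allow", "10.0.0.0/8", "10.1.1.10", "443"),
    Rule("R2", "allow", "any", "any", "any"),
    Rule("R4", "allow", "192.168.5.0/24", "10.1.2.21", "3389"),  # destination changed
    Rule("R5", "allow", "10.2.0.0/16", "10.1.1.10", "22"),       # new rule
]
# Constructed hit counts for the review window; R4 was never matched.
HIT_COUNTS = {"R1": 12034, "R2": 5, "R4": 0, "R5": 87}

if __name__ == "__main__":
    report = review_report(OLD_POLICY, NEW_POLICY, HIT_COUNTS, reviewer="netsec-review")
    for line in report["entries"]:
        print(line)
    print("stale candidates:", report["stale"])
    print("over-broad allows:", report["risky"])
```

Run on a schedule against the device's exported configuration, the `entries` list is the change record Dave asks for, and the `stale` and `risky` lists are the shortlist for the next review meeting; a rule that stays on the stale list across two windows is a strong candidate for removal.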
Of VA and PT
Das feels that many Indian organizations are today at a level of security where general pen-tests during a network security assessment exercise will not unearth much. Giving the analogy of how a regular checkup for a fit man might not find any problems, Das believes that beyond a certain level of maturity, more rigorous and specialized tests need to be conducted in order to test the network’s susceptibility to attack. Das believes the security market in India is moving towards specialized pen-testing.
With the Essar Group’s interests in critical infrastructure sectors such as oil and gas, Dave says it becomes imperative to go beyond the technical aspects of pen-testing and consider attack vectors such as social engineering and physical security. He states that while a biannual internal tool-based vulnerability assessment is essential for hygiene, an annual independent third-party assessment is required to properly assess network security. In addition to a complete network security assessment exercise, focusing on different aspects each year (vulnerability management, device compliance, privileges & access, and so on) can be a great way to weed out problems, especially if the assessments are done by the same team every year.
In-house or outsource
According to Axis Bank’s CISO Nabankur Sen, for an annual network security review, independent third-party firms are appointed by the bank, to avoid potential biases. During this exercise, Sen’s security team only comes into the picture when a secure network architecture (SNA) diagram is systematically prepared. This is then handed over to the network team for implementation. To overcome the shortage of skilled manpower, Sen moved to a managed service provider three years ago, and this option is working well for the bank thus far.
In terms of whether penetration testing should be done through third parties or in-house, the general consensus is that it depends upon the size of the organization and the resources at its disposal, says Das. An SME would be much better off outsourcing, but a large company in a regulated industry might find it prudent to have both an internal team as well as an outsourced team.
In Das’s case, while he uses the internal team to run periodic tool-dependent pen-tests, he expects external teams to conduct various specialized tests on his network infrastructure.
For successful network security assessments, strategizing in advance is essential. For instance, without proper planning, it would be extremely difficult to perform assessments on live production environments. In fact, at telcos such as Aircel, pen-testing is only performed on pre-production environments.
According to many, India as a country still lacks professionals with specialized security capabilities such as forensics and incident response. To deal with emerging threats, experts believe that specialization within security needs to be encouraged if massive deficits in manpower are to be plugged. Finally, a culture needs to be created in the security profession that would facilitate a career path for professionals who would like to specialize.
This was first published in June 2012