Government dragging its feet on security audit

THIRUVANANTHAPURAM: Despite repeated incidents of attacks on the cyberspace owned by the State Government and a written direction from the Centre, the state is dragging its feet on conducting a security audit of the government websites.As far as 104 websites out of the 250-plus websites of the State Government and its arms had fallen prey to the hackers since March 2009, including the latest break into the website of the Civil Supplies Corporation the other day. A directive from the Union Information and Technology secretary addressed to the Chief Secretary of the state in December 2010 says that all websites of the organisations under Kerala Government should be audited and complied to web security guidelines issued by Indian Computer Emergency Response Team (CERT-In). The directive adds further that the websites must also be periodically audited as per the guidelines of the National Crisis Management Committee which is chaired by the Union Cabinet Secretary.Figures show that at least 40 percent of the 100-plus websites which have been hacked have not provided the log details of the websites to the CERT-Kerala which is mandatory to ascertain the mode of hacking and the severity of the attack. Sources say that the problem with collecting the log details of the websites is mainly due to the fact that many of the servers that host these websites are stationed outside the country. In fact, the Union Home Ministry, in a directive in February, 2005 had requested all the departments and ministries not to host their websites on the servers of private companies or servers that are not stationed in India. “A vulnerability analysis of the websites periodically can ascertain how vulnerable they are,” says CERT-Kerala director Mahesh I C. He added that the CERT-Kerala would go ahead with the task of the security audit once the government gives the nod. “A comprehensive security audit would include vulnerability analysis, information audit and penetration test. This will have to be done in each of the website and corrective action should be taken if found vulnerable,” says Mahesh. The CERT-Kerala is the nodal agency to protect all the State Government websites from any potential threat of defacement which operates on behalf and in conjunction with CERT-In.