News that the Web site of the National Security Guards (NSG) – the Indian counter-terror elite operation of the Indian army and police – has been hacked has a security message for any company IT security manager.
And that message is that no matter how good your ITsec defences are when you install a system, unless you keep those defences under constant review, cybercriminals will slide in and cause havoc.
It sounds as though the NSG Web site has been hacked more for public embarrassment of the elite counter terror squad than anything, but the message is quite clear.
Indian newswire reports suggest that the NSG has undertaken a complete security review of its IT operations, and not just on the Web site. That review includes a forced change of e-mail passwords for staff and their contacts.
The hacking of the NSG site is an important issue for the Indian government, as the site reportedly acts as a gateway for a number of services. This means that the hackers could have gained access to a number of Indian government databases, and not just data that relates to the NSG.
This is the problem with a modern corporate Web site being hacked, as a growing number of organisations are using their Web portals as just that – a portal or gateway for staff and qualified third parties to gain access to advanced services.
Many IT managers see the use of Web sites as gateways as a way of saving money in both the short and longer-term, but it is important that at least some of these savings to be re-invested in increasing the security posture of the Web resource in total.
It is a bit like merging two bank branches into one superbranch. Although the cost of operating the both branches is reduced, the increased concentration of cash and other valuables at a single site means that the bank has to beef up its security.
For banks this means a security review and general audit of security practices on an on-going basis – and the same principles apply for companies using their Web site as a gateway for additional services, such as e-commerce.
Web site security is no longer the set-it-and-forget-it aspect of IT defences that it used to be in the days of a static site. Modern Web sites need on-going and in-depth security reviews in order to defend against an evolving hacker threat.
Auditing and pen-testing a Web site is a must-have in the modern arsenal of corporate security defences, otherwise your corporate system could end up being the UK equivalent of the NSG: a laughing stock in security circles.