I urge you to read the header for this article, to understand the rationale for the Directions, as put out by CERT-In, and not just try to pontificate or shoot holes into the directives, just because you are paid to do this.
This is a big bug in the back for the naysayers, as CERT-In wants everyone to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), or to NTP servers traceable to these NTP servers. I am not qualified to comment on the merit or demerit of the technology here so I shall pass. But while I pass, what I cannot understand is:
At times there is good value coming from CERT-In and the mails tend to get lost. Having a single point of contact will be helpful. And maybe this person can build some friendly bridges with the CERT-In personnel and get you some slack too.
Do these guys know what percentage of entities in India have enabled logs? Enabled and retained them? If researched well, you will realize that this is a joke. Even entities which are certified to ISO and other standards have pretty low standards for log management. This is a national malaise, similar to the habit of sweeping/hiding security incidents under the carpet.
So, stop the crib and start the day reading up your Log Management Policy, then walk the talk with log identification and risk assessment, and finally close the day enabling critical logs and giving them a nice warm storage and backup space.
Guys, remember this is India and we live with diversity. We have attacks happening in the real and digital world by cross-border terrorists, home-grown naxalites, religious fanatics, paid activists/lobbyists, adversary nations and what have you.
Asking a VPN service provider to keep logs and provide them when needed does not amount to suppressing free speech. We are not an authoritarian state; we are a democracy, albeit an Indian one, and no one knows how it works, but it has been working well for about 75 years now. A jalebi no westerner can understand!
However, CERT-In has to explain what it is that they may be looking for in the KYC records (if ever they do come knocking). Did CERT-In ever face any instance where they felt that this is key information in their investigation, or did they put this in just because their knee started jerking!
This is a list of cyber security incidents provided by CERT-In, which has asked that they be notified. Can't you think of it as an "indicative" list and stop bawling about its completeness or priority etc.? Stop trying to show your intelligence is still academically-grown and not operational/industry/practitioner experience-grown.
Your statement in Parliament said that about 48,000 incidents were reported. If these are all reported from now on, then how do you propose to manage this volume of work? For the benefit of the common man, can you please let us know if:
Finally, I want to record that I have a lot of issues, which are usually put out, with respect to CERT-In's working. Things have not changed though I have had the opportunity to talk about them in various conferences and in private with some of the government officers. However, I am apolitical and acknowledge good work as well as openly criticise omissions and bad stuff which comes from Government.
Anyway, I have been seeing a lot of for and against being talked about the Directions Circular -in.org.in/Directions70B.jsp issued by CERT-In in April and I had planned to write a detailed paper on this.
But today morning I read this article in The Register _infosec_rules_criticised/ and it really got my gall. Mind you, I respect and admire all the work on The Register but this time they have messed it. The writer of this piece is their APAC editor and he is so clueless that one can laugh at him trying to do his native dance. To add to his cluelessness, his sources seem to be on the usual anti-government trip.
One has to view the Direction with reference to the posture of entities, their lackadaisical approach to security, the incessant cover-ups and lies pushed by professionals and experts in public ... And a lot more! Look out for my follow-up articles on this; I am definitely out with a lot of malice.
CERT-In, their capability and other issues are a different story. Remember that every directive from the government is not backed up by equivalent resources. And, with a country of our size and diversity, nothing comes easy, especially when our polity, religious heads and intelligentsia are (seemingly) perpetually engaged in self-seeking strife.
This is my opening article and I shall follow up by bashing a lot of misinformation being doled out by the "influencers" and "lobbyists" as well as the "India ignoramus". My message to all these naysayers is - go and read the document, or just read the image I have shared in the header to this piece.