NTISB Cautions Govt Departments Using Indian, Israeli IT Products and Services

The National Telecommunication and Information Technology Security Board (NTISB) has cautioned government departments against using Indian/Israeli IT-related products and services.

In its latest advisory on cyber threats associated with Indian/Israeli IT-related products and services, NTISB stated that some government organizations, including Critical Information Infrastructure (CII), are using Indian/Israeli-origin IT products and services, probably on the pretext of their being a low-cost option in comparison with other market competitors.

However, the possibility of the presence of backdoors or malware in these solutions cannot be ruled out and therefore poses a considerable cyber security concern, it added.

In the recent past, many incidents of this nature in the public sector revealed the involvement of Indian-based threat actors, which not only caused discontinuity of services/loss of data but also became a source of reputational loss for the organizations.

In its latest advisory, NTISB suggested that all Federal departments appropriately safeguard businesses and critical data.

It suggested that IT hardware solutions must not be procured, in line with a ban already imposed on goods from these countries by the Commerce Division vide SRO 927(1)/2019.

In addition, IT security solutions like Intrusion Detection Systems/Intrusion Prevention Systems, Security Information and Event Management, Extended Detection and Response, Mobile Device Management, and DDoS Mitigation Solutions may not be procured from these countries or their partners owing to the strong possibility of the presence of backdoors or malware.

NTISB has also asked organizations to discontinue the use of online software solutions on priority and migrate to alternate solutions keeping business continuity in consideration.

It also recommended the use of offline solutions with associated risk acceptance, without applying updates/patches or connecting to the internet.

According to NTISB, the Vendor/OEM is to render a certificate that no backdoor, eavesdropping or remote access mechanism is present, and identification of avenues for unauthorized access/data leakage at any stage may lead to cancellation of the contract along with blacklisting of the firm.

The SLA (if applicable) is to include relevant security clauses to ensure the safety of businesses and critical data, it added.

In the case of critical information infrastructure, code walkthroughs and detailed security assessments are to be planned through PTA-approved auditing firms. Furthermore, random penetration testing may also be ensured.

It is worth mentioning that all Government Organizations are responsible for implementing Cyber Security measures in their respective domains, and a cautious approach may be adopted by all.
