Indian government issues confidential infosec guidance to staff – who leak it
Bans VPNs, Dropbox, and more
India's government last week issued confidential information security guidelines that calls on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website.
The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.
"The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.
"In order to sensitize government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled."
Ironically, the document proves why it's needed. Despite being marked "Restricted" and for access only within Indian government departments and ministries – and including an exhortation that those sent the document "should honor this access right by preventing intentional or accidental access outside the access scope" – The Register was able to find it on an Indian government website with minimal effort.
Whoever posted it there probably needs to re-read the document. One of the instructions it includes is: "Don't share any sensitive information with any unauthorized or unknown person over telephone or through any other medium."
That instruction is one of 24 "Cyber Security Don'ts" that includes measures such as not re-using passwords or writing them on sticky notes left around the office, running only supported operating systems, and not using third-party browser toolbars. Users are not to save data to local drives, or click on links or attachments emailed by unknown parties.
"Don't install or use any pirated software (ex: cracks, keygen, etc.)" is another directive, as is a proscription on jailbreaking phones. Staff are also prohibited from using online file format conversion tools or mobile apps that scan text.
Other measures include prohibitions on:
- Uploading internal/restricted/confidential government data or files to any non-government cloud service (ex: Google Drive, Dropbox, etc.);
- Use of third-party DNS or NTP services;
- Using third-party anonymization services such as VPNs or Tor;
- Connecting printers to the internet, or allowing them to log job histories;
- Disclosure of "any sensitive details on social media or third party messaging apps";
- Connecting "any unauthorized external devices, including USB drives shared by any unknown person";
- Use of unauthorized remote administration tools;
- Use of unauthorized third-party video conferencing or collaboration tools for conducting sensitive internal meetings and discussions.
Just to show it's not all negatives, there is also a "Do's" list of helpful hints. It exhorts staff to do sensible things like use strong passwords and multi-factor authentication, patch promptly, run anti-virus software, log off when away from one's desk, and encrypt data before transmission.
India's national DNS server at 188.8.131.52 is required for all users. So is turning off GPS, Bluetooth, NFC "and other sensors" on government-issued smartphones and computers. "They maybe enabled only when required," the guidelines state.
- Another VPN quits India, as government proposes social media censorship powers
- India lets Mastercard issue new cards again
- Indian developer educator Scaler moves to America with $11k online courses
Another item instructs users to acquire mobile apps only from Google Play or Apple's App Store. When doing so, staff are told to "check the popularity of the app and read the user reviews. Observe caution before downloading any app which has a bad reputation or less user base, etc."
Overall the document offers sensible, if somewhat obvious, advice. But the fact such advice is considered necessary is surely of concern. The instruction that printers must not be connected to the internet, for example, will surely attract the attention of malicious actors who wonder if the devices offer a way in to Indian government systems.
One such actor – Malaysia's DragonForce – last week launched attacks on Indian government targets and over the weekend claimed to have deleted the website of the Port Of Chennai. Your correspondent was unable to reach the Port's website during a weekend check, but it has since been restored.
DragonForce has since claimed to be on the cusp of revealing major data leaks from Indian companies. ®