Case study: Network, Server & Data Center Security audit (VAPT)
In 2014, amidst a massive student agitation & rally, the website of the renowned university was hacked & it became a media sensation. Hackers had put up an 'I am sorry' message at the VC's desk button. The officials denied the fact and claimed that the website had been hacked. The incident was covered by all leading media houses in print & digital formats.
In the face of mass protest & reputation loss, the University requested ISOAH to help them thwart the continuous attack on the website, which was resulting in a mockery of the premier institution.
Working under full media attention & a relentless attack, with hackers posting fresh derogatory messages on the website every day, and knowing that the site could not be taken down even for a moment, was a challenge for the ISOEH team. After taking stock of the situation and promising the Vice Chancellor of the University that the site would not get hacked from the following day, the team implemented the following –
The relentless attack was stopped within a day of our taking over, while our team analyzed the code (approx. 2000 pages) & helped the JU technical team to understand the security gap in the code & subsequent plugin. The media attention stopped without further hacking of the website.
What could have been done: JU had been using a vulnerable website hosted on a vulnerable infrastructure for many years. Hackers had infiltrated the system & were waiting for the right time to use the back door. The website was used for student recruitment, circulars, faculty login, student login, the project portal & exam-related activities. All information was compromised and downloaded to the hackers' server, the database was modified, etc.
If JU had opted for periodic audits (WAPT, NPT) of the website & hosting infrastructure, the active persistent threat could have been detected much earlier. Not only could confidential data have been protected, but reputation could also have been saved.
We recommend that every company opt for ISO/IEC 27001:2013 certification, which gives them end-to-end assurance of their information security.