Only a few months ago, in a “major cyber-attack”, more than 2000 Indian websites were hacked on a single day by Pakistani hackers. The targeted websites included those of critical public sector organisations, such as Central Bank of India, West Bengal State Coastal Zone Management Authority, Damodar Valley Corporation, and two Rajasthan State Government websites.

Although the government has shown some concern and has released a National Cyber Security Policy, which sets out the measures to be taken to protect information in cyberspace and to prevent cyber threats, these measures seem ineffective or insufficient.

In July 2014, Atbash Security, a London-based IT and email security company, conducted open source intelligence research into Indian government departments, a mixture of central, state, local and nationalised corporations listed below:

  • State government - education ministries, police departments and large seaports/dockyards
  • Central government - financial departments and meteorological research
  • Nationalised corporations - space & satellite research and energy companies
  • Local government - police departments and forestry administrations

The results were shocking: a sizeable percentage uses outdated and insecure email server platforms. Even basic hacking attempts and mass-mail malware would have a high chance of getting through.

According to Graeme Batsman, the security director of Atbash Security, “Some of these departments would be highly interesting to foreign nations”.

More worrying are targeted attacks (like the RSA breach in 2011), where a user receives a convincing email with a “harmless” PDF or Word document attached, which lets the remote attacker (typically a foreign nation) siphon off sensitive data such as financial records, intellectual property and defence contractor plans. Technical problems uncovered included:

  • No TLS/SSL - encryption certificates cost as little as $15 yet offer defence against interception of emails and passwords
  • Basic anti-virus/anti-spam - increases the chances of network infection and wastes employee time sorting through spam emails
  • Public links - webmail links should not be displayed on public websites, since doing so makes them a greater and easier target
  • Poor productivity - legacy email servers do not offer full sync of emails, tasks and calendars, and make the chances of losing emails higher
  • Hacking - old and basic email servers do not have proper defences against password guessing, and “forgot password” offers a loophole
  • Zero defence against targeted attacks - advanced defences are required to catch spear-phishing malware, but basic email servers do not have such capability