The Indian Computer Emergency Response Team (Cert-In) has published a number of cyber security advisories and vulnerability notes, which have come to the fore across various media reports. While these advisories and notes have been around for a while, the importance of such advisories has escalated in light of growing cyber security vulnerabilities in commonly used consumer software services such as operating systems built by the likes of Apple and Google.
Interestingly though, most CERT-In advisories seem to appear after an issue has been fixed, and often when it is even widely known. They are also reported as 'advisories from the centre' by some media publications, even though they aren't actually government warnings per se. TechCircle explains how these advisories affect you, and why you should pay heed to them.
What is Cert-In?
The Indian Computer Emergency Response Team is the nodal cyber security agency operating under the central government’s Ministry of Electronics and Information Technology (Meity). The agency was formed in 2004, and is different from other government-affiliated cyber security bodies — such as the Indian Cybercrime Coordination Centre (I4C) and the National Critical Information Infrastructure Protection Centre (NCIIPC).
While the I4C was approved in October 2018 by the Ministry of Home Affairs to undertake research for building cyber defence services, the NCIIPC is a body to identify and advise critical sectors against impending cyber-attacks. Cert-In, meanwhile, is tasked with identifying and responding to immediate cyber breaches that are reported regularly by companies around the world.
What do Cert-In’s advisories signify? Why are they late?
Cert-In’s advisories cover a wide range of flaws and vulnerabilities. These include data on glitches in software and hardware systems used by both users and companies, and resemble those reported in Common Vulnerabilities and Exposure (CVE) database.
These software and hardware include apps like Google Chrome etc, ranging to routers used in enterprises, laptops and more.
What is CVE?
CVEs are also reported by companies, once the flaw is disclosed to the company in question — and is also subsequently patched. The CVE is basically a database of publicly known computer security flaws, and is maintained to help individuals, researchers and even companies to be aware of what patches they need to ensure on their systems.
The CVE program is overseen by an American non-profit called the MITRE Corporation, which runs via funding from the Cybersecurity and Infrastructure Agency (CISA), which is a part of the US Department of Homeland Security.
The advisories issued by CERT-In typically appear under "vulnerability notes", which is a commonly used term in international vulnerability reporting. Another US-based non-profit called Computer Emergency Response Team Coordination Center (CERT/CC) and the US National Vulnerability Database (NVD) maintain 'vulnerability notes' databases, which include details of the flaws mentioned in the CVE.
Are CERT-In vulnerabilities part of new cyber security regulations in India?
No. Cert-In’s advisories and vulnerability notes date back to 2003, and cover software issues over the past two decades. However, the frequency of such advisories has increased, with increasing infiltration of technology among mainstream users.
Do these advisories affect you as a user?
Yes, they do. A wide number of Cert-In disclosures cover commonly used software platforms, such as Apple’s iOS and Google’s ChromeOS. For instance, on August 18, Cert-In published two advisories under Cert-In Vulnerability Note (CIVN) numbers 2022-0329 and 2022-0330. These notes cover security flaws in Apple’s iOS, iPadOS and macOS for the former, and Google’s ChromeOS for the latter.
As a user, it is important for you to follow these notes, which include a link to the latest software patch version that remedies the mentioned software flaws. You can follow these issues through Cert-In’s Twitter account, and ensure that you update your devices regularly.
Do these advisories cover companies as well?
Yes. The Cert-In advisories also cover enterprise segment vulnerabilities, such as software flaws in information technology (IT) services. Cyber security administrators in companies are advised to follow these notes to ensure that their enterprises apply the latest software patches — which can mitigate a range of vulnerabilities.