CERT-In cyber security norms bar use of Anydesk, Teamviewer by govt dept

Cyber security watchdog CERTin has barred the use of remote desktop softwares like Anydesk and Teamviewer in the government department under new security guidelines released on Friday.

The guidelines prescribe government departments use virtual private networks (VPN) for accessing network resources from remote locations and enable multi-factor authentication (MFA) for VPN accounts.

"Ensure to block access to any remote desktop applications, such as Anydesk, Teamviewer, Ammyy admin etc," Guidelines on Information Security Practices for Government Entities said.

CERT-In (Indian Computer Emergency Response Team ) said the purpose of these guidelines is to establish a prioritised baseline for cyber security measures and controls within government organisations and their associated organisations.

Minister of State for Electronics and IT Rajeev Chandrasekhar in an official statement said the government has taken several initiatives to ensure an open, safe and trusted and accountable digital space.

"We are expanding and accelerating on Cyber Security with focus on capabilities, system, human resources and awareness. The guidelines are an important part of our larger cybersecurity framework being built under the leadership of our PM Narendra Modi ji, as India takes rapid strides towards USD 1 trillion Digital Economy," Chandrasekhar said.

According to the guidelines, critical servers should be either made stand-alone or members of a dedicated secure zone and the servers need not communicate amongst themselves unless they are part of the same application with dedicated ports and authenticated applications.

"In the wake of certain allegations and assumptions that AIIMS servers were compromised by ransomware and alleged leak of government data from entities, it is good that CERT-In has issued standard operating guidelines. These will standardise cyber security postures across India. It will help reduce the number of cyber security attacks in the country," Voyager Infosec, Director of Digital Lab, Jiten Jain, said.

Besides the security of computer and network infrastructure, the guidelines have also incorporated security measures for social media of government department accounts.

The guidelines mandate approval of content from appropriate authorities before it is posted on an official social media account.

"Content to be posted on social media handles should be approved by the appropriate authority within the organisation," the guideline said.

The guidelines bar use of official social media platform accounts on public devices or unauthorised devices.

CERT-In guidelines call for the prevention of IT systems from unauthorised access, physical damage, and tampering by implementing physical security.

"Important and sensitive zones should be monitored through CCTV cameras and footage should be stored for at least 180 days," the guideline said.