If you're a Chief Information Security Officer (CISO) or a cybersecurity professional, you're undoubtedly aware of the ever-evolving landscape of data protection and privacy regulations. In recent years, India has made significant strides in this arena with the introduction of the India Privacy Act. We'll dive into the key highlights and implications of this act, and we have some renowned legal experts to guide us through the intricacies.

Meet the Experts

Our esteemed panel of experts includes:

• Advocate Dr. Pavan Duggal (Supreme Court of India; Expert Authority in Cyberlaw)
• Advocate (Dr.) Prashant Mali (Cyber Law and Data Protection Lawyer, Bombay High Court)
• Advocate Puneet Bhasin (Cyber & Data Protection Laws Expert, Founder- Cyberjure Legal Consulting & Cyberjure Academy)
• Bikash Barai (Co-founder CISOPlatform, Firecompass)

(Panel Discussion) Recorded

Key Highlights of the India Privacy Act

1. Intent Matters

One of the most striking aspects of the India Privacy Act is its emphasis on intent. The concept of personal data breach under this act encompasses unauthorized sharing of data, whether intentional or not. This means that even unintentional data breaches can have legal repercussions. So, if you're a CISO, you must be prepared to demonstrate that you took reasonable security measures and conducted data audits to safeguard against data breaches.

2. Personal Data

The act merges sensitive personal data and personally identifiable data into one category, known as "personal data." This means that anything that identifies an individual, such as their name, health data, email ID, or IP address, falls under the purview of the act. This consolidation broadens the scope of data protection and places more responsibility on data fiduciaries and processors.

3. The Merger of Data Categories

Unlike previous laws, the India Privacy Act merges sensitive personal data and personally identifiable data into a single category – personal data. This means that any information that can identify an individual, from their name to their health data or email address, falls under this broader definition. CISOs need to be aware of the expanded scope and adapt their security measures accordingly.

Who Does the India Privacy Act Apply To?

The act casts a wide net, applying to almost every legal entity in India. Whether you're a large corporation, a startup, a healthcare provider, or a cooperative housing society, if you handle personal data, you're subject to the provisions of the act. This means that there's no escape from compliance for any organization, big or small.

Penalties and Liabilities

The India Privacy Act introduces substantial penalties for non-compliance. The fines can go up to 250 crore rupees, and they can be levied per breach or per record, depending on the severity of the data breach. The act is not lenient on organizations, and even smaller entities can face significant financial and legal consequences.

While the act does not explicitly include criminal liabilities, it does not absolve organizations from other existing laws, such as the Information Technology Act 2000 and the Indian Penal Code. Violations of these laws can lead to criminal charges, making it crucial for CISOs to ensure comprehensive compliance.

Impact on Enterprises and Startups

The India Privacy Act does not distinguish between large enterprises and startups when it comes to compliance. Both are equally bound by the act's provisions, and they must adhere to data protection regulations. This includes obtaining explicit consent for data processing, maintaining a consent management system, and providing a means for individuals to withdraw their consent.

Startups that handle sensitive data face the same level of responsibility as larger organizations. The source of the data and the scale of data processing do not exempt them from compliance. It's essential for all organizations, regardless of their size, to invest in educating their employees, developing consent management systems, and ensuring data security.

Formula for Penalties

The India Privacy Act does not specify a fixed percentage of revenue as a basis for calculating penalties, unlike the GDPR. Instead, it relies on a formula that considers factors such as the magnitude of the data breach, the nature of the data, and the level of negligence on the part of the organization. The formula is still in the process of being determined and may provide more clarity in the future.

Implications for CISOs

As a CISO, you're at the forefront of ensuring data security and compliance within your organization. Here's how the India Privacy Act will impact your role:

1. Extensive Training and Education

You'll need to invest in training and education for your team to ensure they understand the nuances of the Act. From consent management to understanding the parameters of the law, a well-informed team is your first line of defense.

2. Consent Management

Consent management will become critical. You'll need to implement consent management software that provides explicit notice and allows individuals to withdraw their consent if needed. The Act emphasizes transparency in data processing and consent, ensuring data subjects are fully aware of how their information is used.

3. Data Localization

While data localization didn't make it into the Act, the onus is on organizations to ensure data security. CISOs need to consider the potential risks and advantages of data localization in their specific contexts, even in the absence of a specific mandate.

4. Data Classification and Protection

Given the Act's broader definition of personal data, a more comprehensive approach to data classification and protection is essential. This includes stricter controls on data access and sharing, encryption, and secure data storage.

Act Now

The India Privacy Act is a game-changer in the realm of data protection and privacy. As a cybersecurity professional, it's your responsibility to understand and implement the necessary measures to ensure compliance. The magnitude of the fines and the potential repercussions for non-compliance make it imperative to act now.

To stay updated and connect with a community of like-minded cybersecurity professionals, consider joining CISO Platform, a dedicated cybersecurity community. Sign up here and be part of a network that prioritizes knowledge sharing and continuous learning.

In this enlightening Fireside Chat, Brad La Porte, a former Gartner Analyst, and Bikash Barai, Co-Founder of FireCompass, delve into the world of Continuous Security Validation and Testing. Their conversation offers valuable insights for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), Cyber Security Managers, Vulnerability Managers, and Security Analysts.


Part 2 Recap:
They discuss the current state of security validation, share their thoughts on achieving a continuous security approach and Exploring the Tools: ASM, CART, and BAS  >>> Read More

Fireside Chat (Recorded)

The Challenge Of Continuous Security Validation

In today's digital landscape, cybersecurity has become a top priority for organizations of all sizes. Small and medium-sized businesses (SMBs) face the same threats as larger enterprises, and attackers don't discriminate based on company size. Therefore, it's crucial for SMBs to adopt a smart approach to continuous security validation.

Brad La Porte suggests that the process remains largely the same, but the key is to "think smarter, not harder." It begins with assessing your organization's attack surface, understanding what's necessary, and eliminating what's not. Just like securing your home by locking individual doors, implementing network segmentation within your organization helps reduce the overall impact of security breaches.

The Importance Of Restrictive Policies

La Porte emphasizes the significance of having strict policies in place. These policies should control what users can access, such as URL filtering, blocking websites, and restricting administrative rights. For example, in a corporate environment, it might not be appropriate to grant social media access to every employee or allow them to have administrative privileges. Implementing multi-factor authentication, stricter password rules, and frequent password resets also add layers of security.

Open Source Tools And Consolidated Solutions

For organizations with limited budgets, La Porte suggests leveraging open-source tools. Many such tools are available, allowing SMBs to gain exposure to essential security practices without breaking the bank. As organizations mature and their budgets expand, they can consider integrating best-of-breed solutions.

Barai adds that starting with open-source tools can be an excellent way to begin the cybersecurity journey. It's a cost-effective approach for SMBs looking to strengthen their security posture. Additionally, he recommends looking for consolidated solutions that offer multiple capabilities in one package, similar to a "Swiss army knife."

Key Success Factors And Common Mistakes

La Porte reflects on key success factors and common mistakes in implementing continuous security validation. He emphasizes that the answer is unique to each organization, depending on factors like business nature, culture, budget, and alignment between financial and security goals.

Success factors include reducing the number of unsuccessful attacks (reconnaissance) by identifying and eliminating weak points and decreasing dwell time (the time attackers remain within your network) through early detection and swift response.

Reducing false positives and false negatives and focusing on reducing noise in security alerts are also essential. The goal is to find the "needle in the haystack" efficiently, which, as in the world of magic, requires continuous improvement and visibility from all angles.

Ready to join the cybersecurity community and further your knowledge? Join CISO Platform, For more insightful content and updates, stay tuned to CISO Platform!

Welcome to a Interesting Fireside Chat where Brad La Porte, former Gartner Analyst, and Bikash Barai, Co-Founder of FireCompass, delve deep into the world of Continuous Security Validation & Testing. In this discussion, we'll explore how Cybercrime has become an underground economy, the importance of continuous security validation, and what it means for the ever-changing threat landscape.


About Speaker

Brad LaPorte has been on the frontlines fighting cyber criminals and advising top CEOs, CISOs, CIOs, CxOs and other thought leaders on how to be as efficient and effective as possible. This was conducted in various advisory roles at the highest levels of top intelligence agencies, as a Senior Product Leader at both Dell and IBM, at multiple startups, and as a top Gartner Analyst.

Bikash Barai is the Co-Founder of FireCompass, known for his innovations in Network Security and Anti-Spam Technologies with multiple USPTO patents. He's been recognized by Fortune in their Top 40 Business Leaders under 40 list in India and is a prominent speaker at events like TiE, RSA Conference USA, and TEDx.



Fireside Chat (Recorded)





The Cybercrime Has Become An Underground Economy

Brad La Porte, with over two decades in the cybersecurity industry, brings a unique perspective on the field's evolution. From his military days to consulting with High Tide Advisors, Brad has witnessed a monumental shift. The days of manual, 'men in black' forensics tools have given way to a high-tech battleground. The arsenal of attackers has grown, harnessing cloud-based tools, machine learning, and artificial intelligence.

This digital transformation isn't exclusive to defenders; criminals have adopted these technologies too. Cybercrime has become an underground economy, where you can outsource malicious activities with a few clicks. Ransomware as a service, supply chain breaches, and other cyber threats are just a Bitcoin away.

The Rise Of Continuous Security Validation

Continuous Security Validation is the response to this ever-growing menace. Organizations have become more serious about security, driven by the fear of being on the front page of a newspaper for the wrong reasons. The cost of a breach goes beyond immediate losses; it affects brand reputation and long-term security posture.

This evolution demands a change in mindset. Accepting that breaches will happen, and being proactive about security is paramount. The 'not in my backyard' mentality is changing, but it's not pervasive enough. It's not a matter of 'if' a breach will occur, but 'when' and 'how bad.' Organizations need to be in a continuous state of readiness, battling breaches on multiple fronts.

The State Of The Industry

The Agile Adversary
The adversary landscape has transformed into something agile. Just like developers, attackers make continuous changes. They seek windows of opportunity, and when they find them, they strike. This dynamic environment necessitates continuous testing and validation of security measures.

Simple Breaches, Huge Consequence
Many breaches appear deceptively simple, reminiscent of the 'For want of a nail' poem. Small misconfigurations can lead to massive compromises. Although zero-day vulnerabilities are powerful, they're rare culprits. Most breaches occur due to easily exploitable weaknesses.

The Way Forward

For CISOs, CIOs, Cyber Security Managers, Vulnerability Managers, and Security Analysts, understanding these dynamics is essential. Continuous Security Validation is not an option but a necessity in this evolving landscape. To ensure your organization's safety, you must adopt a proactive, continuous testing approach.

Embrace Continuous Security
The number one piece of advice is to fully embrace continuous security validation horizontally and vertically across your organization. Accept that breaches are inevitable, and focus on 'when' rather than 'if.' This mindset shift is crucial.

Join CISO Platform

To stay updated on the latest in cybersecurity and connect with like-minded professionals, consider joining CISO Platform, the CyberSecurity Community. Access valuable insights, discussions, and resources to fortify your organization's security posture.

Join CISO Platform - the CyberSecurity Community: Sign Up Now

 
>>> Part 2 Of Continuous Security Validation by Brad La Porte & Bikash Barai

At the CISO PLATFORM 100 Awards & Conference 2023, we were fortunate to host "100+ CISOs joining us over 22+ Sessions to share their knowledge with the community and build Task Forces". Attendees experienced Keynotes, Panel discussions and Task Forces along with Award felicitation.

Our editorial team has handpicked the top sessions at CISO Platform Top100 Conference held in Agra. Here are the list of top sessions from the Conference 2023.

1. (Keynote) Orientation CISO Platform Journey

Speaker : Bikash Barai, Co-founder & Advisor, CISO Platform 

>> Go To Presentation

2. (Keynote) Getting Inside Generative AI And Its Impact On Security Testing

Speaker : Arnab Chattopadhayay, CTO, FireCompass & Bikash Barai, CEO, Firecompass 

>> Go To Presentation

3. (Keynote) Cyber Truths : Are You Prepared?

Speaker : Nikhil Fogat, Regional Sales Director- North Enterprise, SentinelOne & Shanker Sareen, Head Marketing - SentinelOne India and SAARC

>> Go To Presentation

4. (Keynote) Simplifying Data Privacy And Protection

Speaker : Tushar Haralkar, Principal Technical Sales Leader, Security Software, IBM India South Asia

>> Go To Presentation

5. (Keynote) Every Attacker Exploits Weaknesses - Understand Yours

Speaker : Chandrashekhar Basavanna, CEO, Secpod

>> Go To Presentation

6. (Keynote) India's Digital Personal Data Protection (DPDP) Act 2023

Speaker : Advocate Dr. Prashant Mali, Cyber Law and Data Protection Lawyer, Bombay High Court

>> Go To Presentation

7. (Panel Roleplay) CISO Presenting The Top 10 Security Risks To The Board

Speaker : Rajiv Nandwani (Moderator), Dr. Yusuf Hashmi, Kuldeep Kaushal

>> Go To Presentation

8. (Panel Roleplay) Executing Cyber Crisis Management Plan

Speaker : Gowdhaman Jothilingam (Moderator), Yudhisthira Sahoo, Basil Dange, Jagannath Sahoo, Prabhakar Ramakrishnan, Koushik Nath, Balram Choudhary, M.Sathish Kumar, Sathish Eathuraj, Ramkumar Dilli, Srinivasulu Thayam, Suprakash Guha

>> Go To Presentation

9. (Task Force) Verizon DBIR Control Mapping

Speaker : Manoj Kuruvanthody, CISO & DPO, Tredence

>> Go To Presentation

10. (Task Force) Session On Chennai Chapter

Speaker : Gowdhaman Jothilingam, Global CISO and Head IT, Latent View

>> Go To Presentation

About Speaker

Manoj Kuruvanthody, CISO & DPO, Tredence

(PPT) Presentation From The Discussion

About Speaker

Rajiv Nandwani (Moderator), Dr. Yusuf Hashmi and Kuldeep Kaushal

(PPT) Presentation From The Discussion

About Speaker

Gowdhaman Jothilingam (Moderator), Yudhisthira Sahoo, Basil Dange, Jagannath Sahoo, Prabhakar Ramakrishnan, Koushik Nath, Balram Choudhary, M.Sathish Kumar, Sathish Eathuraj, Ramkumar Dilli, Srinivasulu Thayam, Suprakash Guha

(PPT) Presentation From The Discussion

About Speaker

Gowdhaman Jothilingam, Global CISO and Head IT, Latent View

(PPT) Presentation From The Discussion

About Speaker

Arnab Chattopadhayay, CTO, FireCompass

Bikash Barai, CEO, Firecompass

(PPT) Presentation From The Discussion

About Speaker

Nikhil Fogat, Regional Sales Director- North Enterprise, SentinelOne

Shanker Sareen, Head Marketing - SentinelOne India and SAARC

(PPT) Presentation From The Discussion

About Speaker

Tushar Haralkar, Principal Technical Sales Leader, Security Software, IBM India South Asia

(PPT) Presentation From The Discussion

About Speaker

Chandrashekhar Basavanna, CEO, Secpod

(PPT) Presentation From The Discussion

About Speaker

Advocate Dr. Prashant Mali, Cyber Law and Data Protection Lawyer, Bombay High Court

(PPT) Presentation From The Discussion

About Speaker

Bikash Barai, Co-founder & Advisor, CISO Platform

(PPT) Presentation From The Discussion

As technology continues to evolve, so too the threats to the security of enterprises. As we enter 2023, the threat landscape for enterprises is becoming increasingly complex, fast-moving, with cyber threats growing in both volume and sophistication. The threat actors are using technology and knowledge from multiple domains to weaponize and create layers of techniques forming complex advanced attacks. From lone actor hacking for fun and some profit, cyber attack has turned into a full fledged underground industry. To protect against these threats, enterprises must adopt a comprehensive cybersecurity strategy.

Some of the key elements that ideally be included in any security strategy relevant for 2023 are:

• External attack surface management
• Continuous automated pen testing
• Identifying day 1 vulnerabilities at the earliest
• Protecting against supplier chain compromise threat
• Create mitigation plans against new classes of threat arising due to generative AI
• Continuously monitor against Ransomware susceptibility

External Attack Surface Management 

The external attack surface of an enterprise refers to all the potential entry points. It involves discovering an enterprise’s assets exposed over the internet, critical ports remaining open due to misconfiguration, exposed sensitive data, shadow IT by means of Cloud and other virtual environment, dangling domain records, leaked credential, leaked code and more. In 2023, external attack surface management should include monitoring of cloud environments, third-party vendors, and supply chain partners. Also, the capability to filter, validate, prioritize and integrate with enterprise security management systems are also essential.

Continuous Automated Pen Testing 

Traditional manual penetration testing is no longer sufficient in keeping up with the pace of technological advancements and the evolving threat landscape. Continuous automated pen testing provides businesses with a comprehensive view of their security posture and enables them to detect vulnerabilities quickly and respond promptly. It also allows businesses to conduct more frequent testing without impacting their day-to-day Advt Get App Leaders Speak Events Webinars More bilities ts Ransomware Cybercrime & Fraud Identity & Access Management GRC OT Security News Newsletters operations. Remember, the attackers are testing all the systems all the time whereas enterprise using traditional methods test some of the systems some of the time.

Identifying Day 1 Vulnerabilities 

Day 1 vulnerabilities refer to zero-day vulnerabilities or vulnerabilities found very recently and the existing hunting and defense systems yet to identify and implement controls. The threat actors today are very fast to exploit those before a patch or update is available. In 2023, identifying day 1 vulnerabilities should be a priority for businesses. Enterprises should focus on identifying Day 1 vulnerabilities on their attack surface, preferable in 24 hours of its publishing. Proactive vulnerability management, including vulnerability scanning and assessment, to identify vulnerabilities before they are exploited by attackers is becoming extremely crucial.

Incident response plans should also be in place to address any Day 1 vulnerabilities that are discovered. This will help businesses respond quickly and minimize the damage caused by any potential attacks.

Supplier Chain Compromise 

In recent years, threat actors have increasingly targeted third-party vendors and supply chain partners to gain access to an enterprise's network infrastructure. In the recent past, utilities, manufacturing and health care has seen APT actors attacking critical systems using supplier chain weaknesses. The impact has been very serious. In 2023, supplier chain compromise should be a focus for businesses as they are responsible for ensuring that their partners have adequate cybersecurity measures in place. Enterprises must establish a security vetting process for third-party vendors and suppliers and ensure that they adhere to their cybersecurity policies and standards. This will help prevent supply chain attacks, which can have devastating consequences for businesses.

Defense against Generative AI based threats 

Generative AI is an emerging technology that is transforming the way businesses operate. However, it is also presenting new challenges to cybersecurity. In 2023, businesses must address the new class of threat arising due to generative AI. Generative AI can be used to create convincing phishing emails and other social engineering attacks that can bypass traditional security defenses. Therefore, businesses must invest in AI-powered security tools that can detect and respond to these new types of threats. 

Continuous Monitoring of Ransomware Susceptibility 

Ransomware attacks have been on the rise over the past few years, with cybercriminals using increasingly sophisticated methods to target businesses. A recent data breach report from Verizon mentioned Ransomware attacks as a key threat to enterprises. It also mentions phishing emails, malicious downloads, and through compromised supply chain partners as key attack vectors commonly used by ransomwares. The consequences of a successful ransomware attack can be devastating. In addition to the financial impact of paying the ransom, businesses may also face lost productivity, data loss, and reputational damage. Furthermore, some threat actors may not honor their promise to restore the encrypted data, even if the ransom is paid. Apart from internal preparation it may be worthwhile for large operations to arrange Insurance cover. Business Interruption insurance or standard Errors and Omissions (E&O) may not be sufficient. There are specialized Insurers and Lloyds of London market may be tapped. Some of these Insurers have specialized units who can also help in audit of preparations and cover financial re-mediation to customers

Cybersecurity is a critical issue for enterprises in 2023, and they must focus on implementing a robust cybersecurity strategy to protect themselves from the increasing number of cyber threats. This includes External attack surface management, Continuous automated pen testing, Continuous monitoring, Identifying Day 1 vulnerabilities in near real-time, Protecting against supplier chain compromise threat, Create mitigation plans against new classes of threat arising due to generative AI, Continuously monitor against Ransomware susceptibility. By taking the approach mentioned above, an enterprise will be able to reduce the Get App Leaders Speak Events Webinars More bilities ts Ransomware Cybercrime & Fraud Identity & Access Management GRC OT Security News Newsletters gap in cybersecurity controls, mitigate risks at a speed that matches the current day's attackers.

Posted from CISOPlatform member Arnab Chattopadhyay (Member of the CybersecurityWorking Group, IET Future Tech Panel) 

Blog also here : https://ciso.economictimes.indiatimes.com/news/ot-security/cybersecurity-strategies-for-enterprise-in-2023/103046315

According to latest Threat Intelligence, 80% of the times, Ransomware gets initial access using Top 3 Attack Vectors:
1. Exploiting Vulnerabilities
2. Shadow IT & Stolen Credentials
3. Various Variants Of Phishing Attacks
This webinar covers 6 most critical and ransomware weaponized CVEs published in the last 3 months and how CISOs can identify them and immediately decrease the chance of Ransomware by 26%.

Key Discussion Points : 

• Key Insights on Reducing Ransomware Risk by 26% 
• Top 6 CVEs in last 3 months tracked by FireCompass Research Team
• Key Recommendations and Best Practices
• Know the 3 Weaknesses which leads to 80% Ransomwares

About Speaker

Jitendra Chauhan, Head of Research at FireCompass. Jitendra holds multiple patents in Information Security and has 18+ years of experience in key areas such as Building and Managing Highly Scalable Platforms, Red Teaming, Penetration Testing and SIEM.

(Webinar) Recorded

Discussion Highlights

1. 3 Weaknesses leads to 80% Ransomewares

2. Attackers Capability to scan internet in few days

One of the typical automation, without any human intervention is following

• Scan for targets on mass scale
• Profile the targets using custom crawlers or fingerprinting techniques
• Detect CVEs based on technology, or banner
• Attempt exploitation
• Attempt persistence

3. Ransomewares runs on Global Attack Surface

4.  CVE Prioritized in April by Firecompass

5. Possible Recommendations

• Threat Intel + Pentesting on Daily Basis.
• Combine ASM + Threat Intel + Vulnerability Management.
• Firecompass Day 1 CVE + Threat Exposure Alerts

6. Ransomewares targetted CVEs 

Incident Lifecycle Management : Threat Management - NIST Aligned Process

Incident Lifecycle Management (ILM) refers to the systematic process of handling and managing security incidents within an organization. It involves the entire lifecycle of an incident, from detection and response to resolution and learning. The goal of ILM is to minimize the impact of incidents on the organization's operations, systems, and data, while also improving incident response capabilities.. Threat Management, specifically NIST Aligned Process, refers to the approach of managing threats to an organization's information and technology systems in accordance with the guidelines and best practices outlined by the National Institute of Standards and Technology (NIST). NIST provides a comprehensive framework and resources for managing cybersecurity risks and protecting critical infrastructure.

Detection & Analysis

Identification
• Analyze logs and information security events
• Identify potential information security incidents.
• Categorize incident

Validation
• Validate incident scale and consequence.
• Assign
consequence, seventy and priority ratings.
• Review and confirm ratings
• Endorse ratings.

Declaration & Escalation
• Based on priority, assemble ISIRT and notify appropriate parties and escalate incidents. (e.g. cntical & high pronty crisis and emergency incidents escalated to Country Emergency Manager).

Response & Recovery

Containment, Investigation & Forensics
• Direct ISIRT, develop incident response plan, activate rapid response team if needed, and communicate incident to internal and external stakeholders.
• Perform incident containment, investigation and root cause analysis, forensics and evidence management.

Eradication
• Eradicate technical vulnerabilities and incident root causes.

Recovery
• Recover affected information systems and business operations.

Post Incident

Post Incident Activities
• Document lessons
learnt.
• Close incident.
• Create incident review report.
• Develop and implement IS-IM improvement recommendations.

(Many years back we started the 'Top 100 CISO Awards' recognizing the important role a CISO plays in preventing huge breaches. Nominate yourself for the 15th Edition Of Top 100 Awards, The 1st recognition for CISOs)

Presentation For Reference