Priya R's Posts (80)


In today's data-centric world, organizations face increasing pressure to uphold privacy standards and comply with regulatory requirements. This blog explores essential steps for fostering a privacy-driven culture within organizations, aligning with the principles outlined in the Digital Personal Data Protection Act (DPDP).

 

 

Here is the verbatim discussion:

...to privacy. So start seource first of all, you should first decide whether to take this responsibility of data protection, whether you're going to get anything more from, you know, salary or from a remuneration point of view, or there should be a different designation, a designated person who handles that data-related part. Second point is privacy-related education in the organization. It could be online, it could be offline, it could be, uh, HR-driven, any kind of thing, but certain rules and certain principles which DPDP has given us, every organization and every employee should know this. So create a privacy-driven awareness, a privacy-driven culture in your organization, and then your organization will actually become privacy-focused, and then you can achieve compliance on any laws the government throws at you, any rules the government throws at you; you'll be compliant and you'll be a privacy-happy organization. ...going to be required. So we have a lot of questions; I don't know if we'll be able to go through or not. I'll keep the last five minutes for, uh, like all of you, Prashant, Puneet and Pavan, to highlight anything which you want to talk about which we may not have discussed.

 

Highlights:

Assessing Responsibility and Designation:

  • Organizations must determine whether to assign specific individuals or departments the responsibility for data protection.
  • Consideration should be given to potential incentives or remuneration for designated personnel to ensure commitment to the role.

Prioritizing Privacy Education:

  • Implement comprehensive privacy education programs for employees, encompassing both online and offline formats.
  • Ensure that all staff members are familiar with the principles and rules outlined in the DPDP to cultivate a privacy-conscious workforce.

Creating a Privacy-Focused Culture:

  • Promote a culture of privacy awareness and accountability throughout the organization, starting from top management down to every employee.
  • Emphasize the importance of privacy in organizational practices and decision-making processes to embed privacy as a core value.

Achieving Compliance and Adaptability:

  • By fostering a privacy-driven culture, organizations can achieve compliance with existing and future data protection laws and regulations.
  • Continuously assess and adapt privacy practices to align with evolving regulatory requirements and technological advancements.

 

Building a privacy-driven culture is essential for organizations to navigate the complex landscape of data protection regulations effectively. By assigning responsibility, prioritizing education, and fostering a culture of privacy awareness, organizations can not only achieve compliance with existing laws like the DPDP but also establish a foundation for adapting to future regulatory changes. Embracing privacy as a core organizational value is not just a legal obligation but a strategic imperative for maintaining trust and credibility in today's data-driven ecosystem.

 

Speakers:

Dr. Pavan Duggal is the Founder & Chairman of the International Commission on Cyber Security Law and President of Cyberlaws.Net. He heads the Artificial Intelligence Law Hub and Blockchain Law Epicentre, and is the Founder of Cyberlaw University. Dr. Duggal is the Chief Evangelist of Metaverse Law Nucleus and has directed numerous international conferences on cyber law. He has spoken at over 3000 events and authored 194 books on various legal topics.


https://x.com/pavanduggal
https://in.linkedin.com/in/pavanduggal

 


Prashant Mali is an acclaimed international cybersecurity and cyber law expert, practicing as a lawyer at the Bombay High Court with 25 years of experience. He holds advanced degrees in computer science and law, and has authored 8 books and 16 research papers on cyber law and data protection. Mali frequently appears on TV and at international conferences, offering expert legal opinions on a wide range of technology-related issues. His landmark legal work includes numerous acquittals and influential policy contributions.

https://x.com/AdvPrashantMali
https://in.linkedin.com/in/prashantmali

 


Advocate Puneet Bhasin is a pioneer in cyber laws in India and has been awarded Best Cyber Lawyer in India. She is an advisor to the Rajya Sabha Committees on Internet laws and recipient of 13 National Awards for contribution in cyber laws, one of them being "Best Cyber Lawyer in India".

https://x.com/cyberlawpuneet
https://in.linkedin.com/in/advpuneetbhasincyberlawyer

 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1
https://www.linkedin.com/in/bikashbarai/

 
Read more…

 

The implementation of the India Privacy Act heralds a new era of data protection regulations in the country, bringing significant challenges and opportunities for organizations. In this blog, we delve into the critical aspects of the Act and highlight imperative measures for compliance and risk mitigation.

 

 

Here is the verbatim discussion:

...mode. Why? Because that's going to cost any organization humongously. From the CISO standpoint, apart from costing the organization, such kind of an error could even cost you your job. In addition, it could also expose you to criminal liability under the existing law in your own individual capacity, and for which you may not have the appropriate documentation to show that you as an organization, or you as a top management of the organization, had exercised all due diligence to prevent the commission of any offense or contravention. So focus back on documentation, focus back on your due diligences and compliances, and this law particularly, I think, is going to be a game-changing law. Primarily everything will be dependent on how it's going to be implemented, but the very fact that every organization is now going to have a Damocles' sword on their head for a potential fine of 250 crore rupees could actually drive India towards a more, sh, uh, sound data economy as we go forward, as more responsible data practices are going to be ensured, be followed by all stakeholders. Needless to say, please don't only concentrate on the Digital Personal Data Protection Act; this is just the cherry on the cake. Please concentrate on the cake as well, which is the Information Technology Act 2000 and the rules and regulations with other entities. Now suppose if there is a data breach through a third party, then who has to pay the fine, who is responsible? So the concept of cascading consent has not been Ed in the DPDP Act. If the third party, see, it depends upon who is liable. The data fiduciary is liable to the data principal. Here we don't have a concept of something like a second, third party person who is doing something. Now suppose if you have to guard yourself, you know, as a data fiduciary, to guard yourself from such kind of labs from the third party, you need to have a contract with him, and in the contract you need to have indemnification clauses as to: if I get fined because of your issues, your problems, you will indemnify against whatever the loss I incur or whatever penalty or fine I incur. So this having a contract with an indemnification clause with regards to the Data Protection Board now becomes important. So every organization needs to go back to their contracts and revise the contracts when it comes to, uh, handling of data in a cascading pattern, when you're giving data further to a third party or further from a third party.

 

Highlights:

Stringent Compliance Obligations:

  • The India Privacy Act mandates stringent compliance requirements, with potential fines of up to ₹250 crore for non-compliance.
  • Organizations must prioritize documentation, due diligence, and compliance frameworks to mitigate legal and financial risks.

Individual and Organizational Accountability:

  • Top management individuals face personal liability for data protection breaches, necessitating comprehensive documentation of due diligence measures.
  • Focus on compliance with the Information Technology Act 2000 and associated regulations is paramount for organizational integrity.

Addressing Third-Party Liability:

  • The Act lacks provisions for cascading consent and delineating liability among multiple parties involved in data processing.
  • Organizations must revise contracts with third-party vendors to incorporate indemnification clauses and mitigate risks associated with data breaches.

 

As organizations navigate the complexities of India's data protection landscape, proactive compliance efforts are indispensable. By prioritizing documentation, due diligence, and responsible data practices, businesses can mitigate legal and financial risks while fostering trust among stakeholders. Compliance with the India Privacy Act is not just a regulatory obligation but a strategic imperative for organizations to thrive in the evolving digital economy.


Read more…

The enactment of the India Privacy Act has ushered in a new era of data protection regulations, presenting significant challenges and opportunities for organizations across the country. In this blog, we delve into the intricacies of the Act, its implications for businesses, and actionable steps to ensure compliance and readiness.

 

 

Here is the verbatim discussion:

...to have, but you need to have that: data audits. You need to have it annually. You need to ensure all of this, like, uh, is in place for you to. And obviously one of the most important things is data mapping. I would say the first point of compliance for you is going to be data mapping, because today Indian organizations don't know what data they have collected, which data they have collected, where is it even residing. We have never really had this kind of compliance before. So before you even start building a framework, which honestly I'm hearing a lot of people come up, you know, "can you build the data privacy framework for us", the question is: do you even know what is your data and where is your data? So the first step is obviously data mapping, and privacy frameworks, consent management, uh, auditing, a lot of these things are going to happen thereafter. ...principal. Here we don't have a concept of something like a second, third party person who is doing something. Now suppose if you have to guard yourself, you know, as a data fiduciary, to guard yourself from such kind of labs from the third party, you need to have a contract with him, and in the contract you need to have indemnification clauses as to: if I get fined because of your issues, your problems, you will indemnify against whatever the loss I incur or whatever penalty or fine I incur. So this having a contract with an indemnification clause with regards to the Data Protection Board now becomes important. So every organization needs to go back to their contracts and revise the contracts when it comes to, uh, handling of data in a cascading pattern, and when you're giving data further to a third party or further from a third party to. So Puneet, I think we are not able to hear you, but there's a great point that you made, that mapping the data is super critical. Uh, so we'll move to Pavan. Um, any closing remark? And by the way, we should have a session just on this; uh, Puneet made a very vital point in terms of how do we get ready, so we should just have a session only on that, like how do we have the readiness, huh, for the new act. Um, Pavan, any closing remark, and then we'll go to Prashant. Maybe quick, one to two minute closing remark. My closing remarks are only this much: uh, let's get out into the field, let's get our hands dirty, let's start working on things, let's not be in a complacency.

 

Highlights:

Universal Consent Mandate

  • Organizations must obtain explicit consent for data collection, processing, and sharing, ensuring transparency and accountability.
  • Multilingual notices are mandated to cater to the diverse linguistic landscape of India.

Comprehensive Data Definition

  • The Act encompasses all forms of personal data, eliminating the distinction between personally identifiable and sensitive information.

Stringent Penalties

  • Non-compliance can result in fines of up to ₹250 crore per violation, emphasizing the seriousness of data protection breaches.

Breach Reporting and Remediation

  • Mandatory reporting of breaches to the Data Protection Board and affected individuals.
  • Organizations must demonstrate proactive measures to secure data and mitigate risks post-breach.

Applicability to Digital Data

  • The Act covers breaches of digital personal information, irrespective of its initial format or source.

 

The India Privacy Act represents a paradigm shift in data protection regulations, necessitating proactive measures from organizations to ensure compliance and mitigate risks. By understanding the key provisions of the Act and implementing robust data protection frameworks, businesses can navigate this regulatory landscape effectively, safeguarding privacy and fostering trust among stakeholders.


Read more…

With the introduction of the India Privacy Act, organizations across the country are facing a new era of data protection challenges. This landmark legislation brings stringent requirements for consent, compliance, and penalties for breaches. In this blog, we delve into the key aspects of the Act, its implications for organizations, and actionable steps to ensure readiness and compliance.

 

 

Here is the verbatim discussion:

...super critical. Uh, so we'll move to Pavan. Um, any closing remark? And by the way, we should have a session just on this; Puneet made a very vital point in terms of how do we get ready, so we should just have a session only on that, like how do we have the readiness, huh, for the new act. Um, Pavan, any closing remark, and then we'll go to Prashant. Maybe quick, one to two minute closing remark. My closing remarks are only this much: uh, let's get out into the field, let's get our hands dirty, let's start working on things, let's not be in a complacency mode. Why? Because that's going to cost any organization humongously. From the CISO standpoint, apart from costing the organization, such kind of an error could even cost you your job. In addition, it could also expose you to criminal liability under the existing law in your own individual capacity, and for which you may not have the appropriate documentation to show that you as an organization, or you as a top management of the organization, had exercised all due diligence to prevent the commission of any offense or contravention. So focus back on documentation, focus back on your due diligences and compliances, and this law particularly, I think, it's going to be a game-changing law. Primarily everything will be dependent on. Well, the very, very simple: if your PII is misused, no problem, just shoot a complaint to the Data Protection Board, and that becomes the starting point of a new investigation, when the board is going to go ahead and try to find out if there's any contention and thereafter ultimately give a fine up to 250 crore rupees. That's one of the many things that you can do. In addition, because there's a breach of your sensitive personal data or PII, clearly you will also have remedies under the Information Technology Act which you can also do, which means that you can also file criminal charges against the company under the IT Act and the IT Rules. Most of the time the companies become intermediaries under section 2(1)(w) of the Information Technology Act 2000, and this, uh, shall I say, uh, abuse or misuse of personal data is also in complete contravention of the provisions of rule 3 of the Information Technology Rules 2021, which have been updated as on 6th of April 2023, because right now they are going to be marrying this with the requirement for having in place reasonable security practices and procedures, which will have to be again an ISO 27001. So you will have remedies under there. Unfortunately, your remedy for unlimited damages by way of compensation under Section 43A of the IT Act has been withdrawn, because that's been repealed.

 

Highlights:

Universal Consent Mandate

  • Organizations must obtain explicit consent from data subjects, detailing data collection, processing, and third-party involvement.
  • Multilingual notices are required, ensuring accessibility across diverse linguistic communities.

Comprehensive Definition of Personal Data

  • The Act encompasses all information identifying individuals, eliminating the distinction between personally identifiable and sensitive data.

Penalties for Non-Compliance

  • Fines of up to ₹250 crore per violation may be imposed, reflecting the severity and scale of breaches.

Breach Notification and Remediation

  • Mandatory reporting of breaches to the Data Protection Board and affected individuals.
  • Demonstrable steps must be taken to secure data and mitigate risks post-breach.

Applicability to Digital Data

  • The Act covers breaches of digital personal information, regardless of its initial format.

 

The India Privacy Act marks a significant shift towards data protection and privacy rights. By understanding its provisions and taking proactive steps towards compliance, organizations can navigate this regulatory landscape effectively. Ensuring readiness is imperative to safeguarding data and maintaining trust with stakeholders in the digital age.


Read more…

 

The India Privacy Act is a landmark piece of legislation aimed at protecting the digital personal data of individuals. It introduces stringent requirements for consent, compliance, and penalties for data breaches, applicable to organizations of all sizes. This blog delves into the key aspects of the Act, its implications for small and large organizations, and the necessary steps for ensuring compliance.

 

 

Here is the verbatim discussion:

Oh, is it? Yes. Uh, so with respect to small and large organizations, the first thing that needs to be understood is the concept of consent, and legitimate consent is applicable to all organizations irrespective of size. So again, which, uh, question, you know, was even coming through in the chat box prior: that, you know, uh, in the beginning itself where I define data, there's no bifurcation of personally identifiable and sensitive data, which means an organization, which may be a small organization, which is, let's say, offering health packages to their employees, just an example, and, you know, you're allowing your employees in health packages, which many organizations do today as a bing offer to the employees, you are ending up collecting their health-related data. When an employee is applying to you for a leave, you are collecting a medical certificate, you are collecting some kind of records from them. So at any and every point of time you may imagine that you don't have data, but that is actually not the point. So you cannot say that, you know, I'm not taking, uh, data pertaining to your exact health condition, or, you know, I'm a smaller organization, I don't collect financial information, so I am not coming within this ambit. That is not how it works. So irrespective of the size of your organization, if you are collecting anything that constitutes personal data, you're going to come within the ambit. I'll give you a simple example: today when you go to a bank, they are asking you a lot of information just to open your bank account, all of which is sensitive. Today when you're applying for a credit card, when you go for a job employment, there is an application that you make and track. Magnitude of the data breach: it's going to be based on the nature of data, it is going to be based on how negligent was the organization. So though the negligent mind is not the concept, but let's say they had zero security, or they had, let's say, only a mediocre level of cyber security and they were dealing with highly sensitive data. So all these different permutation combinations are going to determine up to what figure in that 250 crores are you looking at the penalty: is it 100 crore, is it 200 crore? Based on that is where there is going to be like a formula det. So right now the Act, considering the board, like the powers given to the board, is that there are certain parameters in which they can determine. Now if there is further clarity and rules that will come up thereafter, then, you know, there may be more tweaking of this with respect to how they are going to work out the penalties. So clearly, uh, any data which has personal data, now you really can't distinguish between distributor data or, uh, um, or, uh, reseller data or your dealers' data. Any data which has PII, uh, personal information, personal data, I know these are different words but the words being used, so that when you're collecting personal data and you are deciding the means, when you're trying to process this data, when you classify yourself as a data fiduciary, then this law is applying. And if you're gathering a huge amount of data and the government goes and classifies you as a significant data fiduciary, a different set of, uh, treatment could get applied. So what industry you are in, there is no industry-specific mentioning in the law; it is data-specific. If it is personal data, DPDP is applicable; if it is digital personal data, DPDP is applicable. So there are a few other questions, like one is right to forget: is that concept there?

 

Highlights:

Universal Consent Requirement

  • Consent must be obtained from data principals through an explicit notice that details data collection, processing, and the involvement of data processors.
  • Notices must be provided in all Indian languages as per the 8th schedule of the Constitution.
  • Consent requirements apply to all organizations, irrespective of size, including startups, MNCs, hospitals, and even housing societies.

Comprehensive Definition of Personal Data

  • The Act encompasses any information that can identify an individual, such as names, health data, email IDs, and IP addresses.
  • There is no distinction between personally identifiable information and sensitive personal data.

Substantial Penalties for Non-Compliance

  • Penalties for non-compliance can reach up to ₹250 crore per violation, with fines dependent on the nature and magnitude of the data breach.
  • The Act does not specify penalties as a percentage of turnover but imposes blanket fines based on the severity of the breach.

Breach Notification and Remedial Actions

  • Organizations must notify the Data Protection Board and affected individuals in the event of a data breach.
  • Post-breach, organizations are required to take demonstrable steps to secure data and inform victims of the breach.

Applicability to Digital Data

  • The Act applies to breaches of digital personal information. Non-digital data that is subsequently digitized also falls under the Act’s jurisdiction.

 

The India Privacy Act imposes significant responsibilities on organizations, demanding a proactive approach to data protection and privacy. By understanding and adhering to its key provisions, businesses can navigate this regulatory landscape effectively. The CESO platform is dedicated to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.

 

Speakers:

Dr. Pavan Duggal is the Founder & Chairman of the International Commission on Cyber Security Law and President of Cyberlaws.Net. He heads the Artificial Intelligence Law Hub and Blockchain Law Epicentre, and is the Founder of Cyberlaw University. Dr. Duggal is the Chief Evangelist of Metaverse Law Nucleus and has directed numerous international conferences on cyber law. He has spoken at over 3000 events and authored 194 books on various legal topics.


https://x.com/pavanduggal
https://in.linkedin.com/in/pavanduggal

 


Prashant Mali is an acclaimed international cybersecurity and cyber law expert, practicing as a lawyer at the Bombay High Court with 25 years of experience. He holds advanced degrees in computer science and law, and has authored 8 books and 16 research papers on cyber law and data protection. Mali frequently appears on TV and at international conferences, offering expert legal opinions on a wide range of technology-related issues. His landmark legal work includes numerous acquittals and influential policy contributions.

https://x.com/AdvPrashantMali
https://in.linkedin.com/in/prashantmali

 


Advocate Puneet Bhasin is a pioneer in cyber laws in India and has been awarded Best Cyber Lawyer in India. She is an advisor to the Rajya Sabha Committees on Internet laws and a recipient of 13 National Awards for contribution to cyber laws, one of them being "Best Cyber Lawyer in India".

https://x.com/cyberlawpuneet
https://in.linkedin.com/in/advpuneetbhasincyberlawyer

Bikash Barai is credited with several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in the USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1
https://www.linkedin.com/in/bikashbarai/

The India Privacy Act represents a significant advancement in the country's data protection landscape, aiming to safeguard digital personal information. This blog examines key aspects of the Act, its implications for various organizations, and the steps necessary to ensure compliance. Insights from a recent panel discussion on the CESO platform, featuring top cyber law experts, provide a comprehensive understanding of this legislation.

Here is the verbatim discussion:

...and then an organization cannot say, "I do not have the bandwidth or the monetary requirements for it." So I'll give you a simple example. Nowhere is the Act specifying a percentage of turnover like the GDPR. So when they're giving a blanket figure of up to 150 crores, up to 250 crores, up to 100 crores, you need to understand that the magnitude of offense, like let's say if it's hospital data: there have been actual cases, I will not quote the cases, but abroad there have been cases where HNIs have been targeted, their medical information when they were hospitalized was manipulated to, you know, obviously create a risk to their life. And in India this could be happening so many times. As a matter of fact, many people who are actively involved in data protection would be aware that in the years '21 and '22 in India, majorly most of the hospitals faced cyber breaches. Even right now, medical data is the second highest targeted data after financial data, that is of banks and insurance etc. So considering the sensitivity of such data, whether you may say "I'm a small clinic," that does not mean that you cannot risk your patient's life. End of the day, you need to understand the repercussion. You may say "I don't have 100 crores," but then in that situation, if you even read the CPC, in the event there is a compensation, in the event there is any kind of money, that's a civil clear. It talks of a personal breach; this law is only applicable if there is a breach of digital personal information. So the moment I give non-digital personal information, which is maybe a printout, then technically, from an interpretation standpoint, it can be argued that this is not coming within the ambit of the law. But if I give a printout of a PAN card or an Aadhaar which subsequently gets digitized, I still come within the ambit of this law. So in each particular case, look at whether the ultimate digitization of the personal data took place or not. If it has taken place and subsequent thereto there's been a data breach, then of course this law is going to be applicable. But if I was to just give my Aadhaar or PAN card number photocopy to my cellular service provider who does not digitize it but just monetizes it by selling it, then to that extent it would not really qualify as a breach under the digital personal data protection legal framework. But these are very, very great complications; we'll have to still await more clarifications in the rules and regulations that the government may come up with very shortly. So for all practical purposes, people are going to digitize; very few are going to sell it as like a Xerox copy, right? So for all practical.

Highlights:

Explicit Consent Requirement

  • Consent must be obtained through an explicit notice detailing data collection, processing, and the involved data processors.
  • Notices must be provided in all Indian languages as per the 8th schedule of the Constitution.
  • Consent is required regardless of the organization's size or sector, including startups, MNCs, hospitals, and housing societies.

Broad Definition of Personal Data

  • Includes any information that can identify an individual, such as names, health data, email IDs, and IP addresses.
  • Merges previous categories of sensitive personal data and personally identifiable information.

Significant Penalties for Non-Compliance

  • Penalties for non-compliance can reach up to ₹250 crore per violation.
  • The severity of fines depends on the scale and impact of the data breach.
  • Unlike GDPR, the Act does not specify penalties as a percentage of turnover but rather imposes blanket fines.

Breach Notification and Remedial Actions

  • Mandatory notifications to the Data Protection Board and affected individuals in case of a data breach.
  • Organizations must take demonstrable steps to secure data and notify victims post-breach.

Applicability to Digital Data

  • The Act applies to breaches of digital personal information.
  • Non-digital data that is subsequently digitized falls within the Act's purview.

The India Privacy Act imposes significant responsibilities on organizations, demanding a proactive approach to data protection and privacy. By understanding and adhering to its key provisions, businesses can navigate this regulatory landscape effectively. The CESO platform is dedicated to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.

The India Privacy Act introduces a new era of data protection and privacy regulations in India. This comprehensive law emphasizes the need for explicit consent, robust compliance measures, and significant penalties for non-compliance. Recently, a panel discussion on the CESO platform, featuring esteemed experts in cyber law, shed light on the critical aspects of this legislation. This blog delves into the key highlights of the India Privacy Act, its implications for various organizations, and the steps necessary to ensure compliance.

Here is the verbatim discussion:

...the more the data that's flowing, so by default the concept of consent will have to come in. Now just to give you a brief about what is the concept of consent: it's primarily in the nature of an explicit notice, an explicit notice as to what you are going to do with the data, what are the data sets that you're collecting, how are you going to utilize it, what are the data processors involved, what are they going to perform on it. And not just in English or Hindi: in every single Indian language as per the 8th Schedule of the Constitution the notice has to be provided. If the data principal explicitly consents is when you can actually go ahead and process data. So this is irrespective of the size of the organization: startup, MNC, large organization, medium-scale organization, manufacturing, hospital, anything, a cooperative housing society. A person who's a visitor coming into your society also needs to give explicit consent; you cannot just collect his data. We are awaiting the secondary legislation. The minister has indicated that they are not going to wait for elections and that rules under the DPDP Act are going to come very soon, so I do hope that the rules will provide a certain amount of clarity as to how this particular quantum of fine has to be so-called calculated. We need to be mindful of the fact that some broad parameters are given under the Act, but they are too broad in general, so each case will have to be dependent on its own peculiar facts and circumstances. It will also be dependent upon what subjective interpretation the Data Protection Board takes in each case as it moves forward, for the very simple reason that supposing it's just a data breach of, say, 1,000 records, then obviously the quantum of fine is going to be slightly lesser; but if the records are, say, 10 million records, then the quantum of fine is going to be far higher. So this nomenclature of up to 50, 250 crore means it is left to the subjective discretion measures and they have a clean audit report, what will happen? Still they will be fined or not? I guess this was discussed, that they may have a lesser fine, but still they will be fined, is that right? Yes, it would be in the nature of demonstrating, you know, just having an audit on paper is not what works. You will have to show demonstrable compliance, that is actually the level of implementation of security measures, data security measures, cyber security measures that you can actually demonstrate. That is something which would be important, I'm quite certain, for the nature of proceedings, as in judicial proceedings; just showing that you have an auditor sign-off is not enough there, you have to show evidence too.

Highlights:

Explicit Consent Requirement

  • Consent must be obtained through an explicit notice detailing data collection, processing, and the involved data processors.
  • Notices must be provided in all Indian languages as per the 8th schedule of the Constitution.
  • Consent is required regardless of the organization's size or sector, including startups, MNCs, hospitals, and housing societies.

Broad Definition of Personal Data

  • Includes any information that can identify an individual, such as names, health data, email IDs, and IP addresses.
  • Merges previous categories of sensitive personal data and personally identifiable information.

Data Protection Board and Penalties

  • Establishes a Data Protection Board to oversee compliance and handle grievances.
  • Penalties for non-compliance can reach up to ₹250 crore per violation, with fines depending on the severity and scale of the data breach.

Breach Notification and Remedial Actions

  • Mandatory notifications to the Data Protection Board and affected individuals in case of a data breach.
  • Organizations must take demonstrable steps to secure data and notify victims post-breach.

The India Privacy Act imposes significant responsibilities on organizations, demanding a proactive approach to data protection and privacy. By understanding and adhering to its key provisions, businesses can navigate this regulatory landscape effectively. The CESO platform is dedicated to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.

The India Privacy Act represents a significant step towards robust data protection and privacy standards in the country. During a recent panel discussion on the CESO platform, experts in cyber law—Advocate Dr. Pavan Duggal, Advocate Dr. Prashant Mali, and Advocate Punita Shetty—explored the Act's key provisions and their implications for businesses. Moderated by Vikash Parekh, the session emphasized the importance of data security, the role of intent in data breaches, and the responsibilities of data fiduciaries and processors. This blog distills the discussion into actionable insights for organizations navigating this new regulatory landscape.

Here is the verbatim discussion:

...you could say rang a bell with me the moment I saw the Act was with respect to intent. So if you see the concept of personal data breach under this particular Act, it is talking about unauthorized sharing of data; it even talks of unauthorized, you know, data breaches that may happen, let's say, with or without intention. So it could even happen, let's say, you have not intentionally done the act, you may not be a hacker who is attacking a particular system, but if unintentionally this entire activity has happened, let's say from your employee, or at your end to secure your systems. So the concept of mens rea is what we see very importantly: whether or not you are guilty in intentionally doing this act of a data breach doesn't come. So when you are going to be, let's say, pulled up by the Board, the question "I never meant it", the entire argument, you know, "I never meant it, I never thought of it, it was not in my knowledge of it", these kinds of arguments are never going to work. And primarily, even if with or without your knowledge, the fact that this act has occurred, a breach has occurred, you will have to demonstrate justifiably, you know, what steps were taken by you prior, how you were secured reasonably, whatever assessments, data audits you had undertaken, what kind of security you have, and obviously after the breach what steps you have taken thereafter to notify the victims of the breach, what steps you have taken to secure them. So, you know, it's going to be a lot of responsibility upon organizations which are going to be data fiduciaries collecting data, data processors, unlike the kind of regime that we have today. Unfortunately in India today we don't really have that kind of a mindset in organizations; organizations are collecting data, selling data left, right, center. That's like the methodology of business today in India, so a lot of it is going to undergo a sea change. And one of the most important highlights that, you know, I would like to put forth is about the concept of a personal data breach, wherein it is not with intent, without intent; that's not something that's even going to be considered by the Board. And in line with the personal data breach concept, I would like to highlight the meaning of personal data. So unlike the previous laws that bifurcated sensitive personal data and personally identifiable data, this particular Act is a merger of both. So anything that is going to identify you as you, whether it may be your name, your health data, your email ID, your IP address. So the bifurcation that this is an aggravated offense in case, let's say, it is your medical health data and not your other identifiable information, the definition of personal data does not have this kind of a bifurcation. So this is one of the points, one of the highlights, and I would leave it to the rest.

Highlights:

Role and Responsibility of Data Fiduciaries and Processors

  • Data Fiduciary: Responsible for determining the purpose and means of processing personal data.
  • Data Processor: Handles data on behalf of the data fiduciary, ensuring adherence to compliance measures.

Intent and Accountability

  • The Act emphasizes that both intentional and unintentional data breaches are subject to penalties.
  • Organizations must demonstrate due diligence and reasonable security measures to mitigate liability.

Broad Definition of Personal Data

  • Merges previous categories of sensitive personal data and personally identifiable information.
  • Encompasses any information that can identify an individual, including names, health data, email IDs, and IP addresses.

Breach Notification and Remedial Actions

  • Mandatory breach notifications to the Data Protection Board and affected individuals.
  • Post-breach responsibilities include notifying victims and taking steps to secure their data.

Penalties for Non-Compliance

  • Significant fines up to ₹250 crore per violation.
  • Criminal liability for severe breaches, emphasizing the importance of stringent data protection measures.

The India Privacy Act demands significant adjustments from organizations, both large and small. By understanding its key provisions and preparing adequately, businesses can navigate this new regulatory environment effectively. The CESO platform remains dedicated to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.

The India Privacy Act marks a transformative shift in the regulatory landscape, with profound implications for both large enterprises and startups. Recently, the CESO platform hosted a panel discussion featuring leading experts in cyber law—Advocate Dr. Pavan Duggal, Advocate Dr. Prashant Mali, and Advocate Punita Shetty. Moderated by Vikash Parekh, the session explored the nuances of the Privacy Act and its potential impact on various stakeholders. This blog captures the key takeaways, offering insights into how organizations can navigate this new legal framework.

Here is the verbatim discussion:

...law and e-commerce law. Dr Duggal has been acknowledged as one of the top four cyber lawyers around the world; World Domain Day recognizes him as one of the top 10 cyber lawyers around the world. Advocate Dr Prashant Mali, cyber law and data protection lawyer, Bombay High Court: Dr Prashant is India's top cyber and privacy lawyer with many landmark cases to his credit. He has been awarded as Best Cyber Privacy Lawyer 2022 at the Newsmaker Awards, Best Cyber Security Lawyer in 2017, and with the National Cyber Defense Award in 2019. Advocate Puneet Bhasin, cyber and data protection laws expert, founder of Cyberjure Legal Consulting and Cyberjure Academy: Advocate Puneet is a pioneer in cyber laws in India and has been awarded and that wouldn't be a real-life thing that you can fine in multiples of 150 crores or 250 crores. Second point is how would they calculate? Now this is the biggest question, because organizations are talking to me, asking me how do they write some figure on the legal risk, or how do they secure themselves in cyber insurance. That's a big question. So why? Because if you calculate that whatever, ultimately all the fines which have been mentioned, it comes to 500 crores, because suppose you are fined in every place, you know, you are as a data breach, then you are a significant data fiduciary also, and then the total can come to around 500 crores. But that is not the actual figure you can calculate. Now how would the figure be coming? Now that they could devise a formula; a Board has to devise a formula to come across how much to be charged to whom, you know, because it has to be realistic and it has to be a lot of PI data. So this dream of companies having less PI data is, I don't think it is a practical dream, saying that I don't have less data. And coming back again on what Pavan ji said, that people were celebrating that we will not have a jail term, rather people who are going to handle the data part: so IT Act Section 43B read with Section 66 still is alive, and there is punishment up to three years of imprisonment, and there is a penalty there also. So that also can operate, and apart from obviously other IPC sections depending upon what has been stolen along with the data. Okay, so let us go to the next part of the question, and I'll club two questions together, that is like how does it impact the large enterprises, how does it impact the startups. So you can combine both of them together, and yeah, over to you Puneet. We'll go to everybody with this question, like what are the top things that you see it's going to impact, both the enterprises as well as the startups.

Highlights:

Introduction of New Roles

  • Data Principal: The individual to whom the personal data belongs.
  • Data Fiduciary: The entity responsible for determining the purpose and means of processing personal data.
  • Data Processor: The entity processing data on behalf of the data fiduciary.

Consent and Rights of Data Principals

  • Explicit consent required for data collection and processing.
  • Rights to access, correct, and delete personal data.
  • Right to be informed about data breaches affecting their data.

Data Protection Board

  • Establishment of a Data Protection Board to oversee compliance and handle grievances.
  • Powers to investigate, audit, and impose penalties for violations.

Data Localization and Cross-Border Data Transfer

  • Mandates for storing certain types of data within India.
  • Regulated procedures for transferring data abroad, ensuring protection aligns with Indian standards.

Breach Notification and Compensation

  • Mandatory breach notifications to the Data Protection Board and affected individuals.
  • No government compensation for data breaches; non-compliance by individuals may result in fines.

Penalties for Non-Compliance

  • Significant fines up to ₹250 crore per violation for non-compliance.
  • Potential criminal liability for severe breaches.

The India Privacy Act presents both challenges and opportunities for large enterprises and startups. By understanding the key provisions and preparing adequately, organizations can navigate this new regulatory landscape effectively. The CESO platform remains committed to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.

In the rapidly evolving landscape of data protection and cybersecurity, the India Privacy Act stands as a significant legislative milestone. To shed light on its nuances and implications, the CESO platform recently hosted a panel discussion featuring leading experts in cyber law: Advocate Dr. Pavan Duggal, Advocate Dr. Prashant Mali, and Advocate Punita Shetty. Moderated by Vikash Parekh, the session provided invaluable insights into the Act's key highlights and its impact on various stakeholders. This blog aims to encapsulate the essence of the discussion, offering a comprehensive overview of the India Privacy Act and what it means for organizations and individuals alike.

Here is the verbatim discussion:

...cyber security law guy, and when I think about cyber security law I had always been like, I got to know Puneet very recently, but Prashant and Pavan I know for a pretty long time. I can't think of a better panel of experts if I had to go and take advice from, so I believe for the audience, as far as at least I know, I can't think of a better audience. I'm personally super excited to actually learn from this session. So my background had been more on the technical side, and I knew that this thing is brewing, finally the privacy bill has become how GDPR takes care of it from the perspective of how big the company is in terms of revenue; how does the Indian Act take care of it in terms of how much will be fined? Okay, so let me first give the highlight from, because the other two speakers have spoken about it from the corporate point of view, let me take the data principal point of view, you and me. So if you and me are losing data, the highlight is we don't have any compensation from the government. In fact, if you don't follow the rules and because of which you have lost the data, you may be charged, you may have to pay a fine of rupees 10,000 to the Data Protection Board. Okay, so that is the provision, so a very different provision altogether. Yes, you can hear. You are already sucked into the whirlpool, so any expectation or any representation that "look, we are not covered under the DPDP Act" must instantaneously evaporate. That's the first thing. Number two, broadly speaking, this law has come up with three broad concepts which are alien in the Indian ecosystem, but people need to know about it: we have the concept of data principal, data fiduciary and the data processor. Now we need to appreciate that India is coming from a historical standpoint where sharing has been the norm of life. We've all been in joint families, we've been sharing information; there's the classical joke that by the time you close your railway journey you know far more, everything, about your passenger and stuff like that. But in a country like ours, for the first time the law has now begun to start getting into action. The law says if you are a data principal then you are the owner of your data, your personal data, which means that nobody else will be able to use it without your specific consent or under certain specified circumstances. The second concept is that of a data fiduciary; data fiduciary is a concept where the law says is a legal entity who will determine what kind of processing of the personal data of the data principal will have to take place. And of course the third category is data processor, where the entity is only processing data, personal data of a data principal, for and on behalf of a data fiduciary. So everything is very clear, we are all covered. Of course the government wants to give us some interim period of preparation, and the interim period is necessary because for the first time in the history of independent India we now have unprecedentedly heard fines of 250 crore rupees per contravention. So assuming you are an entity, you don't comply, that does not mean that you can subscribe to the Indian jugaad school of management and yet also rest on your laurels. I think with the advent of the IT Act, the IPC amended and the DPDP Act, the jugaad in the Indian ecosystem of electronic data.

Highlights:

Introduction of New Roles

  • Data Principal: The individual to whom the personal data relates.
  • Data Fiduciary: The entity that, alone or together with others, determines the purpose and means of processing personal data, and that stays accountable for compliance even when the processing is outsourced.
  • Data Processor: The entity that processes personal data on behalf of a data fiduciary.

Consent and Rights of Data Principals

  • Personal data may be processed only with the data principal's consent, or for the "legitimate uses" the Act lists (for example, data the individual voluntarily provided for a specified purpose, or processing required by law). Consent must be free, specific, informed, unconditional and unambiguous, and be preceded by a notice describing the data and the purpose.
  • Rights to access a summary of the personal data being processed, to have it corrected, completed and updated, and to have it erased once the purpose is served.
  • Right to be intimated of a personal data breach affecting their data.

Data Protection Board

  • Establishment of the Data Protection Board of India to inquire into complaints and breaches, direct remedial measures, and impose penalties after giving the party an opportunity to be heard.
  • The Board's penalties are civil. Data principals also have duties under the Act, such as not filing false or frivolous complaints; breaching them can attract a penalty of up to ₹10,000.

Cross-Border Data Transfer

  • The Act contains no general data-localization mandate: personal data may be transferred to any country except those the Central Government restricts by notification.
  • Sector-specific rules that require data to stay in India (for example, RBI's requirements for payment-system data) are not displaced by the Act and continue to apply.

Breach Notification and Compensation

  • Mandatory intimation of a personal data breach to the Data Protection Board and to each affected data principal, in the form and within the time the rules prescribe.
  • No compensation is paid to the data principal by the government; as the speaker notes, a data principal who breaches their own duties under the Act may be fined up to ₹10,000.

Penalties for Non-Compliance

  • Monetary penalties of up to ₹250 crore per instance; the highest tier applies to failing to maintain reasonable security safeguards to prevent a personal data breach.
  • The Act itself imposes civil penalties, not criminal liability. Related conduct such as unauthorised access to a computer system remains punishable separately under the Information Technology Act and the penal code.

 

The India Privacy Act, formally the Digital Personal Data Protection Act, 2023, represents a pivotal shift in the nation's approach to data protection, demanding significant adjustments from both individuals and organizations. By understanding the Act's key provisions and preparing before the rules and the Board become operational, stakeholders can navigate the new legal landscape effectively. CISO Platform remains committed to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.

 

Speakers:

Dr. Pavan Duggal is the Founder & Chairman of the International Commission on Cyber Security Law and President of Cyberlaws.Net. He heads the Artificial Intelligence Law Hub and Blockchain Law Epicentre, and is the Founder of Cyberlaw University. Dr. Duggal is the Chief Evangelist of Metaverse Law Nucleus and has directed numerous international conferences on cyber law. He has spoken at over 3000 events and authored 194 books on various legal topics.


https://x.com/pavanduggal
https://in.linkedin.com/in/pavanduggal

 


Prashant Mali is an acclaimed international cybersecurity and cyber law expert, practicing as a lawyer at the Bombay High Court with 25 years of experience. He holds advanced degrees in computer science and law, and has authored 8 books and 16 research papers on cyber law and data protection. Mali frequently appears on TV and at international conferences, offering expert legal opinions on a wide range of technology-related issues. His landmark legal work includes numerous acquittals and influential policy contributions.

https://x.com/AdvPrashantMali
https://in.linkedin.com/in/prashantmali

 


Advocate Puneet Bhasin is a Pioneer in Cyber Laws in India and Awarded the Best Cyber Lawyer in India. She is an advisor to the Rajya Sabha Committees on Internet laws and Recipient of 13 National Awards for contribution in Cyber laws one of them being "Best Cyber Lawyer in India".

https://x.com/cyberlawpuneet
https://in.linkedin.com/in/advpuneetbhasincyberlawyer

 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1
https://www.linkedin.com/in/bikashbarai/


[Image: Understanding the India Privacy Act: Key Highlights and Industry Implications]

 

Welcome to CISO Platform, the world's first online community dedicated exclusively to senior security executives including CISOs, CIOs, CSOs, CTOs, and directors. With a global membership exceeding 40,000, CISO Platform stands at the forefront of cybersecurity discussions. Today, we delve into the India Privacy Act, the Digital Personal Data Protection Act, 2023, and its significance for Chief Information Security Officers (CISOs). Our distinguished panel comprises Advocate Dr. Pavan Duggal, Advocate Dr. Prashant Mali, Advocate Puneet Bhasin, and our moderator, Bikash Barai.

 

 

Here is the verbatim discussion:

Welcome to CISO Platform. CISO Platform is the world's first online community solely dedicated for information senior security executives, CISO, CIO, CSO, CTO, directors, with 40,000 plus community members globally. Today's panel discussion is on India Privacy Act and what it means for CISOs, and speakers joining us today are: Advocate Dr Pavan Duggal, Supreme Court of India. While practicing as Advocate, Supreme Court of India, Dr Pavan Duggal has made an immense impact with an international reputation as an expert and authority on cyber law, cyber security law, artificial intelligence law and e-commerce law. Dr Duggal has been acknowledged as one of the top four cyber lawyers around the world; World Domain Day recognizes him as one of the top 10 cyber lawyers around the world. Advocate Dr Prashant Mali, cyber law and data protection lawyer, Bombay High Court. Dr Prashant is India's top cyber and privacy lawyer with many landmark cases to his credit; he has been awarded as best cyber privacy lawyer 2022 at Newsmaker Awards, best cyber security lawyer in 2017, and with the National Cyber Defense Award in 2019. Advocate Puneet Bhasin, cyber and data protection laws expert, founder of Cyberjure Legal Consulting and Cyberjure Academy. Advocate Puneet is a pioneer in cyber laws in India and has been awarded the best cyber lawyer in India. She is an adviser to the Rajya Sabha committee on internet laws and recipient of five national awards for contribution in cyber laws, one of them being best cyber lawyer in India. Bikash Barai, co-founder of CISO Platform and FireCompass, and co-founder of iViZ which is now acquired by Synopsys. He is an IIT Kharagpur alumnus with multiple patents under his name; Fortune magazine named him as part of Fortune 40 under 40. He is a well-known global speaker who spoke at RSA Conference USA, Singapore, TEDx etc. This panel will be moderated by Bikash Barai. We request all attending members to please post your questions in the chat box and we'll address those questions to the speakers
at the end of the session. Thank you everyone for joining us today. I would request Bikash to take it forward. Thank... real cases out there, so we'd like to also know some of those real cases out there. So that's number one, the highlights of the Act and some of the real cases. Then we'll also discuss a little bit on how does it impact the industry, the startup ecosystem. Then we'll kind of end with what are some of the milestones which we as an organization should define in order to get prepared for it. So we know that there is a journey ahead, but what are those milestones if we have to move forward on that journey, and some of the top risks and how do we manage from the Privacy Act perspective. So these are broadly some of the things which we discussed, we'll touch upon today, and we'll also keep some time towards the end for question and answers. So we kept the number of questions, yes, so that we can keep more time for our community members to also participate and ask. So that's the broad lay of the land in terms of today's discussion. So let me jump into... so let's start with the first question: what are some of the key highlights which you have seen in terms of the Privacy Act, and also any of the cases which you have observed?

 

Highlights:

Data Protection Framework

  • The Act governs the processing of digital personal data (collected in digital form, or collected offline and later digitised), whether the processing takes place in India or abroad in connection with offering goods or services to individuals in India.
  • Rights of individuals to access a summary of their data, to have it corrected, completed and updated, and to have it erased.
  • Processing requires the individual's consent, preceded by a notice, except for the "legitimate uses" the Act lists (for example, data the individual voluntarily provided for a specified purpose, or processing required by law).

Cross-Border Transfers

  • No blanket localization requirement: transfers are permitted to any country the Central Government has not placed on a restricted list by notification.
  • Stricter sectoral rules on where data may be held (such as RBI's requirements for payment-system data) continue to apply alongside the Act.

Regulatory Authority

  • Establishment of the Data Protection Board of India for enforcement and grievance handling; the Act does not create a "Data Protection Authority", which was the name used in the earlier 2019 draft bill.
  • The Board inquires into complaints and breaches, directs remedial measures, and imposes monetary penalties after giving the party an opportunity to be heard.

Breach Notification

  • Mandatory intimation of a personal data breach to the Board and to each affected data principal, in the form and within the time prescribed by the rules.
  • Data fiduciaries must implement reasonable security safeguards to prevent breaches; failing to do so attracts the highest penalty tier.

Penalties and Fines

  • Monetary penalties of up to ₹250 crore per instance, graded by the nature, gravity and duration of the breach and the type of personal data affected.
  • The Act prescribes civil penalties only and creates no criminal offences, although related conduct may still be prosecuted under the Information Technology Act.

Data Fiduciaries and Data Processors

  • Distinction between data fiduciaries (entities that determine the purpose and means of processing) and data processors (entities that process data on behalf of a fiduciary under contract).
  • The fiduciary remains accountable for compliance even when processing is outsourced. The Central Government may additionally notify certain fiduciaries as "significant data fiduciaries", with extra duties such as appointing a data protection officer and an independent data auditor and carrying out data protection impact assessments.

The India Privacy Act (the Digital Personal Data Protection Act, 2023) marks a significant step towards enhancing data privacy and security in India. It poses both challenges and opportunities for organizations across sectors. By understanding the key highlights and preparing adequately, companies can navigate the complexities of this legislation effectively. CISO Platform continues to support its members in staying informed and prepared for these pivotal changes, fostering a secure and compliant business environment.

 

Speakers:

Dr. Pavan Duggal is the Founder & Chairman of the International Commission on Cyber Security Law and President of Cyberlaws.Net. He heads the Artificial Intelligence Law Hub and Blockchain Law Epicentre, and is the Founder of Cyberlaw University. Dr. Duggal is the Chief Evangelist of Metaverse Law Nucleus and has directed numerous international conferences on cyber law. He has spoken at over 3000 events and authored 194 books on various legal topics.


https://x.com/pavanduggal
https://in.linkedin.com/in/pavanduggal

 


Dr. Prashant Mali is an acclaimed international cybersecurity and cyber law expert, practicing as a lawyer at the Bombay High Court with 25 years of experience. He holds advanced degrees in computer science and law, and has authored 8 books and 16 research papers on cyber law and data protection. Mali frequently appears on TV and at international conferences, offering expert legal opinions on a wide range of technology-related issues. His landmark legal work includes numerous acquittals and influential policy contributions.

https://x.com/AdvPrashantMali
https://in.linkedin.com/in/prashantmali

 


Advocate Puneet Bhasin is a Pioneer in Cyber Laws in India and Awarded the Best Cyber Lawyer in India. She is an advisor to the Rajya Sabha Committees on Internet laws and Recipient of 13 National Awards for contribution in Cyber laws one of them being "Best Cyber Lawyer in India".

https://x.com/cyberlawpuneet
https://in.linkedin.com/in/advpuneetbhasincyberlawyer

 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1
https://www.linkedin.com/in/bikashbarai/


 

In the ever-evolving landscape of cybersecurity, attackers continuously refine their methods to exploit vulnerabilities in a variety of systems. One of the most effective ways they achieve this is through automated tooling and pre-built databases of internet-exposed systems, which let a newly published vulnerability be matched to reachable targets within hours. This blog delves into that attacker workflow, the importance of rapid remediation, and how an efficient vulnerability management practice can, according to the research the speaker cites, reduce the risk of ransomware attacks by around 26%.

 

 

Here is the verbatim discussion:

task for them. Okay, and in fact actually what attackers do nowadays is that they maintain this database, pre-indexed. They keep on crawling and maintain this database in some raw big data tables, big data solutions, so that whenever a vulnerability comes up they can go and just do a search on this and find a potential target, right? So the first step is internet-wide scan, and index it into the database so that you can search later. Then the next step is to use a deep crawler. Now what this crawler does actually is, for different products, it goes and crawls and does a fingerprinting of the service, and then detects technology, its versions etc. The reason for this is it makes it easy to map a CVE to a technology to a target, right? For example, if again I take ESXi server, I can go and scan the IPs, I can grab the banners, I can do fingerprinting that this specific technology which is VMware, a specific version; I can write a parser to extract the versions and the technology on it, and I can keep it indexed actually, or even we can use it on demand; in fact whenever a vulnerability comes we can go and scan the internet, scan the IPs. So once this crawling is done the next step is CVE identification, which means that once the vulnerability is detected, the vulnerability is published, it's a matter of within maybe a few minutes to find out, or maybe an hour to find out, what versions are really impacted, which technology is really impacted. And once it is identified we can make a query into this database to find out which all targets are potentially vulnerable, right? And once this vulnerability identification is done on these potential targets, the next step is to try out the exploits. And generally these exploits, once run, as I said, the vulnerabilities are those specific vulnerabilities which can give remote code execution most of the time
to the attacker, and these are the vulnerabilities which are being targeted by ransomwares. So this is the flow, that automation that has allowed attackers to automate this whole mass-scale scanning and attacking within a few days in fact, and which actually, the point that I was referring to, that the mean time to remediate a vulnerability has reduced to even a few days. Now in summary, mitigating external critical CVEs could reduce ransomwares by 26% I think, right, as per the stats, as per the research by various reports, right? But the catch is that your MTTR has to be a few days. If it is not done, if the vulnerability is left open more than a few days, then there is increasing chance that it can be a potential target of an attacker and it is just luck that it is not being exploited. But then if it is done correctly and there is a practice that continuously have these vulnerabilities and mitigate them within a few days, then yes, we can actually reduce the ransomware risk by 26%. Now the question is how. Now before going to details on how, I just want to talk about FireCompass, so FireCompass research team, and I want to just give a background about ourselves. FireCompass research team, by the way, tracks brand new latest CVEs on a continuous basis, like whenever a new vulnerability is added to the NVD database we go and track it, we go and analyze it, and then we help our customers to identify exposure to these CVEs within a day so that customers can take action and mitigate risk of these CVEs using appropriate security measures. Now we have prioritized the upcoming, we will talk about certain CVEs, and then we have sent in alerts, exposure alerts, to our customers that reduce the risk of ransomware at least by 25, 26%, assuming you have already fixed critical, historical, other critical CVEs. So assuming that other CVEs which are already being fixed, the new CVEs that we will
discuss right now, if those are fixed, then your chance of, the risk of ransomware will be reduced by 26%.

 

Highlights:

Automated Internet-wide Scanning and Indexing:

Attackers scan the public IPv4 space on the ports they care about and index what comes back (IP, port, raw banner) in large searchable tables. Because the data is pre-indexed, a newly published vulnerability does not trigger a fresh scan; it triggers a query against data that is already there.

Deep Crawling and Fingerprinting:

A second pass fingerprints each exposed service in detail: product, version and sometimes build number, extracted from banners, HTTP headers, login pages or protocol handshakes. This is what makes a CVE, which is published against products and version ranges, mappable to concrete hosts.

CVE Identification and Mapping:

When a vulnerability is published, attackers work out within minutes to an hour which products and version ranges are affected, then query the index for matching hosts. The speaker's example is VMware ESXi: grab the banner, parse the version, and look up every indexed host whose version falls in the vulnerable range.

Exploitation of Vulnerabilities:

The vulnerabilities that get this treatment are overwhelmingly those that give unauthenticated remote code execution on an internet-facing service, because that is the shortest path to the initial foothold a ransomware operation needs.
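The pipeline above, reduced to its data structures, as an added example that is not FireCompass code and not from the talk: a small scan index of constructed banners, regex fingerprint rules, a version-range matcher, and the query an attacker runs the moment a CVE appears. The banners, the fingerprint regexes, the CVE identifiers (CVE-0000-0001, CVE-0000-0002 are placeholders) and their affected ranges are all hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample of an attacker's pre-indexed scan table: one row per
# (ip, port) holding the raw banner the internet-wide scanner captured.
SCAN_INDEX = [
    {"ip": "203.0.113.10", "port": 443,  "banner": "VMware ESXi 7.0.3 build-19193900"},
    {"ip": "203.0.113.11", "port": 443,  "banner": "VMware ESXi 6.7.0 build-14320388"},
    {"ip": "203.0.113.12", "port": 443,  "banner": "VMware ESXi 8.0.1 build-21495797"},
    {"ip": "203.0.113.13", "port": 22,   "banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1"},
    {"ip": "203.0.113.14", "port": 8080, "banner": "Server: Apache Tomcat/9.0.31"},
    {"ip": "203.0.113.15", "port": 443,  "banner": "nginx/1.18.0"},
]

# Deep-crawl stage: banner -> (product, version). Illustrative regexes only.
FINGERPRINTS = [
    ("vmware_esxi",   re.compile(r"VMware ESXi (\d+\.\d+\.\d+)")),
    ("openssh",       re.compile(r"SSH-2\.0-OpenSSH_(\d+\.\d+(?:p\d+)?)")),
    ("apache_tomcat", re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+)")),
    ("nginx",         re.compile(r"nginx/(\d+\.\d+\.\d+)")),
]

def fingerprint(banner):
    """Return (product, version) for a banner, or None when no rule matches."""
    for product, rx in FINGERPRINTS:
        m = rx.search(banner)
        if m:
            return product, m.group(1)
    return None

def version_key(v):
    """Make '7.0.3' or '8.9p1' comparable: the tuple of its numeric components."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

@dataclass
class AffectedRange:
    product: str
    start: str   # first affected version, inclusive
    end: str     # first fixed version, exclusive

    def contains(self, version):
        return version_key(self.start) <= version_key(version) < version_key(self.end)

# CVE -> affected ranges. Hypothetical identifiers and ranges for the demo;
# in practice this comes from the NVD record or the vendor advisory.
CVE_DB = {
    "CVE-0000-0001": [AffectedRange("vmware_esxi", "7.0.0", "7.0.3"),
                      AffectedRange("vmware_esxi", "6.7.0", "6.7.1")],
    "CVE-0000-0002": [AffectedRange("apache_tomcat", "9.0.0", "9.0.35")],
}

def vulnerable_targets(cve_id, index=SCAN_INDEX, cve_db=CVE_DB):
    """The query run the moment a CVE is published: fingerprint every indexed
    banner and keep the hosts whose version falls in an affected range.
    Returns a list of (ip, port, version)."""
    hits = []
    for row in index:
        fp = fingerprint(row["banner"])
        if fp is None:
            continue
        product, version = fp
        if any(r.product == product and r.contains(version)
               for r in cve_db.get(cve_id, [])):
            hits.append((row["ip"], row["port"], version))
    return hits

if __name__ == "__main__":
    for cve in CVE_DB:
        print(cve, vulnerable_targets(cve))
```

Run the same `vulnerable_targets` query over your own asset inventory and you have the defender's side of the race: the hosts that will be in the attacker's result set as soon as the CVE is public. Real version strings are messier than these (vendor build numbers, backported fixes that leave the banner unchanged), so a banner-level match is a lead to verify, not proof of exploitability.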

Importance of Rapid Remediation:

Because the attacker's time from CVE publication to exploitation attempts is now days rather than weeks, the defender's mean time to remediate (MTTR) for externally reachable critical CVEs must be measured in days too. A vulnerability left exposed for longer than that is being protected by luck, not by control.

Impact on Ransomware Risk:

The speaker's reading of the published research is that promptly mitigating external critical CVEs removes roughly 26% of ransomware initial-access opportunities. The figure assumes historical critical CVEs have already been fixed, so the gain comes from sustaining the practice on each new CVE, not from a one-off cleanup.

Role of FireCompass:

The FireCompass research team tracks new CVEs as they are added to the NVD, analyses which ones matter, and alerts customers to their exposure within a day, so that the affected hosts can be fixed before the attacker's query finds them.

 

Automated vulnerability management is an essential component of modern cybersecurity strategies. By understanding and replicating the methods used by attackers, organizations can develop robust defenses against potential threats. Rapid identification, analysis, and remediation of vulnerabilities are critical to reducing the risk of ransomware and other cyber-attacks. Implementing a solution like Fire Compass can help organizations stay ahead of threats and ensure their systems are secure against the latest vulnerabilities. Proactive vulnerability management not only enhances security but also significantly reduces the potential impact of ransomware, protecting both data and operational integrity.

 

Speaker:

Jitendra Chauhan has over 16+ years of experience in the Information Security Industry in key areas such as Building and Managing Highly Scalable Platforms, Red Teaming, Penetration Testing, and SIEM. He holds multiple patents in Information Security. He loves to visualize problems, solutions and ideas. He is very strong with modelling and inductive learning (he can mentally make math models based on a few examples). He is very passionate about machine learning and its applications, Cyber Security and Micro Services.

https://www.linkedin.com/in/jitendrachauhan/
https://x.com/jitendrachauhan


 

[Image: Understanding the Sources and Risks of Stolen Credentials in Cybersecurity]

 

In the digital age, stolen credentials have become a significant threat to enterprise security. These credentials, often harvested from various attack and breach databases, pose a critical risk to organizations worldwide. This blog explores where these credentials originate, the implications of their misuse, and the steps attackers take to exploit them. By understanding these dynamics, organizations can better prepare and protect themselves against potential breaches.

 

 

Here is the verbatim discussion:

credentials. Now where are the stolen credentials coming from? These are coming from various attack and breach databases which were published for the last maybe 5 to 10 years, where billions and billions of credentials are available on the dark web, and many of them are being reused by employees, intentionally, non-intentionally, on other systems which probably work in the enterprise. And not only that, some of the cases of shadow IT, a lot of cases in shadow IT also come from code leaks, like the developers, when they write open source tools, they leave credentials and API keys in the code and publish it on the developer..., or they can also leave these credentials in the build, in the software build, such as Jenkins or maybe CircleCI or maybe any other CI/CD platform, right? So in one of the incidents which happened last one month back, where after doing phishing, once the attacker got access to one of the systems, one of the DevOps systems, and then they got access to their CI/CD system, what they found out is they decompiled the build, and then in the build itself there was a package of credentials being packaged together with the build, and as a result they got access to a lot of other systems all around inside the enterprise network, yeah, along with credentials. And a lot of cases are being reported where the leaked API keys, where the API keys are also being published in the code, that attackers can get access. For the past few years there have been a lot of incidents because the databases such as MongoDB, Elasticsearch being open, Kubernetes; we in FireCompass, we did a research last year where we tracked all the open, sorry, all the Kubernetes instances, hundreds and hundreds of Kubernetes instances being left open because of a bug in one of the open
source library, and because of which we got access to their Kubernetes cluster, and we reported this to various organizations and they could fix it immediately. Not only that, we have also seen attackers using Docker instances which are left open to the internet because of certain misconfigurations. So shadow IT, assets which are exposed to the internet with some kind of misconfiguration, the code which is being leaked, contributes to at least 60% of cases where the attackers can get access to initial foothold into the organization. All right, let's now... not only that, attackers have now the capability to scan the internet in just a few days, and that makes the life of a defender increasingly difficult, the reason being that if an attacker can scan the internet in a few days, which means your mean time to remediate has drastically decreased from weeks to days in fact. Now how does this automation work? I'll just describe in a few words and sentences, I'll try to simplify this; by the way this is a very simplified version of what happens in reality. Now one of the first steps that attackers do is to create an internet-wide scanner. Now there are various open source tools available which, if configured properly by an expert, can be used to scan the whole internet actually within a few days, and if you put more horsepower, more computing resources, within hours in fact. Now this is not an easy task by the way, right? There are 3 billion IPv4 addresses and there are 65,000 ports, which makes it nearly impossible, right, to scan the whole internet. But then the advantage the attacker has is that they do not scan the whole internet on all the ports, but they do it as per the attack, say one.

 

Highlights:

Sources of Stolen Credentials:

Stolen credentials come mostly from databases compromised in breaches over the past 5 to 10 years; billions of username and password pairs from those dumps circulate on the dark web. The risk to an enterprise is reuse: an employee who used the same password on a breached consumer site and on a corporate system has handed the attacker a working login, and credential-stuffing tooling is built to find exactly that overlap.
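One defensive check the reuse problem calls for, written for this page as an added example (not the speaker's code): test a candidate password against a breach corpus without transmitting the password or even its full hash, using the SHA-1 prefix range query that Have I Been Pwned's Pwned Passwords API popularised. The three-entry corpus and its counts are constructed, and `BREACH_CORPUS`, `suffix_index` and `check_password_policy` are names chosen here.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 hex digests of passwords seen in
# historical leaks, each with how many times it appeared. The real thing has
# billions of rows; the lookup pattern below is the same.
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper(): n
    for p, n in [("password", 3_000_000), ("Welcome123", 12_000), ("Summer2023!", 41)]
}

def suffix_index(corpus):
    """Index the corpus by 5-hex-char prefix -> {35-char suffix: count}. This is the
    k-anonymity layout: a client reveals only the prefix and matches the suffix
    itself, so neither the password nor its full hash leaves the client."""
    idx = {}
    for digest, n in corpus.items():
        idx.setdefault(digest[:5], {})[digest[5:]] = n
    return idx

INDEX = suffix_index(BREACH_CORPUS)

def lookup_range(prefix, index=INDEX):
    """Server side of the range query: every (suffix, count) under a 5-char prefix."""
    return index.get(prefix.upper(), {})

def breach_count(password, index=INDEX):
    """Client side: hash locally, ask for the prefix range, compare suffixes locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return lookup_range(prefix, index).get(suffix, 0)

def check_password_policy(password, index=INDEX, max_seen=0):
    """Reject a password that appears in breach data more than max_seen times.
    Returns (accepted, reason) so the caller can log why."""
    seen = breach_count(password, index)
    if seen > max_seen:
        return False, f"seen {seen} times in breach data"
    return True, "not in breach data"

if __name__ == "__main__":
    for candidate in ["Welcome123", "correct horse battery staple"]:
        print(candidate, check_password_policy(candidate))
```

Wire `check_password_policy` into password-change and SSO onboarding flows and the reuse of a known-breached password is stopped at the point it is chosen. The lookup is by design cheap enough to run on every authentication as well, which catches passwords that were fine when set and leaked later.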

Impact of Shadow IT:

Shadow IT contributes significantly to credential exposure. Developers inadvertently leave credentials and API keys in code repositories, in build environments, or in CI/CD platforms such as Jenkins or CircleCI, and the open-source tools they publish on the side can carry the same secrets out of the company.

Case Study: CI/CD System Breach:

In an incident the speaker describes from the month before the talk, attackers gained access to a DevOps system through phishing and from there reached the CI/CD system. Decompiling a build revealed credentials packaged into the artifact itself, which gave the attackers access to multiple systems across the enterprise network. The lesson is that a build artifact is a credential store unless you check that it is not.
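The decompiled-build incident above is the case for scanning artifacts, not only source, before they ship. This added example (not the speaker's or FireCompass's tooling) runs a few signature regexes plus a Shannon-entropy filter over the text of an artifact, the way `strings` output from a decompiled build or a bundled config would be scanned. The sample config is constructed, the AWS key in it is the placeholder value AWS uses in its own documentation, and `SIGNATURES`, `scan_text` and the 3.5-bit entropy threshold are this example's choices.

```python
import math
import re

# Signature rules. The AWS and GitHub prefixes are their real key formats;
# the other two rules are generic and deliberately broad.
SIGNATURES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token",      re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment", re.compile(
        r"""(?i)(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})""")),
]

def shannon_entropy(s):
    """Bits per character. Random keys score high; words, paths and padding score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text, source, min_entropy=3.5):
    """Scan one artifact: a source file, a config, or the strings pulled out of a
    decompiled build. A generic 'name = value' hit is reported only if the value
    has enough entropy, which drops placeholders like a row of x's. Returns a
    list of {source, line, rule, value} dicts in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SIGNATURES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append({"source": source, "line": lineno,
                                 "rule": name, "value": value})
    return findings

# Constructed sample of a config bundled into a build. The AKIA value is the
# placeholder AWS uses in its own documentation, not a live key; the token is made up.
SAMPLE_ARTIFACT = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = xxxxxxxxxxxxxxxxxxxxxxxx
API_TOKEN="q8Zt3vX9LmP2kR7sW1nB4cY6dF0hJ5gT"
-----BEGIN RSA PRIVATE KEY-----
log_path = /var/log/app/application.log
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ARTIFACT, "build/config.ini"):
        print(f"{f['source']}:{f['line']} {f['rule']} {f['value'][:8]}...")
```

Put this in the pipeline stage that produces the artifact and fail the build on any finding; the entropy gate keeps the obvious `changeme` placeholders from turning the check into noise. Anything that does get through is a credential to rotate, not just a line to delete, because the artifact may already have been pulled.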

Leaked API Keys and Open Databases:

API keys and other secrets are routinely committed to publicly accessible code. Separately, unauthenticated MongoDB and Elasticsearch instances and exposed Kubernetes clusters keep turning up on the public internet. FireCompass research the speaker cites found hundreds of Kubernetes instances left open because of a bug in an open-source library; the affected organisations were notified and fixed them.

Exploitation of Misconfigured Assets:

Attackers also exploit Docker instances and other assets exposed by misconfiguration. In the speaker's estimate, misconfigured shadow-IT assets and leaked code together account for at least 60% of the cases in which an attacker gains an initial foothold.

Automation in Attacks:

Attackers scan the internet in days, and with enough computing power in hours, using open-source scanners configured by someone who knows what they are doing. The trick is not to scan every port on every IPv4 address but to scan only the ports and services relevant to the attack at hand, which turns an impossible job into a routine one.

Importance of Rapid Remediation:

If the attacker can enumerate the whole internet in days, the defender's mean time to remediate (MTTR) for an exposed vulnerability has effectively shrunk from weeks to days. Vulnerability management and response have to run on that clock to prevent exploitation.

 

The landscape of cybersecurity is increasingly complex, with attackers leveraging automation and vast databases of stolen credentials to breach systems. Understanding the sources and methods of these attacks is vital for organizations to defend themselves effectively. Implementing stringent security measures, securing code and build environments, and reducing MTTR are essential steps in mitigating these risks. By staying vigilant and proactive, organizations can protect their assets and reduce the likelihood of successful attacks.

 

Speaker:

Jitendra Chauhan has over 16+ years of experience in the Information Security Industry in key areas such as Building and Managing Highly Scalable Platforms, Red Teaming, Penetration Testing, and SIEM. He holds multiple patents in Information Security. He loves to visualize problems, solutions and ideas. He is very strong with modelling and inductive learning (he can mentally make math models based on a few examples). He is very passionate about machine learning and its applications, Cyber Security and Micro Services.

https://www.linkedin.com/in/jitendrachauhan/
https://x.com/jitendrachauhan


 
[Image: The Critical Role of High-Risk CVEs in Ransomware Attacks]

 

Despite comprehensive security practices aimed at mitigating vulnerabilities, ransomware attackers continue to achieve significant breaches by targeting a small fraction of critical CVEs. This blog explores the focus on these high-risk vulnerabilities, the mechanisms of ransomware attacks, and the primary weaknesses that facilitate these threats. By understanding these factors, organizations can better prioritize their defenses and reduce the risk of devastating ransomware incidents.

 

 

Here is the verbatim discussion:

And a very interesting thing is this, that although we have security practices to find all possible bugs and vulnerabilities, such as business logic vulnerabilities in web apps, and mitigating all the info-level vulnerabilities, medium vulnerabilities, interestingly ransomwares target 1% of NVD high and critical CVEs. So just 1% of them are being targeted by attackers to achieve this mega result. Now I'll just give you some numbers: the number of critical, high CVEs currently as of today are around 50,000, so I'm just talking about CVEs greater than probably six or seven CVSS score, right, in order to consider as high, probably seven and above. And then I'm also referring to the CISA prioritized CVEs; CISA maintains a list of CVEs which are being targeted by ransomwares, and they make a news and they get an alert from various threat intel feeds, and they have around 500 critical CVEs in their list. So the figure comes out to be 1%, which means 1% of those high and critical CVEs which are there in your NVD database are currently being targeted by ransomwares. Now I'm sure everyone knows how ransomware works, that ransomwares most of the time start externally, so they are nowhere closer physically to your organization; they are somewhere sitting in different countries, it can be any other country, any country. And one of their primary ways to attack an organization is to get an initial foothold, right, when they will get some access to your servers using either exploitation or various other techniques. And once this initial foothold is done then the snowball starts rolling, right, and it's very difficult to stop this snowball once the ransomwares are in your network and it starts spreading; then it becomes a different game altogether. So let's see what are the weaknesses, top three weaknesses that help ransomware to
get the initial foothold. And the good insight comes from IBM and both Verizon reports. As per the IBM X-Force report, three weaknesses lead to 80% of ransomwares, and these three weaknesses are: exploiting external CVEs, and this leads to 26% of attacks, it basically contributes 26% of cases where ransomware gets initial foothold into the organization; then of course the most prominent one is phishing, where attackers usually send a phishing email on a mass scale, or spear phishing, with malicious attachment, link, and various other techniques, including even social media, vishing, which allow the user to ultimately give access to the malwares and ransomwares on their systems, and from there the attack starts, right; apart from that, 60% of the cases are because of shadow IT, which means the assets which are probably not there in the asset inventory but are left open for the attackers on the public internet. So just to give you a number in terms of CVEs, we have seen 49 CVEs being added to the CISA database from the last few months which have been targeted by ransomwares in just 2023, and 366 CVEs were added in 2022 which were targeted.

 

Highlights:

Targeting High-Risk CVEs:

  • Ransomware operators concentrate on a small subset of vulnerabilities: by the speaker's estimate, only about 1% of the high and critical CVEs in the National Vulnerability Database (NVD) are actively exploited in ransomware campaigns.
  • The arithmetic behind the figure: roughly 50,000 CVEs in NVD carry a CVSS score of 7.0 or higher (high or critical), while the Cybersecurity and Infrastructure Security Agency (CISA) catalog of exploited vulnerabilities lists around 500 associated with ransomware; 500 out of 50,000 is about 1%. The practical consequence is that patching this intersection first, rather than working down a CVSS-sorted list, addresses the vulnerabilities attackers are actually using.
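The 1% figure is only useful if it drives the patch queue. The script below, an added example rather than code from the webinar or from Fire Compass, shows the mechanics: take a scanner's high and critical findings, intersect them with a KEV-style catalog, and push the CVEs CISA flags as used in ransomware campaigns to the front, ordered by how far past the catalog due date they are. The JSON field names (cveID, dueDate, knownRansomwareCampaignUse) are those of the public CISA KEV feed; the CVE identifiers, hosts and dates are constructed placeholders, not real vulnerabilities.

```python
"""Rank scanner findings by whether CISA lists the CVE as exploited.

Added example, not code from the webinar or from Fire Compass. It takes
the high/critical CVEs a vulnerability scanner reported, intersects them
with a KEV-style catalog, and puts the ones flagged as used in ransomware
campaigns at the top. The field names (cveID, dueDate,
knownRansomwareCampaignUse) follow the public CISA KEV JSON feed; the
CVE identifiers and hosts below are constructed placeholders, not real
vulnerabilities.
"""
import json
from datetime import date

# CVSS v3 "High" starts at 7.0; the talk's 50,000 figure counts from here.
HIGH_OR_CRITICAL = 7.0

# Constructed scanner export: CVE -> (CVSS base score, affected hosts).
SCAN_FINDINGS = {
    "CVE-2099-10001": (9.8, ["vpn-gw.example.test"]),
    "CVE-2099-10002": (7.5, ["build01.example.test", "build02.example.test"]),
    "CVE-2099-10003": (5.3, ["wiki.example.test"]),
    "CVE-2099-10004": (8.1, ["mft.example.test"]),
    "CVE-2099-10005": (7.2, ["spark-master.example.test"]),
}

# Constructed KEV-style catalog excerpt, same shape as the real feed.
KEV_FEED = json.dumps({
    "title": "constructed sample, not the real catalog",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2099-10001", "dateAdded": "2023-06-01",
         "dueDate": "2023-06-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-10004", "dateAdded": "2023-02-10",
         "dueDate": "2023-03-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-10005", "dateAdded": "2023-07-15",
         "dueDate": "2023-08-05", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(feed_json):
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritise(findings, kev, today):
    """Return high/critical findings that are in KEV, most urgent first.

    Sort order: known ransomware use, then days past the KEV due date,
    then CVSS. Findings not in KEV are left out of this queue; they still
    need patching, but not on the ransomware clock.
    """
    rows = []
    for cve, (score, hosts) in findings.items():
        if score < HIGH_OR_CRITICAL or cve not in kev:
            continue
        entry = kev[cve]
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": cve,
            "cvss": score,
            "hosts": hosts,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "days_overdue": (today - due).days,
        })
    rows.sort(key=lambda r: (r["ransomware"], r["days_overdue"], r["cvss"]),
              reverse=True)
    return rows


def kev_share(findings, kev):
    """Fraction of high/critical findings that appear in KEV at all."""
    high = [c for c, (score, _) in findings.items() if score >= HIGH_OR_CRITICAL]
    if not high:
        return 0.0
    return sum(1 for c in high if c in kev) / len(high)


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED)
    for row in prioritise(SCAN_FINDINGS, catalog, date(2023, 9, 1)):
        tag = "RANSOMWARE" if row["ransomware"] else "KEV"
        print(f"{tag:<10} {row['cve']}  CVSS {row['cvss']}  "
              f"{row['days_overdue']:>4}d past due  {', '.join(row['hosts'])}")
    print(f"share of high/critical findings in KEV: "
          f"{kev_share(SCAN_FINDINGS, catalog):.0%}")
```

Against the real feed, replace KEV_FEED with the body of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. Anything that prints with the RANSOMWARE tag is the slice the talk is about, and kev_share is the local version of the 1% ratio: if it is much higher than 1% in your own scan data, the exposed estate is carrying exactly the vulnerabilities attackers are scanning for.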

Exploitation of External CVEs:

  • Vulnerabilities in internet-facing systems ("external CVEs") are a primary entry point: attackers exploit them to gain an initial foothold, after which the intrusion spreads internally and is far harder to stop.
  • According to the IBM X-Force figures cited in the talk, exploitation of externally exposed CVEs accounts for about 26% of ransomware initial-access cases.

Phishing Attacks:

  • Phishing remains the most prominent method for ransomware distribution. Attackers use mass phishing campaigns and spear-phishing tactics to trick users into downloading malicious attachments or clicking on harmful links.
  • Social engineering techniques, including vishing (voice phishing), are also used to deceive individuals into granting access to malicious software.

Impact of Shadow IT:

  • Shadow IT, or the use of unauthorized IT systems and solutions, significantly contributes to security risks. Assets not included in official asset inventories are often left exposed to the internet, providing easy targets for attackers.
  • The talk attributes 60% of ransomware cases to shadow IT, with unmanaged, internet-exposed assets as the entry point; the only reliable countermeasure is an external view of the attack surface that is reconciled against the inventory rather than derived from it.
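The shadow IT point is mechanical to check once external discovery results exist. The following added example (not code from the webinar) reconciles what an external scan sees with the asset inventory: anything answering on an address that no inventory entry covers is shadow IT, and remote-management ports answering on known assets are flagged too, since they are the interfaces the other footholds in the talk start from. Inventory rows, discovery results and the management-port list are constructed placeholders.

```python
"""Reconcile external discovery with the asset inventory to find shadow IT.

Added example, not code from the webinar. It compares what an external
scan actually sees answering on the internet with what the inventory says
the organisation owns, using the ipaddress module so that inventory rows
can be single hosts or whole ranges. Inventory, discovery results and the
"review these ports" list are constructed placeholders.
"""
import ipaddress

# Constructed CMDB export: address or CIDR -> asset name.
INVENTORY = {
    "203.0.113.10": "vpn-gw",
    "203.0.113.0/28": "dmz-web",
    "198.51.100.5": "mft",
}

# Constructed external discovery, as an ASM or scanning tool would report
# it from the outside: (address, port, banner).
DISCOVERED = [
    ("203.0.113.10", 443, "Fortinet SSL-VPN"),
    ("203.0.113.7", 443, "nginx"),
    ("203.0.113.7", 22, "OpenSSH"),
    ("203.0.113.40", 8080, "Spark Master UI"),
    ("198.51.100.5", 8000, "GoAnywhere MFT admin"),
    ("198.51.100.77", 3389, "Microsoft RDP"),
]

# Remote-management ports that warrant review whenever they answer from
# the internet, even on an asset that is in the inventory.
MANAGEMENT_PORTS = {22, 3389, 5900, 8080, 8088}


def index_inventory(inventory):
    """Parse inventory keys into (network, name) pairs; /32 for single hosts."""
    return [(ipaddress.ip_network(key, strict=False), name)
            for key, name in inventory.items()]


def owner_of(address, ranges):
    """Name of the inventory entry covering address, or None if unmanaged."""
    addr = ipaddress.ip_address(address)
    for network, name in ranges:
        if addr in network:
            return name
    return None


def reconcile(discovered, inventory, mgmt_ports=MANAGEMENT_PORTS):
    """Return (shadow, exposed_mgmt).

    shadow: services on addresses no inventory entry covers.
    exposed_mgmt: management ports reachable on assets that are inventoried.
    """
    ranges = index_inventory(inventory)
    shadow, exposed_mgmt = [], []
    for address, port, banner in discovered:
        name = owner_of(address, ranges)
        if name is None:
            shadow.append((address, port, banner))
        elif port in mgmt_ports:
            exposed_mgmt.append((name, address, port, banner))
    return shadow, exposed_mgmt


if __name__ == "__main__":
    shadow, exposed_mgmt = reconcile(DISCOVERED, INVENTORY)
    print("Not in inventory (shadow IT):")
    for address, port, banner in shadow:
        print(f"  {address}:{port}  {banner}")
    print("Management ports exposed on inventoried assets:")
    for name, address, port, banner in exposed_mgmt:
        print(f"  {name} {address}:{port}  {banner}")
```

The two result lists feed different processes: shadow assets need an owner found and either inventory or decommissioning, while exposed management ports on known assets go straight to the firewall change queue. Running this after every external scan, rather than quarterly, is what closes the gap the talk describes between an asset appearing on the internet and anyone in security knowing about it.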

Recent Trends and Statistics:

  • In the first months of 2023, 49 CVEs exploited by ransomware were added to CISA's catalog, after 366 were added over the whole of 2022; the speaker expects the 2023 count to keep growing through the year.
  • Ransomware intrusions almost always begin from outside the network, so the internet-facing attack surface, known and unknown, is where patching and exposure reduction pay off first.

 

Ransomware attacks continue to be a significant threat, leveraging a small fraction of high-risk CVEs to achieve considerable damage. Organizations must prioritize the remediation of these critical vulnerabilities to prevent initial access by attackers. By focusing on the most exploited CVEs, implementing robust phishing defenses, and addressing Shadow IT risks, businesses can significantly reduce their exposure to ransomware. Proactive vulnerability management and continuous monitoring are essential strategies in safeguarding against these persistent threats.

 

Speakers:

Jitendra Chauhan has over 16 years of experience in the information security industry in key areas such as building and managing highly scalable platforms, red teaming, penetration testing and SIEM. He holds multiple patents in information security. He loves to visualize problems, solutions and ideas, and is very strong with modelling and inductive learning (he can mentally build math models from a few examples). He is passionate about machine learning and its applications, cyber security and microservices.

https://www.linkedin.com/in/jitendrachauhan/
https://x.com/jitendrachauhan


Choosing the Best Antivirus for Ransomware Protection: Beyond Traditional Defenses

 

In the realm of cybersecurity, the quest for the best antivirus to shield against ransomware remains a paramount concern for organizations worldwide. While antivirus software plays a crucial role in detecting and mitigating threats, it's essential to recognize that initial footholds can occur on servers and devices where traditional antivirus solutions may not be present. In today's discussion, we delve into strategies to mitigate the risk of initial footholds and explore the efficacy of various antivirus solutions, including Microsoft Defender and Kaspersky, in combating ransomware threats.

 

 

Here is the verbatim discussion:

So what is the best antivirus to protect from ransomware? This is very interesting. Now the first thing we have to discuss is that the initial foothold actually can also happen on servers on which you may not install antiviruses, which may be devices, Linux devices, which probably may not have antiviruses installed. But then there are many better versions available, like Kaspersky; I think we used to use Microsoft Defender, I think it is doing pretty well. Then there are various XDR solutions available. But all these antiviruses and XDR solutions, I think, work after the initial foothold, and what we have covered is how to reduce, how to even mitigate the chance of getting an initial foothold, right? So that's how it is. I think Microsoft Defender and … 2021, which is a vulnerability in a file server, and its attack surface is also extremely large. This is a pretty common open-source HTTP server used for storing and exchanging files, and the vulnerability here again can allow an attacker to read sensitive information in the local file itself, which includes credentials of course, and as a result it is easy to exploit.

 

Highlights:

Understanding Initial Footholds:

  • Initial footholds can occur on servers and devices, including Linux systems, where traditional antivirus software may not be deployed.
  • Mitigating the risk of initial footholds requires proactive measures beyond antivirus solutions, focusing on vulnerability management and security hygiene.

Evaluating Antivirus Solutions:

  • Microsoft Defender, which the speaker's team has used, is described as doing well against ransomware and other malware; Kaspersky is named as another capable option.
  • Extended Detection and Response (XDR) products add detection and response across endpoints and servers on top of what antivirus does.
  • The caveat from the talk: antivirus and XDR act after the initial foothold has been gained. They limit spread and speed up response, but they do not reduce the chance of the foothold itself; that comes from the vulnerability management and exposure reduction covered in the other sessions.

Addressing CVEs and Attack Surfaces:

  • The file-server vulnerability mentioned in the talk illustrates the point: a widely deployed open-source HTTP server used to store and exchange files, with a flaw that lets an attacker read sensitive local files, including ones holding credentials. It is easy to exploit and the exposed population is large.
  • An internet-facing file server of this kind needs to be patched and its exposure restricted; antivirus on the box does not stop a remote file read that hands the attacker credentials for the next step.

 

Choosing an antivirus matters, but it is not where the ransomware problem is decided. Antivirus and XDR products, Microsoft Defender and Kaspersky among them, work after an attacker already has a foothold, and that foothold is often gained on a server or Linux device where no agent is installed. Reducing the chance of the foothold, by patching exposed vulnerabilities quickly, keeping the external asset inventory complete and restricting management interfaces, is what the other sessions in this series cover; endpoint protection then limits how far a successful intrusion can spread.

 
 
Speaker: Jitendra Chauhan

 
 
 

Addressing Critical CVEs and Ransomware Threats

 

In today's webinar, we walked through the evolving landscape of cybersecurity threats, focusing on the surge of ransomware attacks and critical vulnerabilities affecting organizations worldwide. Led by Jitendra Chauhan, Head of Research at Fire Compass, we explored the trends in ransomware incidents and dissected recent CVEs targeted by threat actors. Here are the key takeaways from the discussion.

 

 

Here is the verbatim discussion:

Now, okay, let me just summarize; I think we have reached the end of the present webinar. So let me summarize what we have seen. We have discussed the ransomwares, and they are on a rise, 20% per year, which means they are doubling every three years. The mean time to remediate has decreased from weeks to days, because ransomwares are using automation and AI to scan the whole internet, to crawl technologies and to detect CVEs and exploit them using automation. We have also discussed various latest threat actors and ransomwares and their respective CVEs that they are targeting; around six CVEs we have discussed which are being targeted, up to a few weeks back, and fixing those can reduce the risk of ransomware by at least 26%, assuming we have fixed all the other CVEs and things which have been targeted in the past. Then we discussed what are the challenges in current practices to achieve a mean time to remediate within a few days, and then we came to a few recommendations by combining your current existing practices such as ASM, vulnerability management and pen testing and threat intel to identify these critical CVEs' exposure on your attack surface. And then we have also described Fire Compass Day One Exposure Alerts, which will allow you to get alerts within a day of your attack surface exposure to some of these ransomware-targeted CVEs. I think this presentation was prepared probably 15 days back, up to 15 days back; if you want the latest, then you can shoot us an email, we will share with you the latest CVEs which we have prioritized, or check out our blogs; we will publish another blog on various CVEs that we prioritize on a regular basis. By the way, you can get these CVEs and a lot more details on our blog: you can go to our Fire Compass website and go to Resources and Blogs, and you will get a regular feed of prioritized CVEs from our research team.

 

Highlights:

Ransomware on the Rise:

  • Ransomware incidents are growing at roughly 20% per year; compounded, that doubles the volume about every four years (1.2^4 ≈ 2.07).
  • Attackers use automation, and increasingly AI, to scan the whole internet, fingerprint technologies and exploit new CVEs within days of disclosure, which shrinks the window defenders have to remediate from weeks to days.

Targeted CVEs:

  • Six CVEs recently exploited by ransomware groups were examined. Because exploitation of exposed CVEs accounts for about 26% of ransomware initial access, keeping these (and previously targeted CVEs) patched removes that share of the risk, by the speaker's estimate.
  • By prioritizing the remediation of these CVEs and staying vigilant against emerging threats, organizations can enhance their cybersecurity posture and safeguard their digital assets.

Challenges in Vulnerability Management:

  • Traditional vulnerability management practices face significant challenges in keeping pace with the dynamic threat landscape, necessitating proactive measures to identify and remediate vulnerabilities swiftly.
  • We discussed the limitations of current practices and proposed an approach that combines attack surface management (ASM), vulnerability management, penetration testing and threat intelligence, so that a newly targeted CVE is matched against the organization's own exposure rather than found at the next scheduled scan.

Recommendations and Solutions:

  • Fire Compass' Day One Exposure Alerts are described as notifying an organization within a day when an asset on its attack surface becomes exposed to one of these ransomware-targeted CVEs, so remediation or compensating controls can start before a scheduled scan or pentest would surface it.
  • By leveraging curated threat intelligence and prioritizing vulnerability remediation efforts, organizations can effectively reduce their attack surface and minimize the risk of exploitation by threat actors.

 

As we conclude today's webinar, we emphasize the critical importance of proactive cybersecurity measures in mitigating the escalating threat of ransomware attacks and exploitable vulnerabilities. By adopting a proactive approach to vulnerability management, leveraging advanced threat intelligence, and embracing innovative solutions, organizations can fortify their defenses and safeguard their digital infrastructure against evolving cyber threats. For the latest insights and prioritized CVEs, we invite you to explore our blogs and resources on the Fire Compass website. Together, let us strengthen our collective resilience and forge a more secure digital future.

 

Speaker: Jitendra Chauhan


 

Unveiling Critical CVEs: From Apache Spark to TP-Link Routers

 

Welcome to a comprehensive exploration of critical vulnerabilities that demand immediate attention from cybersecurity professionals worldwide. In this discussion, we delve into vulnerabilities affecting widely used technologies such as Apache Spark, Fortinet firewalls, TP-Link routers, and IBM ASA software. Led by Jitendra Chauhan, Head of Research at Fire Compass, this webinar sheds light on exploitable weaknesses that pose significant risks to organizational security, and on what to do when a patch is not yet an option.

 

 

Here is the verbatim discussion:

I think we have already covered ZK and Fortra GoAnywhere. Another interesting vulnerability is in Apache Spark UI, and the very popular FortiOS path traversal RCE; TP-Link routers, which also have a huge attack surface; and IBM ASA software from IBM, which have been targeted by ransomware. Now, Apache Spark UI, I think this is a very interesting one. Apache Spark, as you know, is being used by organizations to do big data processing, and it has a management interface which can be exposed outside for remote manageability, etc. Now what has happened is that it has a vulnerability which does not require authentication, by the way, right, where you can go and inject a command that can run on the instance of the management console, and as a result it leads to remote code execution. Another vulnerability which I want to highlight is the FortiOS path traversal, which is in Fortinet firewalls which are exposed outside; it has a path traversal vulnerability, an exploit is available online, and it has been exploited in the wild for a while now. It has a large attack surface again, because it is a firewall; it has to be exposed outside. And what the vulnerability does is it goes and reads the file location from a certain place, which in certain cases can also allow an attacker to go and place a file at a specific place, and as a result it can lead to remote code execution, which is again very dangerous because it is on the … may not be available right away. So many of these alerts actually are generated even before the vulnerability scanners have the signatures to scan these vulnerabilities, right, and there may not be a patch available, and even if the patch is available, it may not be possible to patch the system. So you can go and place some other compensatory security controls, which include your firewall, so that you can make the life of an attacker harder, and then the next step will be to safely validate your security control, which means go and validate.

 

Highlights:

Apache Spark UI Vulnerability:

  • Apache Spark, a cornerstone of big data processing, faces a critical vulnerability in its management interface.
  • Exploitable without authentication: an attacker sends a crafted request to the management console and the injected command runs on that instance, giving remote code execution. A Spark UI reachable from the internet is therefore a direct path into the cluster.

Path Traversal in Fortinet Firewalls; TP-Link Routers:

  • The path traversal discussed is in Fortinet firewall software (FortiOS). Because a firewall is by definition exposed to the internet, its attack surface is large, and an exploit has been available online and used in the wild for some time.
  • The flaw lets an attacker read a file from a location on the device and, in certain cases, write a file to a chosen path, which can lead to remote code execution.
  • TP-Link routers are named as another product with a very large internet-facing attack surface that ransomware actors have targeted.

Vulnerabilities in IBM ASA Software:

  • IBM ASA software is named in the talk as another product whose vulnerabilities ransomware groups have targeted.
  • The lesson is the same as for the other products: know which of them are internet-facing in your estate and patch them on the attackers' timetable, not the release cycle.

Challenges in Vulnerability Management:

  • The dynamic nature of emerging vulnerabilities presents challenges for traditional vulnerability management practices.
  • Vulnerability scanners may lag behind in detecting newly identified vulnerabilities, necessitating proactive security measures to safeguard against exploitation.

Implementing Compensatory Security Controls:

  • When no patch exists, or the system cannot be patched in time, apply compensating controls: restrict who can reach the vulnerable interface (firewall rules, allowlisting the admin network, taking the interface off the internet) so that exploitation becomes harder.
  • Then validate the control safely: confirm from outside that the interface is no longer reachable, rather than assuming the rule took effect.
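Validating a compensating control means checking it from where the attacker sits. The added example below (not code from the webinar) takes a list of host/port pairs with the state the firewall rule is supposed to produce and attempts a bare TCP connect to each, reporting drift. The hosts and expectations are constructed placeholders; 8080 and 7077 are the default Spark master web UI and RPC ports, and 8000 is an assumed port for an MFT admin console. The connect function is injectable so the logic can be exercised without a network.

```python
"""Check, from the outside, that a compensating firewall control holds.

Added example, not code from the webinar. After a vulnerable management
interface has been restricted by firewall rule while a patch is awaited,
this attempts a plain TCP connect (no data sent) to each port and reports
any that are not in the state the rule is supposed to enforce. Hosts,
ports and expectations are constructed placeholders; 8080 and 7077 are
the default Spark master web UI and RPC ports, 8000 is assumed for the
MFT admin console.
"""
import socket

# Constructed expectation list: (host, port, expected_state).
EXPECTATIONS = [
    ("spark-master.example.test", 8080, "blocked"),  # Spark master web UI
    ("spark-master.example.test", 7077, "blocked"),  # Spark master RPC
    ("mft.example.test", 8000, "blocked"),           # MFT admin console
    ("mft.example.test", 443, "open"),               # customer-facing service
]


def tcp_connect(host, port, timeout=3.0):
    """True if the TCP handshake completes. Nothing is sent after it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(expectations, connect=tcp_connect):
    """Return (host, port, expected, actual) for every mismatch.

    'blocked' here only means the handshake failed from this vantage
    point; a service that is simply down looks the same, which is why the
    list should include at least one port that must be 'open'.
    """
    drift = []
    for host, port, expected in expectations:
        actual = "open" if connect(host, port) else "blocked"
        if actual != expected:
            drift.append((host, port, expected, actual))
    return drift


if __name__ == "__main__":
    problems = check_exposure(EXPECTATIONS)
    if not problems:
        print("control holds: every port is in its expected state")
    for host, port, expected, actual in problems:
        print(f"DRIFT {host}:{port} expected {expected}, is {actual}")
```

Run it from an internet vantage point to test the external rule, then from the admin network with the expectations flipped to "open" to confirm the allow rule still works; a control that blocks everyone, administrators included, tends to get removed quietly a week later. The check is deliberately limited to the handshake, so it is safe to run against production on a schedule and to keep the result as evidence that the compensating control was in place.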

 

As organizations navigate the evolving threat landscape, it is imperative to remain vigilant against emerging vulnerabilities and cyber threats. By understanding the intricacies of critical CVEs affecting technologies like Apache Spark, TP-Link routers, and IBM ASA software, organizations can proactively fortify their defenses and mitigate the risk of exploitation. Let us forge ahead with a commitment to proactive vulnerability management and adaptive security practices, ensuring the resilience and integrity of organizational networks in the face of evolving cybersecurity challenges. Together, we can strengthen our collective defenses and safeguard the digital assets entrusted to our care.

 

Speaker: Jitendra Chauhan

 



Navigating Ransomware Threats: Prioritizing Critical CVEs and Redefining Defense Strategies

 

Welcome to a deep dive into the ever-evolving landscape of ransomware threats and the critical CVEs that serve as gateways for cyber adversaries. In this exploration, we unravel the tactics employed by ransomware actors and the need for organizations to prioritize vulnerability management. Led by Jitendra Chauhan, Head of Research at Fire Compass, this webinar sheds light on six CVEs that demand immediate attention from CISOs worldwide. Join us as we dissect the global impact of these vulnerabilities and the strategies that fortify organizational defenses against ransomware attacks.

 

 

Here is the verbatim discussion:

Now, as you can see, this vulnerability does not have an external attack surface, but it has a huge internal attack surface; it can, of course, depend on whether this feature is enabled or not, but it can have a huge attack surface, and as a result, once the phishing is completed successfully, this ransomware can actually go and spread internally. Yep, so these are the six CVEs that we prioritized based on the threat actors very recently, and why they have a global impact. And as you can see, all of them have a few things in common: number one, they all have a global attack surface presence, right; and they are easy to exploit, not very complex to write exploits for; and a lot of them utilize vulnerabilities in very popular standard softwares which can be exploited remotely and which can lead to RCE, remote code execution. … various organizations, and many times we have to travel to the respective location, and we could do it just twice in a year because that was the budget of an organization; they cannot make us sit there forever, it's not possible. So most of the time red teaming and pentesting is done quarterly, but the vulnerabilities which we discuss can arise anytime, any day, right; like we are discussing today, and tomorrow a critical vulnerability can appear. So that is one challenge with the existing red teaming and pentesting practice which I have seen. Now, definitely we have a vulnerability assessment practice in place; we scan our network on a continuous basis, on a regular basis, at least in some cases on a weekly basis, and we have also seen the extreme where some organizations scan their whole attack surface on a daily basis. This becomes challenging if you have a …

 

Highlights:

Global Attack Surface Presence:

  • Ransomware actors target vulnerabilities with a significant global attack surface presence, maximizing the potential impact of their attacks.
  • The six CVEs prioritized in the talk exemplify this: all affect widely deployed, internet-facing software, so a single working exploit finds targets across many organizations at once.

Ease of Exploitation:

  • The prioritized CVEs share a common trait: ease of exploitation. Attackers capitalize on vulnerabilities that require minimal effort to exploit, facilitating rapid infiltration into organizational networks.
  • Exploitation techniques, ranging from phishing campaigns to remote command injection, underscore the need for proactive defense measures.

Internal Attack Surface:

  • While some vulnerabilities may lack external attack surface, they present substantial internal attack vectors, posing a latent threat within organizational networks.
  • The potential for lateral movement and internal propagation heightens the urgency of mitigating vulnerabilities, even within seemingly secure environments.

Redefining Defense Strategies:

  • Traditional red teaming and pentesting, typically run quarterly or as often as travel budgets allow, cannot keep pace with vulnerabilities that can appear on any day and be exploited within days of disclosure.
  • Organizations must augment their defense strategies with real-time vulnerability assessments and continuous network scanning to detect and mitigate vulnerabilities proactively.

Adaptive Security Measures:

  • Adaptive security measures, including regular vulnerability scanning and rapid patching cycles, are essential in mitigating the risk posed by ransomware threats.
  • Collaboration between security teams and threat intelligence experts is critical in staying ahead of evolving ransomware tactics and identifying emerging vulnerabilities.

 

In the relentless battle against ransomware threats, organizations must adapt and evolve their defense strategies to mitigate the risk of exploitation. By prioritizing critical CVEs, fortifying internal defenses, and embracing adaptive security measures, organizations can enhance their resilience against ransomware attacks. Let us unite in our commitment to proactive vulnerability management and collective defense, safeguarding our digital assets and preserving the integrity of organizational networks against the pervasive threat of ransomware. Together, we can navigate the complex threat landscape and emerge stronger in our cybersecurity resilience.

 

Speaker: Jitendra Chauhan


Unveiling the Ransomware Arsenal: Prioritizing Vulnerabilities for Targeted Exploitation

 

Welcome to the forefront of cybersecurity defense, where vigilance and proactive measures are paramount in safeguarding against ransomware attacks. In today's discussion, we delve into the strategies ransomware actors use to exploit vulnerabilities and infiltrate organizational networks. Join us as we explore the evolving threat landscape, dissect the main attack vectors, and set out actionable mitigation strategies. Led by Jitendra Chauhan, Head of Research at Fire Compass, this webinar offers insights that help CISOs fortify their defenses and reduce the risk of ransomware attacks by identifying and addressing critical vulnerabilities.

 

 

Here is the verbatim discussion:

Then of course the most prominent one is phishing, where attackers usually send a phishing email on a mass scale, or spear phishing, with a malicious attachment or link, and various other techniques, including even social media and vishing, which allow the user to ultimately give access to the malwares and ransomwares on their systems, and from there the attack starts. Apart from that, 60% of the cases are because of shadow IT, which means the assets which are probably not there in the asset inventory but are left open for the attackers on the public internet. So, just to give you a number in terms of CVEs: we have seen 49 CVEs being added to the CISA database in the last few months which have been targeted by ransomwares, in just 2023, and 366 CVEs were added in 2022 which were targeted by ransomwares, and this trend will continue; of course, with the end of 2023 a lot of other CVEs would probably also make it into the CISA knowledge base of vulnerabilities. In shadow IT, I think one of the most prominent vectors is using stolen credentials in desktop sharing software such as RDP, VPN, AnyConnect. Now with the advent of remote working, when the workforce is all around the globe, the incidents of using stolen credentials to get access to the network and to some of the systems have increased drastically. This is because the collaboration is right now not limited to within the perimeter of the network, so as a result, using the stolen credentials… Now where are the stolen credentials coming from? These are coming from various attack and breach databases which were published over the last maybe 5 to 10 years, where billions and billions of credentials are available on the dark web, and many of them are being reused by employees, intentionally or non-intentionally, on other systems which probably work in the enterprise. Now let me talk about some of the CVEs and which ransomwares are targeting them. Now ransomwares run on GAS, global attack surface; yeah, that's a catchphrase. And so, as I mentioned before, ransomwares go and target at scale; they run scans internet-wide and find potential targets. So one of the CVEs which we studied is CVE-2023, which is in Fortra GoAnywhere, a command injection, and this CVE is increasingly being targeted by Clop ransomware, which is a Russian-origin ransomware targeting organizations worldwide, and although it uses various attack vectors such as phishing, in this case recently they have also utilized this CVE to target organizations and get an initial foothold. Now why has this CVE been targeted by this ransomware? The reason being that it has a global attack surface presence. I mean, just doing a search on Shodan or other internet search engines you can get the exposure of this CVE; like in the US the exposure is at least 897 targets right now available with strict search queries, I mean after filtering out even the honeypots and other noise; we figured out that at least 897 Fortra GoAnywhere installations are exposed outside just in the United States. And as these are exposed outside, and this is a latest CVE by the way, as the CVE is released, if those softwares are not patched within a few days, as I said, then they have a risk of being exploited by Clop ransomware. Now, just talking a bit about this vulnerability: if you just look at this vulnerability, it's a command injection vulnerability, which means it is remotely exploitable using an HTTP payload, so what an attacker needs to do is craft an HTTP-based exploit, not like an RDP buffer overflow; very simple, easy, probably one of the easier…

 

Highlights:

Exploiting Human Vulnerabilities:

  • Ransomware attackers capitalize on human vulnerabilities through phishing campaigns, leveraging malicious email attachments and links to infiltrate systems.
  • Social engineering tactics and mass-scale phishing campaigns serve as effective entry points for ransomware actors seeking to gain initial access.

Shadow IT and Stolen Credentials:

  • Shadow IT, characterized by unmanaged assets and overlooked vulnerabilities, accounts for a significant portion of ransomware incidents.
  • Remote working has amplified the stolen-credential problem: passwords leaked in breaches over the last five to ten years are reused by employees, intentionally or not, on RDP, VPN and other remote-access services, giving attackers a login rather than an exploit.
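Stolen credentials only work when the password is still in use, so a practical control is to screen passwords at enrolment and reset against a breach corpus without ever sending the password itself. The added example below (not code from the webinar) implements the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API: only the first five hex characters of the SHA-1 go to the server, and the client matches the remaining suffix locally. The corpus is a constructed stand-in built from three sample passwords with made-up counts so the code runs offline; the real endpoint URL is included but not called.

```python
"""Check a password against a breached-password corpus without sending it.

Added example, not code from the webinar. It implements the k-anonymity
range lookup used by the Have I Been Pwned "Pwned Passwords" service: the
client sends only the first five hex characters of the password's SHA-1,
receives every suffix in that bucket with its breach count, and matches
locally. The corpus here is a constructed stand-in built from a few
sample passwords so the code runs offline; the real endpoint is shown but
not called.
"""
import hashlib
import urllib.request

PREFIX_LEN = 5  # characters of the hex digest disclosed to the server


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """(prefix sent to the server, suffix kept on the client)."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    bucket = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        bucket[suffix.upper()] = int(count)
    return bucket


def breach_count(password, fetch_range):
    """Times the password appears in the corpus; 0 if not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def hibp_fetch_range(prefix):
    """Real lookup against the public API (not used in the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in corpus: sample passwords with made-up counts.
_SAMPLE_CORPUS = {"Password123": 123456, "Winter2023!": 89, "letmein": 301000}


def _build_buckets(corpus):
    """Group the sample corpus into range buckets keyed by hash prefix."""
    buckets = {}
    for password, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(password))
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    return buckets


_BUCKETS = _build_buckets(_SAMPLE_CORPUS)


def fake_fetch_range(prefix):
    """Offline stand-in for hibp_fetch_range, same response format."""
    return "\r\n".join(_BUCKETS.get(prefix.upper(), []))


def acceptable(password, fetch_range=fake_fetch_range):
    """Policy check for enrolment or reset: reject anything seen in a breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("Password123", "correct horse battery staple"):
        n = breach_count(candidate, fake_fetch_range)
        verdict = "reject" if n else "accept"
        print(f"{candidate!r}: seen {n} times -> {verdict}")
```

NIST SP 800-63B lists screening against known-compromised passwords among its verifier requirements, and wiring acceptable() into the reset flow for RDP, VPN and other remote-access accounts targets exactly the reuse the talk describes. Swap fake_fetch_range for hibp_fetch_range to query the live service; the five-character prefix puts the password in a bucket of several hundred candidates, so the server learns nothing usable about which one was checked.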

Targeting Vulnerabilities for Exploitation:

  • Ransomware attackers prioritize vulnerabilities with a global attack surface presence, exploiting weaknesses in widely-used software and systems.
  • The 2023 Fortra GoAnywhere command injection discussed in the talk is a current example: it is remotely exploitable with a crafted HTTP request, hundreds of instances are exposed in the US alone (897 after filtering out honeypots), and the Clop ransomware group has used it for initial access.

Mitigation Strategies:

  • Proactive vulnerability management is key to reducing the risk of ransomware attacks, requiring organizations to prioritize patching and remediation efforts.
  • Swift remediation of critical vulnerabilities, coupled with robust security awareness training, can significantly mitigate the risk posed by ransomware actors.


As ransomware threats continue to evolve and proliferate, the onus falls on organizations to adopt a proactive stance towards cybersecurity. By understanding the tactics employed by ransomware actors, organizations can implement targeted mitigation strategies to fortify their defenses and mitigate the risk of attacks. Through collaboration, education, and vigilance, we can collectively navigate the complex threat landscape of ransomware and emerge stronger in our cybersecurity resilience. Let us unite in our commitment to securing digital assets and preserving the integrity of organizational networks against the pervasive threat of ransomware.


Speaker:

Jitendra Chauhan has over 16 years of experience in the Information Security Industry in key areas such as Building and Managing Highly Scalable Platforms, Red Teaming, Penetration Testing, and SIEM. He holds multiple patents in Information Security. He loves to visualize problems, solutions and ideas. He is very strong with modelling and inductive learning (he can mentally make math models based on a few examples). He is very passionate about machine learning and its applications, Cyber Security and Micro Services.

https://www.linkedin.com/in/jitendrachauhan/
https://x.com/jitendrachauhan


Greetings, esteemed members of the CISO Platform, a beacon of knowledge and collaboration in the realm of information security. Today, we embark on a journey to dissect the modus operandi of ransomware attackers and shed light on their strategies for exploiting vulnerabilities. Join us as we unravel the factors influencing the prioritization of vulnerabilities, empowering CISOs to fortify their defenses and thwart potential ransomware attacks. In this webinar, Jitendra Chauhan, Head of Research at Fire Compass, will illuminate the path towards proactive vulnerability management and resilience against cyber threats.


Here is the verbatim discussion:

And as I said, how ransomwares go and use an old vulnerability to target right now is because they are scanning the whole internet and they are constantly looking for the global attack surface presence of a vulnerability. Probably initially they didn't prioritize it, but then, as you know, there are around 50,000 NVD vulnerabilities, but their attack surface may not be large, may not be a significant size. So there are various factors that come into the picture when ransomwares use these factors to prioritize a vulnerability, and one of them probably is having global attack surface presence, which means it should have a significant presence on a global scale. Second probably is easy to exploit: the vulnerability should be easy to exploit and should bypass various security controls. Sending an HTTP request probably is one of the ways to bypass a lot of security controls, because HTTP is being used very generically all around. So, as I said, the ZK framework, which is a Java framework: this vulnerability works very similar to Log4j, in fact. So in this vulnerability the user can send another packet, another HTTP request, to the respective server, and then it actually goes and discloses information related to sensitive files on the local instance, which may include even credentials, and as a result LockBit could actually use those credentials to gain access to the system. And as you can see, in the United States itself, with conservative, restricted queries, there are around 1,000 instances currently being exposed just in the United States right now. Now, with the advent of remote working, when the workforce is all around the globe, the incidents of using stolen credentials to get access to the network and to some of the systems have increased drastically. This is because the collaboration is now not limited to within the perimeter of the network, so as a result they are using the stolen credentials. Now where are the stolen credentials coming from? These are coming from various attack and breach databases which were published over the last maybe five to ten years, where billions and billions of credentials are available on the dark web, and many of them are being reused by employees, intentionally or unintentionally, on other systems which probably work in the enterprise. And not only that, a lot of cases in shadow IT also come from code leaks: when developers write open source tools, they leave credentials and API keys in the code and publish it, or they can also leave these credentials in the software build, such as Jenkins or maybe CircleCI or any other CI/CD platform. So in one of the incidents which happened one month back, after doing phishing, once the attacker got access to one of the DevOps systems and then got access to their CI/CD system, what they found out is they decompiled the build, and in the build itself there was a package of credentials being packaged together with the build, and as a result they got access to a lot of other systems all around.


Highlights:

Understanding Ransomware Tactics:

  • Ransomware attackers leverage old vulnerabilities to infiltrate organizational networks, exploiting weaknesses in global attack surfaces.
  • Factors such as ease of exploitation and bypassing security controls play a pivotal role in the selection of vulnerabilities for targeted exploitation.

Global Attack Surface Presence:

  • Ransomware actors prioritize vulnerabilities with a significant presence on a global scale, maximizing the potential impact of their attacks.
  • A comprehensive understanding of the global attack surface enables organizations to identify and mitigate vulnerabilities proactively.

Ease of Exploitation:

  • Vulnerabilities that are easy to exploit and circumvent security controls are prime targets for ransomware attackers.
  • Techniques such as sending HTTP requests are commonly employed to bypass security measures, highlighting the importance of robust defense mechanisms.

Stolen Credentials and Shadow IT:

  • The proliferation of remote working has led to an increase in incidents involving stolen credentials and Shadow IT.
  • Attackers capitalize on leaked credentials and API keys, as well as vulnerabilities in code repositories and CI/CD platforms, to gain unauthorized access to organizational networks.

Case Studies and Real-World Incidents:

  • Jitendra Chauhan will delve into recent incidents where ransomware attackers exploited vulnerabilities in DevOps systems and CI/CD pipelines to infiltrate organizational networks.
  • These case studies serve as cautionary tales, illustrating the critical importance of securing software development environments and mitigating vulnerabilities at every stage of the development lifecycle.
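The incident described above, credentials packaged into a build and recovered by decompiling it, is the kind of leak a release gate can catch before the artifact ever ships. Below is an added example, not code from the webinar, from Fire Compass or from any CI/CD vendor: a small scanner that runs over the extracted contents of a build artifact, matches a couple of well-known credential formats plus generic key/password assignments, and uses Shannon entropy to skip obvious placeholders so the gate does not fire on `changeme`. The artifact contents are constructed; the AWS key id is the documented AWS example value, and the other values are fake.

```python
"""Scan extracted build artifacts for embedded credentials before release.

Added example, not from the webinar, Fire Compass or any CI/CD product.
SAMPLE_ARTIFACT is constructed: paths and values are fake, and the AWS key id is
the well-known documentation example value, not a live key.
"""
import math
import re
from collections import Counter

# Known credential formats plus a generic "name = value" catch-all.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|passwd|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{12,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score high, words score low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep only the ends so the report never re-leaks the secret it found."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    """Return (path, line_no, pattern_name, redacted_value) for each hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # The generic pattern captures the value in its last group;
                # the format-specific patterns match the whole credential.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # Generic matches must look random: "changeme-changeme" does not.
                if name == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                hits.append((path, line_no, name, redact(value)))
    return hits


def scan_artifact(files: dict) -> list:
    """files maps artifact path -> decoded text (e.g. from an unzipped build)."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_text(path, files[path]))
    return hits


def release_allowed(files: dict) -> bool:
    """Release gate: a build carrying any embedded credential must not ship."""
    return not scan_artifact(files)


# Constructed artifact contents; every value here is fake or a documented example.
SAMPLE_ARTIFACT = {
    "config/application.properties": (
        "db.user=app\n"
        "db.password=changeme-changeme\n"            # placeholder, low entropy: ignored
        "api.token = 9f3Kq7Lz2VbX8Rt4Wm1Yp6\n"        # fake token, high entropy: reported
    ),
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"    # AWS documentation example id
        "REGION=us-east-1\n"
    ),
    "src/Main.java": 'public class Main { static final String VERSION = "1.4.2"; }\n',
}

if __name__ == "__main__":
    for path, line_no, name, shown in scan_artifact(SAMPLE_ARTIFACT):
        print(f"{path}:{line_no}: {name} -> {shown}")
    print("release allowed:", release_allowed(SAMPLE_ARTIFACT))
```

In a real pipeline the dict would be filled by walking the unpacked artifact (decoding each file with `errors="ignore"` so compiled classes and other binaries are still searched for embedded strings), and the gate would run as a step before the publish stage so a build like the one in the incident fails closed instead of shipping its credentials.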


As we navigate the evolving threat landscape of ransomware, proactive vulnerability management emerges as a critical imperative for organizations seeking to safeguard their digital assets. By prioritizing vulnerabilities based on factors such as global attack surface presence and ease of exploitation, CISOs can effectively mitigate the risk of ransomware attacks and enhance their overall cybersecurity posture. Let us harness the collective wisdom of our community to fortify our defenses, mitigate vulnerabilities, and stay one step ahead of cyber adversaries. Together, we can forge a resilient future in the face of evolving cyber threats.