Transcript for:
Insights from Cybersecurity Expert Mr. Mukarji

Hi team, welcome to the session on Coffee with PR. Today we have our special guest, Mr. Aditya Mukarji. This person doesn't need any introduction; he has had a lot of contribution to society, especially in information security. Mr. Adi, I always address him that way, because that's how I respect my seniors. So Mr. Adi basically has 18-plus years of experience in cyber security, and he has made a great contribution to the information security community. I'm sure that in today's podcast we are going to discuss something very realistic, which will give great insight to the people who want to make a career and who want to understand what is happening in the S. Thank you, Dada, thank you for taking out all the time for this particular session.

Thanks, R, thanks for having me.

So, everyone starts their journey with different roles and all that. If you talk about me, I started my journey with IT, then I moved to security. Is it the same with you? I always ask this question of the aspirants, and I always ask this question of the experts who come to this podcast: how they started the journey, what the challenges were, what the issues were and how they overcame them.

Sure. So, early on in my career I didn't have anything planned out when I was in school or in college specifically, but somehow what happened is that, since my father used to work in the computer department of one of the largest private banks in India at that time, I had a little inclination towards it in general: computers, the internet. It was fascinating, because back in the 1990s it was something which was new and coming up, and obviously you could explore and find out new things. So, definitely, like a lot of youngsters I got into gaming, and gaming teaches you one thing: to crack the passwords and keygens and all of it, because you don't always have the money to buy a new CD or a new game, so you have to crack it and find ways to work around it. I think that was one of the inception areas of how I got in. Later on, one of my friends enrolled in an ethical hacking course and, just for the kicks of it, I joined with him. Through that I realized that a lot of the things which were being taught, like looking at phishing emails, cracking passwords, etc., were things that I was familiar with. That's when I realized that this is something where I probably have a little bit of experience and it's to my liking, so this is something that I can definitely explore as a career. Prior to that I was more interested in looking at cloud computing, because that was the biggest thing which was coming up; everybody was talking about it, everybody was talking about hypervisors, enhanced storage, etc. So I started looking into it, and after completing that course I started giving a few workshops on ethical hacking and information security. I covered a few IITs and NITs and a bunch of different colleges, and some small and medium enterprises in UP, Delhi, Lucknow, etc., and that's how I got started. After a few years of running my own entrepreneurship I went into the corporate world, and it's been a journey since then.

Oh, so it's basically a great journey so far; you started things with ch and all that. So this video is normally also viewed by a lot of freshers, and nowadays you have seen that there's a lot of change happening in the last 5 to 10 years. Initially, correct me if I'm wrong, we used to start with the concepts: we got the understanding of how DNS, Windows, Linux and everything works, and then we discussed security and pentesting. But if you see today, the new crowd which is coming, the new people coming into this industry, they're directly looking for a shortcut: going through YouTube videos, fuzzing, they try to learn fuzzing and all that. So what is your message for those people? What is the most important thing they need to understand when they're getting into cyber security? Because on one side we have this news that a lot of people are getting placements, but on the other side we have a lot of folks who say "I don't get any kind of calls from the companies and all that; I'm blank." So what is your message for them?

I would say today there are two sides to the coin when it comes to a fresher getting into any domain in IT, and specifically into information security. The good side is that there's a lot of information, there are a lot of tools, there's a lot of automation already available, so you can just plug into those courses; you can, as you said, watch a few YouTube videos, Instagram shorts, learn from tweets on Twitter about what the different techniques are and what tools to use, and you can get started. But at the end of the day, when you're actually working in the trenches, whether you're working for an organization or you want to work as a freelancer, it's very important that you understand the basic principles and the foundations behind how those logics work or how those tools work, because time and again you will come into certain situations where the tools might not work, where you might need to tweak a particular script to make it work for that specific environment. So understanding the foundations, understanding the fundamentals and how these things are working under the hood is very crucial, because at the end of the day, even if you're a pass-out from, let's say, not an A-list or a B-list college, but you have good knowledge and you can answer the questions which are being thrown at you at the interview, you will still have a better shot at making it than someone who has a few certifications, who is from a couple of good programs, but doesn't have a very deep understanding of what is happening from a technology perspective.

Excellent point. This is the point I was... I'm sorry, we had a different vision for this podcast and I started with something else, and this looks more interesting, to be frank. If you allow me, I have to ask one more question from this area, and I'm sure this can be very important for the listeners also. Now, Dada, a person basically gets pushed into one particular vertical, and it can be for two reasons: one reason is he loves that, he has that passion; the second is basically that someone told him. So when we see the verticals in cyber security, what is your viewpoint on that? What are the most important parameters a fresher has to consider when they see these different, diversified fields of cyber security?

I think that's a very good question, because today there are so many different domains and verticals within infosec that one first needs to understand what the options available to him or her are. For example, whenever someone reaches out to me who's either a college fresher or a fresher who's getting started in jobs, they often have questions like: "I hear about pen testing, or I hear about bug bounties, and there's a lot of money to be made in that, so should I try for it?" My initial feedback is: first get the lay of the land; an idiom would be, put your foot in the water to understand what the water temperature is. There are so many different ones: AI/ML, vulnerability management, obviously threat hunting, threat intelligence, cyber forensics, audits, compliance; there's a multitude of different options which are available within infosec. So if you're starting as a fresher, first and foremost understand what the different options available to you are. It could be through a base-level course which gives you an overview of all the different domains, or you do your own research. That is always going to be the best way possible, because people like you and me, we have Googled, we have gone to IRC chat channels, we have read multiple documents, we have understood the basics, and then we tried to find out what our niche is and where we need to go. So no matter what domain you're starting in, it's very important to understand the different options by doing your own research, or by looking at people who have done their research so that they can guide you. Then find out which is the most feasible field for you based on your skill set as well as your liking. Now, I might like to be a cricketer, but that's not my skill set, so I cannot become a cricketer; but what I can still do is, I know about cricket, I speak well, so I can be a commentator. So you have to find a good blend between your skill set and your liking so that it can make a good combination for you.

That's a very important point. The reason I basically asked this question is, we have a lot of blogs and all that, and everyone is basically targeting this particular platform with 3% top to 4% top, so they are more influenced towards pen testing, SOC and all that. So that's the reason I asked this question, and I'm sure for those who are watching this video, the person who's speaking in front of you basically came from a very down-to-earth platform; for example, he started with IT, then moved to cyber, and there was one opportunity where we had our discussions and I can sense that what he is basically telling makes sense. So that's the reason I wanted to start the session with this particular perspective. Coming back to things: as a CISO, now we're talking about the top-down CISO approach and all that, and now we have different verticals in cyber security. So there is one organization which has forensics, SOC, VAPT, governance, and the CISO basically handles that; then if you work for product companies, the CISO approach is more about technology and all that. Today there is a new concept which is happening, the SOC, the Security Operations Center, or we talk about MSSPs and all that, and there's a lot of buzz around this threat detection engineering and all that. So how do you see a CISO handling all these metrics? Because these are more technical in nature, and we say a CISO should be strategic in nature, he should always be there to create value for the business. Okay, that's fine, but from a SOC perspective and all that, how can a CISO see this perspective?

I think today what has happened is that, because of the number of organizations which are mandated to have a head of infosec or a CISO in their organization due to the regulatory and compliance requirements across the globe, there is a good blend of different backgrounds from which CISOs are coming in today. In the majority we see people who have been in information security for some time, so these are people who would focus on the technical aspects. You have a large chunk of people who are coming from traditional IT domains, so they are going to be more process-oriented, because, as you rightly said, they might not get into the technical nitty-gritties of how certain operations work. And then obviously you have business leaders who are coming into the CISO role because of their vast experience in the organization, so this might be more of a business stakeholder who is looking to manage information security as part of the overall business risk. Now, apart from the technical CISO, who is obviously going to have a very good understanding of what technologies are implemented and how they should be fine-tuned, I think the other two's approach is mainly to trust the team in what they're doing, to ensure that there are guardrails and benchmarks through which he or she can measure their performance, and also to see whether, as a business unit, they are meeting the risk criteria and the holistic return on investment that the organization is making towards the infosec practice in the organization. So I think that's how, in my experience interacting with a lot of different CISOs, that's what their approach is. Looking at the SOC and a lot of other operational cyber security domains, they are very tactical in nature, so every day there are new threats which the teams are interacting with, so they have to continuously learn, they have to continuously improve their detection mechanisms, and that's where detection engineering and all of these aspects come in. So you need to have a good set of team members at the analyst and senior analyst level who are doing the actual detection work, who are generating new detections and engineering algorithms to detect those threats, and then operationalizing them, because only having the detection is half the work; you also need to respond to it.

Exactly.

So I think that's pretty much the overall matrix of how things work at large organizations.

Thanks, Dada, thanks for sharing this viewpoint about this matrix, and I really like one of the metrics we're talking about, the perspective of engineering and the technical aspects, how you map the things. So with that, there's always one concern we have in the company which is a nightmare for any CISO: a data breach. So as a CISO, can you share your viewpoint on how to handle a data breach?

I think data breaches are definitely, as you rightly said, a nightmare for any organization, because you have to first understand the scope: how it happened, how long it has been happening for, and what the implications are going to be. Specifically, looking at the significant number of data breaches which have happened over the past few years, both in India and internationally, it has been significant, majorly because of, one, the scale of impact: we see huge numbers, actually millions of people getting impacted by major data breaches across the nation as well as the world. We see that one of the first response actions the organization needs to take is to understand for how long that breach has been undetected, or the threat actors have been in the environment undetected, because that goes to showcase the efficiency, or the lack of it, of the organization in proactively monitoring their environment. We definitely have a lot of fallout from that, which is the public and regulatory scrutiny that happens; there might be public sentiment, there might be regulators coming down on a specific organization because of a data breach, and that might bring in more fines, which will obviously have business and financial impact as well. There are implications from a consumer trust perspective as well.

For example, also?

Yes, absolutely. For example, there was an event in India this year itself where there was a data breach against an organization, or a portal, which was maintaining pensioners' details. In those cases what happens is that any new organization which is getting onboarded with that particular entity will think twice, because if all those details get out there might be larger implications, not just for the entity but for the downstream pensioners whose money is stored there as well. And ultimately, one of the things that everybody looks at, even from an infosec perspective, is how timely the response and the remediation efforts are, because that helps you show how mature the organization is. So one thing that we need to understand is that today pretty much every big name in the industry has faced a breach, be it any of the front-facing public companies or government entities across the globe. Breaches and security threats are a part of the operations that we are doing in the world of the internet today; what is important is how much you're taking steps to prevent it from happening and how ready you are to act on it once a breach is detected.

Dada, thanks for this particular response. So my follow-up question for this is: what are the steps? If you go by the certification we say, okay, confirm the incident and all that. I want to be very upfront with you, okay: this is what people say the process is. As a consultant, or as the one who is dealing with these issues and all this, what are the most common causes of a breach, and second, what is the first step we always take? The reason I'm asking this question is that a lot of people who are making a career in SOC and all that also get this question in their interview. I'm sorry for that, but I also have a personal interest behind that.

Absolutely.

I don't know which podcast and which content of the podcast is basically creating an impact for our freshers, so that is why I asked this question. I'm sure when you also hire a candidate and all that, you need to understand the mindset, the psychological behaviour and all that. So what are the common causes of a breach, and as a consultant, anyone, L1, L2, L3, whatever, how do we respond to the first breach which we identified in the organization?

Sure. I would say that consistently over the years we have seen the trends to be majorly linked to either social engineering or phishing attacks which are targeted at employees across the board. There might be spear phishing attempts which are targeted at the executive level or the senior leadership of the organization, because obviously they have more access and privileges across the environment, so having targeted them and got their credentials is going to be more useful for the attacker. The other events which actually lead to breaches are often weak or stolen credentials, which we often see as part of any data breach; if anybody goes to Have I Been Pwned they can see the amount of data which is breached and posted on the dark web on pretty much a weekly and monthly basis. We have also seen a majority of data breaches occurring from either malware or ransomware attacks, where there are a lot of different techniques: you encrypt the environment using a ransomware attack and then you also sell the data on the dark web forums to extort more money from the victim. You even have incidents where insider threat plays a role, where there might be disgruntled employees, there might even be contractors, etc. So that actually leads to third-party and supply chain impacts as well, which might be caused by, say, you are doing all of your security measures perfectly but your data is being stored or processed by another third-party entity or a supplier, and they actually do not have as good a security apparatus in place, so that's going to lead to a potential data breach. And in my personal experience, unpatched vulnerabilities were a thing that we saw a lot in the past in my consulting experience, as well as security misconfigurations. A lot of companies hire external candidates and consultants to implement technologies, and then over time either the configuration is not maintained up to the best practices or the software is not patched accordingly, so those things definitely lead to the major causes of data breaches.

And when you talk about how you prioritize a response, I would say first and foremost is the activation of your incident response team as well as your crisis management team. Every organization should have that, which is a cross-functional team which has your digital forensics and incident responders, your IT teams, your legal counsel, your corporate communications and your impacted business stakeholders. This gives you a good set of people to start taking decisions, and also to inform them so that the message gets across the organization as to what the expected steps to be taken are. So if we talk about what steps an organization should take post activation of your incident response and your crisis management, it would be first to scope and contain the breach. In information security, whenever we are talking about a security incident, the first and foremost step is to isolate it so that it doesn't spread any further into your environment or your architecture per se; so isolating whatever your affected systems are, your accounts and wherever the malicious activity has been observed, and then following up with the traditional analysis and assessment. And obviously, based on the regulatory requirements, you might be required to notify certain regulatory authorities and also communicate with any affected parties, such as your customers who are getting impacted; or, if you're a third-party provider and this data breach is impacting your downstream capabilities and abilities, you need to inform those partners as well.

So there was one follow-up question for this, because you talked about the regulatory side and all that. How has the regulatory landscape changed in this respect? In the last 10 years we have seen the involvement of regulators in information security; it was not there like that. Earlier, if there was a breach we would sort it out, but today we talk about GDPR 72 hours, India 6 hours. So as a consultant or as an individual, how do you see the regulatory landscape for data breaches? How will the company adapt to the regulations, parameters and everything when they handle this breach?

I think from a regulatory standpoint things have got a lot more streamlined in the past decade or so. We have seen stricter data protection regulations kicking in, be it your GDPR or your other privacy laws; even in India we are looking at one. When we talk about the other steps which have really changed the regulatory landscape, it is obviously the mandatory breach notification which you mentioned. We see increased fines and penalties for organizations who are either not putting the due diligence and due care in place, or are not following up with the breach notification in time and making sure that whatever threat has been detected is actually informed in the public forum as well as the regulatory forums. We also see certain interest from the legal and regulatory standpoint which focuses on cross-border data transfers, because that is another big thing that a lot of countries are focusing on: even if you implement certain laws within your nation, if the data is not stored there it's not applicable. So making sure of what the law says about how you can share or store the data of your citizens outside is also an important aspect. Now, speaking about the response from the companies, I think it all comes down to your basic infosec practices, such as conducting regular risk assessments so that you are aware of what the vulnerabilities are and what the risks are; you can prioritize them and then you can work on the remediation plans. Implementation of stronger security measures: we talk about encryption, we talk about access control, we talk about monitoring, but how well are you actually doing it? And if you have a third party come in and test it, such as doing external audits and external assessments...

Yes, not just VAPT.

So VAPT is obviously there, but you have different engagements where you have different consulting firms come in and they pretty much do a black-box or even a white-box test of all of your controls, to make sure that if an insider threat were to manifest itself, how would it work, what are the different detections and mitigations you have in place; if, let's say, your name is posted on a dark web forum and there's an APT which is focusing on taking you down, how would a black-box attack showcase to you what the different ways are through which they would try to get into your organization and exfil the data or implement ransomware or malware.

Thanks, thanks for the amazing response on that particular question. So, security, when we say... but when it comes to data breaches and all that, India is always on the lower side; we have very few data breach stories and all that. Does it mean we have a strong team or we have a strong defense center?

Well, 2024 hasn't been very lucky for us, so we had a few events; even in 2023 we had a few. But yes, compared to the scale at which we see a lot of different Western countries, I think comparatively it's a little less.

And trust factors also play an important role: how you basically build the viewpoint about the breach for the market, PR and all that, that also plays an important role. So what is your viewpoint on that?

I think there are two things. One is the amount of data breaches that might be happening in India and which are getting reported, as far as the regulator or the media is concerned. I think it has improved over the years, but there is still a huge gap which has to be improved. So I think that's one: under-reporting, which might be causing a lower number of data breaches. Two, I think overall organizations from the Western world are more global in nature, because of which, if they are breached, the impact is far-reaching across the globe. For example, if you see Meta or any other service like that getting breached, their users are across the globe; whereas if you see the recent data breach that we had in India at a consumer-facing company which makes a lot of speakers, etc., their impact was largely focused only in India because they do not have a very large global footprint. So I think that also makes a difference from an attacker's perspective as to which are the lucrative targets that they want to go after. And I think overall Indian companies have been doing a good job, I would say, not comparing with anyone else, but since we have a lot of consulting firms which work closely with our startup ecosystem as well, there's a lot of benefit that they get from that, either from a talent perspective or a technology implementation perspective, which probably helps them do a better job compared to some of the other countries.

Thanks. So the weakest link in the organization is always the people, and if you see, 60 to 70% of attacks are basically initiated through phishing or social engineering and all that. So what role does employee training and awareness play in preventing these breaches, and what is your viewpoint, what is your recommendation to the listeners who are experts, who are experienced and are also handling their environment and all that? How can we improve awareness training, and what is the importance of awareness training?

So I would say, obviously we have all heard that people are the weakest link, but they can also be one of the strongest links in the chain. The reason for that is, if you have a good set of people who are trained in information security awareness and what the latest threats are, they can easily identify suspicious activity; they can report on anomalies that they observe either as a practice or as a one-off; they can report on phishing attempts which might not be caught by your traditional filtering and detection mechanisms in the organization; or different social engineering tactics can also be captured through that. Now, it also helps in reducing human errors, because traditionally we see companies where a lot of manual input is being done by either customer service reps or different analysts, and there's an amount of human error which plays a part in producing or manifesting a threat in an organization, so that gets reduced. You have more adherence towards the regulatory and compliance requirements, which might be crucial to a cultural shift for the organization towards security. I would say, largely, best practices would be to conduct regular interactive training sessions, because if you're just posting a presentation or just giving a video and asking them to complete it, we all know we just click the next button and close it as fast as possible. So making sure that you have some kind of interactive session and you're able to measure how much the listener is retaining of your knowledge is going to be a helpful benchmark to know if your workforce is actually cyber secure and cyber aware. Phishing simulations: pretty much every organization which has a security function does that, so that helps you identify the people who are susceptible to phishing attacks, and you can actually focus on training them better. There are different data handling and privacy trainings which have come up as well, and those would help in understanding the encryption protocols and how you should share information; make people aware about shadow IT, etc., because those also play a big part when it comes to setting up infrastructure in the cloud which is outside of the traditional IT, which might not be under the supervision of the security team or being monitored by the security team. So making sure your developers and your testers are all aware of how shadow IT works and how all these things work is definitely going to be very helpful. And I think also making sure that you're training your workforce on emerging threats, because today we see AI/ML, we see a lot of voice cloning happening, telephone calls which are impersonating a CEO or a boss and calling someone up. These things are only going to increase as these AI/ML engines become more mainstream and accessible to people, and making sure that your workforce is actually trained on the emerging threats, so that they understand about ransomware attacks, business email compromise, insider threats, I think will make them more aware as a person, which will ultimately make your organization safer.

And that is the reason I was about to ask that question, and I'm glad you have included that part in your awareness point, about the importance of AI and ML training and deepfake videos, because till now I have seen very few enterprises moving on these AI deepfake videos; they're just talking again about phishing links, OTP and all that. But I think things are now going beyond those attack vectors, where we're talking about AI/ML, then deepfake videos, then voice cloning; I think these are the new, modern ways of attack we have, which we have to train our employees on.

Absolutely.

So thank you; this is actually the summary. So I want to understand one important point: what is the lesson that you learned from this industry, the cyber security industry, and what is the viewpoint you want to share with the people?

I would say, looking at my past experience personally, early on in my career I had responded to many incidents at major client locations where these attacks could have been prevented with basic protective and proactive detections, timely actions on threat intelligence, and decent vulnerability management programs. So when you look at small and medium scale enterprises, a lot of the threats that are faced by them are going to be remediated if you do the basic sanity, due care and due diligence that we talk about; if you follow any security standard, these things are going to be taken care of. My recommendation would be to make sure that you have deployed some kind of enhanced monitoring tools, which are basically EDRs, etc., which are looking at real-time alerts and creating visibility of what your network activity is, what your user behaviour is and what your system anomalies are, so that you can dedicate a set of people to look at that and respond to the most meaningful alerts which are being generated. Then obviously get some kind of automation in place which looks at your continuous monitoring, making sure you have all your security logs, your audit controls, your vulnerability scans, everything automated and taken care of, so you don't have to spend time every day looking at those things which can be automated and are not a higher priority compared to the first one.

Thanks.

A couple more points I have.

Yeah.

So another thing is the integration of threat intelligence. We all recall what happened during WannaCry, and I talk about this because I recently spoke about WannaCry in a different engagement: we knew that the SMB vulnerability had come out a few months earlier, we had the notifications, we knew how the vulnerability could actually impact, however a very small number of organizations actually focused on patching it, because of which we saw such a widespread attack. Similarly we had SolarWinds; we have seen a lot of different attacks where one vulnerability or one zero-day impacts a huge number of organizations. So make sure you have good integrated threat intelligence in your security operations, so that whatever threat intelligence you're getting, or the vulnerability feeds that you're getting, is actually getting operationalized, so you're on top of the emerging threats and attacks. And lastly would be conducting regular security assessments, as I was mentioning earlier: having some kind of external engagement with a security firm which can come in and identify weaknesses in your overall security apparatus will help proactively address any potential risks or weaknesses that you have.

So, Dada, sorry for that; the reason was that I was asking one question in continuation of the topic. When you're talking about verifying the vendors who can do the assessment for the companies and all that, do you have any kind of recommendations for when we onboard a vendor for this assessment? What are the two or three points we should consider, instead of having a shallow checklist of 10 controls, 20 controls?

Right. So, since we speak with respect to the Indian aspect, definitely look at whether they are CERT-In empanelled. Second, make sure that from a security perspective they have done a number of audits, and you can actually call for different reference checks, or you can reach out to your peers in the industry and get some reference on what kind of audits they did or what kind of assessment they did and how helpful it was, so that you can benchmark them against the different competitors in the market. So that's two. I think three would also be to check the skill set of the empanelled analysts and testers they'll bring to your team for doing the assessment: getting some kind of background on their skill set, having engagement with them to understand what the process is that they are following and what best practices they are following, and that could give you a good idea of what kind of team is coming in, how proactive they are and how proficient they are in their security assessment.

But if I set aside for a second the empanelment, which is India-specific, we have a lot of requirements where things are global and all that; in that case, do you consider validating the technical capabilities, or some PoCs and all that?

Absolutely. I think you can definitely recommend having a PoC in your environment to see, but I think when we talk about security assessments, PoCs don't play a role, because unless you're implementing a tool, that is where the PoC part is going to come into play. When you're doing an assessment with an external party, I think it's important to know what their skill sets are, what their experience is, how their reporting is, and what the past experiences are of other companies who have worked with them, which will give you a good idea of what they're going to bring to the table.

That's great; it's a great insight I got in the last 40 minutes, and I'm sure this podcast is going to be a super hit because of three major reasons. I like three major points in this particular podcast, and those are the learnings I'm going to take from this podcast: one is basically about how to handle a data breach; it's a very good thing that you have shared. Second is the regulatory aspects, and third is the last point which you said about vendor management and all that. Thanks for that, and I'm sure when I'm making the minutes of it, I'm going to update this in the video description also.

Sure.

Actually, normally we always say "at gunpoint", okay, our wish and demand; so for me the gunpoint is recording, so we are live right now. Let's take an example: are you open for another
podcast where you know the freshers want to want to know more about cyber security information security are you open for uh the dis like you know can I can I share your LinkedIn profile in the description box so if someone has a query can they reach out to you because a lot of peoples are there who who want a right advice from the right Mentor so are you open for that sure absolutely thanks Z thank you so much uh you know Saturday Sunday is always a critical but taking on the time on weekend for this noble cause I truly appreciate and really mean it and uh uh you know it is your wisdom your thoughts only which basically make you different from others and that is the reason you know we you know I was requesting if we get you in this particular podcast sure I I would say I was looking forward to collaborate with you in any way possible so I'm happy to be here and happy to be speaking with you thank you D thank you so much for this particular amazing podcast