Author Archives: Prasanna

Community Building And Volunteering Experience

Volunteer pic courtesy Pixabay

As the Silicon Valley of India, Bengaluru is often looked up to for all the latest in technology, ranging from cloud to product management. When it comes to information security, there are limited groups and communities that meet regularly. Among these, the ISC2 Bangalore chapter is one such group, primarily comprising security practitioners in various domains of security. Started in 2015, it now has over 200 security professionals from a broad range of companies, consultancies and freelancers, and we used to meet regularly offline and, for the last two years (due to Covid), online.

Recently my term as a Board Member of the ISC2 Bangalore Chapter ended, and I am sharing my experience of volunteering for the board here.

I was one of those folks who used to attend the meetings and mostly wondered what goes on behind the scenes when it comes to running multiple events all around the year, not wanting to be bothered about all the effort and planning that goes into it, like selecting topics and speakers, talking to sponsors, shortlisting a venue, gauging the participation of the folks, and logistics including lunch, snacks, coffee and tea. But all that changed when I made the leap, thanks to many folks, including the past and present board members, who nudged me.

Volunteering for the board was a great experience that helped me expand my knowledge not just about InfoSec but about many areas of life, professional and personal as well. Many of us worry about the time it requires from our busy professional and personal commitments. But all it requires is a little bit of planning to set aside some time and then executing on it. Importantly, once you realize the impact it will have on the community, I am pretty sure you will make time for it. There are many lessons I learned in the course of the term, which was three years.

Dealing with Adversity & Ambiguity

Before Covid struck, we used to conduct 4 offline events every year, and these benefited the members in a multitude of ways:

  • Staying abreast of the latest in the world of information security
  • Networking with peers to share and learn from experiences
  • Helping members earn CPEs
  • Contributing to the community through safety and security awareness programs

When Covid struck it affected us all, but like any security professional, the goal was to keep the business moving (just FYI, we are a not-for-profit). We had to ensure our financials were strong enough to support us through the Covid times. As revenue from attendance fees would no longer be possible, we had to innovate and look for alternate streams of revenue for the chapter. A lot of hard work from the past and present board members resulted in us getting sponsors who had noticed the quality content we were bringing in, and we rolled out quarterly virtual events. Once the sponsorship poured in, we invested this money in enhancing our capabilities.

We were using a basic mailing solution provided by the hosting provider; there was no client to check mail on the go, and the lack of mobility was hurting collaboration. After evaluating many vendors we migrated to G Suite, and with it came Drive, Sheets, Docs and Meet. This allowed us to meet frequently (albeit virtually) to ideate, document and exchange plans in a structured manner.

Learnt about newer technologies

As a volunteer, I got to experiment with, explore and launch newer tools and technologies to expand the community. Since we were all virtual, our events needed to be online and we needed a video conferencing solution. We experimented with various video conferencing tools like Zoho, Zoom, Google Meet and Microsoft Teams, with the capability to record and livestream the events. There were times when we did live troubleshooting with one of the VC vendors' support teams during an event! In fact we supplied a lot of use cases and feature requests which even their team wouldn't have thought of.

One thing led to another! Since we had the video recordings, we decided to upload and share all the content from the sessions for anyone to access from anywhere. We started small, and today our chapter's ISC2 Bangalore YouTube channel has over 250 subscribers. Likewise, I got the opportunity to wear my creative hat as well. A little bit of engagement on the social platforms allowed us to grow our Twitter base to over 300 followers (a 10x growth in follower base). Not a small feat for a volunteer-driven effort in building the community. This has also allowed other organisations to collaborate with us in expanding their events.

Grow with the Network

We got a chance to interact closely with speakers across the globe and also learn about their perspectives, challenges, tools and the tech they were working on. Many of these are very seasoned folks, including entrepreneurs, retired military veterans who worked on interesting assignments, distinguished scientists, speakers at various conferences, etc.

We also ran a security awareness program for parents and kids in association with the IEEE WIE Bangalore section, touching upon aspects like staying safe online, cyberbullying, games and ratings. We got to see how parents and kids view the online world and how we as security professionals can simplify security for them.

I also got an opportunity to share my knowledge in the form of a workshop on AWS security for security practitioners working in the areas of governance and compliance. Apart from focusing on the technical security aspects, we did a deep dive on the compliance parts: passing audits and looking for the artefacts needed for regulatory requirements. A lot of interaction on the group's messaging platform also helped me improve my reading list of books.

Working for a common goal despite differences

I would be lying if I said running a chapter is easy and all smooth, more so with us security professionals who have our own priorities in professional and personal life. There may be different paths towards the same goal, and the one I or another person chose becomes just a path rather than right or wrong. Purpose-driven meetings and discussions allowed us to focus on the bigger picture without tripping over our egos. For some roles like Treasurer it's a way to explore areas outside infosec, and volunteering creates a path to express those desires and interests.

I hope this encourages you to take up volunteering; feel free to drop me a note if it did.

Reading list: Fiction, Non-fiction

Here is a list of books that I have enjoyed reading and listening to. I will update this list as and when I complete a book, with a small one-liner:

Cult of the Dead Cow

A fascinating book on the journey of hacker culture, the origins of DefCon and Blackhat, hacktivism, cyber-legal stuff and a lot more

Why I Am an Atheist and Other Works

This is a collection of letters the Indian revolutionary Bhagat Singh wrote while he was imprisoned

Permanent Record

Biography of Snowden, with great insights into the inner workings of the surveillance program at the NSA

The Phoenix Project

The book that made the concept of DevOps popular

Ikigai

Self-help / motivational

Talking to Strangers

Non-fiction; a book that touches upon inherent biases and how they affect our judgements

Zero to One

From the startup guru Peter Thiel; it's actually notes from his lecture classes which a student compiled

Essential Calvin and Hobbes

Calvin fan, hence 🙂

An Astronaut's Guide to Life on Earth, Chris Hadfield

Fan of space and astronauts, hence

The Goal

More like a precursor to The Phoenix Project; one can draw a parallel to modern-day monoliths

Outliers

Name says it all

The Order of Time

A good read on the captured history of time measurement. It felt philosophical as well while listening to the audiobook; I will probably listen to it again.

Atomic Habits (still listening)

The Almanac of Naval Ravikant (still reading)

Fintech Security & Compliance — Part 1

Image created using wordclouds

Fintech is one of the most happening sectors in India and the world over, with a wide array of services being delivered in lending, insurance, payments, stocks and mutual funds. While founders, product managers and engineering managers are busy building products and delivering them to people in a rapid and scalable way, there is one huge challenge they must overcome, and that's the cyber security aspect of it. I have had the opportunity to architect and implement controls around these requirements in the last few years and would like to share some thoughts here.

In India, the Fintech regulators are:

  • Securities & Exchange Board of India (SEBI)
  • Reserve Bank of India (RBI)
  • Insurance Regulatory and Development Authority of India (IRDAI)

Each of these regulators has its own cybersecurity requirements, and these span multiple domains of cybersecurity like IT governance, Information Security Audits (IS audits), IT outsourcing, IT risk management, business continuity management (good luck with the single region currently offered by the leading cloud vendor in India 🙂), policies, physical and environmental security, etc.

Apart from these, compliance with PCI DSS/PA-DSS is a common requirement for all fintechs handling credit card transactions. When it comes to PCI DSS, the magnitude of security requirements varies based on the volume of transactions. There are four merchant levels, starting with Level 4, wherein a merchant handles 20,000 plus transactions and compliance requires that you fill in a Self-Assessment Questionnaire, up to Level 1, where 6 million plus transactions are handled annually. Levels 2 and 1 have very comprehensive requirements to fulfil and are audited by a third party.

Not all fintechs have the license to operate independently; they leverage agreements with banks/financial institutions to offer the services. It may be surprising to learn that banks themselves can offer most of the services which fintechs are offering. The key underlying factor here is technology, which perhaps banks are yet to come to terms with. When it comes to security requirements and compliance, banks pass these on to the partnering fintechs. So multiple audits in a year are not unheard of in the fintech space.

RBI has Master Directions for entities operating in the banking/non-banking space covering lending, loans, Prepaid Payment Instruments, Non-Banking Finance Companies (NBFCs), peer-to-peer lending companies, full-fledged banks, payments banks and so on.

IRDA has two major cyber security requirements, and one of them is meant exclusively for insurance offered on e-commerce channels like web/mobile/app, called ISNP (Insurance Self Networking Platform). As most of the new-age insurance companies are e-commerce based, they are forced to comply with both (there is some overhead here).

IRDA's requirement has a cybersecurity checklist with 307 controls and also mandates that a Chief Information Security Officer (CISO) be appointed by the insurance company! While these may be easier to implement for a legacy company with a monolithic architecture, startups usually find them difficult, and herein lies the challenge.

SEBI's framework for Stock Brokers and Depository Participants is published here. What I found cool about SEBI's directives on cyber security, in comparison to RBI and IRDA, is its forward-looking approach, in sync with current demands and realities. For example, they suggest using bcrypt / PBKDF2 for hashing passwords, and the use of passphrases over complex passwords:
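As an added illustration of what the bcrypt / PBKDF2 and passphrase recommendations look like in practice (example code written for this post, not taken from SEBI's framework or any regulator's material; the policy values and function names are assumptions): a password record that carries its own algorithm, cost and salt, enforces a minimum passphrase length instead of character-class rules, verifies in constant time, and re-hashes on login when the iteration-count policy is raised.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Cost parameters for PBKDF2-HMAC-SHA256 (hypothetical policy values chosen
# for this example). The iteration count is the tunable work factor: raise it
# over time and let needs_rehash() migrate old records on the next login.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32
MIN_PASSPHRASE_LEN = 12   # length requirement instead of character-class rules


def hash_password(passphrase: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64)."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError(f"passphrase must be at least {MIN_PASSPHRASE_LEN} characters")
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per record; never reused
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             iterations, dklen=KEY_LEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join([ALGORITHM, str(iterations), b64(salt), b64(dk)])


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    algo, iters, salt, dk = record.split("$")
    if algo != ALGORITHM:
        raise ValueError("unsupported password record")
    return int(iters), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(passphrase: str, record: str) -> bool:
    """Recompute with the record's own salt and cost, then compare in constant time."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # no early-exit timing leak


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record was produced with a lower cost than current policy."""
    stored_iterations, _, _ = _parse(record)
    return stored_iterations < iterations


def login_and_upgrade(passphrase: str, record: str) -> Tuple[bool, str]:
    """Verify a login; on success, transparently re-hash if the cost policy was raised."""
    if not verify_password(passphrase, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(passphrase)   # only possible while the plaintext is in hand
    return True, record
```

Because each record stores its own iteration count, old records keep verifying after the policy changes and are upgraded one login at a time instead of in a bulk migration that would need the plaintexts.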

It also has a reference to crypto shredding; I must confess I did not know such a term existed:

It makes me wonder if the major innovations in the fintech space in India are in the segment regulated by SEBI for reasons like these.

I am thinking of writing in detail about the challenges of complying with the regulators' security directives in coming write-ups, but for now I will focus on what this augurs for cybersecurity professionals in startups/fintechs.

There is going to be a huge demand not just for developers, product managers, architects and data scientists, but also for cyber security professionals. When I say cyber security, it is not limited to pentesters / AppSec / network / cloud security professionals. I see a demand for data privacy, compliance and legal folks who can understand and interpret complex regulations from regulators like RBI, SEBI and IRDA and help implement them in a creative, scalable and rapid way. I am currently working for an emerging fintech company, and a good chunk of my time is spent with the legal team, apart from the engineering folks, interpreting regulations and helping fit newer technologies and controls around regulations and compliance, working on contracts, assessments, third-party risk management, etc.

As a cyber security professional, I wouldn't have expected to work this closely with the legal team, but no complaints, and I am beginning to see things from multiple perspectives! Remember that most startups live by the mantra:

“It is better to ask for forgiveness than permission”

At the end of the day, it’s all about solving problems.

If you have any questions, comments, feel free to post them here and I will try to answer them.

#fintech #cybersecurity #fintechsecurity #RBI #SEBI #IRDA #PCIDSS

The Art Of Shaving Your Head!

The lockdown has forced people to look and feel different. While the fashion for beards still continues to rule, ponytails and long hair are not so much in vogue these days. Quite a few people have asked me how I manage to shave my head. Yes, I do it myself, and what started off in 2015 is now a monthly or weekly routine.

I hope this will help all of you who are on the fence about whether to give your heads a cleanup, either with the help of a barber, a partner or all by yourselves.

Shaving the head is not for the faint-hearted, and very few people understand the change a bald head brings about. It's a process, a journey to lose one's identity. No wonder the first thing many criminals do after a crime is to shave their head 🙂, or at least that's what I have read and understood from newspaper reports.

Jokes apart, it's a tedious process to get rid of the hair on your head, especially if you are going to do it yourself. The first time I decided to let go of the hair, it was by myself. There were a lot of thoughts about what others would say, especially family, friends and colleagues who would pose a zillion questions! More importantly, what would you say to yourself? The moment I got the courage and calmness to accept it, the rest of the process was just technical.

Here are a few things that you should know before embarking on this journey:

  • It's a time-consuming process; you need to be patient and willing to spend some time
  • You must invest in the right tools
  • Be ready to clean up the mess!
  • Face the consequences (including funny faces from young and old, and getting questioned on why)

Prerequisites:

  • A good trimmer
  • A good razor
  • Shaving foam & an aftershave
  • Towel
  • Mirror(s)
  • Old newspaper/waste papers

Preparation:

Shaving your head takes a good amount of time, and it's not something you can do on a daily basis. It can take anywhere between 20 and 60 minutes depending on where you are on the learning curve. It's best done when you are relaxed and have sufficient time in hand. I prefer weekends when I don't have to rush into any meetings. And this is the time you will need to invest every time you want to shave your head.

You do not start off by trying to shave with a razor directly. That would be a disaster in the making. Buy yourself a good hair trimmer. I was using a Panasonic trimmer for close to 10 years until the battery died. I even dismantled it and got it working with a standalone battery, but I screwed up while putting the covers back and broke a tiny hinge.

Old trimmer, whose yellow hinge I broke

A trimmer is an engineering marvel, so many tiny parts working in such harmony. Unfortunately, here in India it is not easy to get original replacement blades, and you might as well pick up a new trimmer instead of trying to source the replacement items for the same price!

The choice of trimmer is yours: corded or battery-operated, and each has its own pros and cons. Corded ones are usually powerful and trim the hair faster and better. But if you live in a household where there are frequent power cuts, I suggest buying a trimmer that also runs on battery.

I currently use this one, which supports both corded and cordless operation; it has a battery backup as well.

A big, good mirror is beneficial, and bonus points if you have a smaller hand-held mirror, which will come in handy to see the back of your head.

pic courtesy: https://bit.ly/3A2jzO5

You can move the trimmer as shown above.

I would advise putting a newspaper on top of the sink (make sure there are no traces of water and it's dry) and dropping all the cut hair onto it directly. There's a trick to how to do it. Using the trimmer, start from the back of the head (as shown in the pic) and move it slowly till it reaches the forehead. After every stroke make sure you clean the blades with a brush. You can bend over and drop the cut hair directly onto the newspaper. Repeat the process multiple times to trim all the hair. Be careful when you trim the hair behind your ears as you move the trimmer; chances are you might get a cut. Once you have trimmed fully, it's good enough for a stubbly look, or you can proceed further to shave with a razor for a smooth finish. If you intend to shave, I strongly suggest using a shaving foam instead of gel or cream, as it's easier. Buy a good brand of foam; after all, it's your head.

For the razor I used Schick till the blades ran out and have now settled on the Gillette Mach 3. I have never bothered with the ProGlide or razors with n number of blades 🙂 I also tried a foil shaver, but it's not good for the head.

Apply the foam all over your head, give it a minute to settle, and then, as with the trimmer, start from the back of the head and go all the way to the forehead. Rinse the blades generously; I use a mug of water with a few drops of Dettol. Be careful when shaving behind the ears; go slow, otherwise the sharp blades can result in small cuts on the ears. Once done with the shaving I use an aftershave / balm. No preference, use the one you are comfortable with, but do dab a few drops on and do not take a shower directly after a shave.

Now comes the hard part. If you love a hot shower like I do, lower the temperature or keep it lukewarm, as your head no longer has the cushion of hair; otherwise the heat will hit you.

Take a look at your bald head in the mirror and savour it. You will find a new you.

Pic courtesy: https://thebaldbrothers.com/20-bald-quotes/

You are vulnerable

All seasons are harsh on a bald head. In summer the sunlight is intense, while in winter the chill hits your head. I had a tough time at the office sitting in an air-conditioned environment; you will find it colder than usual, so much so that you may catch sinus trouble. Invest in good hats, caps and scarves, balaclavas or even neck warmers. The same goes if you commute by metro, where the temperature is much colder (especially the Bengaluru Metro).

I now have close to 5 caps and an equal number of scarves. Go on and show off the fashionista in you. Nights are harsher than days, and I usually wrap my head with a scarf while sleeping for at least the first 1–2 nights, otherwise the next morning will bring a runny nose. If you exercise regularly, buy a few headbands or scarves, as there is no hair to hold off the sweat.

Be ready to be the center of attraction and also of some puns, especially when surrounded by kids. India is not kind to bald men. People make fun of you and stereotype you as motte, taklu, boda and what not. There are even some religious restrictions on shaving heads…

Anyway, now that you have let go of your hair, enjoy everything that comes with it… I no longer have to worry about carrying a comb, nor about shampoo or conditioner, I take a head bath only twice a week, etc.

Smile when you bump into a bald head, next time.