Data Privacy, Facebook and Cambridge Analytica

Introduction

In the latest in the data leak controversy, Cambridge Analytica has been accused of breach of data with inappropriate usage of Facebook data, privacy breaches and psychological manipulation.

Cambridge Analytica systematically and knowingly ran campaigns based on psychological and personality profiles mined from the Facebook data in 2017. The firm has been accused of harvesting private information from the Facebook profiles of over 50 million users without their permission, making it the largest data breach in the history. This information was revealed by a former employee and founder Christopher Wylie to the Observer and the New York Times. Wylie explained how he worked with Aleksandr Kogan, an academic from Cambridge University, to obtain this data and exploit users.

The misuse of data may have allowed the company to build a psychological profile of a large proportion of the American electorate targeting them with specific marketing material and targeted ads, thereby swaying the results of 2016 presidential elections.

Criticality

Most people do not think about the data they share via social media, banking and other large corporate and government, as there is a general level of trust that there are adequate laws and protections, and that by and large there is nothing to worry about, as organizations are assumed to be ethical. While there are growing levels of distrust across the community, taking proper security measures is critical in slowing the decay.

This criticality of the context is not the data issue, but the way data was used. Cambridge used the data records of 50 Million Americans to have a premeditated psychological influence by false Facebook ‘advertising.’ Posts were targeted at potential voters precisely targeting their vulnerabilities.

A data breach is when someone who is not authorized to handle specific information obtains access to that information. It’s a non-trivial failure of the security measures a responsible company or reasonable individuals would have in place. It implies wrongdoing, it implies malice, it implies a victim/attacker relationship.

But when data is harvested and used with the unknowing opt-in of thousands of people, that’s not a breach. There are no hackers here; just people who knew how to use freely-given personal data to manipulate not very technically astute people to some political end.

Data breaches are being revealed for years now. Interestingly, no one hacked into Facebook’s servers exploiting a bug, like hackers stole the personal data of more than 140 million people from Equifax. No one tricked Facebook users into giving away their passwords and then stole their data, like Russian hackers broke into the email accounts through phishing emails.

Facebooks has become a massive data collection machine with 2.2 billion active users, but almost having no guardrails on how they are used. Facebook allowed a third-party to implement an application for the sole purpose of gathering user’s data. Furthermore, Facebook is aware about this issue for more than two years, and only now they acknowledging their mistakes once it has been made public.

The Facebook story rang a similar tune to a story from September about Tinder harvesting user data as well. Judith Duportail requested Tinder to send all of the personal data they have stored for her. They sent back 800 pages containing her deepest, darkest secrets, things she didn’t even know she preferred. It is another perfect example of how social media apps will harvest any personal data they can to sell and make a profit.

Big data breaches are unsettling given the power tech titans now exercise. How to rein them in is a huge challenge. A good example is Facebook, that offers its service free, but people then entrust it with every detail of their lives. It’s a myth that users own the data and content they post on Facebook, and control how it’s shared. The reality differs. Facebook will flog the data to enrich itself, which the Cambdrige Analytica case clearly demonstrates.

Road Ahead

In this context, the laws like GDPR may play a good role. The users can request any large service provider in the world (who has any connection with the EU whatsoever which is everyone) to obliterate your data forever and they must oblige. Or you can request your data to be handed to you in a “portable” format that you can take with you.

Beyond GDPR there is more that the consumer needs to take control of. In the case of Facebook, this is limiting what 3^rd party apps have access to. And this can be confusing with apps constantly “complaining” that they will not work properly without access to body sensors, contacts or the camera. And the user needs to ultimately start with a point of zero-trust—turn off all access—and then test for themselves how the app behaves and then gradually turn on permissions as needed.

It is not in reality but hitting the easy button will have consequences of the “analytica” kind. And then we will act outraged when it happens.

We are in a journey where the privacy boundaries are going to be constantly tested. Expecting the platform vendors to suddenly start doing the “morally” right thing is too naïve. Consumers need to be savvier and assume extreme ownership of their own data. GDPR provides the framework, it is our duty to exercise it.

Stay safe, secure and do due diligence before making your personal data public through social media.

Advertisements

Categories: Security | Tags: Cambridge Analytica, Data Privacy, Facebook | Permalink.

GDPR – The Essentials

Preface

Data Privacy and protection are gaining attention wordwide. In line of the same trend, the European Union, has introduces a new framework to safeguard data and privacy for its citizens.

The same is termed as General Data Protection Regulation (GDPR). It supersedes the UK Data Protection Act 1998 and will be applicable form 25^th May, 2018. Hence the companies attached to EU need to prepare as soon as possible, taking into account some obligations may be expensive and the implementation will be time-consuming.

The new regulation introduces a set of rules, which require organizations to implement controls to protect personal data. The new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organizations to be more accountable for data protection.

GDPR compliance demands strong compliance with the data protection principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies, procedures and Technology are in place to deal with the transparency, accountability and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.

With the appropriate compliance framework in place, not only organizations be able to avoid significant fines and reputational damage, they will also be able to show customers that you are trustworthy and responsible, and derive added value from the data you hold.

What is personal data?

GDPR is designed to enable individuals to better control their personal data.

“Personal data” is defined in the GDPR as any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. In other words, any data or processes that can identify the subject comprise that individual’s personal data.

A piece of personal data that allows one to identify a specific person. That’s the shortest and most practical definition. Lets understand the context with use of few email addresses.

info@infoconglobal.org – is not a piece of personal data, as it isn’t assigned to a specific person at a company. It doesn’t imply who the owner of the address is. It points to a company, not a person.

sushobhan@infoconglobal.org – is a piece of personal data, as it is assigned to a specific person at a company. It does imply who the owner of the address is, or at least it gives you enough information to identify a specific person at a company.

sushobhanm@gmail.com – is a piece of personal data, as it is assigned to a specific person.

Whether we work within a B2B or a B2C domain, we administer or process some kind of personal data. It’s most probably the data of your clients, our prospects, our users, our email list subscribers, or our employees.

GDPR is not about regulating email sending. It’s about regulating the ways in which you administer and process personal data of EU citizens in general. Email address is just an example here. In various contexts data like telephone numbers, addresses, identification numbers etc. may be treated as personal data as well.

Requirements of GDPR 2018

The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:

• Articles 17 & 18– Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
• Articles 23 & 30– Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
• Articles 31 & 32– Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify SAs of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
• Articles 33 & 33a– Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
• Article 35– Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervising Authorities (SAs). Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
• Articles 36 & 37– Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
• Article 45– Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
• Article 79– Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.

GDPR Checklist

GDPR comprises a list of specifications on how businesses should process and handle personal data. In effect, this regulation is to ensure that private data is processed with transparency under the new law, for a clearly-stated purpose, with end-user’s consent. Once fulfilled, the data should be deleted, provided there are no legal-binding regulations in the country or business.

The GDPR allows users for more flexibility over what they have shared. Users have the right to access, modify, rectify, delete altogether their data, among other things. The regulation will also set the foundations for a uniform set of data protection policies throughout the European Union. In other words, where there used to be different sets of rules per country, now is. Dated as they were, this radical change in data protection rules was much needed.

Inline with the first step for compliance, mapping the data flow to enable us to assess our privacy risks. This includes understanding and documenting the following:

• What kind of personal data is collected (e.g., name, email, address)?
• How is it collected (e.g., form, online, call center)?
• Where is it stored?
• How is it processed?
• Is the data encrypted?
• Who is accountable for personal data?
• What is the location of the systems/filing systems containing the data?
• Who has access to the information?
• Is the information disclosed/shared with anyone (e.g., suppliers, third parties)?
• Does the system interface with or transfer information to other systems?
• How long do we keep it?

GDPR impacts

The GDPR impacts many areas of an organization: legal and compliance, technology, and data

• Legal & Compliance: The GPDR introduces new requirements and challenges for legal and compliance functions. Many organizations will require a Data Protection Officer (DPO) who will have a key role in ensuring compliance. If the GDPR is not complied with, organizations will face the heaviest fines yet –up to 4% of global turnover. A renewed emphasis on organizational accountability will require proactive, robust privacy governance, requiring organizations to review how they write privacy policies, to make these easier to understand.
• Technology: New GDPR requirements will mean changes to the ways in which technologies are designed and managed. Documented privacy risk assessments will be required to deploy major new systems and technologies. Security breaches will have to be notified to regulators within 72 hours, meaning implementation of new or enhanced incident response procedures. The concept of ‘Privacy By Design has now become enshrined in law, with the Privacy Impact Assessment expected to become commonplace across organizations over the next few years. And organizations will be expected to look more into data masking, pseudo-anonymization and encryption.
• Data: Individuals and teams tasked with information management will be challenged to provide clearer oversight on data storage, journeys, and lineage. Having a better grasp of what data is collected and where it is stored will make it easier to comply with new data subject rights –rights to have data deleted and to have it ported to other organizations.

Controller vs. processor

There are two types of responsibilities regarding the protection of personal data: data “controllers” and

data “processors.” Specifically, any business that determines the purposes and means of processing personal data is considered a “controller.” Any business that processes personal data on behalf of the controller is considered a “processor.” For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced in paper by the bank.

In fact, some organizations have no control over the data they store from their customers. The question is: within the EU GDPR, what are the responsibilities of these organizations if they store personal data? Are they covered by the new European regulations?

According to Article 4 of EU GDPR, different roles are identified as indicated below:

• Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
• Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

Both organizations are responsible for handling the personal data of these customers.

EU GDPR vs ISO 27001 and 27018

The ISO 27001 standard is a framework for information protection. If the implementation of ISO 27001 identifies personal data as an information security asset, and those that stores/processes personal data in the cloud follow ISO 27018 recommendations, most of the EU GDPR requirements will be covered.

The ISO 27000 series of standards provide the means to ensure this protection. There are many points where the ISO 27001 and ISO 27018 standards can help achieve compliance with this regulation. Here are just a few of the most relevant ones:

• Risk assessment – Because of the high fines defined in EU GDPR and major financial impact on organizations, it will be natural that the risk found during risk assessment regarding personal data is too high not to be dealt with. On the other side, one of the new requirements of the EU GDPR is the implementation of Data Protection Impact Assessments, where companies will have to first analyze the risks to their privacy, the same as is required by ISO 27001. Of course, while implementing ISO 27001, personal data must be classified as high criticality, but according to the control A.8.2.1 (Classification of information), “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”
• Compliance – By implementing ISO 27001, because of control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with EU GDPR (see section above), this regulation will have to be part of this list. In any case, even if the organization is not covered by the EU GDPR, control A.18.1.4 (Privacy and protection of personally identifiable information) of ISO 27001 guides organizations in the implementation of a data policy and protection of personally identifiable Information. For cloud services providers, ISO 27018 control A.11.1 (Geographical location of PII) recommends that contractual agreements for international transfer of data must be available to cloud service customers.
• Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. The implementation of ISO 27001 control A.16.1 (Management of information security incidents and improvements) will ensure “a consistent and effective approach to the management of information security incidents, including communication on security events.” For cloud service providers, ISO 27018 has control A.9.1 (Notification of a data breach involving PII), with specific recommendations for preparation and handling of data breach incidents. According to EU GDPR, data subjects (“a living individual to whom personal data relates”) will also have to be notified, but only if the data poses a “high risk to data subjects’ rights and freedom.” The implementation of incident management, which results in detection and reporting of personal data incidents, will bring an improvement to the organization wishing to conform to GDPR.
• Asset management – The ISO 27001 control A.8 (Asset management) leads to inclusion of personal data as information security assets, and allows organizations to understand what personal data is involved and where to store it, how long, its origin, and who has access, which are all requirements of EU GDPR.
• Privacy by Design – The adoption of Privacy by Design, an EU GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 control A.14 (System acquisitions, development and maintenance) ensures that “information security is an integral part of information systems across the entire lifecycle.” For cloud service providers, ISO 27018 control A.4.2 recommends that secure erasure of temporary files should be considered as a requirement for information systems development.
• Supplier Relationships – The ISO 27001 control A.15.1 (Information security in supplier relationships) aims for the “protection of the organization’s assets that are accessible by suppliers.” For cloud service providers, ISO 27018 recommends explicit definition of responsibilities of cloud service provider, sub-contractors, and cloud service customers.

Way Forward

The implementation of ISO 27001 covers most of the requirements of the EU GDPR; however, some Controls should be adapted to include personal data within its Information Security Management System.

In addition to ISO 27001, some measures will have to be included in order for an organization, either controller or processor, to ensure compliance with EU GDPR, such as Procedures for ensuring the exercise of the rights of data subjects, Mechanisms for the transfer of data outside the EU, Minimum content of the impact assessment on data protection, and Procedures to be followed in case of violation of personal data. All these controls can be integrated into the Information Security Management System, allowing the guarantee of legal compliance and continuous improvement, even more so when the ISMS and EU GDPR are aligned.

The organizations covered by the EU GDPR have until May 2018 to implement a set of measures that may imply a drastic change in their way of operating. Not knowing where to start can make this whole process unnecessarily complex. Therefore, the implementation of an ISMS compliant with ISO 27001 is a sure step for an organization to achieve compliance with EU GDPR.

• Gap analysis: Experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit: Data mapping involves plotting all of your data flows, drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• DPO as a service: Outsourcing the DPO role can help your organization address the compliance demands of the GDPR while staying focused on its core business activities.
• Implementing a personal information management system (PIMS) :Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favorably by the regulator when it comes to DPA compliance.
• Implementing an ISMS compliant with ISO 27001
• Cyber-Health Check: Combination of on-site and remote vulnerability assessments to assess your cyber-risk exposure.

GDPR compliance may be tough, but data security and privacy are worth for the extra effort. Any company that complies GDPR, spreads a message that they do care about customer data privacy.

Be proactive on Data Protection, Privacy , Confidentiality and Integrity. Enjoy the benefits of GDPR.

Categories: Technology | Tags: GDPR, ISMS, ISO 27001 | Permalink.

Wordcon 2018 – Freelancer’s International Conference

“Wordcon 2018”, 3^rd International Conference by Freelance Foundation took place last Friday (9th February, 2018) at the Park, Kolkata.

The first one was in Jameson Inn in 2015 followed by 2^nd one in 2017 at Sonnet, Saltlake.

In these three years, the journey was not only exciting, but also evolved lot many opportunities, ideas and off course synergies across the globe. Freelance Foundation core philosophy revolves around harmony and collaboration. The activities were focussed towards handshaking between freelancers across the borders. Apart from two major conferences, it has taken many interesting and innovative steps like EPIC (entrepreneur’s picnic), Global Exchange Program at United Kingdom (Oxford, London, Birmingham and Glasgow), Outbound Programs (Hyderabad, Silk Route, Orissa, Silchar, Siatale, Dhaka), Musicals (Hammer and Violin / Spring – Summer) , Cricket Match (Fructus et Virtus) and many others.

The key dimensions for Freelance Foundation and Wordcon are as follows:

• Uniqueness and Diversity of Audience: Wordcon is Eastern India’s only and perhaps the country’s only Platform of Freelancers. Since freelancers are everywhere in the economy, the audience is diverse and layered.
• Solving the fundamental business problem: Every business would like to configure the right talent, the right price and the right timing to deliver value to the client. HR’s greatest problem is achieving this configuration consistently. Freelancing answers this problem, especially for smaller organizations and by building relationship with freelancers, you have local talents whom you may not get through the employee route and the additional advantage of cost flexibility and overhead reduction.
• International Access: Our international sponsors are looking for Indian partners for access to Indian markets in segments. Wordcon is increasingly becoming a credible platform and it is wise to be associated with such a platform at an early stage.

In line with the same flow, this years’s conference was designed. The theme for this year’s conference was “Freelancing – a unique way to earn income, leisure and fame”.

Eminent personalities like Mr.Bruce Bucknell (British Dy.High Commissioner), Dr.Parthasarathi Bhattacharyya (Renowned Pulmonologist and Founder-Director IPCS), Swami Sarvalokananda Maharj (Secretary, Narendrapur Mission), Mr.Jawhar Sircar (ex-CEO, Prasar-Bharati ), Mr. Nirupam Sen (Regional Head, BSI), Mr.Gaurav Purkayastha (Advocate, Calcutta High Court), Mr. Mohammad Zahinul Islam (Managing Director, Inter Exchange Solutions Ltd, Bangladesh), Mr. Kashinath Bhattacharyya (Sports Journalist),  Mr.Gobinda Roy(Research Scientist, VGSOM, IIT-Kharagpur), Mr. Subhasish Chatterjee (CEO, Connect India), Mr.Sanjay Sen (Renowned Football Coach),  Mr. Saurabh Mukherjee (A certified Master Practitioner and International NLP Trainer with NFNLP, A certified Practitioner of Transactional Analysis), he is also a certified Past Life Regression Therapist) Mr. Goutam Choudhury(Founder of salilda.com and Music Researcher and Archivist, Rotterdam, Netherlands), Mr.Jigar Kantharia (Translator from Ahmedabad), Mr.Abu Sayed Ahmed (CA from Bangladesh), Mr.Joyshankar (Surma-Dohar Musical Group), Dr.Devasis Ghosh (Mental Health Professional and Holistic Healing Researcher) and other dignitaries had graced the occasion with their deep insight.

The Agenda, Speakers, Panels, Topics were designed in a fashion so that diversified domain experts starting from music, sports, accounts, healthcare, translation, Media etc. could open up areas of engagement for the audience.

Overall 120+ attendees, 30+speakers, 20+ Press People, 10+ Sponsors joined the program to make it a grand success. Great networking, sumptuous foods, Awards for Recognition, Music were few additional areas of attraction.

Pease kachuri, Peas and Corn Pulao, Chana Dal with Coconut, Dhokar Dalna, Matar Paneer, Grilled Fish with Lemon Capers, Chicken Rezala, Mixed Raita, Chanar Payesh, Gajar Ka Halwa were few gracious items in the lunch menu.

The event witnessed the launch of three books:

• Bootstrapping Market Innovation – a book by two freelancers as how to build an effective and reality-tested marketing plan with virtually no financial cost.
• Freespace – Freelancer’s Journal – 3^rd Edition
• অবকাশ সমগ্র (Collected works of Leisure) by Dr. Abakash Ranjan Kar

Wordcon will continue conducting small – local and hyper-local events with freelancers, followed by cultural, musical and literary showcasing.

The spirit of “Wordcon” is briefed through the small assemble of limericks:

ভাল্লাগে না বদ্ধ জীবন, রোজের চাকরী খাতায়,
মুক্ত স্বাধীন ভাবনাগুলো চড়কি কাটে মাথায়,

সম্মেলনের আসর ঘিরে,
পার্ক হোটেলে জমাট ভীড়ে,

ওয়ার্ড কনের মঞ্চে সকল ফ্রিল্যান্স সন্ধি পাতায় |

Last but not the least, Wordcon and Infocon both feel that there is an increasing conflict in our life and livelihood and we are missing quality leisure and healthy social mixing.

Stay tuned thorough our website (www.wordcon.in). Three cheers for “Wordcon”.

Categories: Wordcon | Tags: Freelance, Wordcon | Permalink.

Happy New Year 2018

Year 2017 has passed and we have landed into 2018. With best wishes of the New Year, let us try for few simple resolutions collectively and make our lives more meaningful. I have listed few pointers as it came to my mind:

1. Let’s build, ratain and carry forward Human Connections. This only matters, not internet of things.

2. Enjoy the time which is present, lets not worry about Past and futures

3. Let’s accept whatever comes to us instead of being judgmental.

4. Let us keep it simple.

5. Never give up, Be patient and stick to the situations. It is just about time when everything will turnaround.

6. Lets be brave, handle situations with courage, fight to win the battles in life.

7. Let us forgive.

8. Let’s relax and respond to to the situations in life instead of reaction and having panic.

9. Be positive and enthusiastic to spread the vibes around us.

10. There needs to be secrets and mystery in life. Let us not blow the covers always.

11. Let us acknowledge and appreciate those who helped.

12. Spread the message of love and peace. Nature belives in harmony, let us not break it.

Do you have any more suggestions?

Look forward for your inputs.

Season’s greetings – wish you and your family a wonderful year 2018 ahead!

Categories: Uncategorized | Permalink.

Only Present Time Exists, neither Past nor Future

In about 48hours we are about to bid adieu to the ongoing year 2017. Before you are flooded with messages, wishes and carried away with celebrations in welcoming new year 2018,  I thought of spreading my lesson as I have learnt through life.

I had started writing seriously in the year 2014 through this English blog with the inspiration of one of my close friend. But the same  lost it’s track again while I have started writing in Bengali, mainly short poems (limericks) and essays. But my non Bengali friends kept on complaining as that they could not understand anything about it. Hence this year end post is dedicated to everyone , mainly for the people who could not understand any of my Bengali creations.

Anyways, let’s come to the topic !

Last week I met one of the senior fellow entrepreneurs of Bengal and got an extremely thought provoking insight. He said he learnt bathing in his old age (60+) from his grandson. I felt extremely curious. He said while concluding one day bathing session his 4 year’s old grandson told him” Relax grandpa, Bathing is not about just washing the body, but also to enjoy. Let me enjoy my bathing for few more moments”. I was speechless, how deep understanding of life from a just 4 year old kid.

The People of my generation (in mid forties) are not only in crisis, but also always in confusion. We have seen both the worlds, the world before connectivity and the aftewards. Hence even if we are addicted towards google, Facebook, Twitter, we keep on missing our older disconnected times. With the rise of connectivity we keep on getting overenthusiastic on hyped technologies like cloud, internet of things (IoT), Big Data, Blockchain and so on. People might be jumping on arguing on this , but may not disagree to the fact none of these are able bring peace to our life. Human lifes are becoming miserable day by day.We are worried about future with the knowledge of past and become too engaged in transactions. The aim is always to have greater future. But in the strive of having bright future we can not experience our present. In our life only present moment of time persists. Past is gone, future is unseen. But unfortunately none of us are able to enjoy the present. 

What ever is happening around us, we are not happy about it. We want something else and feel that will make us happy. Last day me and my family were enjoying the laser show in Lumbini Park , Hyderabad. Due course of the show of around 30minutes, my little son (6years old) poked me at least five times tos get a promise from me about playing mobile games once we are back home. We visited a family marriage ceremony few months back with my kids. Immediately after reaching venue, my daughter (10years) started persuing me for mobile games as she was getting bored. These are just some indicative samples to illustrate the facts. There are plentiful of similar examples to complement my thoughts. We keep on talking about external noises, sound polutions. However our internal noises are so vivid, it is not allowing us to live our present time happily.

In continuation of the little kid’s philosophy on bathing, please think how many of us are giving real importance on bathing. Bathing is always a hurried approach like a compliance of our daily routine life while the mind is internally talking about what all things are to be done post bathing and what all not went well or remained pending before the bathing. Same is applicable for every instances of life. Suppose I am writing something now and my mind is thinking about family activities to be done tomorrow, I have not written english blog frequently this year and next year I need to ramp up. Let’s assume we have bagged a project from a customer. Immediately during kick-off, i am thinking how fast I can finish this project, get the money and do some more businesses there. In life we keep on saving money for family, kids with a thought process while everything will get settled, then I will enjoy. By the time all settled, kids grown up, my age also travelled a long way with several physical problems like sugar, pressure, arthritis and so on. In effect I can not enjoy now as well. In life all three parameters like time, place and the entity get altered with time. Hence whatever is valid now, may not be relevant in the very next instances.

“The secret of health for both mind and body is not to mourn for the past, worry about the future, but to live in the present moment wisely and earnestly.” – Buddha

What does it mean to live fully in the present moment? It means that your awareness is completely centered on the present. We are not worrying about the future or thinking about the past. The past and future are illusions, they don’t exist. As the saying goes “tomorrow never comes”. Tomorrow is only a concept, tomorrow is always waiting to come around the corner, but around that corner are shadows, never to have light shed upon, because time is always now.

Can we deep drive in this year end and have a resolution in the coming year 2018 to enjoy every moment of our life?

Categories: Uncategorized | Permalink.

“Infosec Global 2017”, International Infosec Summit in Kolkata

Preface

Winter in Kolkata has different charming flairs and “InfoSec Global” added a new feather in her cap through a mega InfoSec Summit since last year.

This year “InfoSec Global 2017”, the international InfoSec summit took place at The Park, Kolkata on 3^rd November, 2017

Even though there is a lot of buzz around Cyber Security, there are many gaps as well. The areas of concerns touch everyone, our ignorance, over confidence and complacency. We keep on complaining that things are not happening the way we think it should be. However, there are many things happening as well. We need to open our minds and have a convergent thinking. It’s time to complement instead of complaining.

Govt is devising many strategies for the benefit of citizens on cyber. Law enforcement authorities are doing their work at the ground level. Enterprises taking lot of initiatives to implement tools, technologies, processes.

The challenge is how to bind these all-together, how to aggregate efforts, consolidate and converge in order to make it meaningful for the society and civilization? InfoSec Foundation is trying to drive this across the globe.

InfoSec Foundation intends to work as voice of citizen where we bring in all stakeholders together to create a more aware and responsive ecosystem. Connect and extend initiatives that have not reached the targeted audiences, find gaps and demand raise the silent voice so that it reaches the ears of policy makers and functionaries.

Summits, CIO Roundtables, Print Journals, Cyber Security Help lines, Cyber Security Curriculum for next generation – these are few envisaged areas we have already started working in India, Bangladesh, UK and Africa.

InfoSec Global 2017 is the outcome of same vision driven by Infosec Foundation.

Infosec Global 2017, Kolkata

Ignite cyber security!! That’s the mantra. And to enkindle it, Infosec Foundation had taken the important responsibility through the Iinternational InfoSec Summit. The first summit took place last year 18^th November, 2016 and the same is followed by this year on 3^rd November, 2017 in Kolkata. The event was important for the eastern eco system to leverage the opportunity to meet the best CYBER SECURITY EXPERTS from all across the subcontinent and gather some of the most tenacious knowledge regarding cyber security.

Theme of the Event

‘International Security in Digital India-Threat, Challenges and Opportunities’ was the theme for the 2^nd International Infosec Summit in Kolkata this year. The program was designed for the leaders from the field of IT Infrastructure, Data Security, and Information Security.

Major topics were discussed in the event are cyber security issues in Bangladesh, Digital Forensics, creating new generation cyber militants, Cyber Economics, and much more.

The event was conceptualized exclusively for creating a mutual platform for all the stakeholders who are engaged in Information Security.

Speakers and Topics

The event had witnesses array of speakers across industry. Dr.Sanjay Bahl, Director General, Indian Computer Emergency Response Team (ICERT) was the Chief Guest of the program. Mr.Shyamal Datta (IPS – Retd., Former Director – IB, Former Governor of Nagaland) , Mr. Debasish Sen (Additional Chief Secretary-IT, Govt of Bengal), Mr. Vineet Goel, IPS (Addl CP I, CISO-Govt. of Bengal) and  Mr. Hari Kusumakar, IPS (Addl CP IV) joined him alongwish the Infosec Foundation Chairman in the gracious inaugural ceremony.

   

Other eminent personalities like Mr. Bratya Basu (Honourable MIC-IT, West Bengal), Ms.Rama Vedashree (DSCI-NASSCOM); Dr. B. M. Mehtre (IDRBT); Col Inderjeet Singh (Smartcity Expert, Ex-Director – Military Intelligence at Ministry of Defense); Mr. Vivek Srivastava (ReBIT – Reserve Bank); Mr. Deepak Kumar (Digital Forensic Expert), Mr. B.M.Zahid-Ul Haque (CISO-Brac Bank Bangladesh), Mr. Harish Agarwal (Partner, Ernst & Young), Mr.Somak Shome (Director, PWC) had enriched the audience with their deep insight in the domain.

   

Cyber Security Domain experts like Mr.Shrikant Shitole (FireEye), Mr.Nitin Varma (Palo Alto Networks), Mr. Sudeep Das (IBM), Mr. Manuj Kumar (Symantec), Mr.Kapil Awasthi (Checkpoint), Mr. Rishikesh Kamat (Netmgic), Mr. Subramanian Udaiyappan (Cisco Systems) Mr. Akshay Verma (Global Insurance), Mr.ParthaSarathi Das (Tata tele Services) had also added substantial valued to the content of the conference.

     

There was interesting topics like “Cyber Security Readiness for Digital India”, “Cyber Economics”, “Creating Next Generation Cyber Warriors”, “ The Cyber Security Architecture of the Future”, “Building a robust Cyber Security Architecture with Integrated Cyber Defense Platform”, “Machine Learning for Cyber Security”, “Cyber Security Challenges in West Bengal”, “Digital Forensics”, “Opportunities in Cyber Security space”, “Next Generation Cyber Security Trends”, “Cyber Thereats on Internet of Things”, “Threat intelligence strategy to strengthen cybersecurity posture for the financial sector”, “Cloud security”etc.

Audience

There were 250+ people attended the event with delegations from all leading corporates, enterprises, academia, government, law enforcement agencies, manufacturers, providers etc.

Anandabazar Patrika (ABP), Accenture, Allahabad Bank, Bandhan Bank, UCO Bank, United Bank of India(UBI), BRAC Bank-Bangladesh, Balmer Lawrie, Bridge & Roof, BSI, Capgemini, CESC, West Bengal State Electricity Transmission Company (WBSETCL), Criminal Investigation Department (CID) – West Bengal, Bidhannagar Cyber PS, Kolkata Police,  Exide, Genius, ICRA, ISACA, Jadavpur University, Jayashree Textiles, Linde Global, M.N. Dastur, MCKV Institute, Meghbela  Broadband, Meghnad Saha Institute of Technology, NASSCOM, National insurance, Neotia Group, NIA, CBI, NIC, NSHM, Onprocess Technology, Protiviti, PWC, Ernst & Young, Sahaj E-Village, Sillycon, Simplex Infra, Spencers, SREI Infrastructure Finance, Srijan Bhumi, TCG Digital, Techno India, TATA Pigments, Tractors India, TUV, Vedant Fashions, Vikram Solar, VISA Steel, Webel, ITC were few names of the key attendee organizations.

 

The audience were mainly from senior management, decision makers in the stature of MD, CEO, CIO, CFO, COO, GM etc.

There were 30+ Media Houses from print, television, radio and web platforms who were keen to spread the buzz to the mass audience.

Takeaways

The event had great deliberations in exchanging thoughts, knowledge, ideas, and case studies on cyber security among the speakers, audience, attendees, participating stakeholders. The same had not only generated great enthusiasm over networking, but also generated direct business opportunity.

The event has raised several voices, concerns from the community, extended government / policy makers’ roadmap, articulated steps on synchronization between stakeholders and surely created platform for enriched knowledge in order to have better wisdom. It was indeed a great platform for students, cyber aspirants to learn, engage and contribute.

4^th Edition of InfoQuest (the dedicated print journal of Information security) got unveiled during the summit. The print journal is working as a great tool as the mouthpiece of the industry in cyber security domain.

The event strengthened the thoughts driven by Infosec Foundation with the overwhelming support from all corners and laid the foundation for more positive vibes towards upcoming Infovision(CIO Roundtable), InfoQuest (Print Journal), Infoconnect (Cyber Security helpline) and well as next years International Infosec Summit.

It was amazing to see people had joined in the breakfast (before the day event for mixing sessions with the speakers) and continued to stay with the initive till late evening (cocktail dinner with the speakers and partners).

Infosec foundation had recognized several individuals for their significant contribution in the domain and the same was was followed by instrumental music.

   

Stay tuned for many interesting things ahead. Do join the movement, contribute, engage, explore and be the part of historic movement generated from Kolkata, the city of joy.

Detailed Analysis can be fetched from the link below:

Infosec Global 2017 Report

Categories: Infocon, Infosec Global, Security, Technology | Tags: cyber, information security, infosec foundation, Infosec Global, infosec17 | Permalink.

Beware of Sarahah App

Preface

Sarahah is a website created by the developer from Saudi Arabia Zain al-Abidin Tawfiq. Sarahah means candor and honesty. It has become very popular in very short time because it allows you to send messages anonymously. After registration, you got a link which you can share your friends or post it publicly. Any person can send anonymous messages using via the link you have shared.

The receiver cannot find who sent the message. The services started by the motive to allow employees to give feedback to the higher authority or employers without any fear of being fired. After getting a positive response, a mobile app is also launched to expand its huge mobile audience. After getting a positive response, he also launched a mobile app to expand its huge mobile audience. On June 13 of this year, both its iOS and Android versions of Sarahah was also released.

Sarahah was designed to be used in a workspace environment as an anonymous way to get a bit of constructive criticism. The website’s tag line reads “Get honest feedback from your coworkers and friends”. In addition, there is a dedicated section on the site about how Sarahah can be helpful at work.

But Sarahah is topping the download charts because of teenagers who are currently on summer vacation. Teenagers are putting up links on their Snapchats to get the word out.

How does Sarahah app work?

– You need to download this app and set up your profile with a custom url (For e.g, XYZ.sarahah.com)

– After registering, you will get four options:

• Messages (consists details of your sent, received and favorited messages)
• Search
• Explore (work in progress)
• Profile

– Once you log in, you can search other friends or users you want send messages to.

– Upon selecting, a message box appears, prompting the user to ‘leave a constructive message’.

– Those who want to comment can press the send button. Currently it allows only texts as messages and no graphics.

Features:

• Sarahah is unique in a couple of ways. Previous anonymous apps like Yik Yak were more of social networks. Someone could post something anonymously and anyone (either close by or online) could read the post. This is why Yik Yak was ultimately used for bullying and negative remarks. However, in Sarahah, the user is actually soliciting feedback by signing up for an account and creating the link. They’re also then deciding where to share the link so that only specific people can have access to it. The combination of these two features has so far kept the interactions as mostly positive.
• Unlike previews anonymous messaging apps, a user creates an account, produces a link and shares it with people on social media sites. Both users who are registered or not registered on Sarahah can leave a comment for the user anonymously.
• The Sarahah not only provides all essential features for anonymous messaging but privacy features also. By default, you are set to do not appear in search and non-registered users cannot send you messages.
• Sarahah provides more control to its users to the user to prevent misuse or cyber bullying which mostly happen with anonymous messaging services.
• According to the website, the intention behind the app was to strengthen the areas for improvement and enhance areas of strength. It could make drastic changes and improvement to make better professional environment if implemented everywhere.

Concerns:

Sarahah was created in the Middle East as a way for co-workers to anonymously share feedback about each other, in a region where face-to-face confrontation is not socially acceptable. Protect Young Minds goes on to say that Sarahah skyrocketed in popularity due to a new SnapChat feature that allows users to share links within their snaps. Once SnapChat users started linking to Sarahah, it went from #1500 on the iTunes charts to #1 in just 12 days.

The anonymous messaging is the convertible thing from when it has begun. Most of the people use it as a medium to threaten others. This kind of apps is used by cyber-bullies or frauds. Many Sarah users have reported the inappropriate or abusive messages.

The advent of “smart” technology has made parenting for our generation more challenging than ever before. By many, they are viewed as “fun,” “normal,” and “no big deal.” Sadly, when it comes to social media that is FAR from the truth. After reading over the weekend about the newest app, that is a threat to our kids mental and social health.

We need to know about Sarahah:

• Anonymity within apps breeds bullying and predatory behavior. Anonymity is a great enabler for those who seek to do wrong and for immature teens who do not have good impulse control.
• The foreign app makes it very difficult for law enforcement to find and prosecute those responsible if the app is used for illegal behavior like grooming potential victims or masquerading as a teen in order to get someone to meet you in real life. Other apps like Ask.fm and Kik are foreign-owned and this has proved to be a huge challenge as well.
• The Access can be blocked. The parents need to prevent access to the iTunes App store and Google Play to control an app like Sarahah

Think and apply your mind before being flown with the trend!

Categories: Security, Social | Tags: sarahah, sarahah app | Permalink.