Sushobhan Mukherjee



GDPR – The Essentials

Preface

Data privacy and protection are gaining attention worldwide. In line with this trend, the European Union has introduced a new framework to safeguard the data and privacy of its citizens.

This framework is the General Data Protection Regulation (GDPR). It supersedes the UK Data Protection Act 1998 and will apply from 25th May, 2018. Companies connected to the EU therefore need to prepare as soon as possible, bearing in mind that some obligations may be expensive and implementation will be time-consuming.

The new regulation introduces a set of rules, which require organizations to implement controls to protect personal data. The new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organizations to be more accountable for data protection.

GDPR compliance demands strict adherence to the data protection principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies, procedures and technology are in place to deal with the transparency, accountability and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.

With the appropriate compliance framework in place, organizations will not only be able to avoid significant fines and reputational damage; they will also be able to show customers that they are trustworthy and responsible, and derive added value from the data they hold.

What is personal data?

GDPR is designed to enable individuals to better control their personal data.

“Personal data” is defined in the GDPR as any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. In other words, any data or processes that can identify the subject comprise that individual’s personal data.

Personal data is any piece of data that allows one to identify a specific person. That is the shortest and most practical definition. Let’s understand the context using a few email addresses.

info@infoconglobal.org is not a piece of personal data, as it isn’t assigned to a specific person at a company. It doesn’t imply who the owner of the address is; it points to a company, not a person.

sushobhan@infoconglobal.org is a piece of personal data, as it is assigned to a specific person at a company. It does imply who the owner of the address is, or at least it gives you enough information to identify a specific person at a company.

sushobhanm@gmail.com is a piece of personal data, as it is assigned to a specific person.

Whether we work within a B2B or a B2C domain, we administer or process some kind of personal data. Most probably it is the data of our clients, our prospects, our users, our email list subscribers, or our employees.

GDPR is not about regulating email sending. It is about regulating the ways in which you administer and process the personal data of EU citizens in general. An email address is just an example here; in various contexts, data such as telephone numbers, addresses and identification numbers may be treated as personal data as well.

Requirements of GDPR 2018

The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:

  • Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
  • Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
  • Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify the supervisory authorities (SAs) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
  • Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
  • Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with the Supervisory Authorities (SAs). Some companies may be subject to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
  • Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
  • Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
  • Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.

GDPR Checklist

GDPR comprises a list of specifications on how businesses should process and handle personal data. In effect, the regulation is there to ensure that private data is processed with transparency under the new law, for a clearly stated purpose, with the end user’s consent. Once that purpose is fulfilled, the data should be deleted, provided there are no legally binding regulations in the country or business that require otherwise.

The GDPR allows users more flexibility over what they have shared. Users have the right to access, modify, rectify and delete their data altogether, among other things. The regulation will also set the foundations for a uniform set of data protection policies throughout the European Union. In other words, where there used to be a different set of rules per country, there is now one. Dated as the old rules were, this radical change in data protection rules was much needed.

The first step towards compliance is mapping the data flow, which enables us to assess our privacy risks. This includes understanding and documenting the following:

  • What kind of personal data is collected (e.g., name, email, address)?
  • How is it collected (e.g., form, online, call center)?
  • Where is it stored?
  • How is it processed?
  • Is the data encrypted?
  • Who is accountable for personal data?
  • What is the location of the systems/filing systems containing the data?
  • Who has access to the information?
  • Is the information disclosed/shared with anyone (e.g., suppliers, third parties)?
  • Does the system interface with or transfer information to other systems?
  • How long do we keep it?

GDPR impacts

The GDPR impacts many areas of an organization: legal and compliance, technology, and data.

  • Legal & Compliance: The GDPR introduces new requirements and challenges for legal and compliance functions. Many organizations will require a Data Protection Officer (DPO), who will have a key role in ensuring compliance. If the GDPR is not complied with, organizations will face the heaviest fines yet – up to 4% of global turnover. A renewed emphasis on organizational accountability will require proactive, robust privacy governance, requiring organizations to review how they write privacy policies so as to make these easier to understand.
  • Technology: New GDPR requirements will mean changes to the ways in which technologies are designed and managed. Documented privacy risk assessments will be required to deploy major new systems and technologies. Security breaches will have to be notified to regulators within 72 hours, meaning implementation of new or enhanced incident response procedures. The concept of ‘Privacy by Design’ has now become enshrined in law, with the Privacy Impact Assessment expected to become commonplace across organizations over the next few years. Organizations will also be expected to look more into data masking, pseudonymization and encryption.
  • Data: Individuals and teams tasked with information management will be challenged to provide clearer oversight of data storage, journeys, and lineage. Having a better grasp of what data is collected and where it is stored will make it easier to comply with new data subject rights – the rights to have data deleted and to have it ported to other organizations.

Controller vs. processor

There are two types of responsibilities regarding the protection of personal data: data “controllers” and data “processors.” Specifically, any business that determines the purposes and means of processing personal data is considered a “controller.” Any business that processes personal data on behalf of the controller is considered a “processor.” For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank.

In fact, some organizations have no control over the data they store on behalf of their customers. The question is: within the EU GDPR, what are the responsibilities of these organizations if they store personal data? Are they covered by the new European regulation?

According to Article 4 of the EU GDPR, the different roles are identified as indicated below:

  • Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
  • Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

Both organizations are responsible for handling the personal data of these customers.

EU GDPR vs ISO 27001 and 27018

The ISO 27001 standard is a framework for information protection. If the implementation of ISO 27001 identifies personal data as an information security asset, and those that store/process personal data in the cloud follow the ISO 27018 recommendations, most of the EU GDPR requirements will be covered.

The ISO 27000 series of standards provides the means to ensure this protection. There are many points where the ISO 27001 and ISO 27018 standards can help achieve compliance with this regulation. Here are just a few of the most relevant ones:

  • Risk assessment – Because of the high fines defined in the EU GDPR and their major financial impact on organizations, it is natural that the risk found during risk assessment regarding personal data will be too high not to be dealt with. In addition, one of the new requirements of the EU GDPR is the implementation of Data Protection Impact Assessments, where companies first have to analyze the risks to privacy, just as is required by ISO 27001. While implementing ISO 27001, personal data must of course be classified as of high criticality; according to control A.8.2.1 (Classification of information), “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”
  • Compliance – By implementing ISO 27001, because of control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with EU GDPR (see section above), this regulation will have to be part of this list. In any case, even if the organization is not covered by the EU GDPR, control A.18.1.4 (Privacy and protection of personally identifiable information) of ISO 27001 guides organizations in the implementation of a data policy and protection of personally identifiable Information. For cloud services providers, ISO 27018 control A.11.1 (Geographical location of PII) recommends that contractual agreements for international transfer of data must be available to cloud service customers.
  • Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. The implementation of ISO 27001 control A.16.1 (Management of information security incidents and improvements) will ensure “a consistent and effective approach to the management of information security incidents, including communication on security events.” For cloud service providers, ISO 27018 has control A.9.1 (Notification of a data breach involving PII), with specific recommendations for preparation and handling of data breach incidents. According to EU GDPR, data subjects (“a living individual to whom personal data relates”) will also have to be notified, but only if the data poses a “high risk to data subjects’ rights and freedom.” The implementation of incident management, which results in detection and reporting of personal data incidents, will bring an improvement to the organization wishing to conform to GDPR.
  • Asset management – The ISO 27001 control A.8 (Asset management) leads to inclusion of personal data as information security assets, and allows organizations to understand what personal data is involved and where to store it, how long, its origin, and who has access, which are all requirements of EU GDPR.
  • Privacy by Design – The adoption of Privacy by Design, an EU GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 control A.14 (System acquisitions, development and maintenance) ensures that “information security is an integral part of information systems across the entire lifecycle.” For cloud service providers, ISO 27018 control A.4.2 recommends that secure erasure of temporary files should be considered as a requirement for information systems development.
  • Supplier Relationships – The ISO 27001 control A.15.1 (Information security in supplier relationships) aims for the “protection of the organization’s assets that are accessible by suppliers.” For cloud service providers, ISO 27018 recommends explicit definition of responsibilities of cloud service provider, sub-contractors, and cloud service customers.

Way Forward

The implementation of ISO 27001 covers most of the requirements of the EU GDPR; however, some controls should be adapted to include personal data within the Information Security Management System (ISMS).

In addition to ISO 27001, some measures will have to be included in order for an organization, whether controller or processor, to ensure compliance with the EU GDPR, such as procedures for ensuring the exercise of the rights of data subjects, mechanisms for the transfer of data outside the EU, the minimum content of the impact assessment on data protection, and procedures to be followed in case of a violation of personal data. All these controls can be integrated into the Information Security Management System, which supports legal compliance and continuous improvement, even more so when the ISMS and the EU GDPR are aligned.

The organizations covered by the EU GDPR have until May 2018 to implement a set of measures that may imply a drastic change in their way of operating. Not knowing where to start can make this whole process unnecessarily complex. Therefore, the implementation of an ISMS compliant with ISO 27001 is a sure step for an organization to achieve compliance with EU GDPR.

  • Gap analysis: Experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
  • Data flow audit: Data mapping involves plotting all of your data flows and drawing up an extensive inventory of the data, to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
  • DPO as a service: Outsourcing the DPO role can help your organization address the compliance demands of the GDPR while staying focused on its core business activities.
  • Implementing a personal information management system (PIMS): Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favorably by the regulator when it comes to DPA compliance.
  • Implementing an ISMS compliant with ISO 27001.
  • Cyber-health check: A combination of on-site and remote vulnerability assessments to assess your cyber-risk exposure.

GDPR compliance may be tough, but data security and privacy are worth the extra effort. Any company that complies with the GDPR sends the message that it cares about customer data privacy.

Be proactive on data protection, privacy, confidentiality and integrity. Enjoy the benefits of GDPR.


“Infosec Global 2017”, International Infosec Summit in Kolkata

Preface

Winter in Kolkata has its own charming flair, and “InfoSec Global” has added a new feather to the city’s cap with a mega InfoSec summit since last year.

This year, “InfoSec Global 2017”, the international InfoSec summit, took place at The Park, Kolkata on 3rd November, 2017.

Even though there is a lot of buzz around cyber security, there are many gaps as well. The areas of concern touch everyone: our ignorance, overconfidence and complacency. We keep on complaining that things are not happening the way we think they should. However, many things are happening as well. We need to open our minds and think convergently. It’s time to complement instead of complaining.

The government is devising many strategies on cyber for the benefit of citizens. Law enforcement authorities are doing their work at the ground level. Enterprises are taking a lot of initiatives to implement tools, technologies and processes.

The challenge is how to bind all of these together: how to aggregate efforts, consolidate and converge in order to make them meaningful for society and civilization. InfoSec Foundation is trying to drive this across the globe.

InfoSec Foundation intends to work as the voice of citizens, bringing all stakeholders together to create a more aware and responsive ecosystem: connecting and extending initiatives that have not reached their target audiences, finding gaps, and raising the silent voice so that it reaches the ears of policy makers and functionaries.

Summits, CIO roundtables, print journals, cyber security helplines, a cyber security curriculum for the next generation – these are a few envisaged areas in which we have already started working in India, Bangladesh, the UK and Africa.

InfoSec Global 2017 is the outcome of the same vision, driven by Infosec Foundation.

Infosec Global 2017, Kolkata

Ignite cyber security!! That’s the mantra. And to enkindle it, Infosec Foundation has taken on the important responsibility of the International InfoSec Summit. The first summit took place last year, on 18th November, 2016, and it was followed this year on 3rd November, 2017 in Kolkata. The event was important for the eastern ecosystem as an opportunity to meet the best CYBER SECURITY EXPERTS from all across the subcontinent and gather some of the most tenacious knowledge regarding cyber security.

Theme of the Event

‘International Security in Digital India-Threat, Challenges and Opportunities’ was the theme for the 2nd International Infosec Summit in Kolkata this year. The program was designed for the leaders from the field of IT Infrastructure, Data Security, and Information Security.

Major topics discussed at the event were cyber security issues in Bangladesh, digital forensics, creating a new generation of cyber militants, cyber economics, and much more.

The event was conceptualized exclusively for creating a mutual platform for all the stakeholders who are engaged in Information Security.

Speakers and Topics

The event witnessed an array of speakers from across the industry. Dr. Sanjay Bahl, Director General, Indian Computer Emergency Response Team (ICERT), was the Chief Guest of the program. Mr. Shyamal Datta (IPS – Retd., Former Director – IB, Former Governor of Nagaland), Mr. Debasish Sen (Additional Chief Secretary-IT, Govt of Bengal), Mr. Vineet Goel, IPS (Addl CP I, CISO-Govt. of Bengal) and Mr. Hari Kusumakar, IPS (Addl CP IV) joined him, along with the Infosec Foundation Chairman, in the gracious inaugural ceremony.

Other eminent personalities like Mr. Bratya Basu (Honourable MIC-IT, West Bengal), Ms. Rama Vedashree (DSCI-NASSCOM); Dr. B. M. Mehtre (IDRBT); Col Inderjeet Singh (Smartcity Expert, Ex-Director – Military Intelligence at Ministry of Defense); Mr. Vivek Srivastava (ReBIT – Reserve Bank); Mr. Deepak Kumar (Digital Forensic Expert), Mr. B.M. Zahid-Ul Haque (CISO-Brac Bank Bangladesh), Mr. Harish Agarwal (Partner, Ernst & Young), Mr. Somak Shome (Director, PWC) enriched the audience with their deep insight into the domain.

Cyber security domain experts like Mr. Shrikant Shitole (FireEye), Mr. Nitin Varma (Palo Alto Networks), Mr. Sudeep Das (IBM), Mr. Manuj Kumar (Symantec), Mr. Kapil Awasthi (Checkpoint), Mr. Rishikesh Kamat (Netmgic), Mr. Subramanian Udaiyappan (Cisco Systems), Mr. Akshay Verma (Global Insurance), Mr. ParthaSarathi Das (Tata Tele Services) also added substantial value to the content of the conference.

There were interesting topics like “Cyber Security Readiness for Digital India”, “Cyber Economics”, “Creating Next Generation Cyber Warriors”, “The Cyber Security Architecture of the Future”, “Building a robust Cyber Security Architecture with Integrated Cyber Defense Platform”, “Machine Learning for Cyber Security”, “Cyber Security Challenges in West Bengal”, “Digital Forensics”, “Opportunities in Cyber Security space”, “Next Generation Cyber Security Trends”, “Cyber Threats on Internet of Things”, “Threat intelligence strategy to strengthen cybersecurity posture for the financial sector”, “Cloud security”, etc.

Audience

More than 250 people attended the event, with delegations from all leading corporates, enterprises, academia, government, law enforcement agencies, manufacturers, providers, etc.

Anandabazar Patrika (ABP), Accenture, Allahabad Bank, Bandhan Bank, UCO Bank, United Bank of India (UBI), BRAC Bank-Bangladesh, Balmer Lawrie, Bridge & Roof, BSI, Capgemini, CESC, West Bengal State Electricity Transmission Company (WBSETCL), Criminal Investigation Department (CID) – West Bengal, Bidhannagar Cyber PS, Kolkata Police, Exide, Genius, ICRA, ISACA, Jadavpur University, Jayashree Textiles, Linde Global, M.N. Dastur, MCKV Institute, Meghbela Broadband, Meghnad Saha Institute of Technology, NASSCOM, National Insurance, Neotia Group, NIA, CBI, NIC, NSHM, Onprocess Technology, Protiviti, PWC, Ernst & Young, Sahaj E-Village, Sillycon, Simplex Infra, Spencers, SREI Infrastructure Finance, Srijan Bhumi, TCG Digital, Techno India, TATA Pigments, Tractors India, TUV, Vedant Fashions, Vikram Solar, VISA Steel, Webel and ITC were a few of the key attendee organizations.

The audience was mainly senior management and decision makers of the stature of MD, CEO, CIO, CFO, COO, GM, etc.

There were 30+ media houses from print, television, radio and web platforms who were keen to spread the buzz to the mass audience.

Takeaways

The event had great deliberations in exchanging thoughts, knowledge, ideas, and case studies on cyber security among the speakers, audience, attendees and participating stakeholders. It not only generated great enthusiasm over networking, but also generated direct business opportunities.

The event raised several voices and concerns from the community, extended the government’s and policy makers’ roadmap, articulated steps on synchronization between stakeholders and surely created a platform for enriched knowledge in order to have better wisdom. It was indeed a great platform for students and cyber aspirants to learn, engage and contribute.

The 4th edition of InfoQuest (the dedicated print journal of information security) was unveiled during the summit. The print journal is working as a great tool and as the mouthpiece of the industry in the cyber security domain.

The event strengthened the thoughts driven by Infosec Foundation with overwhelming support from all corners, and laid the foundation for more positive vibes towards the upcoming Infovision (CIO Roundtable), InfoQuest (Print Journal), Infoconnect (Cyber Security helpline), as well as next year’s International Infosec Summit.

It was amazing to see that people joined the breakfast (before the day’s events, for mixing sessions with the speakers) and continued to stay with the initiative till late evening (cocktail dinner with the speakers and partners).

Infosec Foundation recognized several individuals for their significant contribution to the domain, and this was followed by instrumental music.

Stay tuned for many interesting things ahead. Do join the movement, contribute, engage, explore and be part of the historic movement generated from Kolkata, the city of joy.

Detailed Analysis can be fetched from the link below:

Infosec Global 2017 Report


Data Leakage using Social Fun App

“What was the old age?”

“Who is your favorite friend?”

“How many lovers do you have?”

“Which celebrity looks like you?”

“Who will kill you?”

Do you feel you have heard these questions several times in the recent past? Yes, you are right. These are the questions and answers generated by a fun app named “Testony” (https://en.testony.com/). There are a few more similar fun apps, like Nametest (https://en.nametests.com/), http://en.quizzstar.com/, https://sharmin.me/, http://meawquiz.com/ and so on. Of these, Testony seems to be the most popular, as Facebook got flooded with its output results.

How do these apps work? They ask for some access permissions, mainly on Facebook (or similar social applications), and in return they get useful data like email, messages, contacts, profile, “about” information, date of birth, etc. In some cases, you have to log in to Facebook and approve the application, so your information can be seen by all those applications, and it is not impossible for back-end scripts to learn your password.

Did you ever think how the collection or leakage of data has become a cakewalk with this revolutionary marketing intelligence? This is a honey trap: using social media and funny apps, all information about a person is collected with the user’s consent but without their awareness. These kinds of apps are nothing but algorithmic data collection software with various sample sizes and segments across the globe.

Almost everyone has been trapped by this, just for a bit of fun. Unintentionally, all your online information, content, email lists, phonebooks, surfing patterns and browsing history are being collected by an unknown third party and retained in their repository. Do they have any accountability? What do we know about how the millions of records they hold are being used? Is there any guarantee that this information will not be used for spamming or hacking?

It is clearly stated on the “Testony” site that they can use your information in business. You might get newsletters, mails and SMS as part of targeted advertisement for several products. This applies to the countries of America and Europe, though nothing is explicitly defined for India and other countries.

We laugh with our friends about it, but by revealing all our personal data to the hacker we are putting ourselves in the danger zone.

With this information, hacking or phishing may be child’s play for a hacker.

Immediate Resolution

To keep yourself on the safe side, follow these steps to secure yourself:

  1. Hide all the Testony app posts from your timeline.
  2. If you have already used this app, you must change your password immediately. If your Facebook email and password are reused for any other email or account, you must change that as well.
  3. Now go to the application settings tab of your Facebook account and remove the app from your list. As the note shown there says, Testony.com may still have the data you shared with them; for details about removing this data, contact testony.com or visit the testony.com privacy policy.

Way Forward

We all daydream. Everyone would love to be compared with a superhero, a politician, a sportsman or a historic character, and then feel proud or overwhelmed at the likes and comments received on social media.

We are flooded with enough Internet data, but we need to learn to use it, and to avoid its misuse.

The time has come to be careful and not to share your valuable and secret information with any third party in this manner.


Resolution for WannaCry ransomware

What has happened?

UK hospitals, Telefonica, FedEx, and other businesses were hit by a massive ransomware attack last Friday (12-05-2017). Around 75,000 computers in 99 countries were affected by malware known as “WannaCry”, which encrypts a computer and demands a $300 ransom before unlocking it. The malware was able to spread thanks to flaws in old versions of Windows that were originally used by the NSA to hack into PCs, before being made public by the Shadow Brokers group last month.

Among those infected were more than a dozen hospitals in England, a telecom in Spain, FedEx’s offices in the United Kingdom, and apparently, the Russian Interior Ministry. Within half a day, there were instances detected on six continents.

Several firms in Europe were the first to report having their mission-critical Windows systems locked, showing a ransom note. This quickly developed into one of the most widespread ransomware outbreaks currently affecting a large number of organizations around the world. Some affected organizations had to take their IT infrastructure offline, with victims in the healthcare industry experiencing delayed operations and forced to turn away patients until processes could be re-established.

Brief on WannaCry ransomware

WannaCry/Wcry ransomware is a relatively new ransomware variant which popped up using the file hosting service Dropbox. This comes on the heels of a TorrentLocker variant that was using abused Dropbox accounts to spread its payload.

Wcry initially spreads via an email, a malicious website, or dropped by another malware. Once the malware gains access to a user’s system, it drops its prerequisite files and components, after which it prompts the user to download files from Dropbox URLs (Dropbox has already been notified of these links, which have since been removed). These files include the TOR Browser Bundle and the executable file “!WannaDecryptor!.exe”. If the user clicks on the executable file, Wcry will display the ransom note shown below:

Who are affected?

This variant of the WannaCry ransomware attacks older Windows-based systems, and is leaving a trail of significant damage in its wake. Europe has the highest detections for the WannaCry ransomware. The Middle East, Japan, and several countries in the Asia Pacific (APAC) region show substantial infection rates as well.

WannaCry infections were seen across various enterprises, including those in healthcare, manufacturing, energy (oil and gas), technology, food and beverage, education, media and communications, and government. Given the widespread nature of this campaign, it does not appear to be targeting specific victims or industries.

What does WannaCry ransomware do?

WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database, multimedia and archive files, as well as Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given a seven-day limit before the affected files are deleted—a commonly used fear-mongering tactic.

WannaCry leverages CVE-2017-0144, a vulnerability in Server Message Block (SMB), to infect systems. The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the “EternalBlue” exploit, in particular. Microsoft’s Security Response Center (MSRC) team addressed the vulnerability in MS17-010, released in March 2017.

What makes WannaCry’s impact pervasive is its capability to propagate. Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. All it takes is for one user on a network to be infected to put the whole network at risk. WannaCry’s propagation capability is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several variants of Cerber—all of which can infect systems and servers connected to the network.

Observations

The malware uses the MS17-010 exploit to distribute itself. This is an SMB vulnerability that allows remote code execution; details: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

With MS17-010, the attacker can use just one exploit to gain remote access with SYSTEM privileges, copy the payload to the host and transfer control to it later.

Because control over the victim PC is gained remotely with SYSTEM privileges and without any user action, an attacker who controls one system inside a local network can spray the malware across that network, taking over every system that is affected by this vulnerability and not yet fixed. That one system then spreads the ransomware to all Windows systems on the network that are vulnerable and not patched against MS17-010.

Behavior:

Using the following command line, the ransomware removes the Volume Shadow Copies and the backup catalog and disables Windows recovery:

Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

The file size of the ransomware is 3.4 MB (3514368 bytes).

The authors called the ransomware “WANNACRY”; the string is hard-coded in the samples.

The ransomware writes itself into a randomly named folder under C:\ProgramData with the file name “tasksche.exe”, or into the C:\Windows\ folder with the file names “mssecsvc.exe” and “tasksche.exe”.

Examples:

C:\ProgramData\lygekvkj256\tasksche.exe

C:\ProgramData\pepauehfflzjjtl340\tasksche.exe

C:/ProgramData/utehtftufqpkr106/tasksche.exe

c:\programdata\yeznwdibwunjq522\tasksche.exe

C:/ProgramData/uvlozcijuhd698/tasksche.exe

C:/ProgramData/pjnkzipwuf715/tasksche.exe

C:/ProgramData/qjrtialad472/tasksche.exe

c:\programdata\cpmliyxlejnh908\tasksche.exe

The ransomware grants Everyone full access to all files using the command:

Icacls . /grant Everyone:F /T /C /Q

It uses a batch script for its operations: 176641494574290.bat
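As an added example (not part of the original post), the following Python rule set flags the host behaviours listed above in process-creation events of the kind Sysmon or an EDR agent records: the shadow-copy and backup-catalog deletion chain, the icacls grant to Everyone, and the reported drop paths for tasksche.exe and mssecsvc.exe. The event records, their "image"/"cmdline" field names and the benign control events are constructed for this example and are not real telemetry.

```python
import re

# Destructive commands from the command chain quoted above, matched
# case-insensitively against the full command line of a process event.
DESTRUCTIVE_PATTERNS = {
    "shadow_copy_delete":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "recovery_disabled":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "backup_catalog_delete":
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    # Everyone:F applied recursively to the current directory: every file becomes writable.
    "everyone_full_access":
        re.compile(r"\bicacls(?:\.exe)?\s+.*?/grant\s+Everyone:F\b", re.I),
}

# Drop locations listed in the observations: a random letters+digits folder
# under ProgramData holding tasksche.exe, or mssecsvc.exe / tasksche.exe
# directly under the Windows folder.
PROGRAMDATA_DROP = re.compile(r"^[a-z]:\\programdata\\[a-z]+\d+\\tasksche\.exe$", re.I)
WINDOWS_DROP = re.compile(r"^[a-z]:\\windows\\(?:mssecsvc|tasksche)\.exe$", re.I)


def normalize_path(path):
    """Lower-case the path and collapse forward slashes to backslashes, so paths
    reported either way (C:/ProgramData/... or C:\\ProgramData\\...) compare equal."""
    return path.strip().replace("/", "\\").lower()


def classify(event):
    """Return the names of all rules an event triggers (empty list if none).

    `event` is a dict with "image" (executable path) and "cmdline" fields; these
    field names are an assumption of this example, not a Sysmon schema.
    """
    hits = []
    image = normalize_path(event.get("image", ""))
    if PROGRAMDATA_DROP.match(image) or WINDOWS_DROP.match(image):
        hits.append("suspicious_drop_path")
    cmdline = event.get("cmdline", "")
    for name, pattern in DESTRUCTIVE_PATTERNS.items():
        if pattern.search(cmdline):
            hits.append(name)
    return hits


def scan(events):
    """Map the index of every event that triggers a rule to its list of rule names."""
    findings = {}
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[index] = hits
    return findings


# Constructed sample events (not real telemetry), mixing the behaviours
# described above with two benign administrative actions.
SAMPLE_EVENTS = [
    # 0: the shadow-copy and backup-catalog destruction chain quoted above
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
                r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    # 1: payload in a random folder under ProgramData, reported with forward slashes
    {"image": "C:/ProgramData/utehtftufqpkr106/tasksche.exe",
     "cmdline": "tasksche.exe"},
    # 2: ACLs loosened so that every file can be overwritten
    {"image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"Icacls . /grant Everyone:F /T /C /Q"},
    # 3: dropper placed directly under the Windows folder
    {"image": r"C:\Windows\mssecsvc.exe",
     "cmdline": r"C:\Windows\mssecsvc.exe"},
    # 4: benign: an administrator listing shadow copies
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    # 5: benign: an ordinary updater in a vendor-named ProgramData folder
    {"image": r"C:\ProgramData\Vendor\updater.exe",
     "cmdline": r"C:\ProgramData\Vendor\updater.exe /check"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(hits)}")
```

The two benign events show why the rules match on the full deletion verbs and the exact drop-path shape rather than on tool names alone: vssadmin and ProgramData are used legitimately every day.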

What can we do?

WannaCry highlights the real-life impact of ransomware: crippled systems, disrupted operations, marred reputations, and the financial losses resulting from being unable to perform normal business functions—not to mention the cost of incident response and clean up.

Here are some of the solutions and best practices that organizations can adopt and implement to safeguard their systems from threats like WannaCry:

Patching

  • The ransomware exploits a vulnerability in the SMB server. Patching is critical for defending against attacks that exploit security flaws. A patch for this issue is available for Windows systems, including those no longer supported by Microsoft. Here are the patch details from Microsoft.
  • Additional patches for older OSes not already included in the main MS17-010 bulletin above are available from the Microsoft Update Catalog (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598).
  • Upgrade from obsolete Windows versions to the latest one. If cost is a concern, you may easily migrate to a Linux environment.
  • Where old hardware cannot run the latest Windows version, desktop virtualization (thin client/zero client) is the better option and simplifies future operations and management.
  • The WannaCry ransomware appears to attack only unpatched computers running Windows 10. But this does not mean that those whose computers run Apple or Linux software should feel smug; they, too, should apply software patches regularly as they are issued.

Endpoint and Gateway Security

  • Ensure desktop, laptop and mobile devices are protected with antivirus, a personal firewall, anti-malware and similar controls. If possible, choose a complete protection suite from an OEM that is already internationally benchmarked.
  • Deploying firewalls and intrusion detection/prevention systems can help reduce the spread of this threat. WannaCry reportedly also uses spam as an entry point, so identifying the red flags of socially engineered spam emails that carry system exploits helps. IT and system administrators should deploy security mechanisms that can protect endpoints from email-based malware.
  • A security system and practice for continuous monitoring and management must be in place so that potential attacks in the network can be acted on proactively.
  • WannaCry drops several malicious components on the system to conduct its encryption routine. Whitelist-based application control can prevent unwanted and unknown applications from executing, and behaviour monitoring can block unusual modifications to the system. Ransomware uses a number of techniques to infect a system; defenders should use a number of techniques to protect theirs.

Regular Backup

  • Ransomware targets the files and software on your system, so it is best to keep them backed up regularly. The best way is to keep the backup offline, on an external hard disk kept out of reach of the Internet.
  • If backups are taken to the cloud, the backup mechanism should run at intervals; it should not be permanently connected.
  • Ransomware infects at the system level, so a complete backup of your Windows OS will also be helpful.

Connectivity

  • Ransomware attacks all arrive through the Internet, so it is essential to control the path between your computer and the Internet.
  • WannaCry encrypts files stored on local systems and network shares. Implementing data categorization helps mitigate the damage from a breach or attack by protecting critical data in case it is exposed.
  • Network segmentation can also help prevent the spread of this threat internally. Good network design can help contain the spread of this infection and reduce its impact on organizations.
  • Whenever connectivity is not needed, the path should be closed or the connection disconnected.
  • When you use public WiFi networks, make sure you tell your system that you are on a public network (many systems ask whether it is a public or home network). That tells your operating system that it is operating in a potentially threat-filled environment, and it will close off some of its more vulnerable software ports to the outside.

Proactive Measures instead of Reactive

This is not the end of it; more destructive versions will be popping up soon, so remediating the present threat alone will not give us a resolution. Security is a journey, not a one-time fix. The measures below should give us some breathing space:

  1. Network and application audits at regular intervals (vulnerability assessment and penetration testing)
  2. Third-party risk assessment and business continuity planning
  3. Information security process adherence as per international benchmarking, certification, compliance and regular governance
  4. Remediation on a continuous basis as per gap analysis
  5. Deployment of tools and technologies for proactive measures
  6. Close harmony between people, process and tools


INFOCON 2016 – Mega Infosec Summit in Kolkata

Winter in Kolkata has many flavours: charming weather, sweets prepared from “Nolen Gur”, the circus, picnics, hopping between the Zoo, the Museum, Science City and Nicco Park, and various fairs, exhibitions and summits. With the growing problem of global warming, Kolkata is not far behind in experiencing a diminishing winter along with other fading glories.

Yet the charms of life, the spirit of soulmates and the passion of humanity still stand ahead of any advanced city across the globe.

On November 18, 2016, Kolkata proved it once again. The winter in Kolkata added a new feather to her cap with a mega infosec summit called “Infocon Kolkata 2016” at the CII-Suresh Neotia Centre of Excellence, Saltlake.

Infocon Global is essentially an idea which has manifested itself through deliberations, practice, my day-to-day business operations as CEO of Prime Infoserv LLP, and interactions with clients, competitors, colleagues and peers.

As we converge towards an increasingly connected world, information floods between anything and everything, and information security naturally becomes a point of concern. People start panicking and common sense takes a back seat. But there is a solution to every problem, and countermeasures to defend, protect and launch an offensive do exist as well. The mechanisms, processes and knowledge, however, are in silos and are not meaningfully available as a whole. Different, piecemeal, ad hoc and fragmented measures are projected as solutions, leaving people more anxious and confused, and decision making culminates in dilemma.

“Infocon Global” is envisioned as a platform to address the burning concerns of the community. The idea is to engage different stakeholders, including partners, customers, manufacturers, policy makers, academicians, regulators and end-users, to cross-pollinate and create unbiased and true wisdom through awareness and the sharing of best practices. Infocon 2016 is a continuation of this search for collaborative wisdom. Prior to it, two similar events were organized on this theme by us, one in Bangladesh and the other in the United Kingdom, again in a collaborative model.

“Infocon Kolkata 2016” is more like a milestone in a relay race, because the issue is truly global and will affect not only us but our next generation. In an information-intensive society, every component of society will be impacted by any cyber-attack or security breach. To have as much harmony and totality as possible, we brought together experts and organizations from technology, process and people consulting, law enforcement, financial institutions, policy making, data handling, cyber law, policing and so on. What is interesting to observe is that all these diverse fields of society overlap with one another, just as the Internet is going to overlap all areas of our lives, which we call the Internet of Things.

The event was inaugurated by the Chief Guest, Shri H K Kusumakar, Additional CP IV, Kolkata Police, along with Swami Vedatitananda, Ramakrishna Mission Shilpamandira, Belur Math; Mr. Nirupam Chaudhari, Regional Head – Nasscom; Mr. Manjit Nayek, Additional Director – STPI Kolkata Centre; and Mr. Hemant Chhabria, Member of COMPASS and Founder of justvideos.

The first session after the inauguration was by Mr. Sukhminder Singh Sidana, National Manager – Government & Public Sector Business, Sonicwall, on “How to Protect Your Organization from Ransomware”, a burning topic in today’s world.

The number of successful cyber-attacks continues to increase, threatening financial and personal security worldwide, and cyber forensics is undergoing a paradigm shift. Mr. Jayanta Parial, Principal Engineer, CDAC, conducted the next session on “Cyber Forensic Needs and Current Scenarios”.

The next session was delivered by Mr. Joydeep Bhattacharya, Chief Operating Officer at TCG Digital Solutions Private Limited. The audience was stunned by the relevance and depth of the topic, “Creating Real World Simulation for Training and Network Resiliency”.

Further deliberation on Data Centre Security took the form of a panel discussion. The panel was led by Mr. Shyamal Bhattacharya, CEO of Technoplace Consultants. The eminent panellists were Mr. Siddhartha Chakraborty, Officer-in-Charge, Cyber Police Station, Kolkata Police; Mr. Suketu Vichhivora, Vice President – Sales and Solution, Nxtra Data; Mr. Saibal Sarkar, NIC; and Mr. Vivek Gupta, DGM and CISO, Allahabad Bank.

The last session before lunch was by Mr. Kanchan Mallick, Regional Manager at Trend Micro for Eastern India, Bangladesh, Bhutan & Nepal. His insights on targeted attacks were major takeaways for the audience.

The lunch was designed with an authentic Bengali touch of the winter season. The peas kochuri, chana dal, diamond fish fry, cauliflower roast, dhoka curry, dahi fish, mutton, chatni, gulab jamun, ras malai and ice-cream were all served with a personal touch and the aroma and taste of traditional Bengal.

After lunch, the summit witnessed the launch of our journal and mouthpiece on information security, named Infoquest. Infoquest is a journal with a broad-spectrum treatment of the theme of information security for interdisciplinary stakeholders. It captures in the lens of words the kaleidoscopic perspectives on the theme, with contributions from a wide group of authors in India and abroad. Infoquest was formally launched by Sri Syed Waquar Raza, IPS, SS(Spl), CID, West Bengal, along with the Editor-in-Chief, Mr. Pritam Bhattacharya; Mr. Kamal Agarwal, Chairman, Eastern Regional Product Council – Nasscom; and me as chairman of Infocon Global. We were overwhelmed by the contributions we received when we launched our Call for Papers. Infoquest is planned as a quarterly journal, and we hope it will continue to receive your patronage and co-operation.

Our next session was a workshop on “Real Time Information Security Issues Handling as per Best Practices Worldwide”. It was conducted by Mr. Pritam Bhattacharyya, Founder and Chief Wordsmith, Wordsmith Communication, and Mr. Kaushik Bhattacharyya, Business Strategy Consultant. The workshop was designed to derive solutions to real-life problems from audience input, validated by the expert panel. This was a clear-cut differentiator from other conferences, engaging the audience in a better way.

Mr. Koushik Nath, VP Systems Engineering, India & SAARC, Cisco Systems, conducted the next session on “Advanced Security Threat Analysis”. Mr. Nath held the audience spellbound with his audio-visual presentations and unmatched style.

The next session covered the ground reality of cyber crime, presented by the people who handle it in their professional lives every day: the CID Cyber Crime Technical Expert Team.

The following session was conducted by Mr. Ravindra NR, Sr. General Manager, IT & ITES, BSI. The topic, “Cloud Security”, was relatively new for the audience but a true eye-opener on present emerging trends.

Next was a panel discussion on the topic “Latest Cyber Security Threats and Mitigation Strategies”. The panel was moderated by Mr. Arun Agarwal, Chairman and Managing Director, Ebizindia Consulting, with eminent panellists Mr. Sandeep Sengupta, MD – ISOAH; Mr. Rajarshi Banerjee, Technical Lead, Cyber Crime, CID; Mr. Angsuman Pal, STF, Kolkata Police; and Mr. Biraj Karmakar, Mozilla Rep and Mentor. The session revealed key takeaways for today’s always-connected generation.

The final session of the day was on “Large Enterprise Strategy of Information Security Handling”, presented by Mr. Abhijit Chatterjee, CIO, Karam Chand Thapar Group. It was like hearing it from the horse’s mouth: the real strategies adopted in real-life situations.

We then moved from information security to some soul-warming music, with a performance by the Bengali folk band Surma Dohar, led by Joyshankar.

In between the music, we recognized significant contributions in different spheres: the best three articles in our journal, ICT promotion, cyber law, cyber crime, IT strategy and consulting, data science and analytics, video as new media, cloud communication, business intelligence architecture and Bengali folk music. We also acknowledged the contribution of our core team and volunteers; without them, such a mega summit could not have been organized seamlessly.

The information security industry really has no frontiers. The current and emerging problems need not only global collaboration but also a huge workforce with an identifiable skill set. In its objective of building awareness, disseminating ideas and training the younger generation, Infocon Global has already become a pioneer on a global theme from Bengal.

Infocon Kolkata 2016 is just a beginning. We hope to see all of you once again on 24th November 2017 in Kolkata, where we shall walk again with Kolkata and with you.

Photo albums are available from two sources: Source 1 and Source 2.


Cyber Attack Prevention Strategy

The whole of India is in turbulence over the latest banking fraud. All print media, news channels and the Internet are discussing the same topic, and some kind of panic is spreading. Security breaches are very common, but this time something ‘worse’ has happened: this biggest financial data breach has affected 32 lakh debit cards. As a result, banks have blocked their customers’ ATM cards without any advance notice. But these kinds of attacks are not new or unusual. With the increasing trend of Internet connectivity, online shopping (e-commerce), mobile wallet usage and IoT (Internet of Things), such threats are bound to increase, given the casual approach to the situation. We tend to be highly technical, keep spending money on high-end appliances and software, and forget the basics without applying common sense.

The approach to these situations is always reactive. The moment an attack takes place, the entire ecosystem works towards protecting against that one method, forgetting that in the near future the hacker will come back with a new strategy instead of repeating the same one. Success lies in continuity, in blending people, process and tools (technology), and in a synchronized approach across different hardware and software instead of running them in silos. The core problem lies in outsourcing across multiple layers, with each layer declining to own responsibility; in the whole chain, accountability and ownership are completely missing. Think of the Indian banking threats or the Bangladesh cyber-attacks, where the incidents were suppressed by the authorities for months so that the ripples in the community would be smaller. Imagine if the compromise of data and the impact of the loss had been known to the common man beforehand: they could have been more cautious, and more of the impact could have been avoided.

The first and foremost factor is the framing of policy and law, and its enforcement by government, so that banks (and their downstream providers), BFSI organizations, third-party payment gateways and money wallets are strictly bound by compliance, governance and penalty clauses for defaulters. Debit and credit card protection strategies are already internationally benchmarked by the PCI-DSS framework, with the following subsets:

  • Security Information and Event Management (SIEM)
  • Vulnerability Assessment
  • Data Leakage Protection (DLP)
  • File Integrity Monitoring (FIM)
  • Host Intrusion Prevention (HIPS)
  • Web Content Filtering
  • Endpoint Encryption
  • Web Application Firewall (WAF)
  • Endpoint Security
  • Penetration Testing (PT)
  • Privileged Account Management (PAM)
  • Identity Management (IDM)

Information security is covered under ISO 27001:2013, IT service management under ISO 20000, business continuity under ISO 22301:2012, risk management under ISO 31000, and the software industry by CMMI compliance. Hence following these standards, with enforcement by the authorities, will improve the situation.

Moreover, periodic monitoring of the infrastructure and security infrastructure, log correlation and reporting, vulnerability assessment, penetration testing and proactive measures taken before a threat occurs will minimize the chances of failure.

Now, what simple strategies can the poor common man adopt? Here are a few very simple but powerful strategies driven by common sense:

  • Change ATM/debit/credit card PINs at regular intervals.
  • Link your cards with your mobile number and email address, if not already done.
  • Immediately move to chip-based cards or grid cards and enable two-factor authentication (OTP via SMS/mail etc.).
  • That’s not all. Avoid creating PINs/passwords from names, surnames, dates of birth or anniversaries (yours/parents’/spouse’s/children’s), as these can be predicted very easily from your social footprint. Use alphanumeric passwords mixed with special characters.
  • Using a benchmarked standard antivirus (preferably Total Protection) on every desktop, laptop, mobile and tablet is essential. Free or cracked software is to be avoided; saving INR 2000 yearly may lead to a major problem.
  • Any banking/e-commerce site should be used over a secure connection (SSL), i.e. the address should show “https://” instead of “http://”.
  • Avoid saving online banking, e-commerce and mail passwords for convenience.
  • Passwords are not to be kept in writing anywhere, in any form (not Word, Excel, cloud, printed paper or handwritten paper).
  • Non-standard games and applications are to be avoided, as many applications are built to sniff data.
  • The latest smartphones/tablets have an application permission control mechanism. Block unwanted access for all applications (e.g. contacts, SMS, camera) wherever it is not relevant to that application.
  • Any information related to passwords or PINs is not to be sent through mail, WhatsApp etc., as it may end up stored in a repository.
  • For international transactions that do not apply two-factor authentication (i.e. only the CVV applies), we should avoid transacting except with renowned players (here the government should also force MasterCard/VISA to relook at their policies and enforce two factors as well).

These are not all; there is a lot more in this arena. I was discussing this subject on a few television channels over the last few days and thought of writing a few basic tips for the common man, as a lot of people requested me to.

We will be discussing and brainstorming in depth at our upcoming conference, Infocon, and we will be bringing out a printed magazine on the same theme, one of the first of its kind.

We will be sharing technology-oriented knowledge on targeted attacks like ransomware, APT (advanced persistent threat), cyber forensics etc.

Stay tuned for more excitement on 18th November, 2016 at CII Suresh Neotia Centre of Excellence, Saltlake.


Time to rethink on Infrastructure

Wish you all the greetings of “Subha Bijoya”. I trust you have enjoyed the days with your friends, family and loved ones during the Durgapuja holidays.

So far in my blog I had generally not written anything on technology, process etc., which are the core competency of my organizations. A few of my friends insisted that I write on them as well. Here is the first one in the series.

The OND (October, November and December) quarter is always dull in terms of business in India, especially in Bengal. The season starts with Durgapuja, followed by Lakshmi Puja, Kalipuja and Diwali, and then Christmas and of course the winter vacation (since the year ends in December, there is pressure to liquidate casual leave). In effect, business and investment generally happen a little less than in other quarters. But this is the time to look back at the investments made so far or review upcoming plans.

An enterprise typically has a heterogeneous environment in which the business needs different elements like Internet bandwidth, routers, switches, firewall/UTM, load balancers, servers, storage, backup, desktops, operating systems, databases, applications, virtualization, endpoints, WiFi, CCTV/IP-camera-based surveillance, biometric attendance, RFID-based access control and so on. In addition, a huge non-IT infrastructure is needed to support this IT infrastructure, such as UPS, DG sets, building management systems, cooling systems (PAC, CAC), civil works, interiors etc.

One sample architecture is attached below to show how critical it can be.

But how does an enterprise or organization invest in these aspects? Is it possible for the IT administrator or systems in-charge to handle such a wide spectrum of systems with his own domain knowledge, and to evaluate, finalize and implement as per the organization’s objectives?

Answer is “No”.

Then how does it happen? It happens by “assumptions” and OEM/SI “influence”.

There is a wide variety of OEMs in almost every segment. A few examples are as follows:

  • Internet Bandwidth: TATA, Reliance, Airtel, Sify and so on
  • Computing: HP, Dell, IBM, Fujitsu, Lenovo, Acer, ASUS and so on
  • Routing/Switching: Cisco, HP, Juniper, Brocade, Avaya, Allied Telesis, Dlink, Extreme, Digisol, Netgear and so on
  • Security: Fortinet, Cisco, Juniper, Cyberoam, Dell SonicWall, Symantec, Kaspersky, Trend Micro, Palo Alto and so on
  • Virtualization: VMware, Citrix, Microsoft, Ncomputing, VXL, Enjay and so on
  • Wireless: Ruckus, Motorola, Cisco, Aruba, Ubiquiti, Engenius, Digisol, Netgear, Dlink, Alcon and so on
  • Gateway: 24 Online, Nomadix, Ucopia, Peplink, Radware, Bluecoat, Allot, F5, Citrix and so on
  • Surveillance: Sony Ipela, Samsung, LG, Tyco, Bosch, Honeywell, Pelco, Zicom, Alcon, CP Plus, Sparsh, Hikvision, Digisol and so on
  • Video Conferencing: Polycom, Huawei, Cisco, VU, Avaya and so on
  • Networking: Schneider Electric, Tyco, R&M, Systimax, Siemon, Molex, DAX, Dlink and so on
  • Software: Microsoft, Red Hat, Novell, CA, IBM, HP and so on
  • UPS: Eaton, APC, Emerson, Delta etc.
  • PAC: Emerson
  • DG: Kirloskar, Jakson etc.

Now it is literally impossible for an individual to avoid influence from almost all of the above. Everyone pitches their superiority over the others and tries to prove that the other does not suit the customer’s requirement.

There was a customer who had best-of-breed products in almost all layers, but still had application access issues (SAP with an Oracle database) via its blade server. They used to restart the gateway UTM, pull cables from the server and apply similar short-term break-fixes instead of identifying the real root cause. The moment they spelled this out to their existing service providers, every stakeholder was keen to sell their products. The Internet service provider wanted to upgrade the bandwidth, since according to them the issue was due to over-utilization of the bandwidth. The UTM supplier and OEM wanted to sell a higher-end box through buyback, since it had apparently become over-utilized as per their observations. Similarly, the LAN vendor wanted to change the entire cabling from Cat 5 to Cat 6 to improve performance. And of course the customer was thoroughly confused. Finally, troubleshooting revealed configuration issues in their existing resources: configuring VLANs and deploying the core switch in L3 mode with inter-VLAN routing sorted out the problem. The root cause was malicious traffic generated by LAN machines that were in the same broadcast domain as the servers. Moreover, it was also found that the resources they had in terms of infrastructure were surplus and would suffice for their needs for at least the next three years.

This is not uncommon. Generally, the market is inclined to sell more and more of its products and services instead of doing due diligence on actual needs.

Let me give you one more example. One of the leading hospitality customers had WiFi implemented on their property from a leading, renowned brand. The property had 67 access points installed across 7 floors. The product was a leader in its segment, but the customer still had a lot of WiFi-related issues, specifically with Apple devices. The moment they approached the provider, it suggested adding 20 more access points! Adding more and more devices can never solve the problem (moreover, a problem only on Apple devices cannot be a WiFi coverage issue; it is bound to be a configuration issue). WiFi deployment needs a proper survey and a deployment plan based on needs, not just devices placed here and there. Additionally, they had bought the devices for some extraordinary features (which are genuine), but none of those were being used, as they were not required. Later on they procured low-cost devices (one fifth of the cost of the existing ones) and their purpose was served with satisfaction.

Hence the idea should be to take stock of the existing infrastructure and understand its utilization, its configuration and the organization’s objective before selecting a product or solution. It is not only about selecting a product as per need; it is equally important to configure and customize it as per the organization’s business need, so that it is in sync with the objective and gives a fruitful result.

With the blessings of Goddess Durga, it is high time for all of us to go back and understand the state of our existing infrastructure before we invest further in products. Let us also enlighten ourselves to choose the right product and evaluate it as per needs, not just by name.

Evaluation of existing infrastructure (already built and running) is not possible manually when proper processes are not in place. It is done by deploying automated tools that generate logs; consultants then correlate those logs manually and assist organizations with a report on gap analysis and remediation plans.

I will be happy to address any queries from interested readers.