We are happy to announce our upcoming DCPP training program on January 30 & 31, 2020 in Mumbai.   

The training program is designed to equip a candidate with the requisite Data Privacy domain overview, key concepts and necessary inputs & understanding required for the DCPP Certification Exam.

The program would be conducted by Arrka experts, who are experienced and recognised Data Privacy practitioners. For more details on DCPP, please visit https://arrka.com/dsci-accredited-training-for-dcpp/

Duration: January 30 & 31, 2020, 9:30am to 5:30pm (both the days) 

Venue: Arrka, Work Square, 2nd Floor, Marathon Chambers, Mafatlal Mills Compound, (same compound as Marathon FutureX), NM Joshi Marg, Lower Parel East, Mumbai, Maharashtra 400 013 

Please write to us dcpp@arrka.com for additional information.

The batch size is restricted to 15 aspirants. Hence, we request you to block your seats early if you are interested in joining this batch. 

India’s Personal Data Protection Bill
Key Takeaways for Organizations

Shivangi Nadkarni, Co-founder & CEO

This is a quick, first-cut list of key take-aways, implications & ‘what lies ahead’ for organizations from the Personal Data Protection Bill 2019 that was introduced in Parliament on December 11, 2019.

Note: This was done as a series of tweets, so I have collated them as-is here.

Acronyms used:
PD: Personal Data
DP: Data Principal – the individual whose PD we are talking about
DF: Data Fiduciary – the organization that collects & processes PD
DPA: Data Protection Authority – the regulator to be set up

Personal Data categorized as PD, Sensitive PD (SPD), Critical PD. Children’s PD also looked at separately.

Key: Collect only what you need – minimize the Personal Data you collect. Use only for the purpose(s) stated and not beyond.

#SomethingNew: “Data is kept in a form that distinguishes personal data based on facts from personal data based on opinions or personal assessments”. Implies another facet to classifying and categorizing your data within the organization.

Consent is the primary ground for processing.

Grounds other than consent: ‘reasonable purposes’. Includes:

  • processing for prevention & detection of any unlawful activity including fraud;
  • whistle blowing;
  • M&A;
  • network and information security;
  • credit scoring;
  • recovery of debt;
  • processing of publicly available PD;
  • operation of search engines.

#SomethingNew: If processing Children’s PD: verify age and obtain the consent of a parent or guardian.

#SomethingNew: Organizations operating commercial websites or online services directed at children, or processing large volumes of children’s PD, are to be classified as Guardian Data Fiduciaries.
Guardian Data Fiduciaries CANNOT profile, track, do behavioural monitoring of, or do targeted advertising directed at children.

Privacy Notice required to be given to DPs. Notice to state:

  • WHAT PD is being processed,
  • WHERE have you got it from (if from a 3rd party),
  • WHY,
  • on WHAT BASIS,
  • WHOM are you sharing with,
  • is it crossing borders,
  • how long will you keep it,
  • how to withdraw consent,
  • whom to complain to &
  • your Data Trust Score

Retain Data only for how long it is required and not beyond, unless specifically consented to by the DP or required by some other law.

Right to Confirmation & Access: Inform the DP WHETHER you are processing or have processed the DP’s PD, WHAT data and WHAT PROCESSING activity has been undertaken (brief summary), with WHOM it has been shared and what PD categories they are.

Right to Correction & Erasure: Enable DP to correct/update her PD and erase if no longer required for the purpose. Ensure 3rd Parties who have this data also update/erase.

Right to Data Portability: For processing done via ‘automated means’, DP can ask for following PD in a ‘structured, commonly used and machine-readable format’: PD collected, obtained from elsewhere, generated or part of DP’s profile info.

The DP can also ask for it to be transferred to another DF.

Right to be Forgotten: DP can ask to restrict or prevent “Continuing Disclosure” of her PD when it has served its purpose or consent has been withdrawn.

For actioning this, the DP needs to apply to the Adjudicating Officer, who can issue an order to this effect.

Rights to Confirmation & Access and Correction & Erasure are to be serviced free. Fees (to be specified by regulations) can be charged for the other two. Response time for requests is to be spelt out in regulations.

#SomethingNew: A ‘Privacy by Design’ (PbD) policy. Needs to be submitted to the DPA for certification. To be published on your website and the DPA’s. This is in addition to the Privacy Notice.

PbD policy to contain:

  • practices & tech systems designed to ‘anticipate, identify and avoid harm’ to the DP;
  • obligations of the DF;
  • tech used is as per accepted/certified standards;
  • legitimate business interests do not compromise privacy interests;
  • protection of privacy through the PD lifecycle;
  • processing is transparent;
  • interests of the DP accounted for throughout processing.

#SomethingNew: DP can use a ‘Consent Manager’ to manage her consents – an entity that ‘enables a DP to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform’. #NewBusinessOpportunity

#SomethingNew: Breach Notification: Any breach to PD likely to cause harm to the DP to be reported to the DPA. Time period to report to be specified by regulations. DPA to determine if DP needs to be informed or not. DPA may require breach details to be posted on your and its own website.

#SomethingNew: Some DFs to be categorized as ‘Significant Data Fiduciaries’ (SDFs), based on volume, sensitivity, risk of harm to the DP, new technologies used and/or turnover.

Extra Obligations include: (1) Conduct DPIA (2) Maintain Records (3) Appoint DPO <See details of each below>

#SomethingNew: Social Media Intermediaries defined as those who ‘primarily or solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using their services’.

ISPs, search-engines, on-line encyclopedias, e-mail services or online storage services not included here.

#SomethingNew: ‘Data Protection Impact Assessment’ (DPIA) to be carried out by an SDF. To contain a description of the proposed processing operation, the nature of data being processed, the purpose of processing, an assessment of potential harms that may be caused to a DP by this processing, and measures to manage/minimize/mitigate/remove these harms.

DPA to specify (a) when a DPIA needs to be carried out and (b) whether it needs to be done by a Data Auditor. DPIA to be reviewed by your DPO and submitted to the DPA. The DPA has the power to stop or put conditions on your processing operations based on the DPIA.

#SomethingNew: Data Auditors to be ‘registered’ by the DPA. Criteria for Data Auditors to be specified. Data Auditors to conduct audits to check compliance of DFs with the requirements of the Act – details to be specified by the DPA. Also, they will assign a Data Trust Score <see below>.

#SomethingNew: Data Trust Scores. A metric for rating a DF based on a Data Audit conducted by a Data Auditor. Criteria to be specified by the DPA. Score to be displayed on the DF’s Privacy Notice.

#SomethingNew: Data Protection Officers (DPOs) need to be appointed by SDFs. They need to be based in India and would represent the organization under this Act.

Cross Border Transfers: Sensitive PD CAN be transferred outside India, but a copy needs to be kept in India. Conditions for transfer:

(1) Explicit consent by the DP
(2) Pursuant to a contract or intra-group scheme approved by the DPA
(3) Country or Entity/Group approved by the DPA
(4) Specific SPD/class of SPD approved for transfer by the DPA for a specific purpose

Critical PD cannot be transferred outside India except (1) for provision of health services or emergency services or (2) Country or Entity/Group has been approved by the Central Govt (not DPA)

Exemptions from this Act for (a) processing for research, archiving, or statistical purposes (b) manual processing done by small entities

Sandbox creation by the DPA for encouraging innovation in AI, ML or any other emerging technology in public interest

Codes of Practice to promote good practices and facilitate compliance can be:

(1) specified by DPA
(2) developed by Industry bodies or sectoral regulators, Statutory Authorities, Govt Depts or Ministries and approved by DPA

Penalties & Liabilities:

  • Up to Rs. 5 crore or 2% of global turnover, for failure to comply with some obligations or not taking action in case of a breach.
  • Up to Rs. 15 crore or 4% of global turnover, for violations with respect to privacy principles, grounds of processing, PD of children, transfer of PD outside India and not adhering to security safeguards.
  • Smaller fines for smaller violations/contraventions specified.

Imprisonment up to 3 years and/or a fine up to Rs. 2 lakh for re-identification of de-identified data or further processing of re-identified data.

So how can one prepare to comply?

  • DISCOVER, IDENTIFY & MAP your PD. How much of it is PD, SPD, Critical PD, Children’s PD. How is it flowing in & flowing out. What is crossing borders. Ask ‘why’, ‘who’, ‘how’. This takes TIME!
  • Do a Gap Assessment vis a vis this Bill … plus all other laws/regulations applicable to you
  • Develop Remediation Plan
  • Execute in phases. DO NOT bite off big chunks!

Call us at Arrka if you need help. privacy@arrka.com


Data Privacy has started getting the much-needed attention it deserves in India today. With the Indian Personal Data Protection Act around the corner, the EU GDPR and other countries’ laws already applicable and the general awareness levels having increased amongst consumers, Indian organizations are starting to take concrete steps towards implementing privacy. Hence the demand for professionals having the necessary skills and knowledge about Data Privacy has increased and will continue to grow rapidly.

We at Arrka are pleased to contribute towards building this capability amongst Indian professionals via our Learning & Awareness division. Arrka is the first accredited training partner of DSCI (a NASSCOM body) for their DCPP (DSCI Certified Privacy Professional) certification program.

We are happy to announce our fifth training program for the DSCI Certified Privacy Professional (DCPP) certification on 21st and 22nd June 2019 in Mumbai.

Program Details:

About the Program: The training program is designed to equip a candidate with the requisite Data Privacy domain overview, key concepts and necessary inputs & understanding required for the DCPP Certification Exam. The program would be conducted by Data Privacy experts from Arrka, who are

Duration: 21st and 22nd June 2019, 9:30 to 17:30 each day


Venue: Arrka Consulting, Work Square, 2nd Floor, Marathon Chambers, Mafatlal Mills Compound, (same compound as Marathon FutureX), NM Joshi Marg, Lower Parel East, Mumbai, Maharashtra

*Training Fees: There are two options offered:

Option #1: Only Training
This includes two components: (1) Training fees to Arrka (Rs. 12,500 + GST) + (2) Privacy Book of Knowledge (PBOK) from DSCI (Rs. 2,575 + GST). Total: Rs. 15,075/- + GST = Rs. 17,788.50.
Candidates opting for this would need to sign up separately for the certification exam later with DSCI and pay for that separately. Those fees would be Rs. 15,000/- less Rs. 2,575 (PBOK component) = Rs. 12,425 plus GST.

Option #2: Special Bundle: Training + Certification Fees
This includes (1) Training + (2) PBOK + (3) Certification fees to DSCI.
Total: Rs. 24,750 + 18% GST = Rs. 29,205/-

** The bundled option gives the candidate a discount of 10%: the candidate pays only Rs. 24,750/- plus GST instead of the Rs. 27,500/- plus GST which the candidate would effectively need to pay if s/he opts for the certification payment separately.

To confirm your participation or for any further queries, please write to us with the following details at dcpp@arrka.com

  • Name and designation
  • Organization name
  • Mobile number
  • Mail id
  • Preferred Training Option: Option #1 (Training Only) OR Option #2 (Bundled Training +

I am aware that my Personal Data has immense value. It is like money for many. And hence I will do all it takes to ensure it remains Private and Protected.

I will not give out my personal details at unknown locations in return for freebies and discounts. I will avoid participating in lucky draws asking me to fill out forms giving away my Personal Data.

I will think twice and ask ‘Why’ when I am asked for my mobile number, email id and other personal details at places where they are not required.

I will not give away any personal data to unknown individuals and callers who claim to be official representatives of a company or government department. I will first verify their identity before I engage with them.

I will make sure I shred or destroy documents containing my important data before I throw them away. I will be especially careful about address labels and financial statements.

I will download only those Mobile Apps that I need. I will switch off the dangerous permissions not required in the App. I will download Apps only from trusted sources. And I will delete Apps that I don’t frequently use.

I will turn off 3rd Party Cookies & Browser History from my browser and use private browsing mode whenever possible.

I will think twice about what I post online. I will remember and be conscious of the fact that whatever I post online is forever and will become public at some point in time.

I will be particularly conscious about whatever I post online about children.

I will switch off smart devices in the house when I am not at home and in the nights.

I will refrain from using public or free wifi, unless I absolutely need to. Even if I do, I will not use it for logging into any sites, especially banking & financial transactions’ sites.

I will not share my Passwords, PINs and Account Numbers with others. I will look for and turn on OTP and other Security & Privacy settings offered by Websites, Apps, Social Media and others.

I will adopt basic security hygiene in my online habits: I will frequently change my passwords, I will not visit suspicious sites, I will install and update anti-virus on my devices, I will regularly apply patches to my apps (mobile/ laptop) as soon as they are released, I will not share pen drives and other storage devices.

I will back up my data from time to time.

I will remember that there is no FREE LUNCH – and if something is being offered free, it means that someone is benefitting from my interaction in some other way that may not be known to me.

Why is the bill such a big deal?
– by Shivangi Nadkarni, Co-Founder & CEO – Arrka

The much awaited Indian Personal Data Protection Bill was released by the Shrikrishna Commission yesterday. How is this of any relevance to YOU? You, the savvy ‘digital’ Indian, the user of smartphones, apps and social media, the one who does almost everything online? Read on to know how the road ahead has just gotten a lot more optimistic for YOU….

Some background: If you recall, last year the Supreme Court of India ruled that Privacy is a Fundamental Right. This bill helps translate this right into tangible action in the context of Information or Data Privacy. The bill is now out for public comments. Based on inputs gathered and the various debates that are sure to emerge, many amendments would be made. Finally, it should find its way to Parliament to be translated into a law. However, no matter what the ultimate version of the bill that gets passed looks like, certain realities are here to stay and won’t change.

At the core of this bill is the fact that it clearly makes YOU, the individual, the OWNER of YOUR Personal Data. Does this come as a surprise to you? You probably assumed this has always been the case, right? Well... you were wrong. Till date, whichever entity took your data was considered the owner of the data. Now, the ownership would be back with you. In fact, the bill calls you the ‘DATA PRINCIPAL’. So now whichever entity gets hold of your personal data holds it only in a ‘fiduciary’ relationship, which means the entity shall hold your data in ‘good faith and trust and responsibility and act in your best interests’.

Personal Data itself is defined as any data that can make you ‘IDENTIFIABLE’ – either directly or indirectly. Which means it is not only your demographic/financial/ health data but also data like your IP address, location data, the meta-data that gets tagged to your emails, your mobile device identifier, etc. In short – all elements of your digital self that are today used to identify you, track you, build your profile and, subsequently, to influence you.

Incidentally, this bill applies to entities even outside India who may be selling something to you or just tracking & profiling you. It is not just Indian entities who would come under the ambit. Secondly, this applies to the Indian government as well – not just corporates.

So, as the owner of your personal data, what are going to be your prerogatives? Some key ones are summarized below:

  • Your data can be collected from you (either directly or via someone else) only after the entity tells you WHY it is collecting it (the purpose). And they can USE it only for that purpose and not for anything else. So, for example, a company or government department cannot collect data from you saying it is for providing you a particular service, and then proceed to sell it to some marketer without telling you.
  • WHAT data they collect has to be only to the extent needed to meet the purpose they have told you about. Which means soon gone will be the days when you walked into a store to buy a pair of shoes and they asked you for your mobile number and address… and if you asked them why they needed your mobile number, the answer typically would be ‘the (billing) system needs it, Ma’am’. Stores cannot get away with such stuff anymore.
  • The entity would have to tell you all this CLEARLY and in language that you can understand, not tuck it away in the midst of fine print or legalese which you never read. Plus they need to get your CONSENT to this. By the way, you can withdraw this consent at any point in time that you wish to. Of course, if this is in the middle of a service you are enjoying from the entity, then they can stop providing you the service.
  • Further, this data that is collected cannot be retained forever. As soon as the purpose for which it was collected is fulfilled, it has to be deleted, unless it is specifically required to be retained for some legal purpose.

That’s not all… you will now enjoy some rights too:

Right to know if any data about you is there with a particular entity or not

– if yes, what is this data
– is it correct and up-to-date. If not, you can correct it

Therefore, guessing games can be put to rest and you can actually ask companies to confirm if they have your data

Right to be forgotten

– Which means if you want some entity who may have your data in their records to erase it completely, they would need to do so (as long as it doesn’t affect the service/product they are offering you)
– Further, they would need to ensure it is deleted from the records of all other entities they may have shared it with in the past
– In short, you have a right to be ‘forgotten’ by this entity in all respects

Right to data portability

– Gives you the freedom and power to easily migrate between different entities without having to worry about the pain of migrating all your data as part of the process

Of course, there are legitimate exceptions to each of the above, but they are for specific cases which are mostly to do with law & order situations or other logical reasons.

In today’s day and age – where cyberattacks happen regularly and data gets stolen or leaked out – an entity that has your data would be required to inform you of a data breach if your data is amongst the affected cases and the breach is likely to cause harm to you. This is a big step forward from the current situation where no entity in India is obliged to inform you if your data has been compromised.

You will have the facility to file complaints on anything to do with your personal data with a grievance officer that the entity would be required to appoint. So, we can soon bid good-bye to the days when you wonder where to complain and whether at all your complaint would be heard in the first place. If you don’t get a response, you can escalate it to the Data Protection Authority that is being set up under this Bill.

While all this seems like a dream, your cynical self is likely to ask “Why would any entity bother about complying with this law?” After all, we have so many laws in place that nobody seems to really bother about. Well, there is good reason to hope this law will be taken seriously, simply because the fines for not complying are fairly steep. They can be up to Rs. 15 crore or 4% of global turnover, or Rs. 5 crore or 2% of global turnover of an entity, depending on what kind of violation has been done. What’s more, there is also imprisonment mentioned for certain types of violations.

Of course, the bill covers many other areas and has a whole lot of other provisions and clauses for entities to comply with. This note isn’t getting into that.

Let us now wait and watch how this develops. Remember – India is the second largest digital market in the world and the fastest growing. Hence the pressure is significantly high to have a Data Protection Law in place.

The bill and the accompanying report of the Shrikrishna Commission is available at: http://meity.gov.in/data-protection-framework

Comments & feedback welcome at privacy@arrka.com

There has been a lot of delay in getting this out, partly due to the workload coming our way. There are multiple incidents happening all around us, and I feel it is mainly because we have missed the crucial steps in putting together our defence. This series is attempting to give you the ammunition to take this forward, and I sincerely hope it has been useful to you.

Thank you for reading through this. This article is the next in the series. Your feedback means a lot and I appreciate the comments coming my way. In case you have missed the earlier articles, the links are below.

We conducted a Risk Assessment and identified the risks we want to mitigate in the previous article.
We defined policies and procedures as listed in Article 3 – http://arrka.com/index.php/2017/09/13/step-1-define-the-policy-for-both-digital-and-cyber-information-security/
We will now look at Implementation and Rollout of the mitigation actions we described.

Our implementation comprises three major components:

  • Governance and changes to the policies based on what we need to mitigate
  • Process and Procedure implementation
  • Technical areas implementation

The governance part comprises identifying the changes required and updating the policies. We prepared some policies earlier, which we now revisit. Why these changes? Because we are now more aware of our risks and the threats to our environment. A simple example relates to the password policy. Say we had an earlier policy which said that passwords will not be re-used for 2 cycles, so a password cannot be used again for at least 2 rounds of password change. However, we have now identified that this is not enough for some applications which are internet facing. The risk is higher here because our passwords become predictable and can be guessed more easily. Hence, we may change the policy to say no re-use for at least 5 cycles. The policy now needs to roll through a change management procedure which records the why and what of the change. We may also decide to have different password policies for different types of applications, and this also needs to be recorded and approved.
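As an added illustration of the tiered password-history rule described above (this is example code, not code from the article or from Arrka): a check that rejects a new password if it matches any of the last N passwords, with N depending on the application class. The class names, the history depths (2 for internal, 5 for internet-facing, as in the article's example) and the PBKDF2 iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical policy tiers modelled on the article's example: the earlier policy
# forbade reuse of the last 2 passwords; internet-facing applications are tightened
# to the last 5. Class names and the mapping are assumptions for this example.
HISTORY_DEPTH = {"internal": 2, "internet_facing": 5}

# Iteration count kept low so the example runs quickly; production systems should
# use a far higher count or a dedicated password hash such as argon2 or bcrypt.
PBKDF2_ITERATIONS = 20_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest, so old passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordHistory:
    """Per-account history of (salt, digest) pairs, newest first."""
    app_class: str
    history: list = field(default_factory=list)

    def depth(self) -> int:
        # Policy lookup: how many previous passwords may not be reused.
        return HISTORY_DEPTH[self.app_class]

    def is_reused(self, candidate: str) -> bool:
        """True if the candidate matches any of the last depth() passwords."""
        for salt, digest in self.history[: self.depth()]:
            # Constant-time comparison avoids leaking which entry matched.
            if hmac.compare_digest(_derive(candidate, salt), digest):
                return True
        return False

    def change_password(self, new_password: str) -> bool:
        """Apply the policy: reject a reused password, otherwise record the new one."""
        if self.is_reused(new_password):
            return False
        salt = os.urandom(16)
        self.history.insert(0, (salt, _derive(new_password, salt)))
        # Retain only as many old digests as the policy needs to enforce.
        del self.history[self.depth():]
        return True


if __name__ == "__main__":
    # Constructed walkthrough for an internet-facing account (depth 5).
    acct = PasswordHistory("internet_facing")
    for pw in ["Spring2019!", "Summer2019!", "Autumn2019!", "Winter2019!", "Spring2020!"]:
        assert acct.change_password(pw)
    # Rejected: the first password is still within the last 5.
    print("reuse of first password allowed:", acct.change_password("Spring2019!"))
```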

This policy now needs to be converted into a procedure, and the procedure needs to be communicated. The process implementation comprises the actual rollout of the procedure into operations by inserting this bit into their work instructions. Putting this in line with operations, rather than having a separate line item for security, enables the team to embrace and follow it easily. Else, the common refrain is “why are you adding to my work load?”. The other aspect is to make this auditable, so we should update the audit checklist as well with the various scenarios so that the correct scenario will be tested. One last aspect is to include this in our security baseline documentation and the business continuity / disaster recovery documentation. That way, our testing and actual operations during recovery do not weaken the security controls during a disaster. We don’t want security to be weak when things fail and we recover with less security than during business as usual.

Some of the actions for threats may relate to configuration / rule changes. These need to be actioned as well, as part of the technical rollout and implementation. Ensure that during the technical rollout you test the changes in a test system and then roll out to production. Rollout to production needs to be handled very carefully. In addition, you must always have a backup set which can be used to restore the system to the last known good state immediately. Don’t try to troubleshoot on the production system in case of any failure; just restore and get it working. This is true for patches to be applied to the system as well. Trying to troubleshoot the production system will only increase the time lost to downtime, and you will panic as the time goes by, not to mention the credibility of the team at stake. Time lost to troubleshooting will be far more difficult to explain than a failed implementation. All of these are learnings which can be applied on the test system to check different scenarios. The OEM may also have advisories for your scenario: check with them, so you know you are not the only ones facing this. Have support available during these changes. And lastly, do document the final changes back into the procedure, baseline documents, BCP/DRP documents etc.

Next we will explore Step 5 – Review of implementations, like Log Review, Incident Review, SIEM, Monitoring of the various access, setting up a helpdesk etc. All of these can be implemented via Open Source solutions.

Till then, stay safe and if you need emergency response/ help, shout out to

In case you have missed the earlier part of the series, it is at

twitter: @sameeranja

Last week, over lunch, our Privacy team was excitedly discussing the upcoming Data Privacy Day on Jan 28th. Being enthusiastic privacy consultants, they had a whole list of things they wanted to do to mark the day. In the midst of the chatter, someone popped up and said “Hey… all this is fine! But at the end of the day, I worry about my mom who is all the time on her smartphone, clueless about privacy, while here I am, a privacy consultant by profession.”

This got everyone thinking about their friends and family…. and how typical end users like them – smart and enthusiastic gadget users – usually have no idea about what they should be careful about. So the ‘corpo’ discussion got put aside and the team decided that they should actually mark this Data Privacy Day with something that would be useful to a typical user. And Swati from the team volunteered to take their inputs and put together a guide specific to Android – as that is the most commonly used smartphone around us.

So here goes the ‘Privacy and the Android Ecosystem’ guide – a ‘how to’ note on how you can make the most of the settings available on your Android Phone and Google, in general, to maximise your privacy. Hope you find it useful.

Download Here : Privacy and the Android Ecosystem PDF

Hello All! As we run into the final laps of the year, we realise the importance of CyberSecurity for all of us. As we round up an exciting year and one in which Arrka is growing, we sincerely thank all of you out there who have supported us and had faith in our abilities to deliver. We look forward to a truly more exciting 2018, and a very secure and safe one. Our quest for enabling security for our stakeholders, customers and partners continues, and we remain focused on getting this together. This series is a way to spread the awareness.

Thank you for reading through this. This article is the next in the series. Your feedback means a lot and I appreciate the comments coming my way. In case you have missed the earlier articles, the links are below.

Article 1 – http://arrka.com/index.php/2017/07/12/exploring-the-ciso-role-especially-for-the-smb/
Article 2 – http://arrka.com/index.php/2017/08/13/smb-ciso-series-article-2-going-digital-what-dangers-are-you-walking-into/
Article 3 – http://arrka.com/index.php/2017/09/13/step-1-define-the-policy-for-both-digital-and-cyber-information-security/
Article 4 – http://arrka.com/index.php/2017/10/15/step-2-create-the-security-architecture/

So now, we have defined policies, created a security architecture in line with the policy. Most security practitioners at this point will say, “we should have assessed risks first. Why do this after the policies are defined?” This is actually a very valid question. However, there are some advantages of doing this later. I will explain as we move forward.

Let us understand risk first. The layman’s answer is that risk is like a dare, and it is a catalyst for deciding whether the challenge/dare should be accepted or not. Everyone has a threshold; in risk terms this is called the Risk Appetite. We tend to take risks (or, as we called them earlier, challenges) based on our understanding and perception of our risk appetite. I use the words understanding and perception because risk is always subjective. We have all tried to make this scientific, objective and numbers driven; however, exceptions are made when decisions are taken on the basis of gut and instinct. These are gut-feel behaviours which are tough to justify and rest more on belief in yourself than anything else. E.g. instinct is what drives innovation, and should we choose to ignore it, we will never get a new idea conceptualised and created. Hence some subjective behaviour patterns are expected during a risk exercise.

Now the semantics of risk. All of us speak of assessing risk, but this is ancient thinking. The risk profile has become so dynamic that we cannot treat this as static, once-in-time work. Risk now needs to be managed, and assessed for damage while managing and containing it. To ensure this happens, we always need a company baseline. A world baseline will throw us into a tizzy: there are more than 200 types of threats emanating into risk exposure for an organization in information security, and if we look at technical vulnerabilities, it is 30000+ and growing every day! Not all of these are applicable to us, and so the approach advocated here is: “Make the policy statements which you require, and then apply the risk principles to the ones applicable, so we know what kind of risk exposure we are working with.”

So as part of risk management, the following steps come through:

  • Identify Risk Appetite (am I OK to live with medium-threat risks or only with low-threat risks? You cannot have zero risk)
  • Conduct an initial assessment vis-à-vis the policies to identify the threats that are applicable
  • Conduct a more thorough assessment for the applicable threats. We will also identify the probability of someone exploiting this threat exposure/vulnerability. Usually, if incidents have happened before, that means we are at high risk. At times, an actual assessment is carried out (as part of a Penetration Test, Social Engineering, Security Testing etc.) to determine the probability of success
  • Once we have identified all risks (essentially a product of threat and probability, applied to all information processing assets such as people, technology, facilities, applications etc.), we get into a selection process. The selection decides which of the below treatments applies to each risk:
    - Reduce – our exposure is high and we need to reduce it by fixing some issues
    - Avoid – we will replace the particular item causing the risk with another one so that the risk is avoided completely
    - Transfer – we will transfer our risk exposure to others, e.g. insurance
    - Accept – this risk exposure is below my risk appetite, so we will let it be and monitor it to make sure it does not go above my appetite
  • We need to decide on one of the above for each risk area. Depending on what we select, we go ahead with additional actions. Some may require expense and some may not; some could be as easy as changing policy controls.
  • Now that we have identified the risks, we need to monitor the risks and threats to ensure they stay in line with our requirements. This is possible via a combination of real-time technology monitoring and process audits. Many of the staff also contribute by reporting incidents. Another major input comes from external sources (experts sending out newsletters, focus groups on security) and from our awareness of our surroundings, e.g. the next-door company's data being stolen implies we are at risk as well.
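As an added illustration of the steps above (my own example, not Arrka's tooling or process), here is a small risk register that scores each applicable threat as impact x probability, settles Accept versus a chosen treatment against a risk appetite, and re-scores a risk when an incident is reported. The 1..5 scales, the appetite of 6 and the register entries are constructed for the example.

```python
from dataclasses import dataclass
LIKELIHOOD_MAX = 5  # constructed 1..5 scale for the probability of exploitation

@dataclass
class Risk:
    asset: str              # people, technology, facility, application ...
    threat: str
    impact: int             # 1..5 severity if the threat materialises (constructed scale)
    probability: int        # 1..5 from the thorough assessment / pen test
    incidents: int = 0      # incidents of this kind already experienced
    in_policy: bool = True  # step 2: is the threat covered by one of our policy statements?
    decision: str = ""      # Reduce / Avoid / Transfer / Accept, chosen by the risk owner

def effective_probability(r: Risk) -> int:
    # the article: if incidents have happened before, we are at high risk
    return LIKELIHOOD_MAX if r.incidents > 0 else r.probability

def score(r: Risk) -> int:
    # risk = threat (impact) x probability, applied per information processing asset
    return r.impact * effective_probability(r)

def within_appetite(r: Risk, appetite: int) -> bool:
    return score(r) <= appetite

def assess(register: list, appetite: int) -> list:
    """Steps 2-5: keep only applicable threats, score them, settle Accept vs. a chosen treatment."""
    applicable = []
    for r in register:
        if not r.in_policy:
            continue  # outside our company baseline: we do not assess the whole world
        if within_appetite(r, appetite):
            r.decision = "Accept"
        elif r.decision not in ("Reduce", "Avoid", "Transfer"):
            r.decision = "NEEDS DECISION"  # owner must pick Reduce, Avoid or Transfer
        applicable.append(r)
    return applicable

def record_incident(r: Risk, appetite: int) -> bool:
    """Step 6 monitoring: an incident report re-scores the risk; True = an Accepted risk is now above appetite."""
    r.incidents += 1
    return r.decision == "Accept" and not within_appetite(r, appetite)

def sample_register() -> list:  # constructed register for a small company
    return [
        Risk("Laptops", "Theft of unencrypted laptop", impact=4, probability=2),
        Risk("Staff", "Phishing e-mail", impact=3, probability=2, incidents=1, decision="Reduce"),
        Risk("Guest Wi-Fi", "Eavesdropping on guest traffic", impact=2, probability=3),
        Risk("Fax machine", "Toll fraud", impact=1, probability=1, in_policy=False),
    ]
```

Running `assess(sample_register(), appetite=6)` drops the out-of-policy fax risk, accepts the guest Wi-Fi risk at exactly appetite, and flags the laptop risk as needing a decision; a later `record_incident` on the accepted risk pushes it above appetite and returns True.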

Considering the above, we have a more effective way of managing risk and also getting quick wins. Getting into risk assessment first would take time, and that is time during which we are not protected at all. While running an organization, we cannot remain unprotected for long, and so this needs to come after some semblance of policy is defined and is already being rolled out.

Next we will expand on Step 4 – Rollout of policies, procedures and awareness for users.
Till then, stay safe, and if you need emergency response/help, shout out to Sameer.anja@arrka.com. In case you have missed the earlier parts of the series, they are at:
Article 1 – http://arrka.com/index.php/2017/07/12/exploring-the-ciso-role-especially-for-the-smb/
Article 2 – http://arrka.com/index.php/2017/08/13/smb-ciso-series-article-2-going-digital-what-dangers-are-you-walking-into/
Article 3 – http://arrka.com/index.php/2017/09/13/step-1-define-the-policy-for-both-digital-and-cyber-information-security/
Article 4 – http://arrka.com/index.php/2017/10/15/step-2-create-the-security-architecture/

This article highlights the various ways in which cyber criminals use and create different methods and scenarios to launch cyber attacks on individuals, and through them on organisations, and how people can stay safe by following some safe cyber security practices.
In today's dynamic environment, where the Internet has become a ubiquitous part of our daily lives, cybersecurity has taken the driving seat. Without cybersecurity, the Internet can become a live time bomb one is sitting on. Cybercrimes have risen not only in number but also in sophistication. From attacks on individuals or businesses as specific targets to now targeting repositories of data, the cybercriminal has come a long way. Apart from these orchestrated attacks are those where innovative use of technology makes committing crime quite easy.

Cyber-attacks can be caused by negligence and by vulnerabilities. A few recent examples:

The attack

“By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc. Targeted search keyword combinations include “nordea sweden bank account number”, “how to cancel a cheque commonwealth bank”, “al rajhi bank working hours during ramadan”, “free online books for bank clerk exam”, “bank of baroda account balance check”, and so on.”

The poisoned search result would seem to be appropriate and benign, because the crooks have compromised legitimate websites that have been rated positively by many users:
Users who follow the malicious links are redirected via JavaScript through a number of compromised, intermediary sites, to the final one that serves a malicious Word document. The document is downloaded automatically, and the victims are prompted to open the file. If they do, they are prompted to “Enable Editing” and click “Enable Content”. This triggers the execution of a malicious macro, which finally downloads and executes the malware – in this case, a variant of the Zeus Panda banking Trojan – in several stages.

The malware does not run and removes itself if the target system uses the Russian, Belarusian, Ukrainian, or Kazakh language; if it detects that it is running in a virtual or sandbox environment (virtual sandboxing allows technology users to run unknown or suspicious programs in a controlled environment without sullying their entire network); or if it detects the presence of one of a number of tools and utilities that malware analysts usually run when analyzing malware.

Malware peddlers also usually employ spam, malvertising (the practice of incorporating malware in online advertisements) and watering hole attacks (a watering hole is a computer attack strategy in which the victim is a particular group: an organization, industry or region. The attacker guesses or observes which websites the group often uses and infects one or more of them with malware; eventually, some member of the targeted group gets infected) to target users. Search result poisoning (an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them show up prominently in search results) is more often employed for tech support and fake AV scams. (Some of you may remember the golden age of rogue antivirus software, a.k.a. FakeAV, circa 2008. These programs, which were often pushed via aggressive advertising and bundlers, were designed to look like security scanners; however, they were stuffed with intentional fake detections of all sorts of Trojans and worms.)

The business model is simple yet very effective. By using scare tactics to trick people into believing their computers were severely infected, the crooks were able to make millions of dollars selling license keys for the bogus software.
In fact, the redirection system and associated infrastructure that the researchers mapped in this attack has previously been used to do just that, using the excuse of a Zeus infection (a Trojan horse malware package) to trick users into contacting fake tech support.
DDoS attacks, which flood their targets with junk data in order to knock them offline, have grown larger and more powerful every year since the teenage hacker MafiaBoy ushered in the year 2000 with an online assault which took down then-nascent e-commerce sites like Amazon, eBay and Yahoo.

We can use some effective cyber security practices to ensure our safety. A few of them are as follows:

  • Whether you are about to create a new social media account or you already have one, only enter the basic information required to get the account activated and never provide excessive information that could put you at risk. If you've already added excess information, set it to hidden, or better still, remove it from your profile.
  • Enable privacy settings, increase the default security settings and set up alerts.
  • Many social networks are open by default: privacy is basic or turned off, and security is optional. Review the privacy and security options available to you and enable them. Use an Authenticator application such as those from Google, Microsoft or Symantec. Enable alerts and notifications on your accounts so you are quickly advised of any suspicious activity. Get notified when anyone attempts to tag you. Use $tr0ng3r passwords and change them at least once per year.
    Never use the same password multiple times.
  • It's best not to use a public Wi-Fi network without a VPN. Rather, use your cell network (3G/4G/LTE) when security is important. Disable Auto Connect Wi-Fi or enable Ask to Join Networks. Hackers use Wi-Fi access points with common names like ‘Airport’ or ‘Café’ so that your device will auto-connect without your knowledge.
  • Never opt to remember the Wi-Fi network on public access points. Use the latest web browsers, as they have improved protection against fake websites. This prevents someone from hosting their own ‘Facebook’ website, for example, waiting for you to enter your credentials. Do not click on suspicious links, such as videos, even via social chat.
  • Beware of advertisements. They could direct you to compromised websites.
  • Use a least-privileged or standard user account while browsing, as this will significantly reduce the possibility of malware being installed. Always assume someone is monitoring your data over public Wi-Fi.
  • Do not access sensitive data like financial information over public Wi-Fi. Do not change your passwords, and be wary of entering any personal credentials, while using public Wi-Fi. If you have a mobile device with a personal hotspot function, choose this over public Wi-Fi where possible—but still be cautious. Limit how often you like a status, follow a page or allow an application to access your social media profile.
  • If you're a frequent user of any social media platform, be aware of the risks of liking posts, following pages or allowing different applications to access your profile. You're accumulating a trail of activity that is time consuming, or even impossible, to reverse. Before clicking on anything, stop, think and check whether it is expected, valid and trusted.
    We are a society of clickers; we like to click on hyperlinks.
  • Be cautious of any message you receive that contains a hyperlink, even if it looks like a legitimate message from a friend or a trusted organization. Stop and ask yourself whether this message was expected. Do you know the person who sent it, and is it really from them? Or could they have been hacked? Could it be a phishing email—a message that looks exactly like one you might receive from a familiar organization but is really a set-up to get your information? If you're unsure of the authenticity of the message, contact the sender by phone or via a new message and ask if they sent you the link. It could be malware, ransomware, a remote access tool or something else that could steal or access your data. Nearly 30% of people will click on malicious links.

We all need to be more aware and cautious. Before clicking, stop and think. This way you can stay safe rather than veer towards avoiding technology and its innovative uses. Emerging government policies and processes, including making India ‘digital’ or ‘smart’, may make learning mandatory: not just learning to use technology, but also learning to follow reasonable security practices. The promotion of digital payment systems across India is just one example of government encouragement of the use of technology in everyday life. Innovation and growth, and the changes they bring about, are inevitable, and running away from technology is definitely neither the answer to avoiding harm nor is it really going to protect us in the long run. Stay Alert & Stay Safe!!

This article is by Shilpa Anja. Shilpa is one of our Senior folks at Arrka and loves to put various items together to make this a safer place for other citizens of the web.