Shakti Prateek شارما

Carried out the following projects on role with Ericsson in the capacity of a Consultant:


Project ITSAR (Indian Telecom Security Assessment Requirements) - Also known as Mandatory Testing regime involved Testing of Nodes from various security perspective with the guidelines given in the TS33.117 & its product standards, involves:

ITSAR Mandatory Test / 3GPP-TS33 - Security Assurance Specification Security Testing
Telecom Security Assurance - TSA using 3GPP 33.117.
ISO27001 control assessment and Gap analysis.
Vulnerability Assessment, Pentesting, Application Security, Backbox testing and Whitebox testing, etc.
Access and review Hardening of nodes using CIS and Ericsson Benchmarks.
Privacy Engineering and Privacy assessment of Nodes.
Driving the DevSecOps

Testing/assessments of New application and products from Security Threat Landscape (ISO27001/ Privacy by design, Cloud Security principles) and Application Security Framework - OWASP Pen-Testing.
Role as a Lead Solution Architect for LATAM project into Cloud Security designing the scalable PKI framework for X509 adoption telecom wide, Key Risk Assessor in project, use case development for PKI roll-on in 5G networks.
Web Application Security Assessment & Manual Pentesting based on OWASP framework.
Operationalization of ATT&CK framework and review of Breach simulation exercises for a telecom operator.
Contribution towards development of ATT&CK for Telecom.
IoT and 5G security for additional projects (Includes PKI solutioning, Application Security, TRA, and other such areas of concern)

Associated with IBM Security Services as a Security Delivery Specialist- Technical Project Manager, where my role was to understand Business and Technical Risk, Identify Risk in Solution and Countermeasures, and deliver Cyber security resilience, ISO27001 Compliance requirements for customers in line with their Business Risk.

Project 1 (BFSI and Retail Banking) 3 months - PM around 50 + indirect resources - Operations Process development, Implementation, Technical Audit, Blue Teaming): Role of a Project Manager and Solution Architect for transitioning new BFSI customers to IBM, the project involved end to end operations control and delivery of services for PAN India, the activity involved engaging teams Red, Blue and Security implementation, Operations, and assisting the operations team to transition and move into operations by handover from previous MSSP. My activities were focused towards leadership, control, assistance in the areas which required Security and process focus, assisting teams in Internal, External and 3rd Party Audits, ensuring the processes are followed and implementation of RBI guidelines, and other guidelines issued by regulatory agencies, etc.

Project 2 (Defense and Telecom) - Multiple Teams, around 7-8 resources -: Role as Technical Project Manager which involved overlooking and delivering Cyber Security resilience using Blue Teams to Defense Sector. I have governed, delivered and managed the end to end solution for security resilience which includes multiple security technologies, Cloud Security, SIEM, Vulnerability Management, Pen-Testing, PKI etc.

With my long association with HCL Technologies, I was handling primarily the following roles:

Corporate Information Security Team for SSAE16/SAS70, ISO27001, Implementation for projects/OMC departments.
Responsible for MSA and Security compliance of few assigned projects.
(MSA, Security policy, SSAE 16, ISO 27001 and PCI-DSS)
Lead Security Incident investigations in high-profile information security incidents, conduct Technical Security Risk Assessments (TSRA) where there is a high-risk item reported from any of the incidents and report the weakness via forma report to Senior Management at large.
Perform Social engineering attacks on periodic basis at organization covering entire population of around 90000+ resources.
Perform and Monitor a team of Security testers for Blackbox and Whitebox testing of Applications based on project requirements.

Additional Duties from Time to time: In addition to the duties mentioned above.

Deputy Manager - Information Security September 13 - May 15

Onsite PIA (Privacy Impact and Security Assessment-PISA) for a Finnish Telco customer - Ongoing Project which includes compliance with EU Data protection for Infrastructure, Applications, and Operational Privacy along with Security baselines, as per Finish/EU laws.
Hands on Security Assessment where required.
DISO, Delivery Aligned security officer for a brief period taking care of Information and Security requirements for the project, role aligned to meet compliance requirements enforced by client to project/OMC/ODC.

Role 1: Lead Information Security, Corporate Information Security team till September 13.


Lead audit team for Process and Technology clauses for SSAE 16(SAS 70) SOC1 and SOC2 (Service Organizational controls for HCL as well as User Organizational Control’s for various projects), PCI DSS for Banking Projects and Merchant clients, ISO27001, and HIIPA Security rule - audit covers the following domains as per Internal ITGC checklist (Physical security and Access Control, Logical security, BCP/DR, MSA Review’s, Human Resources, Project, Maintenance and I.T Audits).
Responsible for driving regular Internal shadow audits for the SSAE16 and ISO27001, publishing Internal audit plans and reports, also driving the respective Information Security Officers for the closure of findings, thus ensuring smooth and regular compliance for all the controls in SSAE 16 and ISMS.
Suggesting Complementary/Compensatory controls wherever applicable in case the primary control is not meeting the objective it has been designed for.
Security Incident Investigation and reporting includes forensics as and when required.
Implementation, GAP Analysis and Audit of SSAE 16 SOC2 compliance across some of the HCL projects, for the customer security policy and the MSA compliance requirements.
Speaker at Induction and Various Security Awareness Trainings within HCL.


Alternatively, /other than my KRA and assisted the project team thus enhancing my knowledge in current job: -

Revised Internal SSAE 16 SOC1 checklist aligning with internal process within 8 months of my joining one of my significant achievements.
Designed the DISO (Delivery Aligned security officer) Framework for Project level compliance from security baselines point of view.
Assisting Projects with Risk Assessment, Risk Register, designing of compensatory controls, GAP Analysis, Server hardening, Application security audit, InfoSec trainings, etc.

Project 1:

• Overall Security Operations Centre In-charge for SOC Services delivery from Team Wipro to Client. Managed SOC Services and overall Operations specific delivery of routine functions for SOC, Key responsibility for the delivery and management of the SOC CSV’s Critical Success factors, defined procedures and practice of SOC.
• Facilitate in regular ISMS Audit and external audits, including ISO 27001, SAS 70 and PCI additionally hands on experience facing various Internal and External Security Audits.
• Define key baselines and Secure Configuration documents for I.T and telecom devices.
• Sophisticated Tracking and Forward-looking Reporting of issues specific to ISO27001, Internal SAS controls and other general compliance using multiple SIEM and using manual Correlation. Showcasing such reports on regular basis to top management, viz: CISO.
• Creation of reports and a Security Improvement Plan & Risk Tracker of known and unknown potential threats.
• Owner of Several KPI’s including Antivirus, SOC and security devices compliance (SCD’s/device hardening), Server Hardening, ensuring secure devices delivery before go-live.
• Proactively executed audit and assess threats, risks, and vulnerabilities from emerging security issues, publishing security Advisory, newsletter for technical groups and domain leaders and updating them on daily basis for the latest vulnerabilities.
• Identifying the Risk and Information Security requirement of the Organization, Designing Information Security framework for the organization, identifying the current risks and bringing about mitigating controls through process and technology.
• I was responsible for Designing, setup and Leading SOC team members through the distribution of requirements, managing project requirements, and establishes development time lines. Managed process and acted in the lead role for computer security incident response team and suggested appropriate countermeasures in Incident cases.
• Designed architecture level Internet filtering solutions “Websense” for Internet Infrastructure and gateway security.
• Leading team for Vulnerability Assessment for the entire server infrastructure of datacenter included host OS like Unix, Sun Solaris, Linux and Microsoft Windows OS, Identified and recommended remedial measures to mitigate the findings, like unpatched servers, Server and service misconfigurations, and secure firewall configurations on network end to protect the Infrastructure.
• Mentored and trained engineers on security concepts like server hardening, Linux Server Security, Rootkits, firewalls, wireless security and other project activities.

Project 2:

Consulting Project for African clients regarding Security and Hardening of Wintel and UNIX servers for telecom project along with secure configuration of deployment for Juniper and Websense gateways.

GIP- General Intelligence Presidency - Information Security, Riyadh, Saudi Arabia


• Procedural Qualitative Risk analysis for GIP Infrastructure and applications using CRAMM tool (CCTA Risk Analysis and Management Method).
• Technical Risk Assessment of the Entire GIP identifying Vulnerabilities in GIP Infrastructure, Threat modeling, conducting Threat and Vulnerability Assessment for organizational information and technological assets.
• Penetration Testing of various LAN, WAN components of GIP.
• Comprehensive Risk Assessment using CRAMM software, assisted in translation of procedural questionnaire to Arabic language for the local teams to understand based on which periodic audits and GAP Analysis where carried out.
• Designing Information Security framework for the GIP, Identifying the current risks and bringing about mitigating controls through process and technology.
• Identifying new security solutions applicable to the GIP to enhance the security posture of the organization.
• Assess, recommend and coordinate Compliance, Legal and regulatory requirements related to IT Systems.
• Framing of policy, procedures, guidelines and baselines with reference to GIP infra.

Others:

• Checklist based audits and GAP analysis for various clients.
• Penetrating projects for Servers, Network Infra, Web Applications, etc.
• Preparing power presentations for management using SIEM and threat reports.

Achievements:
• Executed a Blackbox and Whitebox Peneteration testing project in Coventry, UK for a Tourism agency, identifying major security loopholes in external and internal applications.
• Secondary assignment for a US based EVDO security testing (mentioned below) : All tests were carried out on a controlled LAB environment, based on team recommendation and further protocol based testing these devices were brought into production by the company.
o Security Audits of the EVDO LAB, each and every single component.
o Vulnerability scanning and exploiting the vulnerable services.
o Service Fuzzing to find vulnerabilities in the device.
o DOS and DDOS attacks on the lab components.
o Review of post attack logs.
o Writing and developing test cases as a part of DTFT (design testing and future testing) team.
o Lab monitoring and alerting.

Tools and Technologies :
Nessus, Nmap, Nikto, Acunetix, Appscan, TFN2K, Stacheldhrat, Trinoo, IDSwakeup. Any available tool that we can lay our hands on for ethical hacking purposes.

Key Technologies : Designed and Deployed Security and Network Infrasctructure, Worked on vendor products like Watchguard, SurfControl, ISA Server, Avast ADNM, Trend Micro, Nessus, Nmap, Window and Linux Hardening, CRAMM, Vulnerability Assesment, Nessus, Retina, etc.

I participate in several projects right from system administration to Security Product deployment like Firewall, IDS & IPS, etc. intensifying my knowledge in the field of Information Technology. I also carried out VA projects for our clients.


Key Skills learnt :
+ Microsoft Active Directory architecure.
+ Cisco Routers and Switches.
+ Firewall Deployments, Checkpoint, Watchguard, ISA Server, etc
+ IDS/IPS Deployments, ISS Proventia, ISS Real Secure, Snort, etc.
+ SPAM Filters, Surfcontrol, Websense etc.
+ Messaging Solutions.
+ Antivirus technologies
+ Content Filtering, Websense and Surfcontrol Web Filter.
+ Vulnerability Assessment, Nessus, Retina and GFI languard.
+ CRAMM.