Author: DKALYA

It Starts With a Simple Question

Today, a family friend asked me, “Is it okay if I email a copy of my passport to this small business? They need it for registration.” A few weeks ago, another friend reached out—this time, asking whether it was safe to send their Social Security Number and driver’s license via email for some ‘official paperwork.’

These are not isolated incidents. These are smart, thoughtful people, just trying to get things done—sign up for a program, submit documents, move life forward. But they’re also unknowingly exposing themselves to serious risks.

That’s when it hit me: this problem is everywhere. From small businesses to afterschool activities, visa agents to insurance brokers, people are regularly asked to send highly sensitive documents over insecure channels. And most of the time, they do it, because they don’t want to delay the process or seem difficult.

This article is for them and for all of us. It’s time we talk about why sending your SSN, passport, or ID over email or WhatsApp can be a terrible mistake, and what safer alternatives look like.

How We Got Here
We’ve normalized risky communication habits without realizing the potential consequences.

  • Emails for Everything: Schools, doctors, after-school programs, and visa agents regularly ask for SSNs, IDs, and documents over email.
  • Messaging Apps as a Crutch: WhatsApp and Facebook Messenger are often used to exchange documents. Even when the chat itself is end-to-end encrypted, the file then sits on the recipient's phone and in their chat backups indefinitely and can be forwarded with one tap, which makes these apps a poor place for identity documents.
  • Shared Email Accounts: Small businesses (especially local gyms, afterschool programs, and mom-and-pop shops) may use a single shared email account—leaving your personal documents open to whoever logs in.

Why It’s Dangerous
What feels like a simple action could expose your most personal information to attackers.

  • Exposure in Transit: on public or compromised Wi-Fi, anything that is not encrypted end to end can be read by whoever controls the network. Modern mail clients and WhatsApp do encrypt the hop to their own servers, but email is relayed between providers with only best-effort encryption and is stored in the clear in every mailbox it touches, so the lasting exposure is the copies that land in inboxes, sent folders, backups and forwards.
  • Email Account Compromises: if the recipient's inbox is phished or hacked, every SSN and ID scan ever emailed to it is exposed at once, including documents sent years ago that nobody deleted.
  • Reused Credentials: many small businesses and agents reuse one password across services, so a breach of an unrelated site can hand an attacker the mailbox that holds your documents.

Real-World Consequences
When your data lands in the wrong hands, the damage isn’t just digital—it’s personal and financial.

  • Identity Theft: SSNs are gold for cybercriminals—they can open credit lines, file false tax returns, and more.
  • Medical Fraud: Using your SSN and personal details, someone could receive healthcare under your name.
  • Immigration Scams: Agents asking for passport and visa information via email have been known to sell or mishandle documents.

Industries That Have Secure Guidelines (But Still Fail)
Even regulated industries fall short when individuals or agents take shortcuts.

  • Medical (HIPAA): HIPAA requires safeguards for health information in transit, which is why providers offer patient portals and encrypted messaging, yet many front desks still ask patients to email records and ID scans.
  • Finance (PCI DSS): PCI DSS requires card numbers to be protected with strong cryptography before they travel over email or chat, yet small tax and billing offices still ask for full card details (and SSNs, which PCI DSS does not even cover) over plain email.
  • Immigration & Legal: Agencies know better but commission-based agents often bypass safeguards to close a deal quickly.

Why We Still Do It

Even when we know better, we often give in—because getting things done feels more urgent than staying secure. We want to move forward quickly: book the ticket, start the class, submit the paperwork, or get approved without delay. The person asking for our documents may seem professional enough, or we assume “everyone else is doing it, so it must be fine.” On top of that, there’s often a subtle pressure to not be the difficult one—so we stay quiet, comply, and send off highly sensitive information without a second thought. Unfortunately, that’s exactly what bad actors and poor systems rely on.

So What Can You Do Instead?

You have safer options, you just need to know how to ask for and use them. Most organizations today have secure systems in place, even if the person you’re dealing with doesn’t mention it upfront. Always ask for a secure portal or encrypted submission method. Many institutions offer these but rely on the user to request them.

If no portal is available, the next best option is to encrypt the document yourself before it leaves your device. Proton Mail can send a password-protected, end-to-end encrypted message to a recipient on any email provider. A OneDrive or Google Drive link shared only with the recipient's own account (not "anyone with the link"), with an expiry date where the service supports one, is another option, and it lets you revoke access once the document has been collected. (SecureDrop, which sometimes appears in such lists, is built for anonymous submissions to newsrooms and is not a general-purpose file-sharing tool.) A password-protected ZIP file only helps if the tool uses AES, for example 7-Zip with AES-256 selected; the legacy "ZipCrypto" scheme that many tools still default to is breakable and should be treated as no protection at all. GPG's symmetric mode or age are good alternatives for encrypting a single file. Whatever you use, send the password through a separate channel, such as a phone call or a text message, never in the same email thread as the file.
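To make the ZIP caveat concrete, here is an added example (not code from the original post) that reads a ZIP archive's central directory and reports, per file, whether it is unencrypted, uses legacy ZipCrypto, uses PKWARE's "strong encryption" flag, or uses WinZip-style AES (compression method 99 plus the 0x9901 extra field, which carries the key size). The sample archives are constructed in memory: the "encrypted" ones are plain archives whose header fields have been patched to claim ZipCrypto or AES, so only the classification logic is exercised and nothing is really encrypted. The file name and contents are made up for the example. Standard library only.

```python
"""Report how each member of a ZIP archive is protected.

Added example for this post, not code from the original page. Standard
library only. The sample archives at the bottom are constructed in memory
(headers patched, nothing really encrypted) so the script runs offline.
"""
import io
import struct
import sys
import zipfile

# Values from the ZIP application note (APPNOTE.TXT) and the WinZip AES spec.
FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0: member is encrypted
FLAG_STRONG_ENCRYPTION = 0x0040  # bit 6: PKWARE "strong encryption" (SES)
METHOD_AES = 99                  # WinZip AE-x marker; real method is in the extra field
AES_EXTRA_ID = 0x9901            # WinZip AES extra-field header ID
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}


def aes_key_bits(extra: bytes):
    """Return the AES key size declared in a 0x9901 extra field, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            # body: vendor version (2) | vendor ID b"AE" (2) | strength (1) | real method (2)
            return AES_STRENGTH_BITS.get(body[4])
        pos += 4 + size
    return None


def classify_member(info: zipfile.ZipInfo) -> str:
    """Label one member: 'none', 'zipcrypto', 'pkware-ses' or 'aes-<bits>'."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == METHOD_AES:
        bits = aes_key_bits(info.extra)
        return f"aes-{bits}" if bits else "aes-unknown"
    if info.flag_bits & FLAG_STRONG_ENCRYPTION:
        return "pkware-ses"
    return "zipcrypto"  # encrypted flag set, no AES marker: legacy, breakable scheme


def classify_zip(zip_bytes: bytes) -> dict:
    """Map member name -> protection label, reading only the central directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: classify_member(info) for info in zf.infolist()}


def acceptable_for_sending(zip_bytes: bytes) -> bool:
    """True only if every member is AES-encrypted with a known key size."""
    labels = classify_zip(zip_bytes).values()
    return bool(labels) and all(
        label.startswith("aes-") and label != "aes-unknown" for label in labels)


# ---- constructed fixtures (not real documents, not really encrypted) -------
SAMPLE_NAME = "passport-scan.pdf"          # assumed file name for the example
SAMPLE_DOC = b"constructed sample bytes, not a real document"


def _patch_central_directory(zip_bytes: bytes, flags: int, method: int) -> bytes:
    """Overwrite flag bits (+8) and method (+10) of the first central-directory
    entry so the archive *claims* a given encryption scheme. Fixture only."""
    data = bytearray(zip_bytes)
    cd = data.index(b"PK\x01\x02")           # central file header signature
    struct.pack_into("<HH", data, cd + 8, flags, method)
    return bytes(data)


def build_plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(SAMPLE_NAME, SAMPLE_DOC)
    return buf.getvalue()


def build_zipcrypto_like_zip() -> bytes:
    return _patch_central_directory(build_plain_zip(), FLAG_ENCRYPTED, zipfile.ZIP_STORED)


def build_aes_like_zip(bits: int = 256) -> bytes:
    strength = {128: 1, 192: 2, 256: 3}[bits]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo(SAMPLE_NAME)
        # WinZip AE-2 extra field: ID, size=7, version=2, "AE", strength, real method
        info.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE",
                                 strength, zipfile.ZIP_DEFLATED)
        zf.writestr(info, SAMPLE_DOC)
    return _patch_central_directory(buf.getvalue(), FLAG_ENCRYPTED, METHOD_AES)


if __name__ == "__main__":
    if len(sys.argv) == 2:                                  # inspect a real attachment
        with open(sys.argv[1], "rb") as fh:
            archive = fh.read()
        for name, label in classify_zip(archive).items():
            print(f"{label:12} {name}")
        print("OK to send" if acceptable_for_sending(archive) else "re-encrypt before sending")
    else:                                                   # demo on the constructed fixtures
        for title, archive in [("plain", build_plain_zip()),
                               ("zipcrypto", build_zipcrypto_like_zip()),
                               ("aes", build_aes_like_zip())]:
            print(title, classify_zip(archive), acceptable_for_sending(archive))
```

Run it against a real attachment by passing the path on the command line; with no argument it runs on the constructed fixtures. A "zipcrypto" result means the archive should be treated as unprotected, and anything other than an "aes-" label is a reason to re-encrypt with 7-Zip's AES-256 option, GPG, or age before sending. The check reads headers only: it says nothing about how strong the passphrase is or how it was shared.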

Also, be cautious about the network you use. Avoid shared or public Wi-Fi when sending sensitive documents, and always use a secure, trusted device. Most importantly, don’t be afraid to demand better. Whether you’re dealing with a tutor, immigration agent, or afterschool program—politely ask for a secure alternative. Your personal information is worth protecting.

How to Push Back (Respectfully)

It’s absolutely okay to ask for better—doing so not only protects you but also helps raise the standard for everyone. If someone asks you to email your SSN or ID, you can simply say:

This small statement is powerful. It signals that you’re aware of the risks and encourages the person or business to rethink how they handle sensitive data. And remember, if they mishandle your personal information, it could become a legal or reputational liability for them too. By speaking up, you’re not being difficult—you’re being responsible.

Packt Publishing Ltd: Book Release by Durgesh Kalya – July 2025 Pre Order Available Now.

Originally intended as a personal documentation of my knowledge and research on the often-overlooked yet vital area of incident management, this book has grown into a comprehensive resource aimed at elevating awareness and preparedness for cyber threats in industrial control systems (ICS) and critical infrastructure. It simplifies complex ICS challenges, emphasizes the importance of coordinated incident response, and equips professionals with practical tools, techniques, and training exercises for real-world application. Designed to empower both new and seasoned professionals, this book also highlights the collective efforts in the field of ICS cybersecurity, offering a structured approach to safeguarding organizations against evolving threats. Pre-order now to secure your copy and enhance your ICS cybersecurity skills ahead of its July 2025 release.

Industrial Cyber: Addressing OT cyber risk management threats and attacks with risk registers and tabletop exercises

Understanding the Importance of Risk Registers in OT Cybersecurity

OT cyber-risk encompasses a wide range of threats and vulnerabilities that can disrupt industrial operations, lead to financial losses, and even pose safety hazards. Risk registers are essential tools in managing these OT cyber risks, offering a structured approach to identifying, assessing, and prioritizing the risks that could affect an organization’s OT environment.

In a recent discussion with Industrial Cyber, cybersecurity experts shed light on the crucial role of maintaining risk registers in OT cybersecurity. They also explored how often these registers should be reviewed and updated to stay effective.

Marco (Marc) Ayala, President of InfraGard Houston Members Alliance, emphasized the foundational role of risk registers in ICS/OT cybersecurity. He stated, “A risk register is indispensable for identifying, assessing, and prioritizing risks that could impact operational technology. By maintaining this register, organizations ensure they systematically address potential vulnerabilities and allocate resources where they are most needed.”

Ian Bramson, Vice President for Global Industrial Cybersecurity at Black & Veatch, highlighted the importance of a risk-based approach to cybersecurity. “Companies have limited resources to keep up with a constantly changing threat environment. A risk-based approach to cyber is key to optimizing security posture and effectively investing resources. Developing and managing a strong risk register is essential for adapting to evolving threats.”

Durgesh Kalya, Network Security Expert at Covestro, further elaborated on the critical role of OT in ensuring business continuity, particularly in the process industry. “Operational Technology (OT) is a crucial enabler for automation and is closely linked to the license to operate, as many environmental and monitoring systems fall under OT. It’s vital for organizations to clearly define what constitutes OT within their specific context, as this can vary widely.”

Sinclair Koelemij, an ICS security professional, outlined the multiple benefits of maintaining a risk register in OT cybersecurity. He noted that it provides a comprehensive view of potential risks, enables prioritization and mitigation, ensures accountability, aids in regulatory compliance, supports informed decision-making, assists in incident response and recovery, and fosters continuous improvement in risk management. By maintaining a risk register, organizations can manage risks on a daily basis.

This conversation underscores the significance of risk registers as a foundational element of effective OT cybersecurity, helping organizations navigate the complexities of protecting their critical infrastructure.

iSMG – govinfosecurity.com on Robust Incident Management for Critical Infrastructure

Full Interview: https://www.govinfosecurity.com/robust-incident-management-for-critical-infrastructure-a-25373

In an interview at the Cyber Security for Critical Assets USA Summit, Kalya addressed the importance of robust incident management frameworks, collaboration between organizations and ICS vendors, and the need for understanding and segmenting systems to mitigate ransomware risks. To view the video and the original excerpt of the interview with Tom Field, check out the link: https://www.govinfosecurity.com/robust-incident-management-for-critical-infrastructure-a-25373

Ensuring the security of critical infrastructure necessitates managing both legacy systems and emerging cyberthreats. Durgesh Kalya, an OT network security expert at Covestro LLC, emphasized the necessity of integrating the incident command system, the emergency-management structure that FEMA and the Department of Homeland Security standardized under NIMS, with industrial automation systems. This integration promotes active participation and collaboration among industry stakeholders.

“Essentially, everyone is a cybersecurity engineer because they work on computer systems. It’s not possible to update software on hardware that is decades old; modern hardware and equipment are required,” Kalya explained.

Field, T. (2024) Robust incident management for critical infrastructure, Government Information Security. Available at: https://www.govinfosecurity.com/robust-incident-management-for-critical-infrastructure-a-25373 (Accessed: 02 June 2024).

Picking up on Cybersecurity Skills

Maximizing Your Cybersecurity Learning Potential

Are you aiming to become a cybersecurity expert but finding your learning progress slower than you’d like? I recently found inspiration in a valuable concept presented by Elizabeth, a medical student, in her informative YouTube video titled “You’re Not Slow: Become a Speed Learner in 20 Minutes” (Source: https://youtu.be/_wzJnWCBWkI?si=hnskSM0k4tWFFtTv). I’ve adapted her idea to help you accelerate your journey toward mastering Cybersecurity.

Here are some key insights, influenced by Elizabeth’s wisdom, to expedite your Cybersecurity learning:

Building a Strong Foundation: Start by establishing a solid knowledge base.
Ask yourself:
What are the core principles of Cybersecurity?
Why are these principles crucial?
How do they underpin secure systems?
What practical skills can I immediately apply?
Where can I further deepen my understanding?

These questions will assist you in setting realistic goals and reducing frustration due to slow progress.
Below are what I consider the basics; you should be familiar with these concepts.

Mastering Fundamental Concepts:
Never underestimate the importance of foundational concepts. Even experts revisit them regularly.
Inquire:
What are the essential Cybersecurity concepts?
How do these concepts differentiate experts from beginners?
How quickly can I grasp these fundamental principles?

A strong grasp of the basics is key to expediting your learning.

  • Networking: A basic understanding of networking is essential for understanding how cyberattacks work and how to defend against them. This includes understanding concepts such as IP addresses, TCP/IP protocols, and network topologies.
  • Operating systems: A good understanding of operating systems is also important for cybersecurity professionals. This includes understanding how operating systems work, how to configure them securely, and how to troubleshoot them when problems arise.
  • Security concepts: There are a number of core security concepts that are essential for cybersecurity professionals to understand, such as confidentiality, integrity, availability, authentication, and authorization. These concepts are the foundation of all cybersecurity measures.
  • Security tools: There are a number of security tools that cybersecurity professionals use to protect computer systems and networks. These tools include firewalls, intrusion detection systems, and encryption tools.
  • Risk management: Cybersecurity professionals need to be able to identify, assess, and manage risks to computer systems and networks. This includes understanding the different types of cyber threats, how to assess their likelihood and impact, and how to implement appropriate controls to mitigate them.

Categorizing Your Learning: Organize your Cybersecurity knowledge into distinct categories
Categorize:
Security Fundamentals: The critical foundation
Practical Skills: Immediate and applicable
Administrative Details: Necessary but of lower priority
Less Relevant Topics: Not your primary focus.

Prioritize your learning based on these categories for maximum efficiency.

Flexible Learning Approach: Break free from rigid learning structures.
Keep it Interesting:
Focus on topics within the Cybersecurity domain that genuinely intrigue you.
Don't be afraid to jump between domains; there is no particular order, only what interests you.

This approach will maintain your motivation and prevent getting stuck in less engaging areas.

Let’s embark on this journey to unlock our Cybersecurity potential together! I extend my gratitude to Elizabeth for inspiring this approach to learning. #CybersecuritySkills #SpeedLearning #InfoSec

IoT Security Foundation Announces first USA Chapter in Houston, Texas

In today’s interconnected world, robust security measures across IoT domains are more critical than ever, with threats to connected devices and systems constantly emerging. To combat these challenges, international collaboration is essential, and the IoT Security Foundation (IoTSF) is fostering global and local networks of experts through its chapters. The newly launched IoTSF Houston Chapter is led by four visionary founders: Durgesh Kalya (Covestro), Sameer Koranne (IBM), Roya Gordon (Nozomi Networks), and David Lancaster (IBM). Their mission is to advance IoT security practices and promote secure, resilient operations in this era of “Connected Everything.” The chapter’s first event, a webinar titled “Introduction to IoTSF Houston, TX,” will take place on June 1st. IoTSF invites organizations and professionals worldwide to join the mission and consider starting their own chapters, helping build a safer IoT landscape through collaboration.

More: https://iotsecurityfoundation.org/iot-security-foundation-announces-first-usa-chapter-in-houston-texas/

CISSP RESOURCES

If you are looking for the write-up of my CISSP experience, click here (PDF).


Useful Resources

Books:
ISC2 OFFICIAL CISSP Study Guide
Boson and Official ISC2 Practice Tests.
English dictionary. What would I do without you.


Online:
ITPROTV Accelerated Course ( and some Long Versions)
Destination certification Mind Maps (YouTube).
Computerphile Videos on various topics (YouTube).
Kelly Handerhan's CISSP exam tips (YouTube)

Last but not least, join a study group. There are plenty; the one I recommend is Certification Station (certificationstation.org). If you are looking for free discussions and sessions, join me every Saturday on Certification Station's Discord.
If you came here looking for old notes and videos, go to https://durgeshkalya.com/cissp-study/
Good luck.

Rainbow Secure: Mentoring and Cybersecurity by Tatia Zuloaga & Durgesh Kalya

Reflection on the Session: Mentoring and Cybersecurity by Tatia Zuloaga & Durgesh Kalya

In our recent session, Tatia Zuloaga and I explored the vital role of mentorship in cybersecurity. Tatia kicked off the discussion by highlighting her platform, Upnotch, and shared valuable insights on how and where to find a good mentor. She emphasized that a strong mentor can significantly impact one’s career trajectory, offering guidance, support, and networking opportunities.

I followed by discussing my own experiences with mentorship, both as a mentor and mentee. I underscored the importance of mentorship in cybersecurity, where staying ahead of evolving threats requires continuous learning and collaboration. We delved into how mentorship not only fosters professional growth but also strengthens the cybersecurity community as a whole.

The session was a great reminder of the power of mentorship, and how finding the right mentor—or becoming one—can open doors to new opportunities, knowledge, and career advancement in this ever-changing field.