Ethical hacking: Meet the James Bond of cyberspace!
ETHICAL HACKING presents plenty of challenges as new technologies evolve, and updating oneself is a must to survive
A little help from 24-year-old Sunny Vaghela goes a long way in helping the Ahmedabad police during investigations. It all began with an MMS case at his university where he was a third-year engineering student. “The university and police approached me to find the student who uploaded the video on a social media website where he had created a fake ID,” recalls Sunny, now Founder and Chief Technical Officer of TechDefence Consulting, which routinely assists in investigations involving cybercrime, a growing menace.
The recent password thefts at Yahoo and LinkedIn are examples of cybercrime on a global scale. Closer home, our own government’s website was defaced, as were those of several politicians. Computer Emergency Response Team – India (CERT-IN), a government nodal agency, acknowledges that even popular consumer programmes and browsers are vulnerable to hacker attacks. With more people and organisations becoming digitally savvy, information and data security is slowly but surely emerging as a lucrative career option. However, there is a shortage of trained professionals in this field.
Ethical hacking is legal
It is not a surprise that this breed is viewed with suspicion as the media has sufficiently highlighted the exploits of malevolent hackers. However, ethical hackers take prior permission from companies, organisations or individuals, and use their skills and knowledge of technology to expose loopholes and vulnerabilities in digital data and systems. They recommend solutions and submit reports, explains Sunny, who points out that ethical hacking is legally recognised. Furthermore, hacking is often referred to as “penetration testing”.
INTERNATIONAL HACKATHON The BIOS team from Amrita Vishwa Vidyapeetham recently attended an event by forum Positive Hack Days or PHD in Moscow
What ethical hackers do
The role of ethical hackers or Information Security Experts (as they are called in India) is to protect data and track unauthorised or malicious hackers, especially in sectors like IT, police services, defence, insurance and banking. “An ethical hacker usually focuses on one IT domain such as networking, operating system or cloud computing, and becomes an expert,” says Sangeet Chopra, Chief Technical Head at Cybercure Technologies. If a system is hacked into, ethical hackers resort to tests such as vulnerability assessment testing, application penetration testing, network penetration testing, security analysis, reverse engineering, malware analysis, security auditing, and also security management.
Good guys versus bad guys
“The hacker is the cyber James Bond, saving the system from malicious hackers who are trying to use their superior knowledge for illegitimate gains,” analogises Yogesh L, member of Random Hacks of Kindness (RHoK), an international community of professionals, which refers to its members as innovators and uses technology to create usable technology solutions for real-world problems. Besides security, ethical hackers can also help in creating new applications from the existing technology that could find its way to end users.
A knack to hack
Chopra, Sunny and Bangalore-based IT-professional Dolly Koshy got interested in the field during their school days. “My parents locked the computer with a password because exams were near. Since I wanted to check a social media site I had to crack into the system. Eventually, I hacked into it and got access to my computer,” recalls Chopra.
All ethical hackers are not engineers. Chopra did a BSc before taking up ethical hacking as a profession. But how important is a certification in this field? Chopra shares that many professional information security consultants believe that certification is not necessary to take up ethical hacking as a profession, though technical knowledge is imperative. On the other hand, a certification adds weight to your résumé, feels Vaghela. EC-Council, an international body, is authorised to provide certified ethical hacker (CEH) certification.
Founder & CTO of TechDefence Consulting
“In this field every day is a new challenge”
Q. Hackers get into the profession young. What about you?
A. I got curious in Class 9 when my e-mail account got hacked into. I began to explore but did not know there was potential for a career. So, I did Electronics Engineering but continue to update myself by doing new courses.
Q. So, how do you do ethical hacking for a client?
A. There are essentially two types of penetration testing (alternative name for hacking). One, white box testing, where the client gives me privileges that the company’s system administrator would get. I receive all passwords of firewall and other security software, and need to check if these are safeguarded enough. Two, black box testing where the company does not give me access or reveal passwords.
I only have the IP address through which I hack into the company’s system. Then I identify vulnerabilities in the security system and exploit them, then give a detailed report on how I managed to hack in and what steps need to be taken to resolve the security lapses. Black box testing is more in demand because companies need not divulge any info to us, that is, third party vendors. So, ask for black box testing first, then conduct white box testing to detect any coding errors. Companies often ask ethical hackers to train their employees so that they can handle and analyse any attacks in-house when updating their technology in future.
Q. What do you like about this profession?
A. I enjoy solving new challenges, and in spite of being a certified ethical hacker, I am constantly learning new things.
Expanding your skills
The Hyderabad-based Entersoft Information Systems is one of EC-Council’s accredited centres in the country. Nithyanand, co-founder of Entersoft, believes that having programming knowledge in C/C++ would prove to be advantageous in getting a better grasp of the course. IIIT- Allahabad provides a two-year MS degree in cyber law and information security. “The course teaches students about information security and the legal implications in it,” says Sunny, who conducts Certified Cyber Security Expert (CCSE) course.
In this field, practical knowledge is a must and certified courses have virtual labs. Here students are allowed to perform all kinds of experiments on fake websites. Dolly, nearly at the end of her 40-hour Certified Information Security Expert (CISE) course (Level 1), is learning not only how to prevent possible hack-attacks in her computer system but also how to protect her system once it is hacked. “I have come to realise how vulnerable you are on the Internet,” she says.
An upcoming vertical, the main purpose here is to crack into computer hardware, e-mails and other digital databases to retrieve data and establish evidence and digital signatures in criminal investigations. The government has made it mandatory to have cyber forensic reports submitted in any investigation.
Cell phone penetration
Smartphones have enabled several new uses through the concept of mobile apps, which are connected to the Internet. Many don’t realise the need to protect their cellphones with anti-viruses as they do for their laptop or PC. “These applications may have loopholes that can be compromised when installed,” says Nithyanand. Hacking techniques like SIM cloning or caller ID spoofing are used to hack into a known number from anywhere in the world and call you. “To overcome this problem, penetration testing must be done when the application is developed. Besides this, we can analyse a log on, how and when the phone was hacked based on forensics,” he adds.
technologies is our passion and hacking is a nice way to learn new ones. It felt great to demonstrate our applications to the judges. They were very impressed looking at the demo and their feedback made us feel really delighted”
A collaborative profession
RHoK, an international community of hackers that pool in their resources to collaborate on world-scale projects, has been organising weekend hackathons since 2010 in India where expert ethical hackers are invited. An eBlood bank was an outcome of one of them.
Corporates like AT&T, Google, Microsoft, Yahoo! and SlideShare, online hacker communities and universities routinely host ‘hackathons’, events where students and professionals can showcase their prowess and skills, network, win prizes and even find potential employers! Usually teams are asked to hack into the company’s software and create innovative technology.
Amrita University, Coimbatore, has been holding hackathons for students for the last two years, and will be hosting CTF (Capture the Flag style of ethical hacking) in the future. Teams will be given vulnerable machines, where they have to identify loopholes, fix them and capture the flags in other vulnerable machines. Teams who do this successfully are awarded points. Sheshagiri Prabhu, organiser and member of Team BIOS, feels that more universities should host hackathons, as hands-on experience is the best way to learn computer security and for students to enter the software industry. “Security and secure coding is a must in today’s world,” he says. Team BIOS has been actively participating in international hackathon contests, like the one by international forum Positive Hack Days in Moscow.
Recently, SlideShare (acquired by LinkedIn a few months ago), held its first hackathon exclusively for women hackers and programmers in the US and Delhi simultaneously. The organisers were pleasantly surprised to find eight teams of two each participating and all made innovative presentations at the end of the event. Adobe employees Bhavana Sardana, a computer scientist with the print technologies department and Reena Agrawal who works the InDesign, won the event in Delhi for developing Fixcity, a hack on live traffic conditions using Google Maps to improve the world during the daily drive to work. “We used Dreamweaver, Phonegap and Eclipse to develop the app,” says Bhavana.
LADY HACKERS India's first all-women event Developher Hackday LinkedIn in Delhi
Networking with recruiters
“There are many women developers in Bangalore and Hyderabad but we haven’t noticed many in Delhi. We thought this might encourage more women in technology,” explains Priyanka Rowthu, Asst Manager-Recruitment, SlideShare. In turn, it helps the organisers in recruiting skilled participants. “Apart from a strong academic record, having a technical blog or showcasing interest in technology gives the candidate an edge, during recruitment,” shares Priyanka.
Unlike other industries, the pay scale in this field entirely depends on your knowledge, skills and initiative. According to Nithyanand, Rs. 2-3 lakhs per annum is the pay package for freshers. However, Rajat Garg of Cybercure Technologies says depending on the projects, an ethical hacker can earn about Rs. 5-10 lakhs.
Stay ahead of the bad guys
“Constantly update your knowledge as soon as the technology updates itself. If you stop learning, your knowledge will be obsolete in no time,” Sunny advises.
Institutes and courses
Department of Criminology, University of Madras – MSc in Cyber Forensics and Information Security (Eligibility: Graduates in Comp Applications, Computer Science or IT, forensic, criminology or law); Diploma in Cyber Crime and Information Security
Gujarat Forensic Science University – MS Digital Forensics and Information Assurance (Computer Science or BE (computer/IT) or B.Tech); Certified Cyber Crime Investigator, Certified Cellphone Forensic professional, Certified Computer Forensic expert, Certified Cyber Security expert; PG Certificate Diploma in Cyber law
KJ Somaiya Institute of Management Studies and Research, Mumbai - PG Programme in Information Security Management
IGNOU – PG Diploma in Information Security; PG Certification in Information Security
IIIT Allahabad – MS Cyber Law and Information Security
Entersoft Information Systems, Hyderabad – Certified Ethical Hacker (CEH) certification and training course; Fee: Rs 35,000 (students get 10-15 percent discount); No Distance learning.
TechDefence Consulting, Ahmedabad - Certified Cyber Security Expert (CCSE); Fee: Rs 12,000; No distance learning
Cybercure Technologies, Delhi – Workshop on ethical hacking for corporate companies and engineering colleges in Certified Information Security Specialist
Cisco Networking Academy in 22 states offers a course in Security & Wireless LAN
CDAC, Mohali - workshops on Computer Inter networking, Network Security (practicing and aspiring networking professionals with a degree/diploma/graduates with one-year work experience in IT)
CDAC Hyderabad - Certificate in Network and Systems Security
CISAT (Centre for Information Security & Assurance Technologies) – In-house security awareness courses along with network security through collaboration with Network Associates’ Sniffer University
Manipal University - Certificate in Ethical Hacking and Information Security
INNOBUZZ Knowledge Solutions, Delhi - CISE: Diploma in Ethical Hacking