Cyber-security professionals defend our data in different ways: They monitor the online world using specialized cryptography techniques to keep data secure, patrol computer network traffic for malware and Trojan viruses, even hack systems to scan them for vulnerabilities that could be exploited by cyber criminals.
According to the “Second Quarter Threat Report” for 2016, released on 1 September by security solutions provider Quick Heal Technologies, malware attacks on social networking sites are likely to increase in the near future. “By 2018, it is estimated that there will be about 2.55 billion users on social networks. With such a sheer volume of user interaction, such sites are only easy targets for online scammers and cyber criminals,” says the report, adding that banking malware is going to be a concern as well in the coming days for users of mobile Internet banking. “With almost all banks developing dedicated apps for banking, hackers are going to leverage this as a lucrative opportunity to trick users and generate illegitimate cash to further fuel their nefarious intentions,” the report states.
We spoke to two cyber-security experts, who tell us what drew them to the cyber world and why thinking like hackers helps them stay ahead of the criminals and pranksters.
Shashank Kumar, 20, Vellore
Part-time bug bounty hunter, and security consultant and developer at Binary.com
When I was in class IX in Sainik School in Rajgir, Bihar, I joined a hackers’ group called Indishell. We called ourselves the India Cyber Army (unofficial, of course), and would spend all day online. After the 26/11 Mumbai terrorist attacks, we hacked Pakistani websites, changing the front page of the government websites to display the message, ‘What you did was wrong’, so when anyone logged on, all they would get were these words,” says Shashank Kumar.
“Now I realize that was actually stupid. We were not contributing anything to our country. Instead, we didn’t have a life; we were very bad in school studies and our careers were ruined,” he adds.
How he got here: Kumar moved to Delhi to pursue his studies in classes XI and XII, and prepare for the Indian Institute of Technology Joint Entrance Examination (IIT-JEE). “But I found the IIT-JEE tutorial classes really boring. It didn’t matter if anyone really understood the concepts or if there were any practical applications to them,” says Kumar.
Then he went down with jaundice and had to miss two months’ classes. “I realized there was no way I would qualify for IIT. So I decided to switch back to hacking instead of preparing for engineering exams. I was living in Delhi those days as a paying guest. I stopped attending classes and used to sit at the computer all day,” says Kumar. It was around this time that he first heard of “bug bounty” programmes, in which technology companies like Google and Facebook pay hackers to discover vulnerabilities in their systems.
By 2013, around the time of his class XII exams, he had become an expert “ethical” hacker, but since he had fallen behind in his studies (he scored 69% in his class XII exam), he had to surrender his laptop and broadband connection to his parents. He failed to get admission in college that year and had to spend the next year preparing again for his IIT-JEE—this time in Kota, Rajasthan, minus his laptop.
In 2015, he gained admission to the bachelor of engineering programme at the Vellore Institute of Technology (VIT). He got back his laptop and was able to restart his hacking career, working during the night and on holidays, and studying at the institute during the day.
A day at work: Kumar spends most of his day in class—attendance is compulsory. “Since I work late, often till 4am, I take the afternoon slots for class whenever I can,” says Kumar. He returns to his sixth-floor hostel room by 6pm, after tea and snacks, and opens his Mac laptop, which he bought recently with his earnings as a bug bounty hunter.
“I spend the first few hours before dinner on Binary.com (an online platform for foreign exchange trading) work,” he says. The work involves making security assessments of the trading platform. Kumar also runs the firm’s bug bounty programme, which challenges outsiders to “hack” the company’s systems. If they manage to penetrate the computer systems owing to weaknesses and vulnerabilities, they are paid for exposing those flaws, which are then rectified or “patched”.
Kumar believes he is good at this kind of work. “I have worked as a bug bounty hunter for so long that it feels good to be on the other side, receiving reports of computer bugs from hackers,” he says. He is responsible for checking the authenticity and seriousness of each vulnerability that is reported.
After dinner at the hostel mess, Kumar resumes his Binary work. In between, he checks his Twitter feed or reads articles related to hacking.
Skills needed: “The ability to research, to keep up with technology by reading for 2-3 hours every day, and to have patience,” says Kumar.
What he loves about his job: “That my hobby is my job.”
What he would change: “Nothing.”
One decision he would make differently: “I gave up my laptop in 2013-14 and moved to Kota to concentrate on my studies. I used to get invites on my phone to participate in bug bounty programmes. I could do nothing about them. That was a great opportunity I missed—2014 had a lot of bug bounty programmes, and I could have earned about Rs.1.5 crore if I had worked that year,” says Kumar.
Compensation: Kumar earns around Rs.6 lakh a year at Binary.com. In addition, he earned around Rs.10 lakh last year from different bug bounty programmes. This amount varies from year to year.
Arshad Sayyad, 45, Bengaluru
Managing director, cyber ecurity (global delivery network), Accenture
There are only two types of enterprises—those that have been breached, and those who don’t know they have been breached. There is no third—everybody has been breached by some attacker, by some malware, by some Trojan software,” says Arshad Sayyad, who has immersed himself in all matters related to cyber security, reading books, blogs, even logging into the deep Web (the part not indexed by traditional search engines). Here, he uses the handle “ncc1701”, which sci-fi geeks will recognize as the registration number of the starship Enterprise in the iconic Star Trek series.
How he got here: Sayyad completed his engineering in computer science from the University of Mumbai (1993) and has a master’s in business administration from Carnegie Mellon University, US (1998-2000). He has worked with Cognizant Technology Solutions (2001-04) in New Jersey, the management consulting company Capgemini (2004-06) in Chicago, and Wipro (2006-12) in Chicago and Dallas. He joined Accenture in Bengaluru in 2012.
A day at work: Calls with customers in the Asia-Pacific region may start as early as 8am, and Sayyad takes them at home after his morning game of badminton.
Customers, mostly the chief information or chief security officers of Fortune 2000 companies across the globe, often visit him in Bengaluru. Sayyad plays host and they spend most of their day reviewing security strategies. Later in the day, he may work with operational teams on different Accenture programmes, like “penetration testing” for companies, looking for vulnerabilities in systems. His day rarely ends before 8.30pm.
Hi wife, a paediatrician at Bengaluru’s Jivika Hospital, reaches home before him, and spends time with their children, 11-year-old Armaan (who is learning to code in Python, a programming language) and nine-year-old Ayaan.
Skills needed: “Everybody thinks software is the solution to security. The average US enterprise has 23 different kinds of protective software. What is important, however, is the skills to interpret the data, with a specialized knowledge of different cyber-security systems, like the Palo Alto Networks,” says Sayyad. “Companies will have to change from the defence mindset to a ‘hunting’ mindset, so a knowledge of predictive analytics, which helps predict cyber threats, is important,” he adds.
What he loves about his job: “That you are constantly learning, and that every client teaches you something new,” says Sayyad.
What he would change: “I wish knowledge-sharing could be faster. At Accenture, we have acquired the Israeli cyber-security firm Maglan and the Australian identity and access management firm Redcore, and our experts do collaborate over virtual technologies, but I wish all this process could be much faster,” says Sayyad.
One decision he would make differently: “I would have come back to India three-four years before I did (in 2012),” he says, for he believes it would have helped speed up career growth.
Compensation: At senior levels, the salary could vary from Rs.1-2.5 crore a year.
Every month, we explore a profession through the lives of professionals at different stages in their careers.
Tell us which profession you want to know more about at firstname.lastname@example.org