Recently, the website of Ankit Fadia, a well-known ethical hacker, was hacked by another group that goes by the name Team Grey Hat (TGH). The “hacktivist” group entered Ankit Fadia’s official site and exposed his credentials, including sensitive data, student details, database credentials (like name, user name & password). In a blog message, TGH also rubbished Fadia as a hacker, along with his courses.
Industry watchers, however, claim that the small (but growing) community of ethical hackers in India usually does not parade its skills against each other. “This incident of hacking into Fadia’s website is more out of the need to rubbish someone’s claims and not to show off skills against one another,” points out a security expert, who does not wish to be identified.
Ethical hackers are fast becoming a valued tribe in India. According to data from the Indian Computer Emergency Response Team (Cert-In), in November last year more than 800 “.in” websites and nearly 700 “.com” websites in India were defaced by miscreants. A good number of Indian sites, including a few government ones, are hacked by cyber criminals every year. This has spurred the demand for security professionals and white-hat hackers.
Global market intelligence firm IDC predicts the requirement of 188,000 security professionals by 2012. At present, the number of certified security professionals in India is estimated at 22,000 by the Cyber Security and Anti Hacking Organisation, while another report by Nasscom says that India needs about 77,000 ethical hackers every year.
As corporations and government organisations turn to ethical professionals who think and act like their black-market counterparts, there’s a steady rise in professionals like Mumbai-based Yash Kadakia, who started his experiments with ethical hacking in junior college. The 24-year-old, though he has not done any college or degree course on ethical hacking, went on to launch Security Brigade, an IT security solutions company, in 2006.
Professionals like Kadakia are called blue-hat hackers: typically people from outside the company, such as a computer security consulting firm, who bug-test a system or software, looking for exploits so they can be closed.
The industries most vulnerable to cyber-attacks, according to security experts, include BFSI, telecom, IT services and e-commerce, which have started hiring ethical hackers. “Many organisations are being forced by their clients to take security more seriously. Security is a very dynamic industry and the solutions need to be constantly tweaked. There is nothing known as a 100 per cent secure system. You may be very secure right now, but that does not mean you are always going to be secure,” says Fadia, who came into the limelight when a classified intelligence agency sought his help to break an encrypted message sent by one of Osama Bin Laden’s men in 2001.
K K Mookhey’s Institute of Information Security, for example, has clients from banking and financial institutions, insurance and investment, software, telecom and even petroleum. Some of them include Axis Bank, Bank of India, Bharti Airtel, Wipro, BPCL, ICICI Prudential and Tata AIG and Standard Chartered.
“Though BFSI sector hires more ethical hackers than others, because of the nature of transactions other sectors have also started having small teams. The teams usually consist of four to five people or even more, depending on the size of the company. This is because cyber attacks have become more prominent now,” said another security expert.
Becoming an ethical hacker is a multi-step process. Interested candidates need to have a network background, either a vendor certification or experience working in a networking environment.
Shomiron Das Gupta, founder member of Netmonastery, a company that provides solutions for monitoring and networking network attacks, acknowledges that the domestic market for ethical hacking has evolved over the years. “Yes, while only a few names like Ankit Fadia have come out in the public domain because of some good work accomplished at a very young age but the importance of this industry can be gauged by the fact that even the Indian government now recognises this field,” he says.
Security experts like Vijay Mukhi emphasise the lack of awareness around corporate data espionage that is hurting ethical hacking as a profession. “Most Indian corporations do not even register cyber crime cases. As a country, data gets lost at several points in India, but cases are not registered against the offenders. I believe that most individuals interested in ethical hacking are moving out, as there is neither a market nor any money in this profession in India,” he reasons.
The Institute of Information Security run by K K Mookhey and Cyber Security and Anti-Hacking Organisation offer short-term courses in ethical hacking for both corporations and students. Besides, Ankit Fadia also runs certified ethical hacker programmes and PG Diploma courses in cyber security.
Quality is what is lacking in the industry, according to industry experts. Dominic K, director, Technitics Consulting, a Delhi-based information security training and consulting firm, says, “There is tremendous scope for information security professionals, penetration testers and other computer security specialists in India. But for that we need to produce a much better quality of certified professionals across various domains of information security.”
Gupta of Netmonastery also adds that information security is one of the hardest industries for a long-term career, because of the need to be always on the front edge of whatever technology curve there is.