Every time we use our credit card online or make a payment for a purchase on Amazon we make ourselves vulnerable to a plethora of unknown threats.
But thanks to an army of professionals who think like criminals to defend us online, we are able to enjoy the numerous benefits of online transactions.
Today we talk to one such pathbreaker Tapan Jha, an Ethical Hacker who has to use his creative, analytical and problem solving skills to stay one step ahead of hackers and safeguard online systems from malicious hacking.
Tapan talks to Shyam Krishnamurthy from The Interview Portal about his roller coaster ride as an Ethical Hacker, working with Rajasthan Police’s Cybercrime cell, identifying vulnerabilities in the Pentagon’s website and solving Bug Bounties. Read on to get inspired …
Tapan, tell us about your background?
Till 10th class I did not know anything about computers. I had a keen interest in dancing and I wanted to become a professional dancer, as my elder sisters were good dancers who used to take part in school competitions and win many district-level competitions. They trained me in dancing. Till 5th class everything was fine with me. I did not even know what a computer was until I got admitted into a new CBSE school where every other child had a computer at home. We used to do computer practicals at school and that’s how I started taking an interest in computers. Since I did not have a computer at home, I used to go to a cybercafe and play lots of games for at least 4-5 hours daily. I scored 85% in 10th, so my father told me to prepare for IIT & AIEEE. Initially I was interested in AIEEE, but with time I felt that I wasn’t suited for that career. So I used to bunk my classes and spend time in cyber cafes.
I participated in a dance competition, but the Director Rakesh Pal (India’s Got Talent Session 1 Director) told me that since I was tall I should go for modeling or acting. Nobody in my family knew that I went for that competition, and suddenly after 15 days I got a message that I was selected for a short film and that the final competition would be held in Jaipur, for which I needed Rs 5000. I requested my father to allow me to go for the competition but he refused. Since my uncle was living in Jaipur, I went there for 1 month of training. In Jaipur I received an award for Rajasthan’s Best Model. My mother came for that event. It was really one of the biggest achievements in my life.
Then my father told me to come back for my 12th board exam. My childhood friend Sudesh Mathur helped me pass my 12th board exam.
How did you end up in such an offbeat, unconventional and fascinating career?
My father was a Supervisor in a Thermal Power Plant. He always wanted me to become a Mechanical Engineer, so I selected Mechanical Engineering. At college I met Miss Riddhi Soral and we both wanted to do something different. At that time we received a notice that a workshop on Ethical Hacking was going to be conducted in Jaipur. My father was very keen that I attend that workshop because he used to read news about cyber security and internet related crimes. That workshop was the turning point in my career, because I was so motivated after attending it and wanted to learn more. So I told my father that I wanted to do a complete course on Ethical Hacking. My father told me to do the course from Delhi because none of the institutes in Kota was providing the course. At our college in Delhi, though many students were interested in hacking, we didn’t learn much. Hence I started doing self study in Cyber Security and completed my three certifications in cyber security (CEH, CHFI, ECSA/LPT). After completing the course, my friend Riddhi and I came back to Kota to start our own institute. We used to travel to multiple schools and colleges in summer to promote our workshops.
Slowly we started getting workshop proposals from St. Mary College, NIT Kurukshetra, NIT Warangal, NIT Suratkal etc. We used to go there for workshops. At the same time I received a job offer from Mercury Solution Limited for Rs. 30,000/- per month when I was in 1st Year, but I declined it because I wasn’t suited for that kind of job. At the same time I worked on expanding my skills by doing different courses like CCNA, RHCE, PHP, MySQL, HTML, CSS, Python, Bash Scripting, etc.
I used to read good penetration testing and cyber security books. I used to study books all the time, while travelling by bus, car, train and flight.
What did you study?
I did my B.Tech in Mechanical Engineering from Rajasthan Technical University, Kota, Certification Courses (CEH, CHFI, ECSA/LPT, CCNA, RHCE, OSCP, ISO 27001 Lead Auditor, International EC-Commerce Law) and Diploma in Cyber Law.
What were the influences that made you choose this career?
My father guided me to become an Ethical Hacker and I found good mentors and colleagues in this field like Riddhi Soral, Anuj Ray Sir, Sir Prashant K., Atul Sir, Mathew Sir, Arvind Sir, Gaurang Kumar Sir and Dilip Singh Rajput Sir. They all treated me as their younger brother instead of an employee and I have huge respect for them in my heart. My mother always supported me in this field; she always told me everything would be fine after some time because it takes time to achieve stability in the Cyber Security field.
How did you plan the steps to get into the career you wanted? Or how did you make a transition to a new career? Tell us about your career path.
Basically I graduated from Kota Gurukul Institute of Engineering & Technology (Rajasthan Technical University) and I started my career when I was in 1st Year of engineering college. I used to deliver workshops and training. As a freelance trainer I trained industry professionals for 5 days. My job responsibility at Mercury Solutions Limited was to deliver corporate training for the Certified Ethical Hacker, EC-Council Certified Security Analyst, and Computer Hacking and Forensic Investigation programs to working professionals. At the same time I started delivering workshops and seminars in colleges with Sparklab Noida, Training Bulls Noida and many other companies which were associated with IIT. As a freelancer in cyber security, since I didn’t have a fixed job, I used to find bugs in websites and kept trying to improve my knowledge in whatever way would help me, for example, development skills, digital marketing skills, communication skills, documentation writing skills and presentation skills, because these skills are some of the most important aspects of the job. Hard work alone is not enough; you have to present your work well so that people can understand its importance. I found many bugs in government websites like Gujarat Government, Green Gas, etc. and responsibly patched those vulnerabilities with the help of their developers.
In 2015 the Pentagon released an open challenge for hackers who could hack their system. It could be a web application, a server or anything related to the Pentagon. Those who were successful in hacking would be awarded Rs. 1 Crore. So I passionately started working on it continuously for 4 days without sleep in my room and finally found 4 serious vulnerabilities and reported them. But later on they told me that this challenge was only for US candidates. Since it was not possible to earn just by going after bug bounties, I switched to various freelancer portals and also started connecting with people through LinkedIn and showing my work.
People used to test me to gauge if I was capable of doing their work. I used to tell them to give me a task to hack any system and I would show them my skills. This is how I started getting work. In the beginning it was very difficult for me to get opportunities because most companies were looking for people with at least 2-3 years of experience. But some companies put faith in me and started giving me work.
In this way I started getting connected with some Security Auditors and started working with them in their teams for Vulnerability Assessment and Penetration Testing.
I have done corporate training for CRISS, who manage the railways’ IT services. They have training every year in which all the senior professionals need to improve their skills and certifications as well. At Mercury Solutions I was involved in giving them CEH Training.
One of my clients belongs to Nigeria. He came to India for Cyber Security training, so I gave him training at Mercury Solutions, Gurgaon. He was really impressed by my way of teaching and wanted to set up some security solution in Nigeria, so we helped him set up a security consulting firm in Nigeria which he is running very well. Whenever he needs any support we provide it to him remotely.
I do training in Computer Hacking and Forensic Investigation. Since I have completed cyber law from Mumbai Law College, I used to solve pending, new and complex cyber crime cases of Kota Police. As we do mobile and laptop forensic investigation, investigating agencies want these kinds of services for their cases, so we help them in such investigations. My partner and I run a Cyber Crime Emergency Response Team around the globe and we secured 2nd position in India. This was published in Silicon India Magazine, because we promise to solve any case within a short period of time.
I also used to give lectures to Kota Police and help them to understand complex investigation methods of cyber crime, for example, how to investigate cases, how to track hackers on the Internet and how to preserve digital evidence.
Orange Business Services is managing a Bihar Government DataCenter project. As the auditor my responsibility is to check their router & switch configuration, protocol implementation, security, data transmission etc. We need to understand the whole scenario and do the network security audit. We need to see if there is any possibility of a hacker entering their network. We need to find vulnerabilities in their running system as well as show them how hackers can exploit them.
When you are planning to take up a career in cyber security you need to know each and every technology. You personally need to experience different things and also understand how things work. Only then can you find bugs in the designated system. So to become a network security auditor I needed to do a Cisco course, and then I started taking projects related to network configuration. This helped me practice on projects related to new switches and routers. I used to take up a few bank projects for network configuration because it’s a continuously growing field. So you have to be consistently updated with the technology to give your best services.
I also worked as a senior networking engineer at Flair. As a Network Engineer my work was to configure the bank’s network, implement new switches, routers, firewalls and servers, and also resolve any issues that arose during implementation, basically troubleshooting.
We have reported Bugs in Twitter, Flipkart, Snapdeal, Swiggy, Pentagon Security System, etc.
Recently we got a project from OPPO for their new RealMe Paysa mobile application. OPPO launched this only in December 2019. So Riddhi and I completed its security testing. We both are team leaders of the blue team hired by OPPO under our seniors. Our work is to find bugs in their mobile application while it is under development and to make its security better from the hacker’s point of view.
But “First Impression is the best impression” and I found this true in my life. Whatever work anyone gave me, I never thought of it as small work, big work, small budget, free, or big budget. I only focused on my quality of delivery; money doesn’t matter to me if the work is challenging. I am always ready to go that extra mile even if a company is paying nothing, because I have a strong belief that if they see my efforts they will definitely give me something.
Quality plays an important role in all my audits, workshops and seminars. I always make a commitment to companies not to pay me anything if they get less than 90% good feedback. I always go through the feedback not just to check if they will pay me but also to review the negative comments and try not to repeat those mistakes again.
I never compete with anyone, whether it be Ankit Fadia, Sunny Vagela or Mohit Tyagi, because I know my potential. I always compete with myself, to improve myself, my skills and quality. I do not even go to any hacker meets. I just focus on my work, that’s it.
Tell us about your training and workshops.
My way of teaching is not about writing on a blackboard but about explaining everything with real examples. Back benchers are always my favourite because in college/school I was also a back bencher and every teacher ignored me. I think back benchers have the power to do things out of the box; they have the power to take risks. They need someone to give them guidance, and that’s why when I give workshops and seminars in colleges, I teach back benchers on the playground, on the road and in the canteen, after college is over.
I want to share one incident which took place in the College of Agriculture & Business Management at Narayangaon, near Pune. I had started my class at 10 am but some students were shouting unnecessarily, so I stopped my class and went to the principal, saying I did not want to teach those students who did not want to study. So the principal came to the class and shouted at the students. He asked me to name those students who were making noise. I told the students who were disturbing the class that I wanted them to be in the canteen at 8 pm after my class was over. So I went to the canteen and waited for them, but no one came till 8:30 pm. I thought no one would come, but gradually they came to the canteen and I took their classes in the canteen till 11 pm. The next day they were the ones who were answering my questions in class. That is when I realised that they had the potential but needed guidance in the right direction.
My thumb rule is quality: whenever I deliver any workshop or training, or do projects, I never release my work till I am satisfied. I am very strict about the timings and the timeline for project report submission because I always want to do my work with 100% accuracy. I do not want to make any mistake in my work.
Because of this quality my clients stay with me, because I never give them a chance to complain.
What are the skills needed for a career in Ethical Hacking?
This profession needs patience, passion and continuous knowledge updates. I used to challenge companies’ information security and take on the challenge of hacking their systems. In this way I started getting work. I mainly focus on client satisfaction and quality of work. Firstly I started with network security, then web app security, then server security, then mobile app testing, then API Testing, SAP Security Testing, ISMS Audits, Cloud Testing, IoT Testing, and I also used to work with Rajasthan Police. My friend Riddhi Soral and I both used to conduct Cyber Crime related seminars in Police Stations. We are also working for OPPO, Samsung, RealMe, BMC, Bihar Government, etc. Not only that, we have developed a team of 50 Ethical Hackers and Secure Coders. We both have done a Cyber Law Diploma from Mumbai Law College and Indian Law Institute.
What were the challenges? How did you address them?
- Challenge 1: When you are working in this field, as your experience grows your expectations start increasing. But you have to be flexible in your services and charges. Many times when quality matters, experience plays an important role.
- Challenge 2: You have to update yourself on a daily basis because technology keeps on changing in a rapid manner. So you have to update yourself with the same speed. Otherwise you will be out of the market if you are working on old technologies, tools and techniques.
- Challenge 3: Companies need to complete their task within a short duration; they will not give you sufficient time to test anything properly, and a comparison will be made between your work and others’ work. It could be that you are working with quality and others are working just for formality, so their time to complete is less than yours. When a client compares both and says that their work takes less time than your work, they never consider the efforts and quality. But you have to stick with your quality.
Where do you work now?
I am working with Second Quadrant Consulting, Mumbai as a Sr. Penetration Tester & Ethical Hacker. My work is to do Website Security Audits, Mobile App Security Audits, IoT Security Audits, Cloud Security Audits, SAP Security Audits and Server Security Audits. We are given a list of websites, source code, server IP addresses, or a physical network, and our work is to understand the application logic and network diagram, map out the services running and how data gets processed, and figure out the vulnerabilities that any hacker could exploit, from the hacker’s point of view. It’s like you have a limited time period and you have to find bugs. So it’s a challenging job as well as the most interesting job, because you will face new problems daily.
Penetration Testing means you will be given a list of IP addresses or websites and you need to find a way through which you can penetrate the security of that application and get into it, compromising its data and security.
Vulnerability assessments do not make any impact, because in VA we need to do some configuration in automated software, and according to the environment we need to select the best one, which depends upon your experience. After running it, it will show you the vulnerabilities of the system.
Companies do Vulnerability Assessment in order to know if any weaknesses exist in their system. It is done through automated software which has predefined databases of vulnerabilities, against which it checks by entering some random data and analyzing the system response. In penetration testing, companies allow us to hack into the system and try to get some useful information and demonstrate to them how the weakness which was found in the vulnerability assessment phase can be exploited. We need to give them proof in terms of a POC (Proof of Concept).
What problems do you solve?
I am working as a Senior Penetration Tester and Security Analyst for OPPO, and running a partnership firm (ASD Cyber Security & Consultant, ASDN Cybernetics Inc. company) with Miss Riddhi Soral.
For jobs you need hands-on skills in Cyber Security. You can do CEH and OSCP for practical skills, but you need to do Networking as well as Programming courses to become an Ethical Hacker.
I have done lots of self study and also took training in cyber security, Computer Forensic, Networking, Linux, Programming.
What is it you love about this job?
The challenges in our jobs. You will be allocated a specific time period and no information is given about the target. Now it’s your challenge to hack that system, which makes it more interesting. I can spend 24 hours hacking a system without a break.
How does your work benefit the society?
Cyber Crime is increasing day by day so our skills are very special in the society. We need to help those people who really need our help. We like to help them and it gives us satisfaction in our job. Basically it’s not a job, it’s our life that we enjoy daily.
Tell us an example of a specific memorable work you did that is very close to you!
I solved the very famous murder mystery of the “Model Mansi Dixit Murder Case”, Malad, Mumbai.
That was not a cyber crime. But you have seen that in any crime, if mobiles and laptops are involved, the police need cyber experts to find important evidence in them. The police were not able to get into the accounts of Mansi and her murderer. They wanted to find out how they both came into contact, and this was possible only if they had access to their social accounts, which were locked by passwords. So I cracked those social accounts, which involved 10 Gmail accounts, 6-7 Instagram accounts and 2-3 Facebook accounts, to get the chats between both of them. In this way I was involved in the case with Malad Police, Mumbai.
Your advice to students based on your experience?
If you are planning to enter the field of cyber security, then you should cover each and every area like programming, networking, Linux and security; only then will you be able to achieve a lot of success. Try to join an academy where you can work on programming, networking, Linux, software, Android, cyber security and computer forensics, all together. Then you will get a good job in cyber security.
I have a private academy, “Super 30”, specially for hackers & coders, which is ASD Hacker & Coder Academy, where we train students according to market demand. We train students in Secure Coding, Secure Networking, Cyber Security, Computer Forensic Investigation, Web Security, App Testing, etc. We are collecting 30 passionate students from all over India and giving them 100% practical knowledge in Cyber Security, Programming, Networking etc. with 20+ live projects of MNCs. Every 6 months (Jan & July) we take 30 students for our “Super30” batch. It doesn’t matter how you score in school exams or college exams. It also doesn’t matter if you are 10th fail or 12th fail. What matters is whether a given target can be hacked by you or not. Practicals are more important than theory. Skills are more important than a degree.