Ethical Hackers: The Good Guys Protecting You before the Bad Guys Strike

Digital Transformation is a phenomenon that nearly every IT organisation that exists is onboard with it. When it comes to digital, one of the most intriguing aspects, which is now gaining prominence is cyber security. Unlike earlier, IT companies understand the importance of data privacy and having a strong cyber security fabric in an organization. Despite that, breaches and hacking incidents are often in the news. This makes one wonder as to why companies get breached despite having a strong cyber security system in place? The answers to this is that the hackers, widely referred to as the black hats or bad guys, are highly motivated because there is a lot of money involved in hacking. Nevertheless, the ethical hackers at Deloitte Cyber Intelligence Centre are putting themselves in the shoes of the hackers to show an organization where their weaknesses lie.

“Ethical hackers are the ones who take on the role of hacking into the environment as a good individual; as the person who can demonstrate where the weaknesses lie in an organisation which can be compromised,” says Mr Gautam Kapoor, Partner, Deloitte India. “Why are they called the good guys? Because they report back to the organisation on their vulnerabilities so that they can patch it up at the earliest,” he adds.

This kind of a proactive ethical hacking should be encouraged as changes in an organisation take place on a periodic basis. “Ethical hacking is more of a health check. We check for the vulnerabilities, patch them up and check again if it’s fixed. We could compare this exercise to that of a leaking pipe wherein you fix the leak, run water in it again to see if the leak has been fixed,” says Mr Shree Parthasarathy, Partner, Deloitte India.

Deloitte India has basically three threat hunting teams who proactively detect threats from both inside the organisation and outside by keeping a tab on patterns, anomalies and new exploits. The three teams are as follows:

Red Team: This team is basically of the ethical hackers who attack an organisation to see where their vulnerabilities lie. The team takes into account three core elements of a company namely the physical infrastructure, the humans involved with the company and the cyber/ digital/ IT aspect of the organization, which involves the internet, intranet and computer networks.

Blue Team: This team detects and responds to the Red Team activity, thus collecting a lot of cyber intelligence data, which is then analysed by Deloitte.

Purple Team: This team, which is a combination of red and blue, then assesses the vulnerabilities exposed by the Red Team and the remedial efforts of the Blue Team.

“This sort of ethical hacking is otherwise known as vulnerability assessment and penetration testing. This activity helps us stay ahead of the curve, and helps us recognize  zero-day or pre-day zero vulnerabilities,” says Mr Shree Parthasarathy.

The ethical hacking bit is just a small part of the activities conducted by the Deloitte Cyber Intelligence Centre. Several other undertakings at the centre include: Security threat monitoring, cyber threat intelligence, breach notification, incident response and management, cyber analytics, reverse malware engineering, forensics and infrastructure management.

Challenges Associated With Cyber Security in India

Considering the seriousness of the impacts a data breach can have on a company, every industry that exists must have a strong cyber security system in place. However, in India, there exists a few challenges as far as cyber security is concerned.

“There are some organisations that take cyber security seriously and there are few that don’t’. If you ask for my opinion, I would say the private sector is ahead of the game while the governmental organisations are still catching up. Nonetheless UIADI, and the defense sector are doing a good job at implementing cyber security,” says Mr Parthasarathy, while outlining on four challenges that exist in the space.

1. Cyber security is still playing the catch-up game in certain sectors.
2. The bad guys have a lot of money and are very organized.
3. There is no active collaboration between white hats or good guys. There needs to be a cohesive framework between the government, regulator private enterprise, and consultants. “Today if you take an Ebola virus breakout, everybody becomes aware and all pharmaceutical companies come together to retrospect on how to thwart it. Same needs to be done for cyber security. Some of the best practices in other sectors need to be applied here,” adds Mr Parthasarathy.
4. There is also a need to think out of the box, which is why consultants like Deloitte are in demand, he says.

Along the same lines, Mr Gautam Kapoor says that ‘Cyber by Design’ needs to gain prominence in the industry. “Anything that has a digital code is hackable, therefore cyber security needs to be built in right from the start. And as Shree said, we need to be ahead of the curve. To do this, intelligence sharing is absolutely imperative. The more we share the more we will be able to evolve,” he says.

Although the Government of India has made it mandatory to report every breach, the situation becomes tricky for consultants, says Mr Parthasarathy. “On the one hand we have a non-disclosure agreement with the client, and on the other hand there is this fiduciary responsibility. So the situation is tricky,” he adds.

As the fourth industrial revolution drives change and digitization at an exciting pace, it brings new technologies that are disrupting traditional ways of doing business, and new markets are being created. With every innovation the world becomes more and more digitally connected.

The realization is that the world is now becoming smaller and cyber is getting bigger, and it’s moving in multiple dimensions across multiple disciplines—beyond an organization’s walls and IT environments and into the products it creates, the factories where it makes them, the spaces where its employees conceive them, and where its customers use them. It is at the center of digital transformation.

The world is as transformative as cyber itself—and to be successful in this new era, organizations should embrace a “cyber everywhere” reality, according to Deloitte.

A recent survey known as The Deloitte 2019 Future of Cyber Survey, in conjunction with Wakefield Research, polled 500 C-level executives who oversee cybersecurity at companies with at least $500 million in annual revenue including 100 CISOs, 100 CSOs, 100 CTOs, 100 CIOs, and 100 CROs between January 9, 2019, and January 25, 2019, using an online survey.

From the results of this survey, Enterprise leadership is being called to align their priorities and work in concert to drive core business objectives. Cyber is everyone’s responsibility, says Deloitte.

Going Forward, Trends in the Cyber Security Space

Automation, artificial intelligence and data analytics will be intricately built into the cyber security processes. “OT and IoT space is very vulnerable, hence a lot of trend around this is going to play out. User behavioural analytics will also evolve as a trend. For example, a hacker wants to log into your system. All of us have a habit of pressing a unique key e.g. some may press the space or a mouse. This is your unique behavior. So for instance a hacker does something differently than what you do then it would be detected as an anomaly,” says Mr. Gautam.