Cloud Security Planning With An Ethical Hacker Aseem Shrey
TLDR;
- When a hacker reports a finding. We sometimes ignore it. It’s not wise to do so. Instead, Acknowledge and work with the Hackers to improve your Security Posture.
- In order to prepare an organization for potential data breaches or attacks, use a Data Driven approach and define clear Objectives.
- When starting your career in Security, always start small and get your hands dirty in various areas of Security. This will help you in finding the right path for your career.
Transcript
Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I am Purusottam, Co-founder and CTO of Cloudanix. Scale to zero is a forum where we collect questions from curious security professionals and in invite security experts to learn about their journey and also to get these questions answered.
Our goal is simple. We want to build a community where we learn about security together and we leave no questions, security questions unanswered.
So with that, let’s get started.
For today’s episode, we have Aseem Shrey with us.
Aseem works at Rippling as a security engineer. Prior to that, he was a senior security engineer at Gojek. He also hosts a video podcast called Hacking Simplified, where he covers topics around hacking and cybersecurity in general.
Aseem, thank you so much for joining me in this show. We are super excited to have you here.
Aseem: Thank you Purusottam. Thank you, Cloudainix, for inviting me. It’s a great opportunity.
Host: Absolutely, we love that you are here.
So let’s get started into the questions. Right? So I want to start with your podcast. You host a video podcast on hacking and cyber security in general called Hacking Simplified. Right. So I have a couple of questions here.
What made you decide to start a video podcast of your own? How did you start your journey? Any words of wisdom for anyone who wants to start or would want to start their own podcast around security in future?
Aseem: So I started around two years back when Covid started. It was May 2020, I think 9th May was the first day I uploaded a video. So it had been something like I love to teach people about things and all. I used to do this in my college, I used to have live seminar, webinar kind of thing and I used to teach there was after college. So I graduated from college in 2019 and then in 2020 Covid hit and I got a lot of time on my hand basically. So I already like those things. And when I looked up tutorials and when I was in my struggling phase, I got a lot of tutorials which didn’t work.
And after a few years or months you would say I got to know this thing when I read this, I understand that this won’t work because of this, but that realization or that understanding took almost a year or two after reading thousands of tutorials that don’t work. So I thought if I could just have a place where I could just create videos and start things which actually work. Because a lot of people that you find that those don’t work, people just go through it and once they sign their go, this doesn’t work, they start losing interest into cybersecurity and hacking. They feel that these adjustments or these don’t work, I don’t know what works and whatnot. So unless you are very motivated, you won’t be able to go through it after three months because a lot of these things you try that actually doesn’t work in the real environment.
So I wanted something where I could have something that works originally and that would be that is the way I started learning. And so it was not a very, what do you say, entertainment kind of thing like hacking WhatsApp or hacking this and that, because those things look good on videos but they don’t actually work.
So I started the part that would work, that’s how it started. Code was the reason I got time, so I could create videos I guess.
Host: One big advantage of covid, I guess, and I agree with you, like, some of the tutorials, either they don’t work or they are outdated sometimes, right? So you don’t see a lot of value from them.
Makes sense.
So you have been an ethical hacker for a while, right? Using your experience, can you tell us, like,
How an organization should respond to a communication from an ethical hacker whenever they report a finding?
Like, this is on the other side of the hacking, right? Like, when somebody reports a finding, how should an organization react or respond to it?
Aseem: I’ve been on both the side. So I realized as a hacker what I would expect from the organization and as an organization what they expect from the hackers. So as a hacker, what I feel is that the work that I did should have some recognition, they should maybe at least acknowledge it and have some response because it’s just the hacker would send an email, they won’t come straight talking to you because it happens that they tend to live in anonymity because they don’t know how the company would respond. Maybe the company would start taking legal action or something. So usually the communication that happens is they send an anonymous email with some saying that responsible vulnerability disclosure or something like that, that okay, we are doing this and there is some bug they don’t reveal the bug in the very first communication.
So I’ve seen a lot of organization, they just discard that mail and they don’t take it up seriously, which I don’t think is the right way. At least you should start communication, you should start gaining trust of the person that you as a responsible organization, you as a company who is willing to take your customers security seriously.
You are trying to do something on that front because if the hacker and the person who is trying to get this all, if they feel that you’re not basically interested in securing your own customers, you don’t know where that would go. If they are into the grave, you know where it could go. So I would say you should start a polite regular update. The very first thing is you should acknowledge that email and you should ask for more information. You should try to build a trust relationship because this whole thing starts with anonymity and might end with that person working for you maybe as a contract, anonymously or whatever way. So the way you proceed with the communication is very important and it’s very time sensitive also. And moreover in general sensitive as to how you respond to their comments, how you respond to their emails and all.
Because I’ve seen places like when I was working in my previous organizations, there were people who were not very fluent with English, there were people who are German hackers or Russian Hackers. they might not understand what you’re trying to explain. So it’s better to over communicate in that this is what we are trying to do. Can you please give a POC because they might have some broken English or the way you are trying to communicate, they might understand. So it’s better that you over communicate and try to build a trust relationship first, which one should be very quick, I mean like let’s say you got it today, if not have an automated email or something that acknowledges it and then make a written like an actual human person who can write it and send the communication in a day or two. That would be very good if you see that okay, so now you have done a few further few communications. Now you understand that okay, this is a real book and some general effort. It’s not a scanner that has been run.
So you can start creating bond and start talking to them more and getting how they try to exploit the whole thing. Because once you understand the exploit change you might figure out similar details in your other parts of the application so that is okay, towards the end you should always have some appreciation. If you’re not able to, let’s say reward in money or something, you can always reward in kind, maybe swag. If that’s not possible, you can have at least a bug bounty appreciation page and you can post it through your social media handles because everyone I’ve seen they like appreciation. Anyone who does the good work they would like to have appreciated. So that is a very cool thing. That’s a very basic thing that a company could do.
Host: It makes a lot of sense. Right. At minimum, you should not ignore, when you receive any notifications, any findings from any hackers and try to over communicate wherever necessary. Yeah, makes a lot of sense.
So in similar lines, right, we hear about data breaches, and ransomware attacks a lot nowadays.
So for a first-time Security Leader, How should they prepare? How should they plan or budget or even get the executive buying, right? So that they’re ready for any potential data breaches or ransomware attacks?
Aseem: I’ve been lucky to work with some of a very good leaders and I’ve seen them like the way they talk, the way they respond, that’s very good. And you mentioned that first time security leader. So it’s usually the people who become security leader they are usually very techy person and for them to convince someone it feels a very hard thing that how would I convince someone to give me a bill? Like asking money for something is a bit hard thing for them usually but I would say the way I’ve seen these people work the leaders that they have established. A whole team. They had the single motor data doesn’t like so they used to have data for everything like how many kinds of attacks are happening. What is the impact for it like let’s say if we are talking about ransomware tax in the past five years. How many ransomware attacks hit which region geographically.
Which kind of let’s say health care industry or maybe automotive industry. What kind of industry and what was the impact? So based on that, because data doesn’t line everyone agrees that what data is there, data points are there, those are genuine, it cannot be fabricated. So people tend to get convinced by those data. You may not have very good speaking skills to convince someone but if you have the right data and you’re able to convince because this is a general problem. Ransomware is a general problem that would impact your company and that would definitely shift you back for a week or something because you would have to spend some time getting those things up and again and your customers won’t be waiting for you to get recovered from ransomware, they would still have work to do and they would be dependent on you. So once you instill the importance of it and you tell them that this is what happened and if we have a backup plan. If we have a security team which is monitoring this.
This and this and this is how much we would be spending on these people and these tools. These automation. Let’s say these cloud security automation and stuff and this would help us save this much amount of money and in the long run we would have this amount of ROI. So if you have data, if you have metrics and all those kinds of things you can easily talk to the leadership or management or anyone even way senior than you because they would also agree that okay, we can’t take a risk of getting hacked in some way just because we couldn’t shell out a few million rupees or a few thousand dollars or something like that. So I feel metrics having data, that’s the gold solution for it, you can easily convince anyone with those things. And these are real things that are happening. For example, if you say like let’s say if you take the ransomware tech example and you have the metrics for those things and let’s say you already have a security team.
Now you want to have a disaster recovery team and you are finding it hard to convince people. But disaster recovery is important when you want to have come out of situations like these, like what we’re talking about, transfer. And so that way you can have these metrics and data points and then convince people that okay, this is how we would go forward. This was just a short example.
Host: Yeah. Uh, hum that’s spot on, right? Like, you have to be data driven in these areas because you’re asking your team to sort of create new programs or have financial budgets in place, right? So, yeah, absolutely. Makes sense. So one of the things that security leaders do is they work with many teams in an organization, right? Infosec security. Red team. Purple team. Blue team. Many of them are there. So let’s say for a company which is around 50 people growing steadily and they’re about to raise their Series B and they’re working in Fintech or Healthcare. Any space where you handle a lot of PII data, right?
So how do you set up your security.org in that case? What according to you, comes first? How do you hire or who do you hire?
Like there are some of these questions right. That comes to mind for a first time security dealer, right?
Aseem: The very first thing you use, you don’t need SOC team from day one. So a lot of people, they just call me have a soft team and then get started. So you mentioned that it’s a small team, 50 people, raising series B, handling PII. So there are lot of things, I would try to tackle them one by one.
Security will always be a small team. Even if you, let’s say have a company of 1000 – 10,000 security will be like 2000 people. That’s the max maybe development team is like 1000 people. Security would be max 100 or 2030 people. So this team would always be small. And that is how it should be. I mean, you can’t have one secret engineer for every software developer.
That’s not like you’re not policing around. That can’t be possible. So that begs the question then how do we basically have everything? And how do we have eyes on everything? Automation is the key. There’s no other solution. You can’t manually manage everything. You need to have automation somewhere or either build your own automation, you get some tools to automate things, but you need to have that. And it’s better if you have your own engineers who can basically write some code or at least tweak some things.
Because you can’t have automation for very small things. You would have to make them in house. So those things need to be there. And the other thing that you need to have is you need to have alerting, you need to have data and dashboards on critical assets like what is the health of those.
Let’s say you have s three buckets so you need to have alerting whenever those I’m just giving an example. So let’s say I have three buckets. So whenever any of those get public automatically you need to have alerting. Maybe you need to have auto remediation. So these are some of the very first things that whenever I go to a company and if I see that it’s not there, I suggest them that we need to build it. I have been building those myself, so I already have written code. So we just push it and then that’s already set up there.
So that is one thing that I feel that alerting needs to be there on all these critical assets. So the very first thing is identifying critical assets, keeping a mark alerting on those. All this would require automation. So you need to have a team that is a bit hands on, not just consultants, but they are able to write something, they are able to write code. Because even if evaluating a tool, you need to at least know what your team is not capable of and what that third party tool that you are buying is basically augmenting or supplementing them. Let’s say if they are able to build a lot of commissions already, then they don’t need to buy a tool that does that. If they’re not able to do that, then you need to buy a tool that has simple automations and then you build onto that on top of that.
So all this automation alerting data, we used to have, just given an example, we used to have Elk Stack. We used to push all these metrics into it and used to have graphs as to how many assets, like public assets, where are those located, like how many of these, if any of these let’s say the common ask is usually IAM permissions. Whether you’re on GCP cloud or you are on AWS, it’s IAM permission is one of the things that people so we used to have graph where we could see that how many over-permissive roles are there. And then there used to be a grace period of 90days and auto remediating all this. So this was written by our own team. We didn’t have a vendor for doing all these because everyone was bit fluent in Python or Golang or something or the other. And they used to write their own, they used to love creating things.
That’s why so I believe you need to have, you don’t need to have like 10 – 20 people because it’s already 15 people raising series. It’s not a big thing. But the other main part you mentioned was that they are handing a lot of PII. So as I mentioned, to figure out the critical assets, let’s say you have three buckets where these PII data, let’s say medical records are stored, you have, let’s say rediscase where these are stored or you have MongoDB which is stored. So you need to identify these assets. And all this request, what people usually do is they tell their infrared team people to identify these tags and starter. But infrared people are already overworked with a lot of things.
Every company, especially small companies, they already overworked with a lot of things and they wouldn’t put the total bandwidth on this one. Initially, if you have a dedicated person, typically if you have someone in the team who can mentor them, then even you can have a junior person as well. Maybe a fresher or just passed out or maybe a year or two years. If you don’t have, I would say have a person who is hands on these things, who has greater than threat modeling on people, on organization. He has three or four years of experience, because that three or four years of experience usually means that they have taken some interviews for the people, for junior roles, they have done some set modeling, they know how things work in organization, how to talk to senior leaders, how to get in the buying and all those things.
So have a person who is dedicated to this because you definitely need it and you being a person who is handling Pi, it’s very critical to have someone dedicatedly working on this. If he has knowledge of building automation himself, that would be really good because when I started working with the people and the team who was working with everyone used to have some hands on Python or Golang or something or the other.
And that proved out to be very useful because we could quickly wrap up something and have some script running while we were still evaluating other tools and all. So the immediate ask was fulfilled. And once you show that confidence, the senior management also tries to okay, this team is doing good so we can help them out. So having a dedicated person with a hands on experience, that would be super awesome to get started with this.
Host: Right. I guess especially when you are like I like some of your points that if you are dealing with PII data, make sure you have visibility into your critical assets. And when you hire somebody who is hands on and has some experience right? Because you are getting into CDC and you have to be serious about security. So hiring somebody who has hands on experience adds a lot of value.
I want to sort of shift from hiring to getting hired. So this question came from a student who is getting started, who are getting started in their career, right? So nowadays there is increased awareness around security even at colleges. So
If a student is interested in pursuing their career in security, it can be like an ethical hacker or security professional. How should they go about it?
Aseem: That was a natural transition because we were talking about hiring and hired. So that makes sense. And this question is something that I’ve came a lot of times even on my channel, like Hacking Simplified, where I talked about this in a few live streams where people came with similar questions. And what I’ve always suggested a lot of people have seen they start, they want to get started in cybersecurity because seeing these bug bounty screenshots and money and all.
But while I started, I wasn’t on Twitter initially, so I never got to see all these. I didn’t even know that there’s a thing called bug bounty. I just know that Facebook and Google pay for the bugs that you find. I used to spend some time on that and I got a few duplicates, but that was all I was never into because I got into that luckily or unluckily, whatever you say. But that was I was always curious about security and that is what I’ve been telling people. I started with CTS and CTS basically drill you down into a particular domain, but they give you a very depth knowledge of that particular domain and that builds kind of what is it setting capacity. I would say rather perseverance because in CTF you slot for two days just to figure out one solution of one problem.
I remember while I was paying for Google CTF, I spent like 14 or 16 hours on just one problem and once it got sold, I was very excited because in the world there are only 41 or 42 teams that solved overall and we solved it 20 or 21st we were there. So that gives you a strong confidence. Yeah, that gives you a strong confidence that okay, if I can do this, I can do other things as well. Things are not very difficult. So this requires a lot of reading. So if you are a person like say you are a college student or just passed out, you started with the software development or whatever region you are, you need to have some idea of you can start reading with the news. I usually do like the hackernews.com and the other places.
But the first thing I would say is the hacker news.com, if you don’t have any idea, just go and read a few articles. Whatever team terms you don’t understand, just Google them, read about it, go to the rabbit hole. You would get to know. The first thing is you need to understand this jargon of terms. Let’s say ransomware, CVS, zero-day, all these kinds of things. So once you go down the rabbit hole, a lot of these terms would be known to you. Once you read the second article, you would already know a few terms and you would have to Google less.
So then that gets a repeat cycle. And once you are aware of these things, like, let’s say the terms, the 1000 terms that I use in security, then if you go to Twitter, if you read some stuff, you don’t say okay, I read this, this means this. So you would be able to make connections quickly, then you would be able to consume more content fastly. Initially it would be very slow. You might be able to just read one or two articles in the day and maybe grasp even half of that. But once you start with that, you get aware of these terms, like the way you start learning any language. Let’s start learning English.
So first you learn the alphabet, then you make some words, a for apple, B for these kinds of things. And then you get the common words, then you make sentences and lot. So that’s what we are trying to build. We are trying to build a security vocabulary. First, once you’re aware of these terms, these things that people talk, and you’re able to make comprehend what they are talking about, then you can start reading articles. Maybe there’s this website called Portsugar, the team that is behind birds, they have this web academy. They can read the articles, go through the tutorial, and then also practice them on their own site.
So that is a protected environment you can easily practice. And if you don’t understand, you can also see the solutions and try to go through that. And then again try to solve this. If you’re not able to solve it, again try to solve. They have topics on everything, SQL, CSS, blind, SQL, CSRF, out of boundaries, they have everything. Whatever you feel on web application, they have everything.
If you want to go into reverse engineering and stuff. You have live flow videos, there’s exploit exercises. There are a lot of challenges on hack this site and this thing called Hack the Box. So all these things, there are YouTube channels like create videos, but they are good YouTube channels for liver flow. There’s IPsec and like these two have been following quite persistently and they make quite quality content. There are a lot of people in the cybersecurity domain itself. I remember there’s this guy from Google, Dreadseck, I think the team name is Dreadseck.
He’s a very senior person. I talked to him very back while we were doing Google. But it was good. A lot of community content is coming up. Like Farah is doing this, Ben is doing this.
What was the guy named? Stroke is making a lot of weekly content. So you can check some of the tools and things that you talk about. You can get a basic updated info of the whole thing that’s coming up. But PECO CTF is something where I suggest people to start because it’s a CTF high school student in the US. And even that is a bit difficult for people who are practicing it. So I would say start with that. That’s a very good one.
And you would learn a lot of these things. Then there’s this thing called war games where Overtheway.com overthewire.org is the website where you can play some war games.
Basically you would get used to Linux environment and how to do shell scripting and terminal things. These are something that you would have to do. Like you being an hacker, you can’t be using mouse and all, so you need to have some terminal. I think that’s how I would suggest someone to start. There’s a lot of things but I think I kind of miss summarized it in a way their hands on experience
Right? Wow, that’s impressive.
Uh hum, right.
Host: I think you covered many areas, but the gist that I can think of is start small, but start reading, learning the vocabulary and get your feet wet. You cannot just continue to read. You should try things out and that’s how you learn.
That makes a lot of sense. Thank you so much for answering these questions. Right. I personally learned about the hacking world and also how do you work? If there are any findings reported, how do you work with the hackers as well? Right on those. So thank you so much for that.
So now I want to sort of shift gears and move to the rapid fire section.
Rapid Fire
So the first question is, Assuming you’re hiring (in one sentence), What stands out in a candidate’s resume for you?
Aseem: Hands on experience, like if they have any CTF or bug bounty, anything, if they have something that they did themselves which is not in their academic curriculum and all that stands out pretty much
Host: Makes sense.
What is the biggest lie you have heard in cybersecurity?
Aseem: Being on a public WiFi can get you hacked. I’ve been on public WiFi all the time. There’s a basic security idea.
I don’t think that happens.
Host: Okay, good to know.
What advice would you give your 25-year-old self starting in security and why?
Aseem: I would say try to do things manually, rather going for tools and automation before those abstractions come in. Like I remember when I was learning SQL injection, so there was a workshop that happened in our college and that guy called that manually. That was a very big thing to me and I didn’t know much about it was I think the first semester or something and then I got to read this. There’s an article on Exploit DB where you can basically summit papers. So there’s this SQL article, there’s a big article and that’s explained step by step. And that article also works on a few websites. So while that guy showed us working on live website, that was pretty much very dope to me.
Okay, this could happen, this can happen in real life that doesn’t work on a lot of websites but at least I got to know and then when I started using a SQL map I was pretty much confident what options to use, what things to use, what are these options, what is concatenating, what are these things? And all other it would be just a black magic or like a black box and I’m just using it. So I feel that you should start small, you should start slow, manually build things and manually try things, gain an insight knowledge as to how things work and then you can use automation to basically do it fast.
Host: That makes a lot of sense, right? Because automation, the tools are designed to abstract some of these things and you lose the opportunity to learn. So, yeah, makes a lot of sense. Next is a one liner quote that keeps you going, that is very accurate.
Aseem: I have this wallpaper for like six, seven years now on my personal laptop so it’s a quote from Dr. Epilkle he said to shine like a sun, first burn like a sun and that is something that has kept me motivating.
Host: And the last question is you have already shared many learning like blogs or videos, right?
What are the top five blogs or videos which you follow to stay up to date on current events or new threats that are popping up every day in the security world?
Aseem: So my currently go to places Twitter and ISS feeds so I have a feedley free account where I have a lot of these access feeds like Bleeping computers, the hackermen.com, all these access feeds so I basically check out and there is a CV database and also I usually check out those and that’s all Twitter is. I get it very fast and as a speed is something I check every morning and evening and like that.
Host: That’s lovely. Thank you so much for sharing all of this. So thank you Aseem, it was a very good learning experience for me and I hope that our viewers will also, when they watch, they will learn something as well.
Looking forward to learn more from you in the future as well. So, for our viewers, thank you so much for watching. Hope you have learned something new. If you have any questions around security security, share those scaletozero.com.
We’ll get those questions answered by an expert at the security space. See you in the next video. Thank you.
Aeem: Yes thank you, bye.
Host: Thank you Aseem.