An Interview With Miss Shifa Cyclewala | WICS Community
1. Hello, Miss Shifa, please introduce yourself to our readers.
Hello, I am Shifa Cyclewala, the founder of Hacktify Cyber Security. My company works towards teaching students about cyber security and ethical hacking. I am also an online instructor on Udemy; we have taught 20,000+ students from 149 countries, both online and offline.
I have experience as a web and mobile application developer and in web and mobile application security. I have more than 5 years of experience in software development and security training, with a special interest in penetration testing, artificial intelligence, logical programming, and virtual reality.
2. We are really curious to know about the journey of ‘Hacktify’. Can you share your inspiring experience of building this institution?
I have been excited about cyber security since my early days at my alma mater and loved to experiment with and learn about hacking tools. I still remember the first hack I performed: it was to steal a Wi-Fi password with aircrack so I could download and read more hacking books, as we had limited access to the internet in those days.
In the second year of college, I got to work with a cybersecurity company as an intern, and that was when I decided to pursue cybersecurity as my career.
Due to the lack of cybersecurity opportunities in my home town in Gujarat, I migrated to Mumbai. Being a girl, my family was always concerned about my safety and security, but I managed to join an IT company.
Even with a decent salary and a comfortable working environment, there was something that was always missing.
It was guidance. When I started my journey, no one in my family had an engineering background. This inspired me to provide free weekend guidance classes, awareness sessions, and workshops on cybersecurity, paid for from my own salary, so that others wouldn’t face the same difficulties I did.
As soon as I started, a lot of different individuals joined the sessions, which gave everyone a platform to share and learn.
Later I realized that the work we were doing was helping a lot of individuals and making some impact in their lives, but this impact was on a very small scale.
Weekend discussions always excited me, and I finally decided to make this full time, which meant quitting my job. I invested all my savings in setting up Hacktify Cyber Security as a Limited Liability Partnership.
Leaving a secure job and starting a whole new company was a very difficult situation for me, along with the continuous responsibility of taking care of my family. There were a lot of ups and downs while competing with the top institutes of Mumbai. It wasn't an easy task. But with the quality of our training, Hacktify is now the highest rated institute.
With a lot of hard work and dedication, we got a kickstart when our idea, Hacktify Cyber Security, was selected by Startup India as Most Emerging Startup and received a recognition certificate.
3. Based on your work with Bugcrowd, do you think the bug bounty approach is more effective than a traditional security audit?
There is a difference between penetration testing and bug bounties. In a penetration testing project, you are testing for all the vulnerabilities, which will include a checklist covering even the small vulnerabilities. You are the only one performing a test on the application and finding vulnerabilities. Whereas in a bug bounty, there are thousands of other security researchers constantly hunting for vulnerabilities on the same application. Organizations or programs already perform a security test on their applications before they come onto crowdsourced bug bounty platforms like Bugcrowd, which eliminates the low-level risks.
Bug bounties teach you to try more and more, and to find new ways that others have already tested and missed.
Thinking from a bug bounty program owner’s perspective, it is always better to let your application be tested by thousands of brains instead of 1 or 2. Chances are high that even vulnerabilities which are hidden, or fixes which have been applied, will be bypassed. This will eventually make the application much safer in the long run.
4. What tricks have you discovered to keep yourself focused and productive in your busy day-to-day schedule?
This is something I always wanted to do. My work makes me happy and satisfied. I never feel pressured or lose focus. I love being busy and productive. We always try to make the best use of time by doing research and interacting with the community constantly.
Yes, one trick that has always helped is time management. Whenever I'm testing applications, chances are I end up finding nothing after days or weeks. Do not get disappointed; burnout is common. Take breaks, go for walks, and do some leisure activities.
5. Web applications run on different platforms such as Java, PHP and .NET, and there are also CMS-based applications (WordPress, Drupal, Joomla and the like). So, when a security analyst or pen tester approaches web application security, how much do they have to know about back-end coding? What is the importance of back-end coding knowledge when it comes to a web application security career?
Knowledge of the back end gives a clear understanding of the application structure. It is just as important as front-end functionality.
If one knows how the application's back-end code works, one will be able to find more vulnerabilities from the source code by understanding how the application works.
6. Do you have a mentor or someone in the community who has inspired you?
No, I don't have any mentors. But there are lots of famous and experienced individuals I look up to. There are a lot of awesome people in the community who are always contributing, which inspires me a lot.
7. What do you think about the recent cyber-attack on Twitter? Can you please explain the technical side?
The unprecedented Twitter hack targeted a number of high-profile individuals and well-known corporations. The accounts of politicians, businessmen, and celebrities such as Joe Biden, Jeff Bezos, Bill Gates, and Elon Musk were hacked to spread a cryptocurrency scam. Apple, Uber, and Wendy's were among the companies that saw their accounts compromised. As Twitter said in its series of tweets, this was due to a targeted social engineering attack that gave access to Twitter's internal tools.
Twitter confirmed that the attack could not have been conducted without access to the company’s own tools and employee privileges, which may explain why even accounts that claimed to have two-factor authentication were still attempting to fool followers with the bitcoin scam.
Social engineering is an art-of-deception attack in which the attacker tricks the victim into trusting the source and makes the victim interact with the attack vector, which gives privileges or credentials to the attacker. Twitter employees were victims of a similar kind of social engineering attack.
8. Suppose somebody comes across a bug bounty program and finds that a critical flaw exists in its system, but the program doesn’t pay any bounty. At the same time, they get a private invitation to another program which does pay a bounty for the vulnerabilities they find. If they are not in a situation where they can attend to both cases, which should be considered in your opinion? The former or the latter?
In my opinion, the critical vulnerability should be reported first, because as a security researcher, along with rewards and receiving bounties, you have a responsibility to make the internet safer so the vulnerability is not exploited and misused by other hackers.
That said, I highly recommend looking for vulnerabilities on programs which have a bug bounty or at least an RVDP.
9. What would you suggest to our newbies who are interested in starting their career in cybersecurity?
I believe any person who wants to start a career in cybersecurity should first be very curious about what he/she is going to learn. Next, he/she should learn the technical aspects of how Linux, servers, networks, mobile, and the web work. There are different domains in cybersecurity which a student may like to jump into, e.g. cyber forensics, pentesting, threat hunting, security operations and control, etc.
If anyone is interested in pentesting, he/she should learn about OWASP and practice all the vulnerabilities on labs; there are plenty of open-source labs. Then gradually move on to programs that have an RVDP (Responsible Vulnerability Disclosure Program), and then to bug bounties. The appreciation, Hall of Fame entries, and certificates will also help in securing a job in cybersecurity, as they will make you stand out from the crowd and show your experience on live applications, which is exactly what a company wants from you.
10. What upcoming challenges do you see given the current security posture of companies? Please share your thoughts on the impact of COVID-19 on cybersecurity.
As cyber threats and hackers continue to advance, in number and sophistication, it’s now more important than ever to have a clear vision of your organization’s cybersecurity posture. In addition to strict compliance standards, the pressure put on companies by the public to protect their sensitive data is growing stronger every day, but the traditional methods of online security are no longer considered sufficient. As hackers continue to get smarter and companies increasingly move to cloud-based apps, organizations are encouraged to take a holistic approach to cybersecurity posture that takes all of the pieces into consideration.
A proactive cybersecurity approach and cyber resilience against attacks will help in growth and in protecting critical infrastructure. The pandemic has created a huge challenge for organizations worldwide to keep working despite massive shutdowns of offices and other facilities. Organizations have started to work remotely, which has uncovered hidden risks: more and more networks and internal web applications are now exposed to the public network.
The world has become far more digitally connected and vulnerable than ever. Hackers developed new attack vectors like COVID-19 map phishing scams and phishing emails posing as the WHO, various government and medical facilities, etc. Organizations must ensure that their digital platforms are resilient against cyberattacks and spread as much awareness as possible among employees so that they do not fall into phishing or social engineering traps.