How To Protect Your Business Online


About the Author

Athul Jayaram is CEO & Founder of SecurityInfinity, a cybersecurity
company. He is a Cybersecurity Expert, Entrepreneur, Security Researcher,
Ethical Hacker, Software Engineer and Ex-Deloitte Consultant. He is
currently a full-time bug bounty hunter ranked in the top 100 on Bugcrowd and
HackerOne. He has experience in securing critical assets of corporate clients
across sectors like banking, finance, automobiles and technology. His areas
of expertise include vulnerability assessment and penetration testing of
web applications, thick client applications, thin client applications, Android
applications, iOS applications and networks, as well as incident response & recovery and
digital forensics. He also holds a vast understanding of the IT industry.

CVE-2019-2706 was issued by Oracle for his critical vulnerability
discovery in the Middleware used by Corporate Applications.

Featured in Halls of Fame and acknowledged by Google, Microsoft, Sony,
Intel, Nokia, Lenovo, Oracle, SAP, DarkMatter, Upwork, Ford, Genymotion,
Trend Micro, DJI, United Nations, UN Women, Indian Angel Network, Zomato,
De Nederlandsche Bank, Cambridge University, Visma, Auditwolf,
1Password, Indian Angel Network, Chalk, Inflectra, Wellthy and many others.

His key interests are web application penetration testing, mobile
application penetration testing, server penetration testing and network
security assessment.
www.SecurityInfinity.com
www.Athul.co

Table of Contents
Introduction
The Password-protected Myth
Getting started with a cybersecurity upgrade
How to Educate Your Employees About Cybersecurity
How to choose the right cybersecurity company

Introduction.
As long as businesses have occupied a
physical space, one thing has remained true:
they have all had locks. At least for as long as
locks have existed. However, when businesses
moved to the cyberspace, their focus on
security took a backseat. Security is often
assumed with email, cloud computing, and
digital processing of work data. Even with
businesses that have some form of
cybersecurity in place, there is not enough
stress-testing.

That is the equivalent of not checking
whether the door is locked when you're
leaving your house. When I lock the door by
physically turning the key around, I still check
whether the door is locked or not. It is always
better to be safe than to be sorry. Yet many
business owners are not nearly as concerned
about their cybersecurity.

This is not because entrepreneurs do not care
about security, but because they don't know
about the threats that their businesses are
vulnerable to.

My mission with this book is to highlight how
important cybersecurity is by showcasing what
kinds of attacks exist today, how they have
impacted companies, and tips on how you
can make sure that this does not happen to
your business. Because I understand that
businessmen have hundreds of things to do, I
have kept this a short read backed by value
and no fluff. I hope you enjoy the read.

Chapter 1 - The Password-protected Myth
You secure your email with a password, and
your computer requires a multi-digit code to
access. Why do you ever need to worry about
cybersecurity, right? In this chapter, we look at
different ways hackers have managed to gain
access to password-protected assets.

Your brand's Instagram can be taken over.
If you have an assistant, a social media
manager, or an employee with access to your
Instagram or Facebook page, chances are your
account is vulnerable to a takeover. According
to Trend Micro's analysis, Turkish hackers have
managed to send emails that appear to be from
the Instagram Support desk but can trick the
recipients into providing their login credentials
to the hackers.

How it works is that you receive a message
asking you to log in to your account for security
purposes using the link in the email. The link
does not take you to Instagram but instead
takes you to a website designed to look like
Instagram. When you enter your username and
password there, it gets sent to the hackers, who
can now log in and reset the password.

If it's not on the internet, it still isn't safe.
In the age of internet hacking, one's instincts
are to keep confidential documents, research,
and employee files offline. However, remote-
access software can let hackers access
everything on your computer, mobile, or laptop.
That includes any saved passwords and credit
card information.

You may be wondering how the hackers can
get the remote-access software onto their
victims' laptops.

They usually mask the software as something
else and send it in email attachments. The
most recent instance of such an attempt was
by an unidentified hacker group posing as
recruiters and targeting military staff with faux
job offers. According to ESET, the email
contained a RAR attachment with a 'Job.Offer.exe'
file. It would open a decoy PDF while secretly
running software that gave remote access to
hackers. In one instance of this operation, a
hacker was able to take over the target's work
email.

The apps can be exploited.
Some people are concerned with how
much data we share with the big tech
giants like Facebook and Google.
However, the majority of users are not too
concerned with the kind of access these
companies have to their personal
information.

That is, mainly, because legal checks and
balances keep Facebook and Google from
misusing your personal information. In other
words, Mark Zuckerberg cannot peek into your
Messenger inbox and use the information to
blackmail you. But if a hacker exploits
Facebook's vulnerabilities, he can potentially
see everything that the app can access. That
includes (but is not limited to) the camera,
contacts, gallery, and payment methods.

You may be thinking, 'that's just a
hypothetical scenario, right?' Unfortunately,
over 90 million users of Facebook were
remotely logged out by the company
because it believed they had been hacked
using an access-token vulnerability.

The hackers could use the access tokens to
log in to not just the victims' Facebook
accounts but also other applications that use
Facebook login.

Facebook has since fixed the vulnerability. But
the problem is that Facebook, YouTube, and
Instagram are always updating their features.
With each update, there can be potential
vulnerabilities that are open for hackers to
exploit.

Chapter 2 - Getting started with a cybersecurity upgrade
To get started with your cybersecurity
upgrades, you must audit the current security
structure in place. Whether it is through
passwords or via surveillance that you are
safeguarding your current assets, you can
always do more. In this chapter, you will learn
about how to conduct a general cybersecurity
audit.

What are you protecting?
This question helps you set an area of focus
around your security audit. To illustrate this,
consider that your mobile phone has a wealth
of information, including your private photos,
private videos and private chats. However, it is
neither confidential nor private. It would be
unwise to spend any money, time, or energy to
safeguard this information. On the other hand,
your contacts may be worth a million dollars
and may require extra security. At this stage of
the audit, you separate what is worth
protecting from that which is not.

How much are your assets worth?
Suppose you have a safe with one hundred thousand
dollars in it, and the only way to access its contents
is through a four-digit code. Let's assume in
this hypothetical that there is no other way to
break, crack, or open this safe. How much is
the four-digit code worth? A hundred thousand
dollars. But what if you have a hundred
thousand dollar payment due tomorrow? If you
do not make the payment, you will be charged
ten thousand dollars in interest. How much is
the four-digit code worth now? It is worth a
hundred and ten thousand dollars.

At this stage of the audit, you ask yourself
what you stand to lose if a file, item of
information, software, or document is either
stolen or copied. This could be the value of the
files (the contents of the safe) or the legal
penalties that you may be open to in case
there is a leak of the files (the interest). The
total value of all the files and the potential
losses upon compromise determine the
overall worth of your digital assets.

How often can this happen?
At this stage, you make sense of the
probability of a breach in dollar amounts. For
instance, if the last stage proved that the value
of your digital assets was ten thousand dollars
and the likelihood of a successful attack was
once every ten years, you divide the loss by
ten to determine the annual loss. That would
bring your annual loss to one thousand dollars.
In other words, a cybersecurity assessment
that costs less than one thousand dollars
annually would be a reasonable investment.
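As an added worked example (my code, not the author's), the three audit stages above can be carried through as a small risk register. It assumes the chapter's own rule of thumb: an asset's worth is its content value plus any penalty on leak, its annual loss is that worth divided by the expected years between breaches, and an assessment that costs less than the total annual loss is a reasonable spend. It goes beyond the text by ranking several assets at once.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One item from the 'what are you protecting?' stage of the audit."""
    name: str
    content_value: float          # what the files themselves are worth (the safe's contents)
    penalty_on_leak: float        # legal or contractual cost if it leaks (the interest)
    years_between_breaches: float # e.g. 10.0 for "once every ten years"

    def total_value(self) -> float:
        # Stage 2: value of the files plus the penalties you are open to
        return self.content_value + self.penalty_on_leak

    def annual_loss(self) -> float:
        # Stage 3: spread the loss over the expected years between breaches
        if self.years_between_breaches <= 0:
            raise ValueError("years_between_breaches must be positive")
        return self.total_value() / self.years_between_breaches


def rank_by_annual_loss(assets: list[Asset]) -> list[Asset]:
    """Highest expected annual loss first; zero-loss items fall to the bottom."""
    return sorted(assets, key=lambda a: a.annual_loss(), reverse=True)


def assessment_is_reasonable(assets: list[Asset], annual_cost: float) -> bool:
    """True when the assessment costs less than the total expected annual loss."""
    return annual_cost < sum(a.annual_loss() for a in assets)


# Constructed sample register using the chapter's own numbers plus two assumed items.
SAMPLE_ASSETS = [
    Asset("customer contacts", content_value=1_000_000, penalty_on_leak=0, years_between_breaches=5),
    Asset("safe code", content_value=100_000, penalty_on_leak=10_000, years_between_breaches=10),
    Asset("holiday photos", content_value=0, penalty_on_leak=0, years_between_breaches=1),
]

if __name__ == "__main__":
    for asset in rank_by_annual_loss(SAMPLE_ASSETS):
        print(f"{asset.name:18s} worth ${asset.total_value():>12,.0f}  "
              f"annual loss ${asset.annual_loss():>10,.0f}")
    print("assessment at $50,000/yr reasonable:",
          assessment_is_reasonable(SAMPLE_ASSETS, 50_000))
```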

That seems like a lot of work.
Yes, a cybersecurity audit can be time-
consuming. Moreover, the actual value of the
audit comes from the accuracy of execution
at each stage. For that, it is highly
recommended to contact a cybersecurity
professional for the best possible results. At
the time of the writing of this book, I have
conducted over two hundred cybersecurity
audits.

During these audits, I have found over 5000
vulnerabilities, of which 1000 were of a critical
nature.

If you need to enlist my services, feel free
to contact my team at athul@athul.co and
we will be in touch with you. My areas of
expertise include vulnerability assessment
and penetration testing of web applications,
thick client applications, thin client
applications, Android applications, iOS
applications, servers and IPs.

Chapter 3 - How to Educate Your Employees About Cybersecurity.
As is evident from the majority of the cases
cited in the first chapter, businesses are often
vulnerable to hacking because of the people
they employ. 'Human error' is how information
technology experts label the problems that
result from a task being handled by humans
as opposed to computers. And when the
'human error' is in regards to being careful
about your cybersecurity, businesses can lose
millions of dollars.

One way to prevent hackers from exploiting
your employees is to educate your team on
the various ways the hackers might approach
them. 'Social engineering' is the hackers' term
for using people skills to gain knowledge of
passwords, or unauthorized access to data.
In this chapter, I go over the three rules that
you can implement in your office(s) to avoid
getting affected by social engineering attacks.

Rule #1: Do not download files you don't expect.
The most common method that hackers
employ to access a device remotely is through
software. By managing to download and run
software on your computer or phone, hackers
can view your data, encrypt your files so you
can no longer access them, or edit files
remotely. Therefore, your employees must not
download files they do not expect to receive.

For example, an email with an attachment titled
'Invoice 445.exe' might seem reasonable to
open and look at even if you do not expect to
be invoiced. But if you open that file, you will
be hacked. Therefore, the rule to adhere to is
that if you do not expect an invoice, do not
open invoice attachments. This extends to all
files and emails because hackers use a variety
of methods to disguise such software, and the
disguise varies from industry to industry.

Rule #2: No one talks to 'tech support' except your IT manager.
Whether you have an IT manager or not, only
the most computer savvy on your team must
be responsible for talking to any person
identifying as tech support. This rule is crucial
in companies that outsource their IT work.
Because the staff is used to receiving calls
related to information technology, they may not
suspect an attack if a hacker calls posing as
an IT representative.

Rule #3: Use the security protocols and software.
Cybersecurity structures for office
environments may include firewalls and
antivirus protection. They are only useful if
followed properly. That's why I recommend
you not only verbally educate your
employees on using these but that you also
put together an educational manual
customized to your office.

By teaching your employees how to use two-
factor authentication, secure backups, and
avoid security pitfalls, you will have the peace
of mind that your business is not vulnerable.

The clients for whom I have provided
vulnerability assessment and penetration
testing services include websites, thick client
applications, thin client applications, Android
applications, iOS applications, and servers.
If you are interested in my services for
securing your business against the next cyber-
attack and having peace of mind, feel free to
drop a line to my team at athul@athul.co

Chapter 4 - How to choose the right cybersecurity company.
There is perhaps little that is as important in
securing your business data as the
cybersecurity partner you choose. In the first
chapter, you learned about different types of
cybersecurity breaches. There is another type
of hack that involves ransomware. It encrypts
one's data and locks them out of accessing
their own files or device. The point of
mentioning this in the last chapter of this book
is to make you understand that what you
learned in the first chapter is not enough. In
fact, what you are learning in the last chapter
is not enough either, because hackers are
always coming up with new ways to exploit
vulnerabilities and attack businesses. You
need a professional cybersecurity expert,
whitehat ethical hacker and security
researcher who spends as much time
researching how to secure your business.

This chapter will leave you with a
checklist to qualify for quality when
hiring a cybersecurity expert.

Have they worked with a company of your size or within your industry?
It is important to hire not just any cybersecurity
company but to hire a cybersecurity firm that
can deliver security services for a business of
your size and within your budget. In addition to
the cybersecurity company's abilities, you have
to consider their cost and fee requirements as
well. For instance, multimillion-dollar
corporations hire cybersecurity firms that
charge hundreds of thousands of dollars. And,
as you learned in chapter two, this has to do
with the value of the files, the data, and the
devices that they are protecting. You, on the
other hand, might be an entrepreneur and may
have a few businesses that own less than 100
websites, android applications and servers.

It would then not make sense to hire a
cybersecurity company that deals with
multimillion-dollar corporations.

How little will you have to intervene?
When you hire a cybersecurity firm, you are
purchasing peace of mind. It is essential to
know how much peace of mind they will be
able to deliver. Will they constantly stress-test
your current cybersecurity structure? Will they
offer upgrades? Will they conduct penetration
tests to see whether hackers can get in at any
point? Or will they install some software and
leave?

So, it is important to ask the cybersecurity
expert, representative or cybersecurity
consulting company how frequently they
would work with you. You may also ask how
hands-off and automated the arrangement
would be.

Another handy question to ask your
consultant is whether they will be providing
educational material for your employees, or
you will have to pay a third party to get those
services. These are all important questions
that can be summed up under the umbrella
of 'how little you will have to intervene.'

What is their experience?
When bulletproof vests are created, the make
and the model of the vest are physically tested
against a variety of guns and rifles. Imagine a
bulletproof vest that has a tag saying 'never
been tested.' Would you trust that brand? Let's
take this further. Imagine a bulletproof vest with
a tag saying 'some bullets have gone through
this.' Would you trust that brand of vests? Of
course not.

Unfortunately, cybersecurity experts do not
come with a tag saying, 'some attacks have
gone through this.' Therefore, you should
research whether the firm's clients have
previously experienced any attacks. You
may even directly ask them whether any hacks
happened on their watch. By asking these
questions, you can separate the good
cybersecurity firms from ones similar to
bulletproof vests with bullet holes.
