“LastPass is a good choice”, With Jason Remilard and Shitesh Sachan

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Shitesh Sachan, founder and CEO of Detox. Shitesh is an ethical hacker and a Certified Information Security Auditor (CISA), with over 20 years’ experience. Before founding Detox, Shitesh led security at hCentive, a US healthtech company, which protected national healthcare projects in the USA, amongst other global projects. In his wider remit as an ethical hacker, Shitesh has identified security vulnerabilities within some of the world’s largest platforms, including: Amazon, LinkedIn, WhatsApp, Shutterstock, Medlife, Dominos and Pizzahut. Shitesh is a published author and has recently been awarded ‘Hall of fame’ status by the World Security Council for identifying security flaws in their system.

From antivirus to privacy and identity protection (and more), Detox has got you covered through one smart, easy-to-use mobile app. Detox automates cyber security, providing an affordable and accessible alternative to hiring an expert. Powered by AI, Detox is always aware of the latest security threats, allowing you to go about your online activities with complete peace of mind. A simple and intuitive interface handles any potential threats, as and when they arise.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Kanpur, a small city in India (which was called Cawnpore before Independence), and attended school there. After school, I moved to Agra to study for a degree in computer science. After the degree, I completed my bachelor’s at the Faculty of Engineering and Technology, a Government college in Agra.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was a huge fan of Kevin Mitnick as a youngster. I was always very curious to know how he got into the systems he targeted. So, I started reading about cyber security, and it really fascinated me. I started to hunt bugs back in 2004 and reported a couple of security flaws to an IT company. That is how my whole cyber security journey started.

Can you share the most interesting story that happened to you since you began this fascinating career?

During one early project, I was asked to follow a business’s initial round of vulnerability assessment and penetration testing and was tasked with seeing if I could identify anything they had missed. To everybody’s surprise, I was able to find seven critical security loopholes. Obviously, the management team was delighted and decided to keep me on.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There are ups and downs in everybody’s careers. In 2012 the company I was working for was about to shut down, so I joined hCentive Inc. as a software tester. In a very short time, I won the trust of the management team by reporting functional bugs, as well as security bugs.

A new VP, Ritesh Dugar, spotted my potential and moved me from software testing to cyber security. It was a major turning point for me, but the trust Mr. Dugar demonstrated in me was incredibly motivating.

With his support, I was able to prove and improve my cyber security skills. I ended up setting benchmarks for application security in hCentive and led the entire cyber security team for a major US national healthcare project. I managed a big team over in the US and trained multiple software testers to become security testers.

Are you working on any exciting new projects now? How do you think that will help people?

I am laser focused on bringing security awareness to the masses. Not just educating individuals, but helping everyone, whether they are a business or an individual, to become more aware of the risks, and empowering them to secure themselves and their data.

Smartphones are ubiquitous and the risk of getting hacked has skyrocketed. So, I decided to create an app which secures an individual’s smart phone. My team and I have been working on the app for quite some time and by early next year (2021), we hope to launch.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Health is, of course, vitally important, so I like taking a brisk walk in the morning or doing some meditation to help me to relax and feel rejuvenated. I love reading too. I also love to compose songs and music in my free time, which I rarely get these days. But it really helps me, and I would recommend it to my colleagues, whether they are musical or not.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

I am still excited by the three pillars of cyber security — confidentiality, integrity, and availability. However, while all three remain critical, hackers are also building new exploits and threats to take advantage of vulnerabilities that result from them.

Confidentiality: for example, shifting massive infrastructures rapidly to the cloud can compromise the most sacred asset in health care, patient data. Ensuring data privacy and confidentiality is at the core of all health systems, and migration online presents the opportunity for lurking hackers and bad actors. Security professionals need to plug this gap by taking a “security and privacy by design” approach to risk management, which embeds security and privacy into the design and operation of all systems, infrastructures, and practices.

Integrity: equally as important to the confidentiality of any data is its integrity. Integrity includes PII, PHI, sensitive data, maintaining the accuracy of a patient’s personal details, health summary, clinical notes, test results and family information. The more of this data that is digitized, the higher the risk. In a data breach that compromises integrity, a hacker could seize the data and modify it before sending it on to the intended recipient. Some security controls designed to maintain the integrity of information include:

  • Encryption
  • User access controls
  • Version control
  • Backup and recovery procedures
  • Error detection software

Availability: Hackers are using different ways to take down servers via DoS and DDoS attacks. Your information is more vulnerable to data availability threats than the other two components in the CIA model. Making regular off-site backups can limit the damage caused to hard drives by attacks or server failures. Information only has value if the right people can access it at the right time. Information security measures for mitigating threats to data availability include:

  • Off-site backups
  • Disaster recovery
  • Redundancy
  • Failover
  • Proper monitoring
  • Environmental controls
  • Virtualization
  • Server clustering
  • Continuity of operations planning

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Ransomware. The growth rate of ransomware attacks is unbelievably high. It is a curse on data and web security, and the respective professionals responsible for securing our digital lives. There is no doubt that it is number one among the major IT security challenges, and I believe it is going to be an endless challenge. Tomorrow’s hackers will not only hack your data, but they will blackmail you based on that data and threaten to encrypt your data so you cannot access or retrieve it. Criminals can have both your data and the money, and you will not be able to do anything about it.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Detox’s breakthrough moment came when one of our first customers suffered a ransomware attack. A hacker had compromised some of their business data and was demanding a ransom to settle things. We knew we had to help, but we only had one clue, the hacker’s email ID.

So, we did our best to track him down using the location of the other IP addresses he had used. Eventually we were able to identify the location of the office where he had triggered the ransomware. Then on further investigation, we found where the hacker was working and was located.

We decided to contact many people associated with the same company, and, with further checks, we were able to track down his name. Before we got in contact, we wanted to understand his motives and mindset. So, we contacted his team members. We built a complete picture of the hacker and found out that he had been accused at various levels and was doing strange things with his PC.

Having all this information meant we could reach out to the hacker directly and attempt to get a resolution. The hacker immediately recognized he had nowhere to run and sent an apology email and released the decryption key for the ransom.

The whole mystery was solved, and we had tracked him down in less than a week.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

  • For Static Application Security Testing we prefer to use Checkmarx/Fortify (licensed tools) and VCG (open source)
  • For Dynamic Application Security Testing we prefer to use HCL AppScan/WebInspect/Acunetix (licensed tools) and Metasploit/ZAP (open source)
  • We use Burp Suite Pro for analysing client/server requests and responses.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

If you do not have a large team and have a smaller security budget, you should consider using open source software and try to automate things as much as you can.

Using automated scanners, like VCG and ZAP, can help with automating the SAST and DAST phases. If possible, you should convert your DevOps function into a DevSecOps function, and you should use open source security plugins like ZAP or FindSecBugs.

If your project does not hold sensitive or financial data, then it’s fine to use the above model; but if you are handling sensitive data, then I would obviously recommend hiring in support from external vendors or increasing your team’s size and capacity.

If you choose to work with external vendors, I recommend not going with just one vendor. Keep shuffling. Each vendor’s reports should be evaluated, so that additional coverage or gaps can be identified.

A second opinion is always helpful, and you can achieve that by auditing the same application or product with a different vendor. This process is not required every time, but it may be helpful at initial levels to identify the coverage and threat levels.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

I think it is a bit ‘old school’ to say that even the ‘best prepared’ can suffer breaches. If you are ‘best prepared’, surely it means the ‘preparation’ is done? So, if the preparation has been done properly, to the required level, there should not be an entry point for the hacker, so there should be no breach.

My team and I work on a ‘zero leakage, zero trust’ model, where we assure our customers that once we certify the application release or build, then there is absolutely no chance of any loophole.

As a minimum a business should have the following systems in place:

  • DDoS Protection/IPS Implementation
  • MSB (Minimum Security Baseline) Audit
  • SSDLC Implementation
  • Experienced and well-trained security researchers

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Investigate the breach. Fix the loopholes. Revise your policies. Change them if it is needed. Then train your employees, so a situation like this will not happen again.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

I can honestly say that recent privacy regulations have been hugely positive for Detox. Modern businesses, who are built to follow these regulations, are more focused on quality cyber security services. They cannot afford any leaks, breaches, or vulnerabilities.

Perhaps, in the past, some businesses were apprehensive about going through application security testing, or felt overwhelmed by the need to secure their entire network/IT infrastructure, but now most businesses understand the repercussions of not doing so, and are focused on getting it right.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Hiring less skilled security researchers and relying more on automated security scanners.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

As people have started to work remotely, businesses are, quite rightly, concerned about their data privacy. Social engineering attacks and ransomware attacks have risen by more than 4 times during lockdown. Most of those attacks are a result of a lack of cybersecurity awareness and incompetent and incomplete policies.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Data Access

When you limit access to data, you narrow the pool of employees who might accidentally leak that data or click on a harmful link. Hackers will always look for the weakest link. It is easy for a social engineer to steal the credentials of one employee and gain access to all your sensitive data if everyone has access to that data. Governance is key. By restricting access to your data, you make the work of the social engineer harder, and they will be less likely to target your team.

When businesses wake up, I expect to see all data partitioned. So that only those who need access directly, can have it. For me this is common-sense and a measure that businesses should have taken a long time ago.

Use VPNs

Most of us have lots of devices that are connected to the internet. And those devices are considerably more powerful than many older computers. However, despite the democratization of access, very little has changed in terms of security. Remember that HTTPS has only been popular for the past few years. This suggests that, sadly, it is up to people to defend themselves.

Antivirus apps and password managers go a long way, but a VPN is a uniquely powerful tool that you should have in your personal security toolkit. Particularly in the connected world of today.

Use Antivirus

It is critical to have antivirus software installed on all your work-related devices to protect you against malware, trojans, rootkits and viruses. Antivirus software acts as a prophylactic to not only kill a virus, but also keep the device from being compromised by any new virus in the future. I get multiple spam emails, attachments, calls every day, but antivirus software helps me to quickly filter out what is genuine and what is infected.

Use Password Managers

Most of us use very poor passwords and tend to reuse them on various websites. It is tricky to use solid, unique passwords for all the websites that you use daily. A password manager is the solution. For all the websites that you use, password managers store your login information and help you log into them automatically. With a master password, they encrypt your password database, and the master password is the only one you must remember.

For example, if you want your passwords to synchronize across devices, LastPass is a good choice. 1Password is frequently used and interacts with Troy Hunt’s Pwned Passwords database, so you can see if (and avoid!) a password has been leaked or revealed in a data breach before.
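The Pwned Passwords lookup mentioned above works by k-anonymity: the client sends only the first five hex characters of the password’s SHA-1 hash and compares the remaining 35 characters locally, so the service never learns the password. The Python below is an added example written for this page, not code from 1Password, LastPass or the Pwned Passwords project; `_SAMPLE_CORPUS` and `fake_fetch_range` are constructed stand-ins for the live service so that it runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real range endpoint of the Pwned Passwords service; only a 5-char hash
# prefix is ever appended to it (k-anonymity), never the password.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the breach corpus (0 = not seen).

    `fetch_range(prefix)` returns the response body for that prefix; the
    suffix match happens locally, so the password stays on this machine."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Live lookup against the real service (not exercised in this example)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample corpus standing in for the real service:
# password -> number of breach occurrences (values are made up).
_SAMPLE_CORPUS = {"password": 3861493, "letmein": 1, "Tr0ub4dor&3": 2}


def fake_fetch_range(prefix: str) -> str:
    """Build a response body in the service's 'SUFFIX:COUNT' format for the sample corpus."""
    lines = []
    for pw, n in _SAMPLE_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("F" * 35 + ":7")  # decoy entry so every range has some content
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7q"):
        print(pw, "->", breach_count(pw, fake_fetch_range))
```

Swap `fake_fetch_range` for `fetch_range_online` to query the real service; a non-zero count is the signal a password manager uses to flag a credential as previously breached.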

Employees Training

Security awareness training is so important in our always-connected work environments, where cyber threats abound, and the risks are evolving constantly. For hackers, employees are still the weakest link, and present an easy target.

The aim of awareness training is to provide people with the security skills they need to combat threats, such as social engineering, phishing and vishing. It is not realistic to expect your employees to know what risks exist, or how to protect themselves from them. They need to be taught what is dangerous or appropriate to them, what signs to look for, and how to react when they see them.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

It may not be a movement per se, but security wise, I would advise everyone to make sure they are as safe online as they are walking down the street. Look after your data, like you look after your money. Think before you open any attachment. Always scan any files, using a tool like, to identify if a file or attachment has hidden malware in it. Sometimes antivirus scanners might miss the virus, but a scanner, like VirusTotal, is good.

How can our readers further follow your work online?

I am active on LinkedIn. People can connect and follow me there. Or you can check out Detox’s website and blog here —

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
