No, not the “black hat” hacker who sits in a dark room with glowing computer monitors. Think of “white hat” hackers such as Jeremiah Baker, who hacks his clients as co-founder of Acton, Mass.-based cybersecurity firm Netragard.
Baker’s most famous hacking attempt was when he installed malware into a computer mouse and mailed it to a client from a fake address. Unaware the mouse contained malware, the client accepted the mouse and plugged it into a work computer. This gave Baker and his team full control of the client’s system.
Netragard’s business model sounds unpleasant for the client, but it’s actually a common practice known as penetration testing. Professional hackers are paid to do everything they can to hack their way into their clients’ systems. At the end of the testing period, they report on whether they successfully penetrated the system and what they found along the way.
The most common vulnerability Baker finds isn’t a computer mouse or virus protection program—it’s people. For example, one of his co-workers once used a client’s personal interests to test and penetrate his network. The co-worker created a fake Facebook profile of an attractive young woman who reached out to the client. The co-worker then looked up musical groups the client liked, did some research and found that one of the groups was performing near the client soon.
Finally, the plan was put into motion. Posing as the fake person, the co-worker sent the client a link inviting him to the concert. The link was malware. Netragard was inside the client’s network once he clicked the link.
The strategy Baker’s co-worker employed is known as “spear phishing”: targeting a specific person and sending them a message meant to dupe them into clicking a link that will allow the hacker to penetrate the system to which the employee has access. The reason spear phishing is often successful is not a lack of knowledge or oversight by employees—it’s a lack of training, Baker said when presenting at Gilbarco Veeder-Root's Retail Technology Conference in Winston-Salem, N.C.
“If you don’t test your staff, the bad guys will do it for you,” he said.
Baker suggested a three-step process—train, phish and analyze—to give employees the tools they need to defend against spear phishing. Train employees on what the attempts look like, try to fool them with fake attempts and regroup with employees on what they did right and wrong. Eventually, Baker said, employees will learn how to combat spear phishing on their own.
Hackers for Hire
Geoff Vaughan, senior security engineer for cybersecurity firm Security Innovation, Wilmington, Mass., also attempts to penetrate corporate systems. Like Baker, he does so not to do damage or hold the company hostage but to uncover cybersecurity flaws.
“Most hackers and security professionals are not malicious, and we go out of our way to be ethical and responsible in our process,” Vaughan said at the Conexxus Annual Conference in Nashville.
Vaughan admitted that his work can be a hard sell. “Sometimes I tell people what I do and they’re scared and never want to talk to me again,” he said.
He encourages everyone concerned about cybersecurity to undergo a process called threat modeling. “Threat modeling allows you to enumerate and prioritize your threats,” he said.
The first step is to define assets, or data that needs protecting. For most retailers, this includes credit-card, transaction and fuel usage data. The second step is to create a list of “threat actors” who could put that data at risk. They could be anyone from customers and employees to support personnel and suppliers with access to the data. Finally, those undergoing threat modeling should consider how each threat actor might attack those assets and simulate how those attacks might play out.
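The three steps Vaughan describes, using the retailer assets and threat actors listed above, worked through as an added Python example (not tooling from Netragard or Security Innovation): enumerate every actor/asset/vector combination, score and rank it, then re-rank after a control such as the phishing training Baker recommends. All numeric ratings and the actors' access and vector sets are constructed assumptions for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Asset:
    name: str
    impact: int  # 1 (low) to 5 (severe): consequence if this data is compromised

@dataclass(frozen=True)
class Actor:
    name: str
    access: frozenset   # assets the actor can already reach
    vectors: frozenset  # attack vectors plausible for this actor
    capability: int     # 1 (opportunistic) to 5 (skilled and resourced)
Threat = namedtuple("Threat", "actor asset vector score")  # score: impact * likelihood * capability

# Step 1: the article's retailer assets. Impact ratings are constructed for this example.
ASSETS = [Asset("credit-card data", 5), Asset("transaction data", 3), Asset("fuel usage data", 2)]
# Attack vector -> likelihood 1-5 (constructed; the two malware-delivery vectors come from the article).
VECTORS = {"spear phishing": 4, "malicious removable device": 3, "credential misuse": 2}
# Step 2: the article's threat actors, with constructed access, vectors and capability ratings.
ACTORS = [
    Actor("customer", frozenset({"credit-card data"}), frozenset({"malicious removable device"}), 2),
    Actor("employee", frozenset({"credit-card data", "transaction data", "fuel usage data"}),
          frozenset({"spear phishing", "malicious removable device"}), 2),
    Actor("support personnel", frozenset({"transaction data", "fuel usage data"}),
          frozenset({"spear phishing", "credential misuse"}), 4),
    Actor("supplier", frozenset({"fuel usage data"}), frozenset({"credential misuse"}), 3),
]

def enumerate_threats(assets, actors, vectors):
    """Step 3: every (actor, asset, vector) combination where the actor can reach the asset."""
    return [Threat(actor.name, asset.name, v, asset.impact * vectors[v] * actor.capability)
            for actor, asset in product(actors, assets) if asset.name in actor.access
            for v in actor.vectors]

def prioritize(threats, top=5):
    """Highest score first; ties broken alphabetically so the ranking is stable."""
    return sorted(threats, key=lambda t: (-t.score, t.actor, t.asset, t.vector))[:top]

def with_control(vectors, vector, new_likelihood):
    """Re-rate one vector after a control (e.g. phishing training) without touching the baseline."""
    return {**vectors, vector: new_likelihood}

if __name__ == "__main__":
    for label, rating in (("baseline", VECTORS), ("after phishing training", with_control(VECTORS, "spear phishing", 2))):
        print(label)
        for t in prioritize(enumerate_threats(ASSETS, ACTORS, rating)):
            print(f"  {t.score:3d} {t.actor:18s} via {t.vector:26s} -> {t.asset}")
```

Running it shows spear phishing against support personnel at the top of the baseline list, and the malicious-device path to credit-card data moving to the top once training lowers the phishing likelihood.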
These experts make it clear that the real cybersecurity threat is not a mysterious figure staring at screens in an underground bunker but company employees’ lack of knowledge. A white-hat hacker is one effective way to test a system and uncover its weakest links.