To combat online attacks, businesses intentionally hire hackers to get into their company computers.
These are not the crooks you might expect, but rather reputable cybersecurity firms given the green light to hack into company computers to detect criminal activity and data breaches, to find weaknesses in the network and to secure and monitor company data and employee information. “We can get into a company’s computer system within minutes, and no one knows we are there,” said Gideon Lenkey, president and co-founder of Ra Security Systems Inc. in Milford, N.J. “We can get in through an email, maybe HR [human resources] opens a resume, and we can put out cameras and microphones.”
Lenkey said one the most interesting jobs his team was hired to do was for an insurance company in Pennsylvania.
When Lenkey and his team began hacking into the company’s computers, they discovered it already had been hacked by two hacker organizations – and that the cybercriminals were fighting for two years to gain control of the data they had stolen. This activity was going on at night while the office was closed.
Ra Security resolved the problem by taking all computers offline at the insurance office and shutting down the hackers’ efforts.
“When we disconnected the office computers from online, all the phones in the office started to ring. …The hackers were trying to find a modem,” Lenkey said.
This scenario is one example why businesses are hiring firms such as Lenkey’s to hack into their own systems, determine their weaknesses and build a better line of defense against cyberattacks.
Lenkey said he also has been hired by companies to visit on-site, physically steal hard drives and even walk away with computers and photocopied documents.
Businesses from throughout eastern Pennsylvania hire Domain Technology Group Inc. of Wyomissing to do vulnerability testing and what the information technology world refers to as penetration testing. Both tests involve gaining access to company computers to find things such as viruses and to detect suspicious activity, said Larry Goncea, a senior IT consultant at Doman Technology.
That first step, the vulnerability test, uses software to find flaws in the system, decide what is missing and to determine if data were breached or the system was configured incorrectly. All weaknesses found are classified from high to low priority.
The next step, the penetration test, is when Domain Technology takes on the role of hacker. “Essentially, if I am running a penetration test, it means that I found holes in the system during the vulnerability testing,” Goncea said, adding that a vulnerability test will target any strange activity, and the intentional hack attempt that follows will determine if there is a big problem. Goncea said some of Domain’s best clients are financial institutions and health care organizations.
Antonio Haddad, managing partner at Infradapt LLC in Upper Macungie Township, said he handles IT security and works with businesses to find flaws in computer networks. He sees it is as necessary for companies to have a security company break into their systems.
His company provides IT security, provides remote and on-site monitoring and manages firewalls, but when it comes to hacking into computers, the client has to use a third party. “We make sure the shields are up and we validate our services, but we cannot certify our work,” Haddad said, and that is where a third party is hired to hack into the system to verify Infradapt’s work.
“The subject of hacking and cybersecurity protection is an endless topic, and a lot of monitoring is done to mitigate this to the highest possible extent,” he said.
Don Welch, chief information security officer for all Penn State University campuses, said companies hire security firms to do penetration testing as a final step in a broader process. According to Welch, large firms already have their IT team doing the security. But companies, especially those that deal with many merchants, for example, must do penetration testing as an annual compliance requirement.
“When you think you have everything set, you may decide to bring in someone to do a [penetration] test,” said Welch, based in University Park.
“You want to make sure you catch all the vulnerabilities. So, it is good to have an outside party to do that testing.” •