This is the conclusion of our two-part “Interview with a Hacker” story featuring security researcher and helpful hacker Pete Herzog. Read “Part I, Hacking Human Resources is a Thing” and Herzog’s LinkedIn post about a company accidentally hiring a hacker, which inspired this article.
In this installment, Herzog speaks more specifically about corporate security.
Eve Lampenfeld: What are some common things organizations “give away” to their competitors, and what’s the best way to prevent this?
Pete Herzog: There are so many! But the most common leak I see is how much they have to spend on technology. A skilled hacker can glean information on a number of systems, age of the systems, type and version of the operating systems and versions, security applications, vendors and devices. From that, there are some standard ways to extrapolate costs of number of support technicians needed, regional salaries for those types of jobs, costs of technology in bulk, license fees and so on. This can give you a range of what the competitor is spending on technology at the moment so you detect changes or shifts in their response to the market or even to yourself.
The best way to prevent this is to have comprehensive security that protects against such leaks, since there’s no way to tell people to not post anywhere or send e-mails, both of which may leak information about the systems used to do that. So the next thing to do is to include deception and camouflage in your security tactics, something corporations rarely consider.
So give me a few ways people can protect their company secrets online.
The easy answer is don’t put them there. But no company can control everything that their employees do and how. So the best you can do is actively audit how much information about your company is out there in public areas. What you need is a comprehensive information security program with ongoing audits of how well your security systems are working and not just how patched your servers are. But this is the stuff books are written on.
Our methodology for testing security, including competitive information and privacy leaks, is over 250 pages long and required 10 years of research.
Are these leaks a widespread threat for companies? I found it fascinating that the woman in your LinkedIn story knew that her company was likely to be at risk. What are the odds your company is losing its edge by having this info online?
I don’t think it’s easy to calculate the risks of this happening, but I do see more and more big companies include competitive intelligence to be more agile in the market. Of course, there’s the problem of economic espionage where foreign competitors use similar techniques to compete for large bids, so I can’t even begin to imagine how prevalent it is for the average company. When you consider the cost of having a skilled hacker for competitive intelligence (CI) might run you about $150,000–$250,000 a year, that takes it out of the league of smaller companies. However, a larger company can easily leverage million-dollar bids against that kind of intelligence. And you can be sure those larger companies are keeping an eye on the up-and-comers.
What’s a legal way to find information on your competitors?
Short of criminal hacking, stalking, reading their mail or trespassing, it’s pretty much all legal.
Of course, there’s a moral line you may want to consider not crossing first, if only because you don’t want that line crossed on you in retaliation. Most online competitive intelligence surveying will have a high moral tolerance level compared to the same physical one. For example, you can watch a competitor’s online store 24/7 for traffic changes, products pushed and which ones are sold out to match them in inventory. However, if you put a person on the street in front of a competitor’s store 24/7 to count the traffic going in and out and peeking in bags to see how many products or which ones their customers buy, you can expect trouble. Both are legal, but in my opinion, the second instance crosses a moral line and is heading toward harassment.
How did you get into your profession?
I first came out as a hacker while working as a field consultant for the CDC and [the Agency for Toxic Substances and Disease Registry]. I got sent out to hotspots in the U.S. where there was environmental damage, and I managed the collection of lab data that got sent back by modem to the home office. So like many of us who started while the Internet was young and simple, we fell into it. We had the right collection of skills, the right attitude and the overwhelming curiosity that served as the motivation to be resourceful both in how we learn and the tools we needed to keep learning.
With time on my hands and equipment to play with, I searched and learned and tried things until I could afford to build my first computer from parts. So I knew how they all worked. It takes passion because anything skills-based will have a huge level of frustration associated with it. From there, I just kept learning until I got my first hacking job as a test engineer for Intel to test network cards and then recruited away three months later for IBM Germany to be on the starting team of their Ethical Hacking department for Europe. It’s been hacking ever since.
How can we get more information on your cause?
Just visit www.isecom.org, www.hackerhighschool.org or www.badpeopleproject.org. Or just have me come by to talk. I have very limited time, but I try to speak at least at three conferences or seminars a year. If I can’t do it, we have many qualified trainers and speakers who can help you out.
Eve Lampenfeld is a contributing journalist for TheBlot Magazine.