[00:00:01,920] Speaker 1: Welcome to BrainStuff, a production of iHeartRadio.

[00:00:06,440] Speaker 1: Hey, BrainStuff, Lauren Vogelbaum here. Let's begin this episode with a true story. Asher de Metz walked through the front doors of a supermarket. Hanging at his side, in place of a reusable shopping tote, was a discreet laptop bag. De Metz wasn't shopping for groceries. This was a break-in, but neither the avocado-inspecting shoppers nor the credit-card-swiping cashiers realized they were under attack. De Metz walked through the store and found a back room lined with people at computers. It was a training session, a perfect place to blend in, so he sat down and hijacked a machine. For the article this episode is based on, HowStuffWorks spoke with de Metz. He said, "I just went in and unplugged the cable from the back of one of the machines and plugged it into my laptop. I was hacking away for a while and gained access to systems and databases pretty quickly from that room." Soon after, the trainer approached him. She was polite but unsure about him. He told her he was from the head office, there to install some updates. This appeased her for a few minutes, but she decided to loop in her supervisor. That's when de Metz figured it was time to head out. He said, "I closed everything and started to leave. I took the stairway and unfortunately, as I pushed the door open, the alarm went off." The trainer was already hot on his tail.

[00:01:24,440] Speaker 1: The chase continued to the soundtrack of blaring security alarms and a final screeching crescendo as the trainer shouted across the store, "That's him, that's the guy." Another supermarket employee approached de Metz, but de Metz was prepared. He had a manila folder with a fabricated work order. He told them that he was from corporate and that there had been a serious hack in the store's system. He said, "Did you know there was a breach on your network last night? Millions were stolen." And the supervisor said, "No, I had no idea." The pair agreed to get on a call later that afternoon to avoid any heads rolling due to the serious cybersecurity infraction. Part of de Metz's tale to the supermarket manager was true. He was hired to be at the supermarket, and by the supermarket's leadership. However, the only hack that had happened was the one de Metz did himself, and he didn't steal a dime. He was hired to see how far he could hack into the supermarket's systems, and in this case, he got far. Now he had helpful information to share with the leadership team on how to make their security more effective and safer for employees and customers alike.

[00:02:29,240] Speaker 1: De Metz has more than twenty years of experience in this sort of gig, called penetration testing. He explained, "The reason companies have penetration testing is because they don't know what they don't know. You could have a great internal IT or security team that are installing packages and trying to secure systems, but until you get a hacker in there who's digging in and doing things they shouldn't be able to do to find those risks people have missed, companies don't know what their risks are." De Metz's goal is to find vulnerabilities before bad guys have a chance to, an increasing threat for businesses of all sizes. According to the Cost of a Data Breach studies sponsored by IBM, [...] of small and medium businesses are attacked each year. What's worse is that [...] of those businesses closed their doors within six months of the attack. The average global cost of a single breach is 3.62 million dollars, and in the first six months, the number of businesses affected by ransomware attacks, those where malicious software is installed that blocks access to networks until a ransom is paid, more than doubled compared with [...]. That's why more and more organizations are hiring penetration testers to break into their systems on purpose.

[00:03:45,960] Speaker 1: These experts are also known as white hat hackers, in a literal hat tip to mid-twentieth-century Western film symbolism. De Metz explained, "It's like an insurance policy. If companies spend the money now on security, it saves them from the ten or a hundred million it will cost them if they're breached. If they get their ransomware assessed and they inoculate themselves, for example, it saves companies months of headaches and lost revenue from not being able to do business." The other reason organizations pay to get hacked is to make sure they meet stronger regulatory standards. Healthcare, financial organizations, and government institutions, among others, must meet federal, state, and industry cybersecurity regulations as hacking becomes more common and more costly.

[00:04:29,320] Speaker 1: You may think of hacking as a remote activity, accessing the network or sensitive data, but penetration testers look at both physical and technical aspects of an organization's security program. De Metz said, "We test the physical controls. Can we gain access to a building, get past security, go through a back door? Can we gain access to physical files? Can we get into areas where companies print credit cards or gift cards?" He offers advice, too, like recommendations for employee training programs so people like the supervisor he met know how to verify people who are supposed to be in the building or not, or what to do if they don't recognize someone, instead of initiating a store-wide pursuit, even if it does make for a good story. He said, "We have a lot of fun doing this, but we also provide a lot of value to the client."

[00:05:21,400] Speaker 1: Penetration testers must have a detailed knowledge of technology, and that comes with experience, not just fancy tools. De Metz said, "Penetration testing is understanding and interacting with technology, knowing the way that technology is supposed to work. It's a methodology, and maybe aligning a tool toward it, but it's not simply about scripts or tools." Once de Metz is inside a system, he looks for three things: where he can log in, what software versions are in use, and whether systems are configured correctly. He explained, "Can we guess a password? Can we find some other way to access a login? And maybe the software is out of date and there's an exploit, so we try and exploit some ransomware code against it to try and gain access to the systems. And some things can be found in an audit, but we're also finding things the organization hasn't thought of." There's an important distinction there: an audit asks, is the security program being followed? Penetration testing asks, is the program working? The problem may not be as simple as out-of-date software, but an entire security strategy that needs improving from a bird's-eye level.

[00:06:27,839] Speaker 1: White hat hacking is becoming more popular with organizations responsible for personal data, like Facebook, which is known for incentivizing white hat hackers via their bug bounty program to find vulnerabilities in their system. You may never see them, never know they're there, but penetration testers help keep businesses secure and customers like you safer, too.

[00:06:45,720] Speaker 1: Today's episode is based on the article "Companies Pay This Guy to Break Into Their Networks and Offices" on HowStuffWorks.com, written by Alison Troutner. BrainStuff is a production of iHeartRadio in partnership with HowStuffWorks.com, and it's produced by Tyler Klang. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.