WEBVTT - How Can You Get Paid to Break Into Stuff?

0:00:01.920 --> 0:00:04.320
<v Speaker 1>Welcome to BrainStuff, a production of iHeartRadio.

0:00:06.440 --> 0:00:09.879
<v Speaker 1>Hey BrainStuff, Lauren Vogelbaum here. Let's begin this

0:00:09.880 --> 0:00:13.360
<v Speaker 1>episode with a true story. Asher de Metz walked through the

0:00:13.360 --> 0:00:16.760
<v Speaker 1>front doors of a supermarket. Hanging at his side in place

0:00:16.800 --> 0:00:20.079
<v Speaker 1>of a reusable shopping tote, was a discreet laptop bag.

0:00:20.880 --> 0:00:23.840
<v Speaker 1>De Metz wasn't shopping for groceries. This was a break-in,

0:00:24.560 --> 0:00:28.040
<v Speaker 1>but neither the avocado-inspecting shoppers nor the credit card

0:00:28.080 --> 0:00:32.239
<v Speaker 1>swiping cashiers realized they were under attack. De Metz walked through

0:00:32.240 --> 0:00:34.920
<v Speaker 1>the store and found a back room lined with people

0:00:34.960 --> 0:00:38.240
<v Speaker 1>at computers. It was a training session, a perfect place

0:00:38.240 --> 0:00:41.159
<v Speaker 1>to blend in, so he sat down and hijacked a

0:00:41.200 --> 0:00:44.279
<v Speaker 1>machine. For the article this episode is based on, How

0:00:44.320 --> 0:00:47.480
<v Speaker 1>StuffWorks spoke with de Metz. He said, I just went

0:00:47.479 --> 0:00:49.360
<v Speaker 1>in and unplugged the cable from the back of one

0:00:49.360 --> 0:00:51.760
<v Speaker 1>of the machines and plugged it into my laptop. I

0:00:51.840 --> 0:00:54.480
<v Speaker 1>was hacking away for a while and gained access to

0:00:54.520 --> 0:00:58.680
<v Speaker 1>systems and databases pretty quickly from that room. Soon after,

0:00:58.800 --> 0:01:03.200
<v Speaker 1>the trainer approached him. She was polite but unsure about him.

0:01:03.240 --> 0:01:05.280
<v Speaker 1>He told her he was from the head office there

0:01:05.319 --> 0:01:08.679
<v Speaker 1>to install some updates. This appeased her for a few minutes,

0:01:08.720 --> 0:01:12.000
<v Speaker 1>but she decided to loop in her supervisor. That's when

0:01:12.040 --> 0:01:14.560
<v Speaker 1>de Metz figured it was time to head out. He said,

0:01:14.720 --> 0:01:17.240
<v Speaker 1>I closed everything and started to leave. I took the

0:01:17.280 --> 0:01:20.640
<v Speaker 1>stairway and unfortunately, as I pushed the door open, the

0:01:20.680 --> 0:01:24.080
<v Speaker 1>alarm went off. The trainer was already hot on his tail.

0:01:24.440 --> 0:01:28.000
<v Speaker 1>The chase continued to the soundtrack of blaring security alarms

0:01:28.040 --> 0:01:31.800
<v Speaker 1>and a final screeching crescendo as the trainer shouted across

0:01:31.840 --> 0:01:36.360
<v Speaker 1>the store, that's him, that's the guy. Another supermarket employee

0:01:36.360 --> 0:01:39.160
<v Speaker 1>approached de Metz, but de Metz was prepared. He had

0:01:39.200 --> 0:01:42.640
<v Speaker 1>a manila folder with a fabricated work order. He told

0:01:42.680 --> 0:01:44.560
<v Speaker 1>them that he was from corporate and that there had

0:01:44.600 --> 0:01:47.680
<v Speaker 1>been a serious hack in the store's system. He said,

0:01:47.840 --> 0:01:49.600
<v Speaker 1>did you know there was a breach on your network

0:01:49.680 --> 0:01:52.960
<v Speaker 1>last night? Millions were stolen and the supervisor said no,

0:01:53.120 --> 0:01:55.920
<v Speaker 1>I had no idea. The pair agreed to get on

0:01:55.960 --> 0:01:59.120
<v Speaker 1>a call later that afternoon to avoid any heads rolling

0:01:59.240 --> 0:02:02.960
<v Speaker 1>due to the serious cybersecurity infraction. Part of

0:02:03.000 --> 0:02:06.440
<v Speaker 1>de Metz's tale to the supermarket manager was true. He was

0:02:06.520 --> 0:02:10.800
<v Speaker 1>hired to be at the supermarket, and by the supermarket's leadership. However,

0:02:11.120 --> 0:02:13.480
<v Speaker 1>the only hack that had happened was the one de Metz

0:02:13.560 --> 0:02:16.679
<v Speaker 1>did himself, and he didn't steal a dime. He was

0:02:16.760 --> 0:02:18.880
<v Speaker 1>hired to see how far he could hack into the

0:02:18.919 --> 0:02:23.680
<v Speaker 1>supermarket systems, and in this case he got far. Now

0:02:23.720 --> 0:02:26.520
<v Speaker 1>he had helpful information to share with the leadership team

0:02:26.639 --> 0:02:29.200
<v Speaker 1>on how to make their security more effective and safer

0:02:29.240 --> 0:02:33.520
<v Speaker 1>for employees and customers alike. De Metz has more than twenty

0:02:33.600 --> 0:02:37.120
<v Speaker 1>years of experience in this sort of gig called penetration testing.

0:02:37.760 --> 0:02:41.320
<v Speaker 1>He explained, the reason companies have penetration testing is because

0:02:41.400 --> 0:02:43.840
<v Speaker 1>they don't know what they don't know. You could have

0:02:43.880 --> 0:02:46.560
<v Speaker 1>a great internal IT or security team that are

0:02:46.639 --> 0:02:50.000
<v Speaker 1>installing packages and trying to secure systems, but until you

0:02:50.040 --> 0:02:52.160
<v Speaker 1>get a hacker in there who's digging in and doing

0:02:52.160 --> 0:02:54.480
<v Speaker 1>things they shouldn't be able to do, to find those

0:02:54.600 --> 0:02:58.240
<v Speaker 1>risks people have missed, companies don't know what their risks are.

0:02:59.320 --> 0:03:02.720
<v Speaker 1>De Metz's goal is to find vulnerabilities before bad guys have a

0:03:02.800 --> 0:03:06.119
<v Speaker 1>chance to, an increasing threat for businesses of all sizes.

0:03:06.720 --> 0:03:11.040
<v Speaker 1>According to the Cost of a Data Breach studies sponsored by IBM,

0:03:11.080 --> 0:03:15.480
<v Speaker 1>security of small and medium businesses are attacked each year.

0:03:16.120 --> 0:03:20.080
<v Speaker 1>So what's worse is that of those businesses closed their

0:03:20.120 --> 0:03:23.520
<v Speaker 1>doors within six months of the attack. The average global

0:03:23.560 --> 0:03:25.960
<v Speaker 1>cost of a single breach is three point six two

0:03:26.080 --> 0:03:30.400
<v Speaker 1>million dollars, and in the first six months, the number

0:03:30.440 --> 0:03:34.400
<v Speaker 1>of businesses affected by ransomware attacks, those where malicious software

0:03:34.400 --> 0:03:37.240
<v Speaker 1>is installed that block access to networks until a ransom

0:03:37.320 --> 0:03:42.200
<v Speaker 1>is paid more than doubled compared with That's why more

0:03:42.240 --> 0:03:45.920
<v Speaker 1>and more organizations are hiring penetration testers to break into

0:03:45.960 --> 0:03:49.360
<v Speaker 1>their systems on purpose. These experts are also known as

0:03:49.360 --> 0:03:52.280
<v Speaker 1>white hat hackers in a literal hat tip to mid

0:03:52.320 --> 0:03:57.280
<v Speaker 1>twentieth-century Western film symbolism. De Metz explained, it's like

0:03:57.360 --> 0:04:01.160
<v Speaker 1>an insurance policy. If companies spend the money now on security,

0:04:01.400 --> 0:04:03.880
<v Speaker 1>it saves them from the ten or a hundred million

0:04:03.920 --> 0:04:06.000
<v Speaker 1>it will cost them if they're breached. If they get

0:04:06.040 --> 0:04:09.360
<v Speaker 1>their ransomware assessed and they inoculate themselves, for example, it

0:04:09.400 --> 0:04:12.400
<v Speaker 1>saves companies months of headaches and lost revenue from not

0:04:12.480 --> 0:04:16.240
<v Speaker 1>being able to do business. The other reason organizations pay

0:04:16.279 --> 0:04:18.920
<v Speaker 1>to get hacked is to make sure they meet stronger

0:04:18.960 --> 0:04:24.680
<v Speaker 1>regulatory standards. Healthcare, financial organizations, and government institutions, among others,

0:04:25.080 --> 0:04:29.280
<v Speaker 1>must meet federal, state, and industry cybersecurity regulations as hacking

0:04:29.320 --> 0:04:33.080
<v Speaker 1>becomes more common and more costly. You may think of

0:04:33.120 --> 0:04:37.200
<v Speaker 1>hacking as a remote activity accessing the network or sensitive data,

0:04:37.520 --> 0:04:41.200
<v Speaker 1>but penetration testers look at both physical and technical aspects

0:04:41.279 --> 0:04:45.440
<v Speaker 1>of an organization's security program. De Metz said, we test the

0:04:45.440 --> 0:04:48.520
<v Speaker 1>physical controls. Can we gain access to a building, get

0:04:48.560 --> 0:04:51.440
<v Speaker 1>past security, go through a back door? Can we gain

0:04:51.520 --> 0:04:54.400
<v Speaker 1>access to physical files? Can we get into areas where

0:04:54.400 --> 0:04:58.920
<v Speaker 1>companies print credit cards or gift cards? He offers advice

0:04:58.960 --> 0:05:01.920
<v Speaker 1>too, like recommendations for employee training programs so

0:05:02.000 --> 0:05:04.600
<v Speaker 1>people like the supervisor he met know how to verify

0:05:04.640 --> 0:05:06.960
<v Speaker 1>whether people are supposed to be in the building or not,

0:05:07.960 --> 0:05:10.200
<v Speaker 1>or what to do if they don't recognize someone, instead

0:05:10.200 --> 0:05:12.520
<v Speaker 1>of initiating a store-wide pursuit, even if it does

0:05:12.600 --> 0:05:15.479
<v Speaker 1>make for a good story. He said, we have a

0:05:15.480 --> 0:05:17.840
<v Speaker 1>lot of fun doing this, but we also provide a

0:05:17.839 --> 0:05:21.400
<v Speaker 1>lot of value to the client. Penetration testers must have

0:05:21.520 --> 0:05:24.800
<v Speaker 1>a detailed knowledge of technology, and that comes with experience,

0:05:25.040 --> 0:05:28.760
<v Speaker 1>not just fancy tools. De Metz said, penetration testing is

0:05:28.880 --> 0:05:32.560
<v Speaker 1>understanding and interacting with technology, knowing the way that technology

0:05:32.640 --> 0:05:36.200
<v Speaker 1>is supposed to work. It's a methodology and maybe aligning

0:05:36.200 --> 0:05:38.799
<v Speaker 1>a tool toward it, but it's not simply about scripts

0:05:38.880 --> 0:05:42.400
<v Speaker 1>or tools. But once de Metz is inside a system,

0:05:42.480 --> 0:05:44.840
<v Speaker 1>he looks for three things: where he can log in,

0:05:45.080 --> 0:05:48.039
<v Speaker 1>what software versions are in use, and whether systems are

0:05:48.040 --> 0:05:52.200
<v Speaker 1>configured correctly. He explained, Can we guess a password, can

0:05:52.240 --> 0:05:54.440
<v Speaker 1>we find some other way to access a log in?

0:05:54.880 --> 0:05:56.719
<v Speaker 1>And maybe the software is out of date and there's

0:05:56.720 --> 0:06:00.200
<v Speaker 1>an exploit, so we try and exploit some ransomware code

0:06:00.240 --> 0:06:02.520
<v Speaker 1>against it to try and gain access to the systems.

0:06:03.000 --> 0:06:05.200
<v Speaker 1>And some things can be found in an audit, but

0:06:05.279 --> 0:06:09.720
<v Speaker 1>we're also finding things the organization hasn't thought of. There's

0:06:09.760 --> 0:06:13.360
<v Speaker 1>an important distinction there: an audit asks, is the security

0:06:13.360 --> 0:06:17.760
<v Speaker 1>program being followed? Penetration testing asks, is the program working?

0:06:18.360 --> 0:06:20.520
<v Speaker 1>The problem may not be as simple as out of

0:06:20.600 --> 0:06:24.599
<v Speaker 1>date software, but an entire security strategy that needs improving

0:06:24.640 --> 0:06:27.800
<v Speaker 1>from a bird's-eye level. White hat hacking is becoming

0:06:27.839 --> 0:06:31.720
<v Speaker 1>more popular with organizations responsible for personal data, like Facebook,

0:06:31.880 --> 0:06:34.640
<v Speaker 1>which is known for incentivizing white hat hackers via their

0:06:34.680 --> 0:06:38.560
<v Speaker 1>bug bounty program to find vulnerabilities in their system. You

0:06:38.640 --> 0:06:41.480
<v Speaker 1>may never see them, never know they're there, but penetration

0:06:41.520 --> 0:06:45.680
<v Speaker 1>testers help keep businesses secure and customers like you safer

0:06:45.720 --> 0:06:57.279
<v Speaker 1>too. Today's episode is based on the article Companies Pay

0:06:57.320 --> 0:06:59.440
<v Speaker 1>This Guy to Break Into Their Networks and Offices on

0:06:59.480 --> 0:07:02.680
<v Speaker 1>HowStuffWorks.com, written by Alison Troutner. Brain

0:07:02.720 --> 0:07:04.840
<v Speaker 1>Stuff is a production of iHeartRadio in partnership with How

0:07:04.839 --> 0:07:07.720
<v Speaker 1>StuffWorks.com, and it's produced by Tyler Klang. For

0:07:07.800 --> 0:07:10.560
<v Speaker 1>more podcasts from iHeartRadio, visit the iHeartRadio app,

0:07:10.680 --> 0:07:13.480
<v Speaker 1>Apple Podcasts, or wherever you listen to your favorite shows.