Fighting Fire with Fire—Black Hills Information Security—Hackers for Hire
On any given morning, you might find Jordan Drysdale inside the coffee shop that sits adjacent to your corporate headquarters. You probably wouldn't notice him. He looks like an average patron, nonchalantly blending in. If you do happen to notice him, maybe you think he's texting a friend. One of your employees might walk in, groggy and in need of coffee. Without being noticed, Drysdale captures an image of the employee's name badge on his cell phone. Fifteen minutes later, Drysdale is back in his hotel room where he has his colleague, Kent Ickler, print a badge that is identical to your company's, but sporting Drysdale's image. Ickler stays in the hotel in communication while Drysdale goes back to the company headquarters and picks a lock on the side of the building.
“If you wear a suit and a tie and look normal, no one ever assumes you are picking a door lock,” he says.
By 9 a.m., Drysdale has gained full access to the building. No one notices or checks his fake name badge as he wanders the hallways and offices, and in minutes he is inside your server room. “By lunchtime I have compromised the entire network,” he says. “Ickler is back in the hotel room cracking passwords for me, so in a short period I have gained access as domain administrator and taken over all of their network systems and infrastructure. It's basically game over for this company in less than four hours.”
The life of Drysdale and Ickler might sound like a spy movie, and in some ways, it is. Companies all over the world hire Black Hills Information Security (BHIS) to help reduce vulnerabilities and increase security by finding and exploiting their weak spots and then offering employee training and security solutions that reduce vulnerability.
“Pick the industry and we have likely found ways to compromise them. We physically break into banks, medical facilities, manufacturers, universities, you name it - physical entry is rarely the problem,” says Drysdale.
Sometimes physical entry isn't necessary. Ickler is an expert at social engineering. He mines social media accounts, websites, and even court documents for personal information. He can also access nefarious sources that have released compromised data in past breaches. Social security and credit card numbers are not as private as they used to be. “Once you are an information security analyst, you realize how compromised you already are,” says Ickler. With all this information, Ickler can then put together a target profile to learn a great deal about a specific company employee. “So when we call a company's help desk to have that employee's password changed, and they ask a security question like, ‘What was the color of your first car?' We have that answer ready.” To gain further access or information, BHIS can also put together a “red team”, a group of hackers who use coding skills and other tactics to compromise the security of a client company.
Following their work, Black Hills Information Security provides an analysis for their customers that helps them understand and mitigate the risks. BHIS can then train their clients to protect personal and corporate information. Finally, they engage in threat hunting where they can actively seek out and identify cyber attackers. “Our main goal is not to prove that we can hack into a company, but to help the customer develop a series of on- point solutions and technologies that will improve the overall security of the company. Testing should never be adversarial, but collaborative,” says John Strand, CEO and company founder.
Strand takes a rising-tides-raises- all-ships approach to the industry. The team at BHIS develops popular open-source and free tools, publishes educational blogs, and gives informative webcasts for the information security community. BHIS personnel are now sought after to speak at conferences around the world.
“In this industry, there are a lot of huge players who are venture capital backed and their goal is to make money and nothing else,” says Ickler. “By offering affordable training and broad industry support, our CEO John Strand has taken a different path.”
This business model and philosophy are working for BHIS. “We went from one employee 12 years ago to 60 plus all over the world. We are among the top three or four global firms who do this kind of work. We interact daily with the upper echelon of information security professionals and we're centered in the Black Hills. It's a little hard to believe,” says Drysdale.
Strand has also fostered numerous employee-owned companies under the BHIS umbrella. He is one of the founders of a company called Active Countermeasures, alongside Mines students and alumni Logan Lembke (CSC 18), Brian Fehrman (CSC 10), Joe Lillo (CSC 15), Lisa Woody (CSC 15), and Samuel Carroll (CSC 15) who all contribute to the creation of unique algorithms that analyze network traffic and detect anomalies to indicate nefarious cyber attackers. Drysdale and Ickler founded another of the businesses associated with BHIS called Defensive Origins that delivers cybersecurity training around the world, including at BHIS-hosted events like the immensely popular Midwest Hacking Festival in Deadwood. Both these companies are moving into the new Ascent Innovation Campus this spring where they will have the resources needed to continue their growth.
Growth of these companies seems like a safe bet. After all, in an ever- increasing interconnected world, the need for cybersecurity is not likely to dwindle anytime soon.
Needless to say, if you should ever run into Jordan Drysdale seemingly texting on his cell phone in a restaurant near your corporate headquarters, you might want to check your server.