Asher de Metz walked through the front doors of a supermarket. Hanging at his side, in place of a reusable shopping tote, was a discreet laptop bag. De Metz wasn't shopping for groceries — this was a break-in. But neither avocado-inspecting shoppers nor credit-card-swiping cashiers realized they were under attack.
De Metz walked through the store and found a room lined with people at computers. It was a training session. Perfect place to blend in. So, he sat down and hijacked a machine.
"I just went in and unplugged the cable from the back of one of the machines and plugged it into my laptop," de Metz says. "I was hacking away for a while and gained access to systems and databases pretty quickly from that room."
In Hot Pursuit of a 'Hacker'
Soon after, the trainer approached de Metz. She was polite but unsure about him. "I'm from head office," de Metz told her, explaining that he was there to install some updates. The story appeased her for a few minutes, but she decided to loop in her supervisor.
That's when de Metz figured it was time to head out. "I closed everything and started to leave," de Metz recalls, but the trainer was hot on his tail. "I took the stairway and unfortunately, as I pushed the door open, the alarm went off."
The chase continued to the soundtrack of blaring security alarms and a final screeching crescendo as the trainer wailed across the store, "That's him! That's the guy!" Another supermarket employee approached de Metz, but de Metz was prepared. He had a manila folder with a fabricated work order.
He told them that he was from corporate and that there had been a serious hack in the store's system. "Did you know there was a breach on your network last night? Millions were stolen." "No," the supervisor said. "I had no idea." The pair agreed to get on a call later that afternoon, to avoid any heads rolling due to the serious cybersecurity infraction.
Part of de Metz's story to the supermarket manager was true; he was hired to be at the supermarket — by the supermarket's leadership. However, the only hack that had happened was the one de Metz did himself, and he didn't steal a dime. He was hired to see how far he could hack into the supermarket's systems. And in this case, he got far. Now he had some helpful information to share with the leadership team on how to make their security more effective and safer for employees and customers alike.
Why Businesses Pay to Get Hacked
De Metz is the security consulting senior manager at Sungard Availability Services, a global IT service management company. He has more than 20 years of experience as a penetration tester — that's what they're called — and has provided invaluable advice to some of the world's largest companies throughout the U.K., Europe, Middle East and North America.
"The reason companies have penetration testing," de Metz says, "is because they don't know what they don't know. You could have a great internal IT or security team that are installing packages and trying to secure systems, but until you get a hacker in there who's digging in and doing things they shouldn't be able to do, to find those risks people have missed, companies don't know what their risks are."
De Metz's goal is to find vulnerabilities before the bad guys do — an increasing threat for businesses of all sizes. According to the 2017 Cost of Data Breach Study sponsored by IBM Security, 60 percent of small and medium businesses are attacked each year. What's worse is that of those businesses, 60 percent close their doors within six months of the attack. The average global cost of a single breach is $3.62 million.
But the news gets worse. In the first six months of 2021, the number of businesses affected by ransomware attacks — those where malicious software is installed that block access to networks until "ransom" is paid — more than doubled compared with 2020, according to research by Check Point Software Technologies. And FireEye's Mandiant M-Trends 2021 report found 800 extortion attempts where company data had been stolen between Oct. 1, 2019, and Sept. 30, 2020.
The Stakes Are Very High
That's why more and more organizations are hiring penetration testers, also known as white-hat hackers (a literal hat tip to mid-20th century Western film symbolism), like de Metz to break into their systems on purpose.
"It's like an insurance policy. If companies spend the money now on security, it saves them from the $10 or $100 million it will cost them if they are breached," de Metz explains. "If they get their ransomware assessed and they inoculate themselves, for example, it saves companies months of headaches and lost revenue from not being able to do business."
The other reason organizations pay to get hacked is to make sure they meet stronger regulatory standards. Health care, financial organizations and government institutions, among others, must meet federal, state and industry cybersecurity regulations, as hacking becomes more common and more costly.
Cybersecurity Is Physical and Technical
When people think of hacking, they typically think of a lone ranger attacking a company's private data from the safety of their mom's dark basement. However, penetration testers look at both physical and technical aspects of an organization's security program, so they hack from inside the organization itself.
"Companies don't want to leave anything on the table, which could be part of a weakness of posture," de Metz says. "We test the physical controls; can we gain access to a building, get past security, go through a back door? Can we gain access to physical files? Can we get into areas where companies print credit cards or gift cards?" These are the critical, physical things de Metz points out, in addition to the technical side, like accessing the network or sensitive data.
He offers advice, too, like recommendations for employee training programs so people like the supervisor he met know how to verify people who are supposed to be in the building. Or, what to do if they don't recognize someone (instead of initiating a storewide pursuit even if it does make for a good story). "We have a lot of fun doing this, but we also provide a lot of value to the client."
How Penetration Testing Works
Penetration testers must have a detailed knowledge of technology, and that comes with experience, not just fancy tools. "Penetration testing is understanding and interacting with technology — knowing the way that technology is supposed to work. It's a methodology and maybe aligning a tool toward it, but it's not simply about scripts or tools."
Once de Metz is inside a system, he looks for three things: where can he log in, what software versions are in use and whether systems are configured correctly. "Can we guess a password? Can we find some other way to access a login? Maybe the software is out of date and there's an exploit, so we try and exploit some ransomware code against it to try and gain access to the system," he says. "Some things can be found in an audit, but we're also finding things [the organization] hasn't thought of."
Penetration testing goes deeper than a network audit, and that's an important distinction. An audit asks, is the security program being followed? Penetration testing asks, is the program working?
Penetration testers look at it from a bird's-eye view of security strategy. The problem may not be as simple as out-of-date software, but an entire security strategy that needs improving. That's what de Metz finds out.
Many small and medium-sized businesses struggle to fund well-founded security infrastructures. Still, white-hat hacking is becoming more popular with organizations responsible for personal data, like Facebook, which is known for incentivizing white-hat hackers via their Bug Bounty Program, to find vulnerabilities in their system.
De Metz has also spoken on podcasts with some of his most dramatic stories of penetration testing. His goal is twofold: to entertain listeners with wild stories, but more importantly, to highlight the value of penetration testing — and what's at stake if companies don't. You may never see them, never know they are there, but penetration testers help keep businesses secure, and customers, like you, safer too.