How Can You Get Paid to Break Into Stuff?

Jan 24, 2022, 7 min

Episode description

Crime doesn't pay -- but penetration testing does. Learn why companies pay hackers to break into their networks and offices in this episode of BrainStuff, based on this article: https://computer.howstuffworks.com/hack-networks-security-news.htm

Transcript

Speaker 1

Welcome to BrainStuff, a production of iHeartRadio. Hey BrainStuff, Lauren Vogelbaum here. Let's begin this episode with a true story. Asher Demots walked through the front doors of a supermarket. Hanging at his side, in place of a reusable shopping tote, was a discreet laptop bag. Demots wasn't shopping for groceries. This was a break-in, but neither the avocado-inspecting shoppers nor the credit-card-swiping cashiers realized they were under attack.

Demots walked through the store and found a back room lined with people at computers. It was a training session, a perfect place to blend in, so he sat down and hijacked a machine. For the article this episode is based on, HowStuffWorks spoke with Demots. He said, I just went in and unplugged the cable from the back of one of the machines and plugged it into my laptop. I was hacking away for a while and gained access to systems and databases pretty quickly from that room.

Soon after, the trainer approached him. She was polite but unsure about him. He told her he was from the head office, there to install some updates. This appeased her for a few minutes, but she decided to loop in her supervisor. That's when Demots figured it was time to head out. He said, I closed everything and started to leave. I took the stairway and unfortunately, as I pushed the door open, the alarm went off.

The trainer was already hot on his tail. The chase continued to the soundtrack of blaring security alarms and a final screeching crescendo as the trainer shouted across the store, that's him, that's the guy. Another supermarket employee approached Demots, but Demots was prepared. He had a manila folder with a fabricated work order. He told them that he was from corporate and that there had been a serious hack in the store's system. He said, did you know there was a breach on your network last night? Millions were stolen. And the supervisor said, no, I had no idea. The pair agreed to get on a call later that afternoon to avoid any heads rolling due to the serious cybersecurity infraction.

Part of Demots's tale to the supermarket manager was true. He was hired to be at the supermarket, and by the supermarket's leadership. However, the only hack that had happened was the one Demots did himself, and he didn't steal a dime. He was hired to see how far he could hack into the supermarket's systems, and in this case he got far. Now he had helpful information to share with the leadership team on how to make their security more effective and safer for employees and customers alike.

Demots has more than twenty years of experience in this sort of gig, called penetration testing. He explained, the reason companies have penetration testing is because they don't know what they don't know. You could have a great internal IT or security team that are installing packages and trying to secure systems, but until you get a hacker in there who's digging in and doing things they shouldn't be able to do, to find those risks people have missed, companies don't know what their risks are. Demots's goal is to find vulnerabilities before bad guys have a chance to, an increasing threat for businesses of all sizes.

According to the Cost of Data Breach studies sponsored by IBM, security of small and medium businesses are attacked each year. So what's worse is that of those businesses closed their doors within six months of the attack. The average global cost of a single breach is three point six two million dollars, and in the first six months, the number of businesses affected by ransomware attacks, those where malicious software is installed that blocks access to networks until a ransom is paid, more than doubled compared with That's why more and more organizations are hiring penetration testers to break into their systems on purpose.

These experts are also known as white hat hackers, in a literal hat tip to mid-twentieth-century Western film symbolism. Demots explained, it's like an insurance policy. If companies spend the money now on security, it saves them from the ten or a hundred million it will cost them if they're breached. If they get their ransomware assessed and they inoculate themselves, for example, it saves companies months of headaches and lost revenue from not being able to do business.

The other reason organizations pay to get hacked is to make sure they meet stronger regulatory standards. Healthcare, financial organizations, and government institutions, among others, must meet federal, state, and industry cybersecurity regulations as hacking becomes more common and more costly.

You may think of hacking as a remote activity, accessing the network or sensitive data, but penetration testers look at both physical and technical aspects of an organization's security program. Demots said, we test the physical controls. Can we gain access to a building, get past security, go through a back door? Can we gain access to physical files? Can we get into areas where companies print credit cards or gift cards?

He offers advice too, like recommendations for employee training programs, so people like the supervisor he met know how to verify people who are supposed to be in the building or not, or what to do if they don't recognize someone, instead of initiating a store-wide pursuit, even if it does make for a good story. He said, we have a lot of fun doing this, but we also provide a lot of value to the client.

Penetration testers must have a detailed knowledge of technology, and that comes with experience, not just fancy tools. Demots said, penetration testing is understanding and interacting with technology, knowing the way that technology is supposed to work. It's a methodology and maybe aligning a tool toward it, but it's not simply about scripts or tools.

But once Demots is inside a system, he looks for three things: where he can log in, what software versions are in use, and whether systems are configured correctly. He explained, can we guess a password? Can we find some other way to access a login? And maybe the software is out of date and there's an exploit, so we try and exploit some ransomware code against it to try and gain access to the systems. And some things can be found in an audit, but we're also finding things the organization hasn't thought of.

There's an important distinction there. An audit asks, is the security program being followed? Penetration testing asks, is the program working? The problem may not be as simple as out-of-date software, but an entire security strategy that needs improving.

From a bird's-eye level, white hat hacking is becoming more popular with organizations responsible for personal data, like Facebook, which is known for incentivizing white hat hackers via their bug bounty program to find vulnerabilities in their system. You may never see them, never know they're there, but penetration testers help keep businesses secure and customers like you safer, too.

Today's episode is based on the article Companies Pay This Guy to Break Into Their Networks and Offices on HowStuffWorks.com, written by Alison Troutner. BrainStuff is a production of iHeartRadio in partnership with HowStuffWorks.com, and it's produced by Tyler Klang. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.

Transcript source: Provided by creator in RSS feed