To catch a hacker, one has to think like a hacker. That is the mission of Jacksonville-based Secure Ideas.
Owner Kevin Johnson develops hacking software to show the vulnerability of a client’s computer system.
It begins with Johnson or an employee sneaking into the client’s office. He may be disguised as a delivery person or he will devise another ruse.
Once there, he takes note of the software being used and then works on the hack.
“Professionally evil testing as a service” is the Secure Ideas tagline.
“Our job sounds like a movie plot. I’ll give you a secret. Our job is a movie plot. There aren’t many jobs I know of that you can go from 10 at night breaking into a bank building, to the next day stealing credit card numbers from an airline, to the next day breaking into a nuclear power plant, all of which are real stories,” Johnson said.
Secure Ideas has a staff of 20. It is not a group of reformed ex-cons plying their hacking skills for good rather than evil. An arrest record immediately disqualifies an applicant, he said.
Johnson teaches his employees how to hack and think like a hacker.
“What we do is we hire people who understand the systems we are attacking. And then we teach them how to do the attacks because bluntly, that part is easier than learning the systems themselves,” he said.
“We then use that knowledge and skill to evaluate what the risk is to an organization.”
The testing occurs regularly throughout the year.
Every system is hackable. Once a fix is found for one hack, the criminal is off working on the next way to infiltrate a computer system, Johnson said.
And don’t blame an employee for opening an evil attachment. It can happen to anybody.
“Yes, the vast majority of breaches are caused by a person making a mistake. But the blame for that attack is on the scum that is launching the attack and taking advantage of the person who made the mistake,” Johnson said.
“I am probably one of the most security-aware people that you will deal with. And I have clicked those links.”
To avoid any conflict of interest, once a problem is found, Secure Ideas doesn’t fix it.
Johnson will recommend a list of companies that he trusts to remove malware and clean the computer system.
“It always reminds me of those backwoods car mechanics that will tell you your blinker fluid is low. And don’t worry, for 20 bucks, they’ll fix it, right?”
The company serves clients from startups and mom-and-pop operations all the way to Fortune 500 companies. Services can cost from $2,500 to more than $50,000 annually.
If a company takes payment via credit card, by law it is required to have regular vulnerability assessments, Johnson said.
Also, Johnson warns that most likely some bad guy has your credit information.
People don’t realize it because their card hasn’t yet been used fraudulently.
Credit card scams are easily thwarted. Credit card companies don’t make cardholders pay for items they didn’t purchase. The credit card is canceled and a new one is issued.
Medical records are another matter.
A person’s medical records can be used to access prescription drugs. A hacker can add someone’s medical information to another person’s file. The two become one.
This means the victim’s medical information is corrupted. Wrong information about dangerous drug allergies or other medical information could lead to a wrong diagnosis or worse consequences, Johnson said.
“Everybody is hackable. If I take enough time I’m gonna get into or do whatever I want,” Johnson said.
“Businesses aren’t in business to be secure. Businesses are in business to do whatever it is they do. Being secure helps them do that. And so what we want to do is help them understand where to focus their limited resources.”