Charles Tendell is often the guy you wished you had called sooner. He’s what’s known in the cybersecurity business as a “white hat hacker”—an expert in the ways malicious hackers try to breach computer systems, who also helps teach businesses how to keep them out. (Think of a Lone Ranger for the Internet era.) Writer Erin McDermott recently talked with Tendell, a Denver-based certified ethical hacker, about protecting small businesses, the challenge of social media, and outsmarting the bad guys.
EM: How did you get started? How do you become an “ethical hacker”?
CT: I got into computers at a pretty young age. My dad brought home our first computer and told me not to touch it—and that was, by far, the biggest mistake my father ever made. I learned my way around the keyboard very quickly, and this was back in the days before we had graphical user interfaces and you had to know the actual command line. As I grew up, I was pretty malicious in high school—I was into the school’s systems, the library’s. If I could get into it, I got into it. I joined the Army right out of high school.
I was self-taught about a lot of the security things I did and the Army gave me the opportunity to go to school, so I got a degree in information systems security. I was in the Army for about six years and did computer forensics, penetration testing, and security architecture for the military police, the military Criminal Investigative Division, the Air Force, and Marines. I helped design security implementations for the 82nd Airborne Division. After I got out, I continued my education, but I worked with companies like Lockheed Martin, Boeing, and a lot of small companies. Then I started a few investigations firms, like what I’m doing now. Along the way, I’ve teamed up with the EC Council to get their certified ethical hacker designation.
EM: The word “hacker” makes some people nervous, even though there are good hackers as well as bad ones. How are “ethical hackers” monitored to be sure they are on the level?
CT: They monitor my activity—I have to give them my continuing practical education points that show I’m authoring a book or reading this or took this training course. Without those, they can take my certification from me. Beyond that, say you and I are talking and you ask me to do something unethical and I actually do it. Or if you catch me doing something unethical. You can report me to EC Council and they’ll do an investigation, but over the course of the investigation they’ll also suspend my certification. If they do find that I violated the code of ethics, they’ll rescind it and I’ll no longer be able to call myself a certified ethical hacker.
EM: Anyone who wanted to hire an ethical hacker would be able to verify that you and your colleagues are, in fact, genuine good guys? Is there a website?
CT: With EC Council, you actually have to submit a request in writing. As a security professional, we’re all, well, mildly paranoid [laughs] so privacy is a big deal. But if you submit your request in writing to verify my information, they will respond back and can say he or she is indeed a certified hacker, from this date, and in good standing.
CT: There are two types of clients. There’s the pre-hack client, who just feels they’re going to come under attack and maybe just need to tighten security or get started with a security program. And then there’s the post-hack client, who has been breached and has some information that has been posted online or they’ve had some proprietary information or some intellectual property stolen. They want to know how it happened and what their recourse is.
For the pre-hack clients, I’ll come in and meet with the leaders of the company and find out what security means to them as an organization, what their situation is and what they’re worried about protecting. From there we’ll work together to design a roadmap for security implementation. We’ll do a risk assessment, a gap analysis, and a vulnerability assessment to see what holes might potentially be in their infrastructure. We’ll do a penetration test to verify any vulnerabilities we can validate. Then I’ll show you how to patch those holes.
For the post-hack clients, all of the same processes apply, except now I’m tracing back the source of your breach and guiding you down the path of where it went, and here are some of your potential legal avenues. I’m not an attorney, so I can’t give legal advice. In both cases, I get to what’s called a “black hat test,” where the client gives me as little information as possible: “Here’s my URL and here’s my phone number. See what you can get.” Those are a lot of fun because I get to do all of the research and pretend to be the bad guy. Then there’s the “gray hat” one, where they give me their entire network structure and say: “Just tell me what we’ve got.” That’s a little less fun because there’s not as much investigation involved. In both cases now, small business owners are worried about mobile devices.
EM: What are you seeing with mobile devices?
CT: A lot of companies are now using a BYOD—Bring Your Own Device—policy. They’re saving themselves money by allowing their employees to use their own mobile devices and letting them connect them to email and company WiFi. A lot of breaches are happening because you get the cats with the jail-broken phones or the rooted Androids who can circumvent certain security mechanisms on your network and potentially infect you with malicious software.
EM: If you’re using your laptop to do a lot of things besides financial transactions, there are reports that there are entry points to your computer through sites like Twitter, Facebook, a webcam, etc.
CT: Absolutely. A lot of small business owners, I’ve found, buy one computer and want to be able to do everything from it. But they mix business and personal. They get a business Twitter or Facebook account and they still use it like they would their own personal computer. They go to websites they might not want to go to where they can potentially pick up malicious content or malware. They download files without really thinking about everything. And they don’t really have the back-end protection to prevent some of the attacks there. A lot of people will say they’ve got antivirus software that’s up to date or all these other protections, but there are ways for hackers to make those what’s called “FUD,” or fully undetectable, by your antivirus system and they can honestly infect you.
One really big mistake that a lot of business owners make is using their Twitter password as their Facebook password, which is also the same as their email password, which is also the same password to their local machine. A lot of these online social media are designed to be as user-friendly as possible. But on the security end, there’s a triangle that goes Security, Functionality and Ease of Use. As you get closer to any of those pillars, naturally you move away from the others. A lot of social media sites are more geared toward functionality and ease of use, so security isn’t necessarily the top of their list. And it’s far easier to compromise a Twitter account than it is an enterprise email exchange that’s fully patched.
EM: So say I’ve got a bricks-and-mortar store along with an online shop. What are the biggest mistakes for me to avoid?
CT: Aside from not duplicating passwords, and keeping your antivirus and anti-malware software on your machine updated? Be very wary of public WiFi—if you’re going to be doing any transacting there. In social media, if you get an email or message that contains a link in it, even if it’s from your friend or appears to come from someone you know on Facebook—sometimes it may be a photo or a link to a survey there—contact the person who sent it, via another method, before you click on it. In recent months, I’ve seen a lot of people send out that “I Just Won This Great Vacation!” post. [Laughs] I will instantly call or text that person and tell them I think they’ve been compromised and this is what they need to do right away. I take those links into my “sandbox” and oftentimes, sure enough, it’s been what’s called a drive-by Java infection. You click the link and your browser will download a remote-access Trojan, giving an attacker full access to your machine. So, be wary of people sending you links.
Be very, very, very cautious of any type of link, even if you see a message from Facebook’s security center, that says click here to log in or click that link. If it’s telling you that you need to re-log in to that account or go somewhere to take any kind of action, type the URL in yourself or go to Facebook.com and log in normally. Facebook will get you to your message box and you can deal with any security issues there. As often as possible, don’t click the link, especially if it takes you to a log-in page—avoid logging in there. There are ways where hackers are able to do credential harvests, so basically you’ve just given them your log-in and password even though it looks legitimate to you. But somewhere, someone sitting at a terminal just got your Facebook password.
EM: Social media must be a nightmare for the people in your business. Although I suppose it has created a lot of work, too?
CT: [Laughs] It is both a blessing and a curse. It’s got its good things, but when you don’t use it appropriately it’s also got its negative things. A lot of small business owners get the advice that they need to be using social media and all these different avenues to promote their business. And that’s all a small business owner is thinking about—the bottom line. How can I promote my business? How can I increase my revenue? So they jump on these things and security is an afterthought. Their accounts get compromised and send out all these different links, people click on it, and until that happens they’re not really thinking about it.
EM: This has to be pretty exhilarating work for you at times.
CT: It’s good to see the ‘Aha!’ moment. It’s even better when clients ask me to do an assessment or an investigation and they implement the things that I recommend. Then someone tries to hack them again and fails. And then I can show them this is how it was foiled, this is where the attacker came from, this is what they were using—they love that. And I love being able to save the day like that.
Disclaimer: The opinions expressed are solely those of the author and interviewee. You should consult a qualified professional to assist you in developing and implementing sound security policies and practices.