On any given morning, you might find Jordan Drysdale inside
the coffee shop that sits adjacent to your corporate headquarters. You probably
wouldn’t notice him. He looks like an average patron, nonchalantly blending in.
If you do happen to notice him, maybe you think he’s texting a friend. One of
your employees might walk in, groggy and in need of coffee. Without being
noticed, Drysdale captures an image of the employee’s name badge on his cell
phone. Fifteen minutes later, Drysdale is back in his hotel room where he has
his colleague, Kent Ickler, print a badge that is identical to your company’s,
but sporting Drysdale’s image. Ickler stays behind in the hotel, keeping in contact, while
Drysdale returns to the company headquarters and picks a lock on a side door of
the building.
“If you wear a suit and a tie and look normal, no one ever
assumes you are picking a door lock,” he says.
By 9 a.m., Drysdale has gained full access to the building.
No one notices or checks his fake name badge as he wanders the hallways and
offices, and in minutes he is inside your server room. “By lunchtime I have
compromised the entire network,” he says. “Ickler is back in the hotel room
cracking passwords for me, so in a short period I have gained access as domain
administrator and taken over all of their network systems and infrastructure.
It’s basically game over for this company in less than four hours.”
The work of Drysdale and Ickler might sound like a spy
movie, and in some ways, it is. Companies all over the world hire Black Hills
Information Security (BHIS) to find and exploit their weak spots before a real
attacker does, and then to close those gaps through employee training and
security recommendations.
“Pick the industry and we have likely found ways to
compromise them. We physically break into banks, medical facilities,
manufacturers, universities, you name it – physical entry is rarely the problem,”
says Drysdale.
Sometimes physical entry isn’t necessary. Ickler is an
expert at social engineering. He mines social media accounts, websites, and
even court documents for personal information. He also draws on data dumped
from past breaches and circulated in underground sources. Social security
and credit card numbers are not as private as they used to be. “Once you are an
information security analyst, you realize how compromised you already are,”
says Ickler. With all this information, Ickler can build a target profile of a
specific company employee. “So when we call a company’s help
desk to have that employee’s password changed, and they ask a security question
like ‘What was the color of your first car?’, we have that answer ready.” To gain further access or information, BHIS can
also field a “red team,” a group of operators who combine technical exploitation
with physical and social tactics to compromise the security of a client company.
Following their work, Black Hills Information Security
provides an analysis that helps customers understand and
mitigate the risks found. BHIS can then train clients to protect personal and
corporate information. Finally, they offer threat hunting, actively searching a
client’s network for attackers who may already be inside. “Our main goal is not to prove
that we can hack into a company, but to help the customer develop a series of
on-point solutions and technologies that will improve the overall security of
the company. Testing should never be adversarial, but collaborative,” says John
Strand, CEO and company founder.
Strand takes a rising-tide-raises-all-ships approach to
the industry. The team at BHIS develops popular open-source and free tools,
publishes educational blogs, and gives informative webcasts for the information
security community. BHIS personnel are now sought after to speak at conferences
around the world.
“In this industry, there are a lot of huge players who are
venture capital backed and their goal is to make money and nothing else,” says
Ickler. “By offering affordable training and broad industry support, our CEO
John Strand has taken a different path.”
This business model and philosophy are working for BHIS.
“We went from one employee 12 years ago to 60 plus all over the world. We are
among the top three or four global firms who do this kind of work. We interact
daily with the upper echelon of information security professionals and we’re centered
in the Black Hills. It’s a little hard to believe,” says Drysdale.
Strand has also fostered numerous employee-owned companies
under the BHIS umbrella. He is one of the founders of a company called Active
Countermeasures, alongside Mines students and alumni Logan Lembke (CSC 18),
Brian Fehrman (CSC 10), Joe Lillo (CSC 15), Lisa Woody (CSC 15), and Samuel Carroll
(CSC 15), who all contribute to the creation of algorithms that analyze
network traffic and flag anomalies that indicate an attacker’s presence.
Drysdale and Ickler founded another of the businesses associated with BHIS
called Defensive Origins that delivers cybersecurity training around the world,
including at BHIS-hosted events like the immensely popular Midwest Hacking
Festival in Deadwood. Both these companies are moving into the new Ascent
Innovation Campus this spring where they will have the resources needed to
continue their growth.
Growth of these companies seems like a safe bet. After all,
in an increasingly interconnected world, the need for cybersecurity is not
likely to dwindle anytime soon.
Needless to say, if you should ever run into Jordan
Drysdale seemingly texting on his cell phone in a restaurant near your
corporate headquarters, you might want to check your server.