Denny Deaton hacks into companies’ computer systems for a living, but it’s all on the up-and-up.
The Huntersville resident is what’s known as an ethical hacker – a specialist who helps companies find holes in their cyber defenses before a criminal does.
Ethical hackers have been around for decades, but experts say it’s a hot job right now in Charlotte and elsewhere as companies seek to protect a swelling amount of online data from growing security threats.
This year, the company Deaton works for, New York-based Gotham Digital Science, beefed up its five-year-old Charlotte team from three members to six.
“We’re still actively hiring here in Charlotte,” said Deaton, who manages the team. “We’re growing very quickly.”
In Charlotte, ethical hackers see rising demand from companies across a variety of industries. This month, Bank of America, health insurer Aetna and home-improvement retailer Lowe’s were among businesses posting online advertisements for jobs in the metro area.
“Internal positions such as those that try to ‘hack’ into a company’s systems are one way that we can test our defenses and keep on the forefront of these issues,” said Gina Proia, spokeswoman for Detroit-based Ally Financial, which has a large concentration of its information technology staff in Charlotte.
Across the country, employment of information security analysts, whose roles include ethical hacking, is forecast to increase 37 percent from 2012 to 2022 – more than triple the average for all occupations, according to the U.S. Department of Labor. In March, Fortune magazine included ethical hackers on a list of seven most “in-demand” jobs.
Experts say ethical hackers can earn anywhere from about $85,000 to more than $200,000. Demand comes at a time when some of the largest companies in America are reporting massive criminal data breaches.
“It is probably the highest demand I’ve ever seen in any industry that I’ve worked in,” said Redvers Davies, who works in Charlotte as an ethical hacker for a retailer he declined to name. Ethical hackers typically do not disclose the identities of their clients.
Experts say filling such jobs is not easy. They say ethical hackers need to have not only strong computer skills, but also qualities that aren’t teachable, like patience and curiosity.
It also doesn’t hurt if you can think like a criminal. In some cases, criminal hackers have gone on to become cybercrime informants for the U.S. government.
There is a big shortage in this kind of skill. For sure, Charlotte needs more.
Mohamed Shehab, associate professor in the College of Computing and Informatics at UNC Charlotte
“Some of the ethical hackers have advanced degrees in mathematics and physics. But they’re just smart people who tend to be more analytical,” said Larry Ponemon, founder of Ponemon Institute, a Michigan-based think tank whose focuses include data protection.
Charlotte has people with information security skills of all types, but like the rest of the U.S. it has too few to meet the growing need in the public and private sectors, said Mohamed Shehab, an associate professor in the College of Computing and Informatics at UNC Charlotte.
“It’s not only a problem in Charlotte,” he said. “There is a big shortage in this kind of skill. For sure, Charlotte needs more.”
Vulnerabilities high and low
Ethical hackers spot vulnerabilities in a variety of places, from companies’ computer networks down to employees’ behavior.
Deaton, the Huntersville hacker, said one area his company examines is the form that consumers can fill out on a company’s website. Think of the online forms you sometimes see that ask for your name, address and so on.
Deaton said hackers know how to write malicious code they can enter into those fields. The code can exploit flaws in a website to allow a hacker to steal a user’s data. The hacker can then use that data to log onto a website as another person.
It’s a common website vulnerability, even for some large companies, Deaton said. Such a flaw might allow a hacker to gain access to, say, your bank account.
His company, Gotham, looks not just for holes in the technology, but for human weaknesses, too. Can employees be tricked into doing things that compromise the safety of company data?
To find out, Gotham sometimes drops a USB drive in a company’s employee parking lot. The point is to see if an employee will be tempted to pick it up and shove it into a work computer.
“In a real-world scenario, the USB drive would contain a malicious program placed by an attacker,” Deaton said. “In almost every case where we do this type of test, someone plugs it in.”
Deaton said employees should turn over a suspicious USB drive to their information security department and never insert it into their computer.
In another employee test, Gotham will call a company and pose as an employee from the IT department.
This year, Gotham used the technique to dupe employees for one Charlotte client into sharing their online log-in credentials. In an exercise for a separate client, testers from Gotham were able to talk their way into a company facility that required authorized access.
Deaton’s advice: If someone purporting to be from your company calls and asks for sensitive information, you should always confirm their identity.
Consultants in demand
The demand for ethical hackers has helped power the growth of consulting firms like Gotham and Fortalice Solutions, a Charlotte-based provider of outsourced ethical hacking.
Fortalice CEO Theresa Payton, who was chief information officer under former President George W. Bush, launched her company in 2008. Payton said some businesses use outsourcing instead of having their own internal staff of ethical hackers, who can be expensive and hard to find.
She said her company looks for vulnerabilities at multiple levels – from a company’s processes and technologies, to its staff, contractors and vendors.
Vendors became a focal point in Target’s massive 2013 breach, in which stolen vendor credentials were used to take credit card data from millions of the retailer’s customers.
Deaton, a 39-year-old Mooresville native and former application-security tester for Bank of America, said his firm’s clients in the Charlotte region include financial services companies, retailers and technology companies.
Contracts can start at upwards of $10,000 for weeks of work to half a million dollars for a project that takes months, said Deaton.
Cybercriminals ‘very clever’
Having ethical hackers on board is not a guarantee that a company is safe, said Avivah Litan, a fraud analyst for Connecticut-based Gartner Research.
“In the most egregious targeted cases, the bad ones are almost always better at what they do than the ethical ones,” she said. “Still, a layered security approach, which can include employing ethical hackers plus other security measures, generally pays off.”
Some companies are facing hackers whose networks can span the globe.
This month, the Justice Department unsealed an indictment alleging a massive hacking operation whose victims included JPMorgan Chase & Co., Dow Jones & Co. and an unnamed company headquartered in Charlotte. The operation, whose mastermind was a resident of Israel, stole personal information from more than 100 million people, according to prosecutors.
The scheme’s operators used servers in Egypt, the Czech Republic and elsewhere to gain access to companies’ computer networks and steal individuals’ data, prosecutors say. They then made millions in profits by contacting those people and marketing stocks to them, as part of a scheme to manipulate share prices, according to prosecutors.
Ponemon, of the Michigan think tank, described the fight against bad hackers as like a game of chess.
“It’s more likely you’re going to lose the battle – maybe win the war – but lose the battle against the bad guys, because they’re very clever and have lots of resources,” he said.
“You want to win more than you lose.”