Penetrating IT security to find the weaknesses

Testing the defenses: By using high- and low-tech approaches, the entrepreneurs at NetSPI poke around their clients' security systems for problems.

November 19, 2008 at 3:58AM
Deke George, top, and Seth Peter, bottom, are the founders of NetSPI, a Minneapolis company that specializes in trying to breach the IT and infrastructure security systems used by corporate and government clients and recommends changes needed to plug any holes they find. And they find plenty, often in the oddest places. (Star Tribune/The Minnesota Star Tribune)

For a month before the recent Republican National Convention, Deke George, Seth Peter and a gang of cohorts schemed to break into the IT systems of the St. Paul police and other critical city agencies.

Not only that, but a couple of their accomplices, posing as delivery men, attempted to talk their way into off-limits areas of the city's Water Department.

Although city officials knew about these forays, no one was arrested. In fact, George and Peter collected a tidy payoff for their efforts.

The two gents, friends since grade school, are the founders of NetSPI, a Minneapolis company that specializes in trying to breach the IT and infrastructure security systems employed by corporate and government clients and recommends changes needed to plug any holes they find.

It's a business that grossed $3 million last year and is headed for a $5 million total this year, never mind the faltering economy. Indeed, despite flat revenue in 2006, NetSPI has generated a compound annual growth rate of 50 percent since its first full year of operation in 2002.

Better yet, "it's also a really fun business," said George, 37, NetSPI's CEO. He was referring to the delivery man disguises, phony credentials and magnetic signs attached to the side of company vehicles that NetSPI consultants occasionally use to talk their way past a client's security guards.

Oh, yes, there's one more item that's critical to such undercover operations, he said: "The key is, you gotta be carrying a clipboard."

So, what kind of weaknesses did NetSPI uncover in St. Paul's preparations for the Republican convention? The partners remain tight-lipped on that topic, although Peter said that "some adjustments in technology and procedural controls" were suggested. He declined to be specific.

But Peter said that, overall, "the environment was very well secured, particularly at the Police Department."

There's good reason for the firm's success in the face of economic difficulties: A growing body of legislation and industry rules are requiring ongoing reviews of data-protection systems, said Peter, 35, NetSPI's chief technology officer. For example, NetSPI has been authorized by the Payment Card Industry Security Standards Council to certify compliance with its rules.

Other sectors, too: The company is charged with testing the security systems in a dozen nuclear plants around the country and for the top five banking organizations in Minnesota. Its client list also includes Minnesota's Xcel Energy, Carlson Companies and HealthEast and national names such as Domino's Pizza, health services giant McKesson Corp. and Genworth Financial, the insurance spinoff of General Electric.

George and Peter started their trek toward entrepreneurship with jobs at a local data-recovery company, working in a computer forensics division that specialized in high-profile criminal investigations. They later moved to local IT security assessment firms, George as a salesman and Peter as a technology specialist.

But when the dot-com bubble burst, venture capital disappeared for any company with the initials IT attached to its business. Peter's employer went under, and he and George decided to fill the gap.

There were lean times at first, George said: "We paid ourselves entry-level wages for two years," and relied on income from rental properties. Then they landed HealthEast and Genworth Financial as clients in 2003 and they were on their way.

Except, that is, for 2006, when sales flattened at $2 million after the partners decided to stop installing firewalls and other security products to focus on consulting.

"The idea was to provide objective recommendations on solving security problems," whether or not a product was involved, George said. "We thought it was a good gamble," a notion borne out by the fact that revenues have risen 150 percent in the past two years.

In the process, they've assembled an intriguing, if not disconcerting, collection of stories about corporate security -- or the lack thereof.

More than once, for example, they've shown how easy it is to access confidential credit card information online. And they've even accomplished the more difficult task of breaking into banking networks and actually redistributing funds.

Then there was what Peter calls "a procedural problem" uncovered at a large financial services company: A NetSPI agent posing as "a senior executive with a bad memory" called the client's IT help desk and persuaded the gent who answered to supply the exec's password and user name.

Their favorite story, however, involves a sizable Minnesota company whose chief information officer hired NetSPI to assess the company's IT security. Posing as the client's top personnel officer, a NetSPI agent launched a "phishing" expedition -- an e-mail blast to the client's managers -- asking them to sign up for a new online payroll system by providing their passwords and user names.

The first person to respond with that information? You guessed it: the chief information officer who'd hired them.

Dick Youngblood • 612-673-4439 • yblood@startribune.com

DICK YOUNGBLOOD, Star Tribune