2018 Intelligent Reporting Summit Q&A: The Person Companies Pay to Hack their Networks

Clark Sells
August 13, 2018

This blog was last updated on March 11, 2019

Christopher Emerson is founder of White Oak Security, a company that tests the security of its clients’ business-critical systems by attacking them. Emerson will speak at the Sovos Intelligent Reporting Summit in Denver in October. Here, he talks about why companies still fail to secure their most important information adequately and what they can do to better protect their data.

Sovos: Tell us a bit about what White Oak Security does. Companies pay you to attack them right?

Christopher Emerson: We’re security testers who mimic malicious actors in clients’ networks and identify security issues. We can also help evaluate the effectiveness of controls clients have in place.

Sovos: What stands in the way of companies being able to secure their data adequately?

Emerson: The people we primarily work with have some background in IT. They know the constraints they have to work with. There’s a balance between securing the organization and delivering uptime. None of our customers want to push out vulnerable systems. Security can slow down the development process. As companies are trying to move faster, security can sometimes act as a barrier. Used correctly, it can be a value add. Used incorrectly, it’s basically just a cost center.

Sovos: But security has been a major concern and a headline-grabbing issue for years now. Why do so many companies still struggle with it?

Emerson: Every environment is different. Asset management for medium to large organizations is difficult because it’s hard to understand what systems you have, where they reside and what data you have on the systems. A hacker just needs to find one system nobody is patching or is afraid to touch for fear of it falling over.

Sovos: So, some companies aren’t patching systems even though they know that failure to patch can leave security holes?

Emerson: There are old systems that don’t get the same care and attention that newer systems do. It’s usually something like a mainframe managing time and activity or part of an ERP implementation. They work well enough, so nobody wants to do anything with them because patching them can be very expensive. It’s entirely possible that a simple configuration update could end up costing an organization thousands of dollars or more. 

Sovos: What is your process for identifying a vulnerability?

Emerson: We start from outside the network and try to start obtaining information about the organization. We start with info that is publically available while trying to maintain a low profile. We look at vulnerabilities, see how we can leverage information to gain a foothold in the network. It only takes one significant error for us to establish a foothold. In most organizations, hacking a system comes down to being able to take over control of the network and access any of their sensitive data. Sometimes it’s credit card data, sometimes personal health information. It is possible to get the information necessary to hack into a system just by doing some external research. 

Sovos: Is there an example of a particularly egregious security hole you can remember?

Emerson: One client had an environment that allowed them to spin up virtual servers to increase server load. Through open-source intelligence gathering, we were able to gain the information necessary to access that system and start spinning up our own servers. 

Sovos: Are there any companies left that really just don’t care much about security?

Emerson: There are definitely some of those that are intentionally lax. We have a couple of customers that do have that mentality. “Why do we need these additional security measures?” But with other customers, one of their goals is to prove that IT needs more budget for security. We get called back to some of the same clients over and over, and we see them being able to make greater strides toward improved security.

Sovos: How do you recommend companies go about trying to better secure their systems?

Emerson: Try to bake security in as a part of the entire process. A lot of companies do testing at the end of development or in production. However, the more integrated security can be early on, from threat modeling at the outset to enabling developers to perform security tests on their own, the less of a barrier security becomes. This idea is definitely gaining traction, but it takes to time to get going and has an upfront cost.

Sovos: What will you be discussing at the Intelligent Reporting Summit?

Emerson: We’re going to take the audience through the anatomy of a hack we performed for one of our clients. The example we’re going to walk through took us about four weeks in total.

Take Action

Learn more about White Oak’s security testing and how the company advises customers to be more secure, and meet Christopher Emerson in person. Register to attend the 2018 GCS Intelligent Reporting Summit in Denver in October. Plus, use code 2018GCS10 to receive 10% off your registration! 

Sign up for Email Updates

Stay up to date with the latest tax and compliance updates that may impact your business.

Author

Clark Sells

Share this post

alcohol deliveries
North America ShipCompliant
December 20, 2024
What if No One is Home to Sign for an Alcohol Delivery?

This blog was last updated on December 20, 2024 When no one is home to sign for an alcohol delivery, it becomes more than just a minor hiccup for direct-to-consumer (DtC) alcohol shippers. It’s a domino effect that transforms a perfectly curated product into a customer’s disappointment before it’s ever opened. This becomes an even […]

taxation of motor insurance policies france
North America VAT & Fiscal Reporting
December 18, 2024
Taxation of Motor Insurance Policies: France

This blog was last updated on December 18, 2024 France is one of the most challenging countries in Europe when it comes to the premium tax treatment of motor insurance policies. This is mainly due to the variety of taxes and charges that can apply and the differing treatment of different vehicle types. This blog […]

california bottle bill compliance
North America ShipCompliant
December 13, 2024
California Bottle Bill: Compliance Updates for Wine and Spirits

This blog was last updated on December 16, 2024 California’s bottle bill got a major upgrade earlier this year, and it’s changed the rules for wineries, distilleries and beverage distributors in a big way. For the first time, wine and spirits manufacturers will need to register with CalRecycle, report sales and pay California Redemption Value […]

unclaimed property compliance for wineries
North America ShipCompliant
December 12, 2024
Unclaimed Property Compliance: What Wineries and Wine Clubs Need to Know

This blog was last updated on December 12, 2024 Although hard to believe, unclaimed property obligations impact ALL industries, including wineries and other wine clubs. While most companies typically only associate unclaimed property with outstanding checks, including accounts payable and payroll, there are other exposures for wineries and wine clubs to consider. Understanding these risks […]

retail delivery fees for alcohol shipping
North America ShipCompliant
December 5, 2024
Navigating Retail Delivery Fees: A Guide for DtC Alcohol Sellers

This blog was last updated on December 5, 2024 Direct-to-consumer (DtC) alcohol shippers are no strangers to navigating a complex regulatory landscape. However, recently, a new challenge has emerged—the rise of retail delivery fees. From excise taxes to shipping restrictions, the industry has long dealt with a maze of state-specific rules that require careful attention […]