Today, ERM has about 150 clients, González said, with a 95 percent retention rate. “We offer high-quality IT and security services,” she added, “The big firms charge $200 or more per hour than we do.” González declined to disclose revenue figures.
One of ERM’s most sought-after skills is ethical hacking. “They pay us to hack into banks, airports and multinational companies,” to test for weaknesses in their systems, said González, who has a full-time staff of 14, and offices in Washington, D.C. and India. “One time, we were able to hack into the e-mail of a CEO.”
But when ERM is trying to hack into a bank or a company, “we have restraints,” she added. “We can’t break the law and we have a time limit. Illegal hackers don’t have these limitations.”
Esteban Farao, director of research and development at ERM, is an ethical hacker. Farao, a tall, well-dressed man who looks like he could be a college professor or a banker, described what he does when he attempts to penetrate a customer’s IT system.
“When you go to war, you need to know your enemy,” said Farao, who earned a bachelor’s degree in information systems, an MBA and a master’s degree in management information systems. First you have to do your research, looking at the website, checking out the target on Google, finding out as much as you can, and sometimes even searching through trash for clues, such as account numbers or pieces of a confidential memo, said the ERM executive, who has more than 15 years of experience carrying out attack and penetration projects and has worked with PricewaterhouseCoopers and several multinational companies. Farao studies a website thoroughly, identifying traffic patterns and looking for a weakness.
After the initial research, a hacker plans the next steps, he noted. Often, it’s a question of testing a system to see if the people and procedures are sound.
For example, if the goal is to compromise a bank account, the hacker finds out how someone usually accesses the account — online, by phone or fax, and uses that information. A hacker may impersonate someone, phone a bank, say that he or she is traveling and has forgotten the password. “If the bank has sound security procedures in effect, the hacker is stopped. If not, the hacker may get some information and use that to build on — from obtaining a user ID to resetting a password,” Farao said. “Small businesses are particularly vulnerable if they don’t have a proper security in place.”
ERM uses a portfolio of specialized computer programs, such as Qualys, Nessus and John the Ripper in carrying out its penetration tests, and develops its own sophisticated programs in house. The company also carries out “social engineering tests” to probe the “human firewall” at companies. These tests may involve leaving a flash drive with supposedly sensitive information in an office to see if someone tries to steal it, or checking on whether employees are properly following security policies and procedures.
ERM’s clients come from a wide range of sectors and include: Banco Santander, Brightstar, Rinker Materials, Citibank, Banesco, Broward County, the State of Mississippi, Homeland Security and the U.S. State Department.
Mount Sinai Medical Center in Miami Beach, which runs a sophisticated IT system to protect the confidential patient information at its six locations, has been working with ERM for several years. “They perform penetration and vulnerability testing for us — they test our system to find gaps or weaknesses,” said Carlos Bitar, director of IT operations at the hospital, which has about 120 people in its IT department. ERM also helps the hospital ensure it is fully compliant with HIPAA (The Health Insurance Portability and Accountability Act), which sets strict standards for the security and privacy of patients’ data.
“They are very capable, very easy to work with, and they’re local,” Bitar added. “They provide great service.” The company is up to date on the latest IT technology, and they respond quickly when a problem arises, he added. “Even after a contract is over, I can call them and ask what other people in IT are doing, what are the best practices? And they don’t charge.”