Source: St. Charles Journal
By: Eric Becker
Date: June 19, 2007

While you might be worrying about computer hackers trying to pry into your personal information online, some financial institutions are hiring hackers for that very purpose. But wait, these are the good guys.

Parameter Security in St. Peters employs certified ethical hackers - contracted professionals that have been instructed and licensed to expose weaknesses in databases containing sensitive information. After breaking down a company's network and determining vulnerabilities, the hackers tell clients what they need to fix.

Dave Chronister and his wife, Renee, opened Parameter Security in May, after working for years in financial information technology. Chronister says he saw a need for more IT firms working to ensure a business's network security goes beyond federal standards. "When I was working in the financial industry, trying to find a good company for these types of services made me realize there was a real need for this," he said. "I've spent the last few years working on finding out more about offensive security fields and getting credentialed (to provide security services)."

Identity theft through the Internet is one of the fastest growing crimes in the United States. In 2006, the Federal Trade Commission reported more than 204,000 complaints of Internet-related fraud, with an average loss of more than $3,000 per victim.

In 2006, identity theft involving credit cards, loans and banks composed nearly 49 percent of all identity-theft cases in the St. Louis area that were reported to the FTC. Financial institutions are taking the risk of these thefts seriously.

"It was a pretty easy decision (to get a network vulnerability check) when you have colleagues in the business and you hear horror stories about the ways they got hacked," said Dan Holmes of Lincoln Bancorp., which counts People's Bank & Trust in O'Fallon among its member banks.

Holmes says his company has recognized the threat hackers can pose and has chosen to rigorously examine his company's network and online security.

"I decided that I needed someone with expertise to do (the security test). It's about trying to be proactive," he said.

Parameter Security was built with the complexities of hacking in mind.

"I try to get various backgrounds when I hire, because you have both the programming and networking aspects of hacking," Chronister said. "Our hardest problem in hiring is that when someone comes to us, we have to ask, 'Well, how do you know how to hack?'"

All of Parameter Security's employees are certified ethical hackers. The certification ensures that employees don't have malicious intent, Chronister said.

"If we find out someone is even downloading from Napster, they're out," he added.

Once a company contracts with Parameter Security, the process of preparing a security report takes about two weeks. Clients then receive information on their particular vulnerabilities.

"Others can say, 'We promise you can pass the government standards.' We say, 'You can be safe,'" Chronister said when differentiating his services from similar companies.

Now small and mid-sized businesses are taking notice of the security threats, Holmes says.

"We have to come to terms with the fact that we can't know everything about hackers, so I've sought out those who know the existing vulnerabilities and those that think like a hacker and know how they think and that we can avoid problems," he said.