MIT Technology Review

A CEO called Alien

Cybersecurity firm founder Sherri Davidoff ’02 says MIT’s Course 19 was the best training for calculating risk.

June 26, 2019
A collage with a photo of Sherri Davidoff
Emily Haasch

Sherri Davidoff is sprawled out on the carpet in her office building in downtown Missoula, Montana. Dressed in a black business suit and leather boots with fluorescent orange and pink laces, she pushes a three-foot flexible steel loop under the gap below a locked office door. She slides the loop up the other side of the door and attempts to hook it on the inner doorknob. 

The device, known in breaking-and-entering circles as an “under-the-door tool,” recently arrived in the mail, a gift from a friend in the hacker community. Davidoff, the 38-year-old CEO of the cybersecurity consulting firm LMG Security and cofounder and CEO of the cybersecurity training company BrightWise, is breaking into her own office for fun, just to see if she can.

After several attempts, she gets the tool around the doorknob and pulls.

The door pops open.

“I just had to get one of these,” she says, brushing off her pants. 

Davidoff, who is better known in some circles by her hacker name, Alien, has been drawn to the challenge of eluding conventional barriers since moving into Fifth East as a first-year student nearly two decades ago. She majored in electrical engineering and computer science but spent much of her time on so-called Course 19, the off-the-books curriculum in which students surreptitiously explore campus buildings, steam tunnels, and—yes—domes with the help of lock pick sets and strong flashlights.

“Course 19 became more relevant to my working life than probably any of the classes I took,” she says.

LMG, which Davidoff founded in 2009, provides cybersecurity services and training for financial institutions, health-care organizations, and manufacturers, as well as some clients in government, retail, and other sectors. The company specializes in penetration testing—imitating black-hat hackers in order to expose privacy vulnerabilities. LMG employees orchestrate attacks, attempting to gain access to sensitive e-mail and other proprietary data. They then write reports on their successes and suggest fixes.

LMG also cleans up after information breaches. When computers are compromised, its consultants track how hackers gained access and follow footprints to learn what information may have been stolen. They also train staff and executives in cybersecurity and perform compliance audits to ensure that companies are following state and federal laws.

High-profile hacks, including the break-in to Democratic National Committee servers prior to the 2016 election, have put a stronger spotlight on cybercrime and information privacy. So has recent news of massive consumer data breaches, including the 2018 attack on Marriott that exposed the personal information of some 500 million people. Davidoff says all that has been a boon for the cybersecurity industry—and that small fixes, like educating users on the tactics of phishing attacks, can prevent major losses.

“You can see how cybersecurity can change the world,” she says, referring to the phishing attack on the Gmail account of Hillary Clinton’s campaign chair, which led to the release of campaign e-mails by WikiLeaks.

The rise in demand for cybersecurity services has led to rapid expansion of the industry, with accounting firms and large government contractors getting into the market. Estimates vary, but Global Market Insights puts it at more than $120 billion. And Davidoff expects business to continue to grow.

“Over the next decade, cybersecurity will become easier as networks become more standardized,” she says. “But right now, every business has to decide what their network is going to look like.”

Montana hacker mom

LMG Security is housed in a building next to a fly-fishing shop along the Clark Fork River in downtown Missoula. No sign announces the company. Inside, a cardboard cutout of a shirtless Dwayne Johnson, better known as The Rock, guards the lobby. There is no indication of the work that goes on upstairs. The lack of signage isn’t for secrecy. Davidoff worries the public might be confused and show up looking for tech support. “If people need to find us, they know where we are,” she says.

Missoula may seem an odd place to site a cybersecurity firm, but Karen Sprenger, LMG’s chief operating officer, says the remote location has not harmed business. The company’s team of around 30 employees works from laptops whether they’re in the office or traveling from the tiny airport—which features a trophy grizzly bear near the baggage claim—to see clients around the world.

Pacific Coast Banking School in Seattle regularly hires Davidoff to try to hack into the system where students’ personal information is kept. The results of such tests are usually shrouded in secrecy, since organizations are reluctant to publicize even small vulnerabilities. But Gretchen Claflin, the president and CEO of Pacific Coast, says Davidoff’s penetration tests have made the school’s security measures even harder to crack.

A hacker’s tips for protecting your organization

As a security consultant, Sherri Davidoff ’02 has seen many damaging data breaches. In her forthcoming book, Data Breaches, she dissects some high-profile examples. Many could have been prevented if employees had followed these three simple rules.

  • Think before you click.

    E-mail may contain links or attachments that will infect your computer. Carefully examine them—as well as links on websites—before clicking on them. Hover your mouse over a link to see where it goes. Check the address and spelling carefully. When in doubt, don’t click! You can always type in the target website’s main address and browse to your destination.

  • Back up regularly.

    Back up your data. Test your backups. Store a copy securely off site whenever possible. Repeat.

  • Use two-factor or multi-factor authentication.

    When you log in, verify your identity using two or more methods, such as a password and an app on your phone. Two-factor authentication is easy to set up with many providers, such as Google and Office 365.
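The first rule above is a manual check: hover over a link, compare where it says it goes with where it actually goes, and look closely at the spelling of the destination. The following Python script automates that check over the links in an HTML e-mail body. It is an added example, not code from the article or from LMG Security; the sample e-mail, the list of trusted domains and the small table of look-alike characters are constructed for illustration, and the registrable-domain logic is a deliberate simplification (it ignores multi-label public suffixes such as co.uk).

```python
"""Inspect the links in an HTML e-mail the way a careful reader hovers over
them: compare the host the visible text names with the host the link really
points to, and check that host against the domains the reader expects.
Added example; the sample data below is constructed, not taken from the article."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body with one legitimate and two deceptive links.
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification.</p>
<a href="http://secure-login.example-bank.com.evil.test/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help center</a>
<a href="https://rn-bank.test/reset">Reset password at m-bank.test</a>
"""

# Constructed allow-list: the domains this reader legitimately does business with.
TRUSTED_DOMAINS = frozenset({"example-bank.com", "m-bank.test"})

# Constructed, deliberately small table of character sequences that look alike.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# A domain-like token inside visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable_domain(host):
    """Last two labels of a host, e.g. 'www.example.com' -> 'example.com'.
    Simplification: multi-label public suffixes such as 'co.uk' are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_named_in(text):
    """The host the visible text claims to point at, or None if it names none."""
    match = HOST_IN_TEXT.search(text)
    return match.group(1).lower() if match else None


def normalize_confusables(s):
    for lookalike, plain in CONFUSABLES.items():
        s = s.replace(lookalike, plain)
    return s


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(href, text, trusted_domains):
    """Return the reasons a link deserves a second look; an empty list means none."""
    reasons = []
    parsed = urlparse(href)
    actual_host = parsed.hostname or ""
    actual = registrable_domain(actual_host)
    if parsed.scheme != "https":
        reasons.append("link is not https")
    shown = host_named_in(text)
    if shown and registrable_domain(shown) != actual:
        reasons.append(f"text names {shown} but link goes to {actual_host}")
    if actual not in trusted_domains:
        reasons.append(f"destination {actual} is not an expected domain")
        for trusted in trusted_domains:
            same_shape = normalize_confusables(actual) == normalize_confusables(trusted)
            if same_shape or edit_distance(actual, trusted) == 1:
                reasons.append(f"{actual} looks like {trusted}")
    return reasons


def inspect_email(html, trusted_domains=TRUSTED_DOMAINS):
    """Map each href in the e-mail to its list of warnings."""
    return {href: inspect_link(href, text, trusted_domains) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, warnings in inspect_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", warnings or "looks fine")
```

The script flags the first link because its visible text names example-bank.com while the destination is evil.test, and the third because rn-bank.test normalizes to the trusted m-bank.test once look-alike characters are folded; the genuine help-center link produces no warnings. In practice the allow-list would come from the organization's own list of vendors and partners.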

“This last time, we were pleased to have them shut out of our system pretty quickly,” Claflin says. “I rest easier at night.”

Davidoff held a number of information security jobs before opening LMG. During her final year at MIT, she worked with the school’s information systems department, where she created a tool to analyze the flow of traffic through the Institute’s entire network. After a stint studying gamma-ray bursts on the RAPTOR telescope at Los Alamos National Lab, she returned to network security with a staff position at a hospital and staff and contract work with some of the most cutting-edge cybersecurity firms.

Along the way, Davidoff drew on Course 19 skills and undertook several physical penetration assignments, including sneaking into executive offices in the financial industry; she once left with an unsecured laptop. In another security test, she impersonated an inspector and talked her way into the vault of a branch of a major bank.

“Confidence is the key,” Davidoff says. Before making her move on the bank, she cased out the building, noting when management left for breaks and which times were so busy that staff would be under pressure and less able to make good decisions. She arrived dressed in a sharp suit, with a name badge made at Kinko’s, and struck fast. “I made it clear I was part of the organization, and I acted slightly intimidating,” she says. “You don’t give them time to think.”

By 2008, she was ready for a change and moved to Missoula. She brought a few private consulting contracts with her, and that eventually turned into LMG.

Being her own boss would prove critical once she started a family. “I reached a point where I had to either quit or clone myself,” she says of the time shortly after her first child was born. “I realized I can’t be on the road as a traveling consultant. But I can train people to be traveling consultants.” Now that she’s raising her two children (ages five and seven) and running a business, Davidoff is less likely to perform the in-the-trenches consulting work she once did, unless it happens between 10 p.m. and 2 a.m., her preferred work hours.


Calculating risk

Davidoff’s cybersecurity career and MIT hacking exploits have begun to receive notice outside the hacker community. Breaking and Entering, a book by Jeremy N. Smith, tracks her career and the rise of cybersecurity in the 1990s. Since the book’s release in January, Davidoff has made multiple media appearances. On NBC’s Today show, she and LMG staff executed an on-air phishing attack on a Missoula insurance company.

In the popular imagination, hackers are men in hoodies who live in their parents’ basements and struggle to communicate away from a keyboard. Davidoff defies that stereotype, and colleagues say her people skills, as much as her tech skills, are responsible for her success.

“Many people want to work in this industry because it can be lucrative,” says Deviant Ollam, a Seattle-based lock-picking expert and security consultant who has been friends with Davidoff for more than a decade. “But people skills and soft skills are not something that are known as hacker skills. That’s a major driver for those who find work. It’s the difference between a person with a project and a person with a business.”

Ollam first met Davidoff in 2007 at a hacker convention, where he was showing off a cable-man disguise he used on security assignments. “Sherri said, ‘I need to acquire some of those.’ It wasn’t for fun,” he recalls. “It was for an actual professional engagement.”

Davidoff is as surprised as anyone that hacking, which started as a college adventure, has turned into a profession. But she is disappointed that the term has taken on a more sinister meaning in the popular culture. “It makes me sad when I hear the word ‘hacker’ used with a negative connotation,” she says. Hacking at MIT meant pulling low-tech pranks, she says, citing the famous 1994 case of the police cruiser on the Great Dome. “It never meant stealing, or causing real harm.”

Another change is more positive. Davidoff says the hacker culture has become more inclusive since the late 1990s, when people at conferences and consultant jobs “assumed you were someone’s girlfriend or assistant.” Even at MIT, she says, she was usually one of the few women taking part in hacking excursions. That made her push herself hard, and perhaps take risks that in hindsight were dangerous, in her quest to access places no other hacker had ever been.

MIT in the late ’90s was an excellent place to take risks and learn from them, she says: “What made MIT special was a culture where they treated you like an adult, and they respected the students and encouraged you to explore.”

There were risks involved, she says, but she believes learning to calculate risks and understand what level of danger you are willing to live with is the key to life. And the same is true for creating a strong information security plan. “You can’t fully secure your network,” she says. “But as an organization, you have to be able to say, ‘We are comfortable with the risks we are taking, and we are not going to stress about it.’”