'Human firewall' a crucial defence: Mitnick

Companies can better protect their confidential information by creating an incident response department to deal with suspicious queries, said infamous ex-hacker Kevin Mitnick.

Mitnick explained that this group should be trained in the art of social engineering, be able to investigate any potential [security] attacks and respond in an efficient and effective manner.

The founder of Mitnick Security Consulting (formerly known as Defensive Thinking) also called on companies to properly educate their workforce and strengthen their so-called "human firewall".

At a social engineering prevention workshop in Sydney this week, Mitnick and business partner Alex Kasperavicius shared some of the tactics used by social engineers to bypass a company's technical security by exploiting employees' psychological vulnerabilities.

Mitnick said there was no point spending millions of dollars on the latest hardware and software to protect corporate networks if it was relatively simple for an attacker to persuade one of the company's employees to divulge their log-in details.

"As the attacker I am going to look for the weakest point where I can gain access. A security program is made up of people, processes and technology. Your company could be strong in one area, such as technology, but its people may not be trained up to recognise where the bad guys are going to strike. The attackers are going to look for the easiest way in," said Mitnick.

As an example of security weak points, Mitnick and Kasperavicius demonstrated how dumpster diving could reap rewards. Before leaving Los Angeles, the pair claimed they went to the offices of a prominent female entertainer to salvage some of her company's rubbish bags.

After removing the old pizza boxes, drinks cans and other garbage, they were left with a large number of e-mail printouts, faxes, wage slips, telephone bills and other documents. The workshop attendees were given the task of going through the leftover 'rubbish' to see if they could find anything that might help them launch an attack.

Among the old pay slips and invoices, the delegates found what were allegedly the home and mobile phone numbers of high-profile pop singers -- including Christina Aguilera -- and a well-known rock guitarist. There was also a printout containing the admin URL, username and password of the Web site of a reality television star.

Another item discovered in the pile was a letter from a young fan asking for the prominent entertainer's autograph. Paper-clipped to the letter was US$1; the letter had never been opened.

"In the garbage you find post-it notes, calendars, project names, printouts of source code, billing, systems names and correspondence. Companies dumpster dive to get competitive intelligence -- it is not just the hackers and industrial spies," said Mitnick.

Mitnick demonstrated how social engineers use confidence tricks and simple charades to elicit valuable information from unsuspecting employees. The tricks ranged from simply pretending to be from the IT department and persuading an employee to reveal their password, to more elaborate scams that involve months of research and acting ability.

Mitnick advised delegates to create and enforce security policies that included defences against social engineering techniques. He said different staff members should be trained to look out for different types of attacks. For example, the company receptionist is unlikely to be targeted by the same type of social engineering attack as a telecommuter or a security guard.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Talkback

3 comments
  • Mitnick hit the nail on the head. I am sick of meeting IT security experts that are just glorified Network administrators.
    anonymous
  • Security Experts should not train in the "art of social engineering". They should train in security techniques.

    Police training does not include how to pick locks.

    Likewise, train the trainer style awareness sessions do not need to create people with advanced social engineering skills.

    The skill is to stop an attacker - this is a separate skill to being the attacker.
    anonymous
  • You're kidding right?

    We see your suggestion put to practice by anti-virus companies the world over. It usually goes days or weeks after a new virus is released into the wild before it's detected in adequate numbers for the AV bunch to stop it.
    Days or weeks in which time the virus can potentially cost people and companies millions of dollars in damage.

    Any security expert has a duty to completely understand ALL weaknesses in the system they are trying to protect, otherwise they are just glorified night watchmen, responding to problems rather than preventing them from occurring in the first place.
    zybch