Mitnick's tips to combat social engineering
One of the most consistently reliable techniques used by online attackers to expose a vulnerability to exploit is social engineering, according to information security expert and former hacker Kevin Mitnick.
He should know; he used it to great effect in his black hat days -- days that saw him feature on the FBI's most wanted list, and ended up with him serving five years behind bars for wire fraud, interception of wire or electronic communications, possession of unauthorised access devices, and unauthorised access to a federal computer.
One of his most successful techniques for uncovering vulnerabilities in an organisation's systems or processes was through the use of social engineering -- the psychological manipulation of people into performing actions or sharing sensitive information.
According to Mitnick, social engineering could be as simple as an attacker strategically targeting a specific operative in a company with a phishing email. Or it could be what he calls the "long con": An intensive, weeks- or months-long manipulation of one or several significant employees within an organisation.
In either case, social engineering plays the first part of a two-step attack, where the first part is the "con", getting the target to comply with a request, and the second part is the exploit resulting from the vulnerability thrown up by the con, such as a vulnerability in the software that resides on the victim's desktop.
Social engineering is a particularly effective method for breaching a secure network, because any weakness that emerges generally comes down to human error, according to Mitnick, because "you can't download a patch for stupidity".
Latest Australian news
Best of all, most of the time, social engineering evades existing intrusion-detection systems, whereas technical exploits will usually leave a log trail.
"Social engineering evades all intrusion-detection systems," said Mitnick during his keynote presentation at the CeBIT business IT conference in Sydney on Wednesday. "There's nothing on the market that could detect it. There's no technology out there ... yet.
"It's free or low cost. Why? Because the attacker's using email to target your people, or they're calling you on your toll-free number at the company so the company pays for the call. They don't even want to pay for the phone call," he said.
Mitnick, whose company Mitnick Security Consulting does penetration testing and security consulting for clients, said at the event that when a client allows his company to use social engineering in a penetration test, the success rate is 100 percent.
"It works on every operating system platform, no matter if you're running Windows, or Mac OS X, Linux -- it's completely platform independent. And the success rate is nearly 100 percent," he said.
He argued that antivirus is dead, with most exploits arising from social engineering able to bypass such security software, leaving would-be attackers to simply look for the weakest link in a system or process in order to gain access to an internal network.
During his presentation, Mitnick demonstrated several techniques with which to gain access and control of a computer network, as well as devices and an individual's trust.
These methods included pulling seemingly benign, publicly available metadata from a company's website in order to extract internal network information, a "bad USB" attack, enabled by rewriting the firmware on a USB stick, a Java applet attack, and a Wi-Fi-based man-in-the-middle attack.
While a technical exploit is necessary in these attacks, in Mitnick's experience, the weakest link in a company's security system is most likely to be an individual employee.
"The users are the problem," he said, suggesting that companies should work to develop and strengthen their "human firewall". Social engineering exploits are very hard to guard against for this reason, but there are ways to mitigate the risks, according to Mitnick.
"The primary ways are user education and training; but not those alone. Because when people are educated and trained, it still doesn't work. Probably, you will get a high percentage of people that will fall for these attacks," he said.
Organisations should be looking at deploying what he calls "inoculation", the practice of testing employees from time to time with exploits that could be expected to happen in the wild, and showing them the results in order to familiarise them with the warning signs that potential threats could throw up.
"Inoculation's kind of like a flu shot: You inject a flu shot, your body builds the antibodies towards that particular virus, so when the real one comes along, your body's able to fight it," he said.
Another mitigating factor is making sure that software is updated on employees' desktops, thus minimising the chances of individuals opening a potentially untrustworthy software update.
Additionally, Mitnick suggested that companies could take better control over their firewall rules and make moves to develop more filters on outgoing traffic, not just incoming data -- as many exploits make contact with an external server once injected into a network.
He also suggested regular penetration testing, as well as the creation of easy-to-read security manuals for organisations.
Another key technique that can be used to strengthen an organisation's security is to simply take away the potential for an employee to share sensitive information by incorporating technology and systems that effectively disallow such mistakes.
"Whenever possible, use technology to take the decision making away from the employee. You try to control their technology with technology," he said.
For individuals, he highlighted online tools, such as Google's quick view, that can allow people to view an email attachment without downloading it.
"You need to educate, train, and inoculate. Security is about people, processes, and technology," he said. "The attackers are going to look for the weakest link, if it's in your processes, or your technology, they'll exploit you there.
"And in my experience, it's always been the people," he said.