I recently attended a presentation by Kevin Mitnick, the infamous and reformed hacker and president of Defensive Thinking, a consulting and training company aimed at helping clients prevent information theft. His topic was social engineering, a concept focused on what Mitnick considers to be the weakest link in corporate infrastructure security—human beings.
According to Mitnick, too few companies have stringent security governance policies and procedures in place. Information is not valued, and most employees—besides receiving e-mails from the IT department about this virus or that—are clueless as to the real threats of damaging security breaches.
Most employees think of hacks originating via a computer. Wrong, says Mitnick. He points the most damaging finger at the telephone, a device preferred by social engineering hacks to extract small pieces of seemingly useless information that they can then piece together to cause catastrophic security breaches.
Telephone-enabled hacks are preferred by the really smart bad guys over computer hacks because there is less of an audit trail. Moreover, telephone break-ins work against any company regardless of its tech infrastructure.
According to Mitnick, social engineering hacks target four typical categories of employees: low paid employees and staff with low morale; executive gatekeepers; remote office workers; and new hires. To prevent security breaches, Mitnick encourages people never to share or transmit their e-mail or network log-in passwords. He recommends companies pay particular attention to remote workers by counseling them to be especially vigilant in protecting remote access dial-in data. He advises companies to put generic e-mail addresses on their websites such as email@example.com rather than revealing the real e-mail addresses of real employees (firstname.lastname@example.org). If a sophisticated hacker can easily guess your company’s e-mail nomenclature, that hacker can do lots of damage fast.
Social engineering criminals are adept at surveillance techniques, and they are also experts at exploiting human trust. Plus, they are avid readers of IT employment ads in local newspapers or sites like Monster.com—ads that often provide great detail on the tech infrastructure in place at their intended target. Paper shredders, too, might be a good deterrent; according to Mitnick, hackers are skilled Dumpster divers!
Feeling secure? Several months back, this column suggested the formation of the Security Underwriters Laboratories, or SUL (see “Certify Security,” www.cio.com/printlinks), a group that would focus a great deal of energy in auditing security governance policies and procedures. Too many companies are penny-wise and pound-foolish when it comes to addressing their most vulnerable security threat: employees. A strong SUL would address that need. Drop me a note with thoughts on how collectively we can get the SUL started.
As Mitnick is fond of saying, “There is no patch for stupidity.”