Kevin Mitnick and Anti-Social Engineering

Lessons from reading Mitnick

By Simson Garfinkel

October 07, 2002 | CSO

Kevin Mitnick is the most famous computer hacker of our time. His capture in February 1995 by computer scientist Tsutomu Shimomura was the subject of three hugely popular books. Since his release from prison on Jan. 21, 2000, Mitnick has taken on the role of "reformed hacker extraordinaire": a man who seeks to undo the damage he has done by teaching corporate America how to defend against social engineering attacks (while making a pretty penny in the process).

This month Mitnick releases his first book, The Art of Deception. It is filled with stories of how an enterprising social engineer can outsmart office workers, circumvent security technology, and generally make a mockery of our attempts to protect computers and networks. Mitnick's message is simple: Humans are the weakest link in any security system. Companies need to spend more time training their employees on how to resist such attacks.

That's all true—and not surprising to hear from an allegedly reformed con man turned security consultant. (By almost all accounts, it was Mitnick's ability to trick people, rather than his skill at computing, that made it possible for him to penetrate so many organizations.) However, Mitnick's systematic downplaying of technology and its value in defending sensitive information is yet another act of deception—one that could be far more damaging than any of his other exploits to date.

Awareness Isn't Everything

To be sure, many organizations need to improve the security of their "human factor." Social engineers use internal phone numbers, knowledge of procedures and even industry lingo to gain the trust of their intended victims.

One Mitnick anecdote: The intrepid social engineer calls up the network operations center of a cell phone company during a snowstorm. After befriending the operators, he asks them: "I left my SecurID card on my desk. Will you fetch it for me?" Of course, the network operators are too busy to do that, so they do the next best thing: They read off the ever-changing code on their own token, allowing the hacker to break in and steal the company's source code. In this example, the caller is able to "prove" his identity by telling the network operators his office number, the department where he works and the name of his supervisor—all information that the attacker had gleaned from previous phone calls to the company. Mitnick's message is that organizations need to treat phone lists, org charts, technical procedure manuals and other information as highly confidential in order to protect themselves from social engineering attacks.