In Depth

Kevin Mitnick and Anti-Social Engineering

Lessons from reading Mitnick

By Simson Garfinkel

Page 3

A more radical technical solution, of course, is simply to avoid running Microsoft products. Although Mitnick never says so, social engineers, virus writers and computer attackers of all stripes have benefited immeasurably by the computational monoculture that much of corporate America has created on the desktop. Companies with Macs or Linux on the desktop simply don't have problems with viruses and other hostile code that haunt most Microsoft shops.

Most companies don't know when they've been hacked. It's all too easy for a social engineer to erase a log file or have an employee unwittingly e-mail a file to a "drop dead" mailbox somewhere outside the country. Again, this is a job for technology: For a few hundred dollars most companies can deploy log servers, special computers that receive and record log events from elsewhere on your network but don't allow any remote access. Firewalls can be configured to log all files that are transferred in or out of an organization. Perhaps you can't prevent an employee from e-mailing a critical file to a spy, but you don't have to keep yourself in the dark about it.
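To make the log-server idea concrete, here is an added example (not from the article or from any product it mentions) of the recording side of such a box: it parses BSD-style syslog lines forwarded from other hosts and appends them to a hash-chained record, so that a line erased or edited after the fact no longer verifies. The sample events, hostnames and addresses are constructed for illustration.

```python
import hashlib
import re
from typing import List, Tuple

# Constructed sample events in BSD syslog (RFC 3164) form, as a workstation
# and a firewall would forward them to a central, receive-only log server.
SAMPLE_EVENTS = [
    "<34>Oct  3 14:02:11 ws-17 sshd[812]: Accepted password for jsmith from 10.1.4.22 port 51324",
    "<30>Oct  3 14:02:45 fw-edge kernel: FTP-OUT src=10.1.4.22 dst=203.0.113.9 file=q3-forecast.xls",
    "<33>Oct  3 14:03:02 ws-17 auditd[201]: file /var/log/auth.log truncated by uid=1001",
]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
GENESIS = "0" * 64  # hash of the (empty) record before the first one


def parse_event(line: str) -> Tuple[int, int, str, str, str]:
    """Split a syslog line into (facility, severity, timestamp, host, message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    return pri // 8, pri % 8, m.group(2), m.group(3), m.group(4)


def append_chained(log: List[str], line: str) -> str:
    """Record an event, chaining it to the previous record's digest so that
    editing or deleting an earlier record breaks every later digest."""
    parse_event(line)  # reject malformed input before it is recorded
    prev = log[-1].split("|", 1)[0] if log else GENESIS
    digest = hashlib.sha256((prev + line).encode()).hexdigest()
    log.append(f"{digest}|{line}")
    return digest


def build_log(events: List[str]) -> List[str]:
    """Record a batch of forwarded events in arrival order."""
    log: List[str] = []
    for ev in events:
        append_chained(log, ev)
    return log


def verify_chain(log: List[str]) -> bool:
    """Recompute every digest; False means a record was altered or removed.
    Truncation of the newest records is only caught if the latest digest is
    also kept somewhere the attacker cannot reach (e.g. printed or mailed out)."""
    prev = GENESIS
    for rec in log:
        digest, line = rec.split("|", 1)
        if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
            return False
        prev = digest
    return True
```

In practice the `log` list would be a file on the log server that is only ever appended to, with the box reachable on nothing but the syslog port.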

Don't get me wrong: Lectures, training sessions and awareness briefings all have their place. But they only go so far. Probably the best way to teach employees techniques for resisting social engineering is to repeatedly hit them with actual social engineering attacks. That is, CSOs should "penetration test" employees, the same way we penetration test servers, firewalls and telecommunications systems.

All companies should have a policy of reporting attempted social engineering incidents to the corporate security group. Companies should then randomly call employees, attempt to hack them and see what gets reported. New employees are exceedingly vulnerable to attacks; for this reason, new employees should receive several social engineering attacks during their probationary period, and then on a regular basis throughout their career.

Fact or Fiction?

It's easy to imagine that many CSOs will be turned off by the thought of purchasing a book from a convicted computer criminal. Certainly it's not good for society when criminal hackers are rewarded for their misdeeds.

As it turns out, the courts agree. Mitnick, under the terms of his court-supervised release, is prohibited from selling his story until 2010. That's why the anecdotes in The Art of Deception are all told through the veil of fiction. Each con artist and victim is given a made-up name, history, motivation and so on. While this artifice results in a book that is unfocused and frequently repetitive, there are occasional gems contained within the book's covers, such as when Mitnick explains how Caller ID can be forged, and why it is so important to protect backup tapes.
