Nearly eighteen years ago, Kevin Mitnick was arrested in his North Carolina home after a heavily-publicized pursuit by the FBI. Mitnick was wanted for computer hacking — he bypassed security systems in organisations such as Motorola, Sun Microsystems, Pacific Bell and the FBI themselves — and he served five years in prison.
Mitnick has since remade himself and has written two books revealing common hacking methods and explaining how infamous hacks might have been avoided. His newest book, “Ghost In The Wires: My Adventures As The World’s Most Wanted Hacker”, details his life as a hacker and his cat-and-mouse game with the FBI.
Today, he owns a security consulting firm called Mitnick Security.
As a computer security consultant, Mitnick works with companies to protect them from intruders like his former self. We asked him to help us understand how the mind of a hacker works and what business owners can do to protect themselves.
Below is a lightly-edited transcript of our conversation:
Should businesses spend money on employing security consultants?
Businesses should absolutely set aside funding in their budgets for security consultants. Unless there is an expert on staff, and there usually is not, it needs to be outsourced. What happens with smaller businesses is that they give in to the misconception that their site is secure because the system administrator deployed standard security products — firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. But those things can be exploited.
They need a security expert — not just an expert at installing security software. They also need to have someone monitor security. Most people assume that once security software is installed, they’re protected. This isn’t the case. It’s critical that companies be proactive in thinking about security on a long-term basis.
What is social engineering?
Social engineering is when an attacker does thorough research on the company, using various simple investigative techniques to hack a company based on human error. They attempt to identify the business relationships that a company has, such as what customers, suppliers, and vendors they do business with. This is especially successful with large companies that have call centres. An attacker would call to ask a simple question; once they get that information, they make another phone call using the previous information provided. Each employee who answers the next call believes the attacker to be a genuine customer or client based on the information they have acquired from the previous phone calls.
After a string of inquiries, enough information has been obtained to hack the system. The hacker will go after the weakest link, and if he can get one person in the business to make a bad decision, none of the security precautions taken will matter.
How can a company protect itself against social engineering?
Businesses can protect themselves through proper training and education. I recently partnered with a company called KnowBe4 that specialises in security awareness training — a niche that wasn’t really available before. Proper training demonstrates how hackers are able to manipulate the system through human error. One way to do this is through inoculation — planning a fake attack. When you plant attacks on the employees to test them, they are able to learn from their mistakes and will be less likely to make the same ones in the future.
How can e-commerce web sites protect themselves from credit card fraud?
To have transactions made on your web site via credit card, you must be PCI compliant. Businesses make the mistake of thinking that because you passed the requirements and are PCI certified, you are immune to attacks.
Just because you meet certain requirements doesn’t mean you’re secure. TJ Maxx, Marshalls, JC Penney, and Wal-mart have all been hacked. I had a client whose customers’ cards were compromised using a SQL injection (according to one study, 83% of successful hacking-related data breaches are a result of this) from someone in Vietnam. The application they had was full of holes. Having someone look over your system and code is extremely important if you are processing credit transactions on your server.
How often should you review and update your site’s security?
It’s important to note that information security policies cannot be written in stone. As a business’s needs change, new security technologies become available, and security vulnerabilities evolve, the policies need to be modified or supplemented. You should review security at least on an annual basis, but if you’re a bigger company, on a quarterly basis. Back in my hacking days, I was able to remain in some systems for over a decade as a result of companies failing to review their security measures.
What is the hardest form of security breaching to prevent?
Threats within the company’s own networks. This happens a lot with ex-employees, who leave the company with detailed inside information. One of the things to do is set up booby traps. If an unauthorised employee, such as a mailman, attempts to access something like the payroll, it sets off an alarm. One way to do this is through DLP software, which protects against data breaches. When data is invaded, it advises the administrator of the intrusion.
If credit card information or other data is stolen, can I figure out exactly what has been taken?
That depends. In some cases, we can go into the system and see the logs of exactly what information was viewed, taken, and when it was retrieved. If the hacker deletes those logs, they are irretrievable; we won’t be able to see it.