News: Security in Small Business
Kevin Mitnick: Hacking targets the human firewall
'Social Engineering' technique tricks the unsuspecting
by Keith R. Wheeler
3/12/2006
At one time, Kevin Mitnick made the FBI’s most wanted list. He was arrested. He served nearly five years in prison. So why should technology types pay so much attention to him? Simple: he was probably the most famous hacker ever to get caught. Now, he teaches the big companies how to make their networks more secure.
Mitnick claims that he never used his hacking for financial profit or to cause damage – he just enjoyed the thrill from it. For instance, he stole software from Sun Microsystems and Motorola. Now, firms of their size are likely to hire his firm to help prevent the next hacker’s attack on their systems.
However, Mitnick doesn’t just focus on what can be done to improve things from a hardware or software point of view. Mitnick’s not even referring to router configurations and topology. He says that hackers use a technique called “social engineering” to break into companies.
Effectively, social engineering refers to tricking people into believing that the hacker is a colleague or other trusted entity, then convincing a knowledgeable person to give up or change a password so that the hacker gains access to a restricted network. Hackers scrutinize a company’s information and then focus on very personal information to reach a level of “insider” camaraderie to steal access.
Well, what kind of firewall can be purchased to stop the social engineering hackers? Oops. To stop these types of hackers, an organization needs to have a clear and strict policy for managing both personal and network information. This means training and testing, so that the policy is clear to each employee who handles sensitive information and/or access control for any part of the network.
Could the focus on human deception be due to the efforts that major providers, as well as consumers, of technology have expended in the area of security? Microsoft has poured billions into security improvements to existing software in the form of patches. They plan to push security even further in forthcoming operating system releases. Most companies have implemented more comprehensive firewall and virus protection systems.
Taking a page from Mitnick’s observations and history, it wouldn’t hurt small businesses to remind their key employees to keep passwords private. The IT department or computer consultant should already be maintaining strong password policies along with the appropriate hardware and software protections.
Creating a secure network can seem like a daunting task from a technical perspective. However, it takes more than a sophisticated routing diagram. The team members must understand their role and the assets they are charged with protecting. Ultimately, it takes a balance of technology and plain old common sense to provide the best network defense.