Infamous hacker Kevin Mitnick warns IT managers that unless they educate every employee -- from the CEO to the receptionist -- about how hackers work and how to bolster security, corporate networks and Web sites will never be safe from attack.
In the closing keynote at the recent Giga Information Group Infrastructures for E-Business conference -- his first such speech since being released from prison in January -- Mitnick described the mindset, objectives and methods hackers use to compromise corporate computer networks. He said the key to security is detection and reaction.
"You should adopt the mantra 'In God we trust. Everybody else is suspect,'" he said. "People are the weakest link when it comes to security, and an important question to ask yourself is not if, but when, is your e-business going to be targeted?"
Mitnick was convicted on five federal counts of wiretapping and computer fraud and was released from prison after serving a five-year sentence. He was accused of causing millions of dollars in damages by hacking into the computer systems of Fujitsu, Motorola, Nokia and the University of California. He is currently serving a three-year probation, during which he is required to obtain special permission to use a computer.
What to be on the lookout for

With the proliferation of e-commerce, Mitnick said, every employee must be aware of the techniques and ruses used by attackers to gain control of internal computers. Technology, he said, isn't enough. Employees at all levels must know how to choose good passwords and how to write policies and procedures to protect the enterprise from viruses, worms and Trojan horses.
"It's naïve to assume that just installing a firewall is going to protect you from all potential security threats," he said. "That assumption creates a false sense of security, and having a false sense of security is worse than having no security at all."
Mitnick also gave IT managers insights into the physical methods attackers use to gain access to vulnerable network access points. He warned against keeping conference rooms with data jacks, computer training rooms and telephone and cable closets unlocked when not in use. And he advised organisations to classify sensitive and confidential information and erase or destroy data on all discarded magnetic media in order to dissuade dumpster diving, a favorite hacker trick used to obtain password lists and corporate directory information.
Mitnick recommended that businesses analyse the costs and benefits of security risk reduction as they would any other part of their business. He recommended that organisations do risk assessments to determine threat impact and expected loss per incident, to balance cost with risk reduction and to keep current on security vulnerabilities.
Mitnick concluded by advising IT managers to motivate every person in the organisation to see the benefits of security. Without the help of everyone, all the technology in the world can't keep a computer network safe, he said.
"In today's world, there's no way to eliminate the total threat because there will always be people who can get behind the walls," Mitnick said. "But people are the weakest link. Make sure they understand security is a dynamic process."