Mitnick: Security Not about Technology
renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"
I think what the article is saying is more about social engineering. If companies can teach employees not to fall for social engineering tactics then they can move onto easier to fix things like regularly changed passwords etc.
You should do a little research, grasshopper. E.g. Mitnick demonstrated that sequence number attacks were possible with TCP/IP. NOT a small thing.
Good grief, changing your password regularly and making it non-obvious... this is just such an outdated view that it's almost comical.
Two immediate issues - sure, the employee's computer comes up every 'X' number of days and forces a password change. Most employees alternate between "password A" and "password B" with the only difference being one different letter or number.
Second issue, the password is forced to be some 8 character password that conforms to a complexity rule that requires letters and numbers, a mix of upper and lower case, and sometimes some non-letter/number characters. These conforming passwords are ones that very few, if any employees can remember so they do what? Write it on a post-it note and stick it on the monitor, under the keyboard, in a drawer, between the pages of the intercompany printed phone book or employee manual or some other 'safe' place that could be determined by an unauthorized person. How do these contribute to increased security??
Better to break those "politeness norms". You see someone you don't recognize? Involve them in a conversation. Introduce yourself, ask them about themselves, what they do, who their supervisor is. It's not confrontational, it's non-threatening, and if the person does not seem genuine the questioning employee can make a report to building security with a description. Stop tail-gating at controlled entrances, keep an eye out for co-workers who may forget or seem to be having problems. Respond to unusual requests from outside people by telling the caller you don't have the information handy but can call them back with it within a short time. It also gives time to check with others if the sharing of information is unclear. ALWAYS call back, however, even if it is to tell the caller that the information cannot be released. These subtle changes, as well as others, should foster a culture of security that becomes so second nature to every legitimate employee that the "simple rules" and the threats that accompany non-compliance are no longer the focus.
I've been promoting and exposing these concepts as an admin and IT Manager since at least the mid 90's.
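The comment above describes the two ways forced rotation fails in practice: users flip between "password A" and "password B", or bump a trailing digit. A change handler can at least refuse those trivial rotations. The following is an added example (my own code, not from the thread or any product): it compares the proposed password against the current one, which the user supplies at change time, using edit distance plus a "same stem, different trailing digits" test, and rejects exact reuse against a short hashed history. The thresholds, the `MAX_HISTORY`/`MIN_DISTANCE` names and the use of SHA-256 as a stand-in for a real slow password hash are all assumptions.

```python
import hashlib
import re

MAX_HISTORY = 5    # previous password digests kept per user (assumed policy value)
MIN_DISTANCE = 3   # new password must be at least this many edits from the current one


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _stem(p: str) -> str:
    """Lower-case the password and drop trailing digits: 'Summer2023' -> 'summer'."""
    return re.sub(r"\d+$", "", p.lower())


def is_trivial_rotation(new: str, current: str) -> bool:
    """True when `new` is just `current` with a character or two changed,
    or the same word with a different number bolted on the end."""
    if levenshtein(new.lower(), current.lower()) < MIN_DISTANCE:
        return True
    stem = _stem(new)
    return bool(stem) and stem == _stem(current)


def digest(p: str) -> str:
    # Placeholder only: a real credential store uses a slow, salted hash
    # (bcrypt/scrypt/Argon2). SHA-256 is used here so the example runs offline.
    return hashlib.sha256(p.encode("utf-8")).hexdigest()


def check_new_password(new: str, current: str, history_digests: list) -> tuple:
    """Decide whether a password change is acceptable.

    `current` is the plaintext the user typed to authorise the change, so the
    similarity test can run against it; older passwords are only available as
    digests, so they are checked for exact reuse alone.
    Returns (accepted, reason)."""
    if is_trivial_rotation(new, current):
        return False, "too similar to current password"
    if digest(new) in history_digests[:MAX_HISTORY]:
        return False, "reused a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    history = [digest("Winter2020"), digest("correct-horse-battery")]
    for candidate in ("Summer2024", "summer24", "correct-horse-battery", "Tr0ub4dor&3-mapleSyrup"):
        print(candidate, check_new_password(candidate, "Summer2023", history))
```

The stem test catches the "Summer2023 to Summer24" case that the raw edit distance lets through once the number changes length; the distance test catches the one-letter A/B swap. Neither is a substitute for dropping the rotation rule where no compromise is suspected, which is the comment's actual point, but together they remove the cheapest workaround.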
As I clicked on the comments link and expected to find a decent collection of Kevin flames, I knew I'd have to throw my two cents in.
To the ones that claim that this is old news, or that Kevin isn't as "leet" as many think; I advise to take your comments with a grain of salt. Anyone who has actually read his book, The Art of Deception, will appreciate Kevin's viewpoints. The truly great hackers use a good mix of social and technical engineered tactics to compromise security. I give you that the advice is outdated and isn't news, but his advice will always outlast ever-changing technology. As a bonus he gives you open-sourced ;) policy suggestions that would be a nightmare for admins to write themselves.
I'm a truly awful social engineer, I'm the typical antisocial geek, and not at all gregarious.
However, even I have managed to socially engineer my way into situations.
Rule 1. In Britain at least, no one will question you if you're wearing a high visibility (one of those day-glow fluorescent) jacket or vest. They just assume you're maintenance staff. I bet you could walk out with half the server room and the staff would even help you to do so. Even more so if your jacket has a British Telecom logo on it.
Rule 2. Just act as if you're supposed to be there. If you look shifty, people question. If you appear to be purposeful, no one asks questions.
The only non-socially-engineerable types I've found are IBM UK security. I used to work for IBM, and I got in trouble once or twice for even minor things like tailgating even though I had a valid badge.
And when his archrival finally caught him it was only with the help of the FBI, the ISP he had been hacking, and a New York Times reporter who consistently exaggerated Mitnick's crimes and turned him into a symbol of America's fear of technology. His getting caught certainly made him even more of an icon -- especially since they went after him so viciously -- but his success as a hacker did not stem from being caught, as you say.
An IQ of 100 is average.
An IQ test is very reliable in that you will always get close to the same score. However it is worthless because nobody really knows what any particular score means. You can say your IQ is X, but that gives no insight to anything about you.