Slashdot Mirror


Mitnick: Security Not about Technology

renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"


  1. Re:Con-man gains fame at others' expense... by Anonymous Coward · Score: 5, Informative


    You should do a little research, grasshopper. E.g. Mitnick demonstrated that sequence number attacks were possible with TCP/IP. NOT a small thing.

  2. Re:Please... by Anonymous Coward · Score: 5, Informative

    Good grief, changing your password regularly and making it non-obvious... this is just such an outdated view that it's almost comical.

    Two immediate issues - sure, the employee's computer comes up every 'X' number of days and forces a password change. Most employees alternate between "password A" and "password B" with the only difference being one different letter or number.

    Second issue, the password is forced to be some 8-character password that conforms to a complexity rule that requires letters and numbers, a mix of upper and lower case, and sometimes some non-letter/number characters. These conforming passwords are ones that very few, if any, employees can remember, so they do what? Write it on a post-it note and stick it on the monitor, under the keyboard, in a drawer, between the pages of the intercompany printed phone book or employee manual, or some other 'safe' place that could be determined by an unauthorized person. How do these contribute to increased security??

    Better to break those "politeness norms". You see someone you don't recognize, involve them in a conversation. Introduce yourself, ask them about themselves, what they do, who their supervisor is. It's not confrontational, it's non-threatening, and if the person does not seem genuine the questioning employee can make a report to building security with a description. Stop tail-gating at controlled entrances, keep an eye out for co-workers who may forget or seem to be having problems. Respond to unusual requests from outside people by telling the caller you don't have the information handy but can call them back with it within a short time. It also gives time to check with others if the sharing of information is unclear. ALWAYS call back, however, even if it is to tell the caller that the information cannot be released. These subtle changes, as well as others, should foster a culture of security that becomes so second nature to every legitimate employee that the "simple rules" and the threats that accompany non-compliance are no longer the focus.

    I've been promoting and exposing these concepts as an admin and IT Manager since at least the mid-'90s.
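As an added example (not from the comment above or from Slashdot), a password-change check in Python that rejects exactly the one-character rotations and "password A"/"password B" alternation the comment describes, at the only moment both plaintexts are available (the change itself). The `sha256` history digest and the distance threshold of 3 are assumptions for illustration; a real deployment would compare against the stored password KDF output.

```python
import hashlib
import hmac


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold(pw: str) -> str:
    """Case-fold and drop trailing digits so 'Summer2' and 'summer3' collapse."""
    return pw.lower().rstrip("0123456789")


def too_similar(old: str, new: str, min_distance: int = 3) -> bool:
    """True when `new` is a trivial edit, reversal or digit bump of `old`."""
    candidates = (old, old[::-1], _fold(old))
    targets = (new, _fold(new))
    for o in candidates:
        for n in targets:
            if o and n and (o in n or n in o or levenshtein(o, n) < min_distance):
                return True
    return False


def _digest(pw: str) -> str:
    # Assumed for the demo: a real system would use its bcrypt/argon2 verifier here.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_change(old: str, new: str, history_digests: list, min_distance: int = 3) -> str:
    """Return 'ok' or the reason the change is rejected.

    history_digests holds digests of the last N passwords (current one included),
    which is what catches the A/B alternation a last-password-only check misses.
    """
    if too_similar(old, new, min_distance):
        return "too similar to current password"
    new_d = _digest(new)
    if any(hmac.compare_digest(new_d, d) for d in history_digests):
        return "reused a recent password"
    return "ok"
```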