Mitnick: Security Not about Technology
renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"
Isn't this what (ex)hackers have been telling the IT industry all along?
'We can't expect our employees to be human lie detectors,' Mitnick said.
Sure we can: http://content.monster.com/martynemko/articles/arTechnical or human, good security requires balencing convenience and control. If you give your employies the power to refuse information to potential customers, you gain control and security but loose convience and maybe money. If you tighten your network down so much that users have to jump through hoops to send files to each other, you may be more secure, but the hassle will lead to lost productivity. You can't try to too hard for control or for freedom. You have to weigh threat and risk. You want to ensure against potential disasters, and eliminate any more likely security risks. It's probably too costly to treat a low threat but high risk (common) security hole as if it were a disaster. This is why stores find it cheaper to set prices assuming a certain ammount of shoplifting will occur. It would cost too much in lost sales and increesed labor to secure the store against all theft. Training your dumbass users, helpdesk, and even sysadmins to recognise social engneering, might just cost more then any losses from security breaches.
------ Take away the right to say fuck and you take away the right to say fuck the government.
remember this
The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend
You should read up on the guy. His talent lay more with the social engineering aspect of security. He could talk his way into or out of just about anything. His book on social engineering is a good read, McPaper-sized examples, but still very eye-opening. I'm a network admin, 18 years running, and I wound up with a large security laundry list to discuss with my boss the following Monday.
The other thing is his *years* of jail time were spent before he was ever convicted, i.e. pleaded guilty to some of the charges to cut short his lack-of-a-speedy trial. He's done his time. He can talk as long as people will pay him.
Besides, ignorance is not unexpected. Many novices probably couldn't tell you who Philo Farnsworth was, even though they've been looking at his invention all their lives.
It's just that they don't know when to say "no" versus when not to say "no".
Any dealing with any large, bureaucratic organization (a government bureau of any stripe, any telco, any cable company, any other sort of "utility", eBay/PayPal, Microsoft, IBM, etc.) will demonstrate quite aptly that no, they have no bloody problem saying "no". You can make a reasonable request and they'll quite cheerfully say "no" since it isn't part of their "script" to say "yes". (Then they'll tell you they're "sorry" they couldn't say yes. They aren't.) Meanwhile, the "bad guys" probably know how to work the system anyhow, and can get them to say "yes" by understanding said "script".
Simple example: I do business under my initials, and PayPal wouldn't let me change the name on my account to my initials for "security reasons". Even after I provided proof that both of my bank accounts had already been changed (to my initials). Even after I went back and forth with them at least half a dozen times. I finally had to go in the "back way" via talking to an ex-PayPal employee, who talked to a current PayPal employee, etc. etc...
They wouldn't change my name to my initials despite indisputable (and verifiable) proof from two established brick-and-mortar banks, yet they have absolutely no problems letting you set a crappy-ass password on your account... You see? Their priorities are backwards. They love saying "no", but they have no clue when to do it and when not to. The end result is that they suffer not only from security risks, but from bad PR.
With spending like this, exactly what are "conservatives" conserving?