Mitnick: Security Not about Technology
renai42 writes "Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday. 'We can't expect our employees to be human lie detectors,' Mitnick said. 'One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.'"
'We can't expect our employees to be human lie detectors,' Mitnick said.
Sure we can: http://content.monster.com/martynemko/articles/ar

Technical or human, good security requires balancing convenience and control. If you give your employees the power to refuse information to potential customers, you gain control and security but lose convenience and maybe money. If you tighten your network down so much that users have to jump through hoops to send files to each other, you may be more secure, but the hassle will lead to lost productivity. You can't try too hard for control or for freedom. You have to weigh threat and risk. You want to insure against potential disasters, and eliminate any more likely security risks. It's probably too costly to treat a low-threat but high-risk (common) security hole as if it were a disaster. This is why stores find it cheaper to set prices assuming a certain amount of shoplifting will occur. It would cost too much in lost sales and increased labor to secure the store against all theft. Training your dumbass users, helpdesk, and even sysadmins to recognise social engineering might just cost more than any losses from security breaches.
------ Take away the right to say fuck and you take away the right to say fuck the government.
You should read up on the guy. His talent lay more with the social engineering aspect of security. He could talk his way into or out of just about anything. His book on social engineering is a good read, McPaper-sized examples, but still very eye-opening. I'm a network admin, 18 years running, and I wound up with a large security laundry list to discuss with my boss the following Monday.
The other thing is that his *years* of jail time were spent before he was ever convicted, i.e., he pleaded guilty to some of the charges to cut short his lack-of-a-speedy trial. He's done his time. He can talk as long as people will pay him.
Besides, ignorance is not unexpected. Many novices probably couldn't tell you who Philo Farnsworth was, even though they've been looking at his invention all their lives.
In my previous job I worked as a trainer and consultant for many blue chip companies and spent a lot of time in their corporate HQs, Call Centres and Help Desks.
Invariably, front desk security was adequate, but it was easy to get into many Call Centres and Help Desks without a key card, fob or access code simply by waiting for an employee to walk towards the main door and then approaching the same door carrying an obviously heavy, large box full of training manuals - most people in service delivery roles want to be helpful, so they often hold the door open for you! In 6 years of consulting I was only ever challenged once.
In reverse, I would occasionally be coming out of a building and someone would ask me to hold the door because they had forgotten their pass - it would really piss them off when I refused to let them in and said that if they waited outside I would fetch a team leader or manager for them!
AT&ROFLMAO