Mitnick: Security depends on workers' habits

Forget about fancy tools, ex-hacker says. Teach your employees not to give information to strangers.

David Braue Special to CNET News
3 min read
Famed ex-hacker Kevin Mitnick is warning against security strategies that focus on technology. Rather, teaching your staff to say no will help keep your network secure, he says.

Mitnick, a cyberspace legend known for having penetrated the networks of such companies as Motorola and Nokia, spoke Thursday at Toshiba's MobileXchange conference in Melbourne, Australia.

"What you can find in the trash is simply amazing. People throw out notes, drafts of letters, printouts of source code."
--Kevin Mitnick,
hacker turned security consultant

Mitnick led the FBI on a 15-year manhunt that ended in 1995, and he ended up behind bars for nearly four years. Older and seemingly wiser, he now uses his skills for good as a Los Angeles-based security consultant.

Many companies invest heavily in technologies to protect their networks, but Mitnick was quick to point out that even the tightest technological barriers never stopped him. Rather, some carefully planned social engineering--or even a bit of dumpster diving in one's spare time--can often be far more effective at penetrating the weakest security link at most companies: their people.

"What you can find in the trash is simply amazing," Mitnick said. "People throw out notes, drafts of letters, printouts of source code, printouts of project documentation they're working on. In some cases, they even write down passwords and access information, or calendars that list every person that person has talked to or met with."

This information provides invaluable assistance to hackers keen to worming their way into a company by, say, impersonating an employee and calling the internal help desk, or dropping in and pretending to be a business associate. Because people hate to say no, even when they're suspicious of a well-presented stranger, Mitnick says, smooth talking has gotten many a hacker far closer to a target company's network than brute-force technological attacks.

Modern technology is an enabler for such attacks: If a hacker can worm his way into a conference room for just a few minutes, for example, a wireless access point can be plugged into an out-of-the way network access point, providing an open back door into the network, even when the hacker is parked outside the building.

The solution to such security vulnerabilities is easy to understand but often hard to implement: Develop clear security policies for issues such as treatment of strangers, handling of information and access to physical facilities by visitors. Teach employees to fall back on those policies when they're in suspicious circumstances rather than trying to ad-lib their response or give in to their natural inclination to accommodate the hacker's requests.

Even a simple request for contact details, so that a company employee might call back the person requesting assistance, can be enough to make many hackers turn tail and run.

"We can't expect our employees to be human lie detectors," Mitnick said. "One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.

"Social psychology has found that people should generally pay attention to their own discomfort. If something doesn't feel right, or it's nagging at their gut, they'd better check it out. They're not always going to remember a security policy, but what you want is to come up with some very simple protocols that will trigger employees to refer to security policy. The only people who are going to object to this are the bad guys."

David Braue reports for ZDNet Australia.