CSC EXECUTIVE EXCHANGE
Always Connected, Always Vulnerable:
Kevin Mitnick
Executive Exchange
is sponsored by CSC Consulting
Group and designed for — and
strictly limited to — audiences
comprising senior executives
from major organizations.
For more information on
upcoming events, agendas
and attendees contact your
CSC Account Executive or
Norm Staniford at 214.523.5527
Can the Enterprise be Protected?
November 5 – 8, 2006
The Art of Deception
Kevin Mitnick, Legendary Hacker and Security Specialist
When it comes to information security, most security executives invest the
bulk of their time and budget dollars on thwarting technological factors
that can snatch data.
At a recent CSC Executive Exchange, a renowned hacker-gone-good
said those executives should be investing just as much time and money
protecting their enterprises against the human factor which, he said, can
snatch that data just as smoothly and easily.
Kevin Mitnick is the president of Mitnick Security Consulting and the
author of the best-selling books “The Art of Deception” and “The Art of
Intrusion.”
“Most companies don’t realize the extent to which bad guys these days
resort to what I call social engineering in order to gain entry into corporate
networks and data,” said Mitnick. The consultant who spent five years in
prison for hacking into some of the United States’ most advanced computer
systems during the 1980s and 1990s went on to say, “you can have the best
firewalls, encryption tools and such in place, but they will neither detect nor
protect you from a social engineering attack.”
Mitnick defined social engineering as “using personal manipulation, deception
and influence to get some target to reveal sensitive information, which then
can enable a more technologically based attack on one’s network or data.”
“The most basic and amateurish form of social engineering,” he said, “is
what occurs when one person calls another posing as a business
professional and asking for the other’s person’s password, hoping the target is
distracted enough at the time to reveal it.” “Social engineering has taken
on much more sophisticated approaches than that,” Mitnick warned.
“A slightly more novel scam is one where someone poses as an employee
and calls the help desk claiming they can’t access the network after having
recently reset their password,” he said. “The help desk asks for an
authentication credential — last four digits of the person’s social security
number for example —– and the intruder now knows what credential the
company uses for authentication.”
“That person then researches such information about
other employees in the company, which is easy to find
on the Internet, and calls back a few days later using a
different employee’s name and authentication
credential. The password gets reset…and then the
intruder, posing this time as a help desk clerk, calls the
victimized employee to tell them their password had to
be reset and not to change it for a few weeks. The intruder
then uses the new password at will, undetectable for
several weeks.”
Other savvier forms of social engineering include calling
someone in accounts payable claiming to be from the
phone company and then asking that all phone numbers
not on the Centrex be faxed to them so some billing
issues can be resolved. What gets included in that fax
are the phone numbers for any dial-up modems in the
firm, through which the intruder gains access to the
network. Or, a flash drive gets “left” in a parking lot or
bathroom and when the employee who finds it pops it
into his or her laptop, it takes control of their computer
giving the intruder full access to data.
“Security managers need to understand that sometimes,
the bad guy doesn’t care about getting into your infra-
structure or network,” Mitnick said. “Sometimes all he
wants is to get to your data.”
“Managers,” he said, “need to be on the lookout for several
varieties of holes that can appear in their organizations’
human firewalls. At times, it’s the illusion of invulner-
ability that will cause a slip up. At other times, a rupture
occurs when an employee decides that the established
security protocols are too cumbersome so they, for
example, take a password and leave it taped to their
computer monitor for easy access (by everyone). One
employee slips because she underestimates the value of
the information she’s sharing, another falters when he
wants to be seen as helpful and still others inadvertently
hand over the keys, because their lack of technical
acumen causes them to be unaware of the security
consequences of their actions,” he said.
About CSC
Computer Sciences Corporation helps clients achieve strategic goals and
profit from the use of information technology.
With the broadest range of capabilities, CSC offers clients the solutions they
need to manage complexity, focus on core businesses, collaborate with
partners and clients, and improve operations.
CSC makes a special point of understanding its clients and provides experts
with real-world experience to work with them. CSC is vendor-independent,
delivering solutions that best meet each client’s unique requirements.
For more than 45 years, clients in industries and governments worldwide
have trusted CSC with their business process and information systems
outsourcing, systems integration and consulting needs.
The company trades on the New York Stock Exchange under the
symbol “CSC.”
The best way to prevent the human firewalls from
coming tumbling down is to build resistance to social
engineering into one’s workforce. Getting top manage-
ment buy-in is key, Mitnick said, and, “a great way to
achieve that is to conduct a stealth attack on a manager’s
personal information before a training session and then
present the results of the attack during the training,” he
said. “If you use social engineering tactics to gain access
to their data before the meeting, people will be less on
guard than if you try to do it during the meeting.”
Mitnick also recommended developing clear procedures
for classifying, sharing and trashing data and assessing
the company’s security awareness by performing attacks
that rely on social engineering tactics.
“I also consider it wise to develop “keep-it-simple-stupid
security protocols,” Mitnick said. “Rather than expect
employees to read a security handbook on the intranet,
create protocols for different classes of data. Then, when
employees encounter a security situation, they can then
refer to the electronic handbook for guidance.”
Mitnick left his audience shaken, but better equipped to
stave off attacks via social engineering. Those attending
learned that today’s bad guy needs a false I.D. to gain
trust, and therefore might use a spoof caller I.D. to appear
to be calling from a location within the company rather
than a nearby coffeehouse. That bad guy also needs an
out in case an employee does seem hesitant to reveal
precious information, so all should be wary of the caller
who says a supervisor will call back to get the data later
or that they suddenly have another call coming in.
Security managers even need to scan what the company
says on its Web site and what it tosses into the trash.
“Hackers these days will carefully reconstruct any
documents you have shredded by hand,” he said. “They
will also search your Web site to learn the lingo of your
company so they can more effectively pose as an employee,
and they’ll dive into dumpsters to find source code or
tossed CDs full of great internal data they can use to
wreak even more havoc on your organization.”
Computer Sciences Corporation
Consulting Group
266 Second Avenue
Waltham, Massachusetts 02451
+1.781.890.7446
Copyright © 2006 Computer Sciences Corporation. All rights reserved.
ny06_0367