
About the author

Jessica Twentyman

Jessica Twentyman

Jessica Twentyman is an experienced journalist with a 16-year track record as both a writer and editor for some of the UK's major business and trade titles, including the Financial Times, Sunday Telegraph, Director, Computer Weekly and Personnel Today. Jessica has also worked on contract publishing projects for organisations as diverse as the Institute of Directors, Microsoft, 3i, BT, English Heritage and the Royal Bank of Scotland. Jessica is the editor of IP EXPO Online. Contact Jessica on jessicatwentyman@ipexpo.co.uk

Former hacker turned security expert Kevin Mitnick opens IP EXPO 2013

14 Oct 2013

IP EXPO Online chats with Kevin Mitnick about the challenges facing IT leaders today when it comes to safeguarding valuable corporate information.

One employee, one bad decision: that’s all it takes for a hacker to get their foot in the door of an organisation. And once they’re inside, all the investments that the target company has made in anti-virus software count for nothing.

That was the message from Kevin Mitnick, once the world’s most-wanted hacker and now one of its foremost IT security experts, in his opening keynote at IP EXPO 2013.

Addressing a full house, Mitnick recalled his former life as a hacker and the skills he acquired in social engineering - the art of deceiving employees of a company into handing over information or performing a specific task by posing as someone else.

“Security is about people, processes and technology, and organisations need to bolster the weakest link, which invariably is the human element,” he said.

That’s as true today as it was during Mitnick’s time as a hacker in the 1970s and 1980s, when social engineering was the “cornerstone” of his hacking activities. Today, Mitnick said, cyber-criminals and hackers tend to use both social engineering and the exploitation of application vulnerabilities in order to breach corporate IT security. Attacks that use the two in combination, he said, are by far the most likely to succeed.

During a 40-minute Q&A interview, Mitnick gave the audience several live demonstrations of the ways that hackers use social engineering to get their hands on information, simply by persuading targets to open an emailed Word or PDF document. These documents appear perfectly safe to recipients - and to anti-virus scanners. But once opened, the Word document could be used to steal usernames and passwords, while the PDF installed a Trojan that handed control of the user’s PC over to the hacker, enabling them to upload or download files to or from the computer, change its registry and turn on the webcam, for example.

In an age of social networking, where many people share personal details online on sites such as Twitter, Facebook and LinkedIn, it’s never been easier for hackers to find out information on targets that they can later use to deceive them. Information on an employee’s role, skills, previous employers and network of associates is all ammunition to the determined hacker, he said.

These days, in addition to speaking engagements around the world, Mitnick leads his own company, Mitnick Security Consulting, which specialises in helping companies from a range of different industries prevent information theft. Penetration testing is one of the services provided, and where clients agree to some element of social engineering being used in tests, the company has never failed to breach their defences, Mitnick told the IP EXPO 2013 audience.

“I used to provide free penetration tests,” he joked with them. “Now I charge. The difference is I have permission.” But the thrill of penetrating a system, even with the permission of its owners, is still the same today for him as it was back in his hacking heyday.