
Security tips from a legendary hacker - Kevin Mitnick


Kevin Mitnick was once the "most wanted" computer hacker in the world. After being nabbed by the FBI and doing his time, Mitnick became one of the good guys, helping businesses understand and address information security weaknesses and threats.
Mitnick, now a leading consultant and speaker on the subject of information security, and author of the New York Times best-seller Ghost in The Wires, spoke with me about the most serious threats of which every business should be aware. Mitnick says that these issues aren't just concerns for large corporations -- small companies face the same challenges, and dealing with them effectively doesn't require massive resources or IT departments. Here are the top threats, and some tools small businesses can use to address them:
Attacks are becoming more complex
The threat: Attackers have become more sophisticated, and it's often extremely difficult to detect an intrusion until after the damage is done. "Hacker gangs," often operating overseas, have acquired online banking credentials and wired funds out of corporate accounts, or stolen intellectual property, with little or no detection.

The solution: There are several solutions on the market for small- and medium-sized businesses. Cisco (CSCO) and others offer integrated services routers (ISR), which integrate routing, firewalling, intrusion detection, VoIP solutions and wireless networking, at a low cost (entry level models run around $1,000). There are more robust systems for larger enterprises, but ISR provides good baseline protection for smaller businesses.
The risk landscape is increasingly difficult to understand
The threat: Attacks are evolving every day, making it crucial -- and difficult -- to keep up with current hacker methodologies. As a result, thousands of systems are compromised every week. We often hear about distributed-denial-of-service (DDoS) attacks carried out by "botnets" of compromised computers. Hackers use similar techniques to gain access to small business computers, where they can access financial and other information, perpetrate theft and do all kinds of other damage.
The solution: Small businesses are increasingly putting many of their system functions in "the Cloud," where they can be kept up-to-date in real time. In these situations, it is critical to clearly outline expectations regarding application and data security in the Service Level Agreement (SLA).
If the necessary technical expertise is not available in-house, enlist the services of a security consultant or qualified IT specialist. Companies like Mitnick's offer advisory services and implementation of the best practices and solutions for keeping up-to-date on threats. For many companies, a modest investment in this kind of expertise can save them from far more costly problems down the road.
Outgoing network traffic can be as dangerous as inbound
The threat: Most businesses have some type of firewall for incoming traffic, but few address potentially risky outgoing connections from their own workstations. This is a major shortcoming, because a user's computer may become infected with malware that connects back to the attacker. According to Mitnick, antivirus software is only 60 percent effective at detecting and eliminating malicious code.

The solution: Reduce the number of services a user can connect to outside the company by configuring the firewall to restrict outgoing traffic to what's necessary for business operations. The ISR solutions mentioned above facilitate this type of configuration.
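To make the default-deny idea concrete, here is an added example (not from the original article or from any vendor's product) that checks outbound connection records against an allowlist and reports which workstations tried to reach anything else. The rules, addresses and flow records are constructed for illustration; the log format is an assumption.

```python
import ipaddress

# Hypothetical egress policy: (protocol, destination port, destination network).
# Anything that matches no rule is denied by default.
ALLOW_RULES = [
    ("udp", 53, "192.0.2.53/32"),     # DNS only to the company resolver (constructed)
    ("tcp", 443, "0.0.0.0/0"),        # HTTPS to any destination
    ("tcp", 587, "198.51.100.0/24"),  # mail submission to the mail provider (constructed)
]

# Constructed sample flow records: "src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
10.0.0.21 192.0.2.53 udp 53
10.0.0.21 203.0.113.80 tcp 443
10.0.0.34 203.0.113.9 tcp 6667
10.0.0.34 203.0.113.53 udp 53
10.0.0.40 198.51.100.25 tcp 587
10.0.0.34 203.0.113.9 tcp 6667
"""

def is_allowed(dst_ip, proto, port, rules=ALLOW_RULES):
    """True if the outbound connection matches at least one allow rule."""
    dst = ipaddress.ip_address(dst_ip)
    return any(proto == p and port == prt and dst in ipaddress.ip_network(net)
               for p, prt, net in rules)

def audit(flow_text, rules=ALLOW_RULES):
    """Return {workstation_ip: sorted unique denied (dst, proto, port) tuples}."""
    denied = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, proto, port = parts
        proto, port = proto.lower(), int(port)
        if not is_allowed(dst, proto, port, rules):
            denied.setdefault(src, set()).add((dst, proto, port))
    return {src: sorted(flows) for src, flows in denied.items()}

if __name__ == "__main__":
    # Workstations with denied outbound attempts are the ones to inspect first.
    for src, flows in audit(SAMPLE_FLOWS).items():
        for dst, proto, port in flows:
            print(f"DENY {src} -> {dst} {proto}/{port}")
```

A workstation that repeatedly hits the deny rule, such as one sending DNS to a resolver other than the company's, is worth checking for malware even if antivirus reports nothing.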
Desktop software is often out of date
The threat: Hackers used to focus solely on exploiting security flaws at the server level, but this has changed, and individual desktops are now common targets. One of the reasons this is appealing to hackers is that businesses rarely update the client application software that resides on individual workstations. Small businesses can be particularly easy marks for these kinds of attacks.
The solution: Products like Secunia's Corporate Software Inspector automate software updates on user desktops. These updates are as important as applying software and security patches for the operating system, as out-of-date software significantly increases the risk of a security breach. Products like the Secunia application can cost a couple thousand dollars, but again, the investment has to be weighed against the risk.
Humans can be the biggest problem
The threat: The biggest risks to information security are people. Studies have shown that most security incidents start from within, and are usually accidental. Sophisticated attacks use "social engineering" (predicting or manipulating human behavior) to trigger the exploitation of desktop application security flaws.

The solution: Constantly reinforce to employees the dangers of opening attachments and clicking links sent in email, messenger applications and posts on social networking sites. All it takes is one person making a bad decision to compromise the entire business. One clever and effective strategy for keeping employees on their toes is simulating attacks (similar to a surprise military drill), using an Internet Security Awareness Training program, which costs about $15 per person per year.
Of course, these are just quick snapshots of key threats and tools. It's a big and complex subject (Mitnick has filled three books on it so far), but these are great starting steps for most small companies. As Mitnick says, "The most important point is that computer and information security is not, and can never be, a one-size-fits-all solution."

Comments

  1. kevin mitnic spoke with you.../??

    "about the most serious threats of which every business should be aware.."
