
Security is both social and technical

[Image: Kevin Mitnick]

16-Apr-2013 - While he was speaking on a 10-city tour for Citrix and Palo Alto Security, Securebuzz had the pleasure of speaking with Kevin Mitnick about the human factor in security.

“Security is both social and technical, because social engineering is what an attacker uses to get the target to comply with the request,” he said. “Then the technical side is used to exploit it. My job was to educate the delegates about the human factor, which is usually the weakest link.”

He discussed attacks over the telephone, attacks by email, and the other types of attacks being seen today.

Internet-facing applications are popular targets, and attackers also break in through client-side vulnerabilities, such as getting a user to open a booby-trapped file.

“You can have a poorly developed application that faces the Internet,” said Mitnick. “The most successful attackers manipulate humans and networks.”

Adobe software has been a major target, because so many people use it on their desktops. The Java applet is another favorite. “I use a Publisher name that looks like it’s speaking to the security of the applet,” Mitnick said.

In his demonstrations Mitnick displayed a website to his audience and asked them to tell him what they saw wrong.

“I spoke to security professionals in 10 cities, and only in three were people able to tell me what was wrong,” he said. “Many guessed at the wrong thing, or picked on tiny things. And these guys are all security professionals. Imagine if regular users were shown this.”  

For what it’s worth, when Mitnick demonstrated the page to Securebuzz – which we promised not to publish, as he still uses it in his presentations – we didn’t find the problem either.

We can tell you it’s another useful and successful social engineering attack, one that can easily carry a booby trap for unsuspecting users.

These days he focuses on security awareness training for users.

How do you defend against social engineering attacks?

“The best way is to use technology to ensure that even when a user follows the attacker’s directions, the attack still doesn’t work. I open up docs in Google cloud... so my machine can’t get exploited. Or if you’re running Adobe 11, an infected PDF file won’t work.”

The second method is ongoing education and training.

“If something works, people forget or they’re not interested. When it doesn’t work, then it’s an IT problem. If a user opens a malicious file and his laptop stops working, he gives it to IT, because they don’t have any self-interest.”

Since humans are the weakest link in the security chain, Mitnick has helped develop security awareness training for users at KnowBe4.

“Inoculation is the newer method that I think is extremely valuable,” Mitnick said. “We’re doing mock social engineering attacks against the user base. From time to time we test, so it doesn’t lower employee morale. That way you can target users who fall for the attacks for further training. When they’re told they screwed up, they become more aware.”

Mock spear phishing attacks inoculate users against real attacks by training them not to act on every request. Yet a well-researched attack can still get through.

“If an attacker has done a lot of research and reconnaissance they can still forge an email that looks like it’s authentic, and that contains a malicious hyperlink,” said Mitnick. “Because it appears to have come from a trusted source, users click on it.”
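The forged email Mitnick describes usually leaves two technical traces that a user who trusts the sender will never look at: the visible link text names the trusted site while the href points elsewhere, and the Reply-To domain differs from the From domain. The script below is an added example, not code from the article, from Mitnick or from KnowBe4; it parses a constructed sample message (the addresses and domains are invented) and reports both indicators, so that the check runs before the user ever has to decide whether to click.

```python
"""Surface forged-sender and deceptive-link indicators in a raw e-mail.

Added example. SAMPLE_EMAIL is a constructed message with invented
domains, not a real phishing sample.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name and From domain look like the
# victim's own company, the Reply-To and real link target do not.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examplecorp.com>
Reply-To: support@examplecorp-login.net
To: alice@examplecorp.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<p><a href="http://examplecorp-login.net/reset">https://portal.examplecorp.com/reset</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Enough for the demo; production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the host of a URL or bare hostname, or None if text is neither."""
    candidate = text if "://" in text else "//" + text
    try:
        host = urlparse(candidate).hostname
    except ValueError:  # e.g. malformed bracketed IPv6 literal
        return None
    return host if host and "." in host else None


def phishing_indicators(raw_email):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    indicators = []

    # Indicator 1: replies are routed to a domain other than the sender's.
    from_addr = msg["From"].addresses[0] if msg["From"] else None
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if from_addr and reply_to and registrable_domain(from_addr.domain) != registrable_domain(reply_to.domain):
        indicators.append(
            f"Reply-To domain {reply_to.domain} differs from From domain {from_addr.domain}")

    # Indicator 2: the link text shows one host, the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _AnchorCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host, text_host = host_of(href), host_of(text)
            if href_host and text_host and registrable_domain(href_host) != registrable_domain(text_host):
                indicators.append(f"Link text shows {text_host} but points to {href_host}")
    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", line)
```

Run against the sample it reports both indicators; a message whose From, Reply-To and link hosts all share one registrable domain produces none. The check is a filter, not a verdict: an attacker who registers a lookalike domain and uses it consistently in every header and link will pass it, which is exactly why Mitnick pairs the technical controls with user training.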