Human Firewalls are a Must, Says Mitnick

Munir Kotadia
ZDNet Australia
April 14, 2005

Companies can better protect their confidential information by creating an incident response department to deal with suspicious queries, says infamous ex-hacker Kevin Mitnick.

At a social engineering prevention workshop in Sydney this week, Mitnick explained that this group should be trained in the art of social engineering, be able to investigate any potential [security] attacks and respond in an efficient and effective manner.

The founder of Mitnick Security Consulting (formerly known as Defensive Thinking) also called on companies to properly educate their workforce and strengthen their so-called "human firewall".

At the workshop, Mitnick and business partner Alex Kasperavicius shared some of the tactics used by social engineers to bypass a company's technical security by exploiting employees' psychological vulnerabilities.

Mitnick said there is no point spending millions of dollars on the latest hardware and software to protect corporate networks if it is relatively simple for an attacker to persuade one of the company's employees to divulge their log-in details.

"As the attacker I am going to look for the weakest point where I can gain access. A security program is made up of people, processes and technology. Your company could be strong in one area, such as technology, but its people may not be trained up to recognise where the bad guys are going to strike. The attackers are going to look for the easiest way in," said Mitnick.