Mitnick tells IT managers to trust no one
The famous hacker says everyone in a business from CEO to receptionist must be wise to the ways of computer system infiltrators.
By Anne Chen, September 28, 2000 7:22 AM PT
LOS ANGELES – Infamous hacker Kevin Mitnick warned IT managers Wednesday that unless they educate every employee – from the CEO to the receptionist – about how hackers work and how to bolster security, corporate networks and Web sites will never be safe from attack.
In the closing keynote speech here at Giga Information Group’s Infrastructures for E-Business conference – his first such speech since being released from prison in January – Mitnick described the mindset, objectives and methods hackers use to compromise corporate computer networks. He said the key to security is detection and reaction.
“You should adopt the mantra ‘In God we trust. Everybody else is suspect,’” he said. “People are the weakest link when it comes to security, and an important question to ask yourself is not if, but when, is your e-business going to be targeted?”
Mitnick was convicted on five federal counts of wiretapping and computer fraud and was released from prison after serving a five-year sentence. He was accused of causing millions of dollars in damages by hacking into the computer systems of Fujitsu, Motorola, Nokia and the University of California. He is currently serving a three-year probation, during which he is required to obtain special permission to use a computer.
What to be on the lookout for
With the proliferation of e-commerce, Mitnick said, every employee must be aware of techniques and ruses used by attackers to gain control of internal computers. Technology, he said, isn’t enough. Employees at all levels must know how to choose good passwords and write policies and procedures to protect the enterprise from viruses, worms and Trojan horses.
“It’s naïve to assume that just installing a firewall is going to protect you from all potential security threats,” he said. “That assumption creates a false sense of security, and having a false sense of security is worse than having no security at all.”
Mitnick also gave IT managers insights into the physical methods attackers use to gain access to vulnerable network access points. He warned against keeping certain rooms unlocked when not in use, such as conference rooms with data jacks, computer training rooms and telephone and cable closets. And he advised organizations to classify sensitive and confidential information and erase or destroy data on all discarded magnetic media in order to dissuade dumpster diving, a favorite hacker trick used to obtain password lists and corporate directory information.
Mitnick recommended that businesses analyze the costs and benefits of security risk reduction as they would any other part of their business. He recommended that organizations do risk assessments to determine threat impact and expected loss per incident, to balance cost with risk reduction and to keep current on security vulnerabilities.
Mitnick concluded by advising IT managers to motivate every person in the organization to see the benefits of security. Without the help of everyone, all the technology in the world can’t keep a computer network safe, he said.
“In today’s world, there’s no way to eliminate the total threat because there will always be people who can get behind the walls,” Mitnick said. “But people are the weakest link. Make sure they understand security is a dynamic process.”