Mitnick was wanted for computer hacking — he bypassed security systems in organizations such as Motorola, Sun Microsystems, Pacific Bell and the FBI themselves — and he served five years in prison.
Today, he owns a security consulting firm called Mitnick Security. As a computer security consultant, Mitnick works with companies to protect them from intruders like his former self. Below is a lightly-edited transcript of our conversation:

Should businesses spend money on employing security consultants?
Businesses should absolutely set aside funding in their budgets for security consultants. What happens with smaller businesses is that they give in to the misconception that their site is secure because the system administrator deployed standard security products — firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. Most people assume that once security software is installed, they’re protected. It’s critical that companies be proactive in thinking about security on a long-term basis. Social engineering is when an attacker does thorough research on the company, using various simple investigative techniques to hack a company based on human error.
An attacker would call to ask a simple question; once they get that information, they make another phone call using the previous information provided. The hacker will go after the weakest link and if he can get one person in the business to make a bad decision, none of the security precautions taken will matter. I recently partnered with a company called KnowBe4 that specializes in security awareness training — a niche that wasn’t really available before. It’s important to note that information security policies cannot be written in stone. As a business’s needs change, new security technologies become available, and security vulnerabilities evolve, the policies need to be modified or supplemented. You should review security at least on an annual basis, but if you’re a bigger company, on a quarterly basis. Back in my hacking days, I was able to remain in some systems for over a decade as a result of companies failing to review their security measures.
If credit card information or other data is stolen, can I figure out exactly what has been taken?
In some cases, we can go into the system and see the logs of exactly what information was viewed, taken, and when it was retrieved.