Former US black hat hacker Kevin Mitnick used social engineering to infiltrate companies during the 1990s. These days, he uses his skills to help organisations understand how they can protect themselves.
Speaking at the CeBIT conference in Sydney, the CEO of Mitnick Security Consulting said that a lot of attacks involve the exploitation of insecure Web applications — and the exploitation of humans, through social engineering.
“With a lot of attacks, the foot in the door is through social engineering and then you can use technical exploits to gain access to targeted systems. That’s how the White House was hacked [in 2014]. The attackers got into the State Department using a phishing email,” Mitnick said.
He said that social engineering can involve several steps. The first, for example, can be convincing people to click on a link in an email.
“Once they click that link, it has to go to some site or they have to open up some application that exploits a vulnerability in their desktop whether that is the browser or Adobe Flash,” said Mitnick.
For companies trying to deal with social engineering, he said that user education and training is a “no brainer.”
Inoculation is the best remedy.
“Inform your employees that you do testing from time to time and have internal or external security people trying to con them,” he said.
“When an attacker uses a social engineering attack, they want to gain persistent access to that network. They drop malware that is not going to be detected by anti-virus software.
“What makes malware so successful is that companies are good at controlling incoming connections, but they are poor at configuring their firewall so the malware connects to the bad guy.
“If the company controls and only allows certain ports out to the Internet, this reduces the threat that malware could communicate with the attacker.”
It is also important for companies to deploy technology that can secure the internal environment, not just scan the external environment to look for anomalies, he said.
"Is someone up at 3am using certain types of admin tools? If they are, send out an alert.”
Mitnick added that when he conducts penetration testing, he comes across password patterns.
“Once we are able to compromise the company and obtain their domain passwords in an Active Directory environment, we can determine the patterns that people use. For example, when Sony was hacked, [CEO] Michael Lynton’s domain user account was SonyML3.”
He suggested using a password manager that fills in the form with randomly generated passwords.
However, Mitnick acknowledged that the “password is dead.”
“I saw some technology at a conference where you could wear a bracelet which measures your heartbeat. This is communicated as an authentication to your work systems. But who the heck is going to go to work and put on a bracelet?”
He said that the IT industry needs to come up with a transparent technology that can positively identify the user.
“The password is dead and as a hacker, we always succeed,” he said.
Follow Hamish Barwick on Twitter: @HamishBarwick