Preceded by reputation
Kevin Mitnick is perhaps best known as the hacker who made it to the FBI’s Most Wanted List for breaking into the computer systems of multiple government agencies and over 40 major corporations. Mitnick was a fugitive for four years, and after getting caught was put on trial and sentenced to five years in a federal prison, including a year in solitary confinement.
“I did it for fun,” he says. “I am a prankster at heart.” Mitnick says he liked performing magic tricks for friends and family when he was young.
Since leaving prison, Mitnick has changed tack. He still hacks, but now works as a white-hat hacker whose consultancy firm helps clients find the vulnerabilities in their systems so that cyber-criminals don’t find them first.
Mitnick also serves as Chief Hacking Officer for KnowBe4, a company that trains employees of organizations to spot vulnerabilities, including their own. He has authored four books: The Art of Intrusion, The Art of Deception, Ghost in the Wires, and The Art of Invisibility.
He also goes on speaking tours all over the world. His website lists 29 destinations just in the first 10 months of 2018. During these tours, he shows people “the tradecraft that’s used by the bad guys to compromise their businesses and their personal systems and what steps to take to mitigate the risk so they do not become victims,” he says.
Hackers then and now
Different people hack for different reasons. “You have people who do it for challenge, for profit. You have hacktivists, and you have nation states.” In the pre-internet days, more hackers did it out of intellectual curiosity and the pursuit of knowledge. Now there appears to be little reward for doing it just for the challenge. The risk is simply too high, “because it’s illegal now, when it wasn’t illegal before.”
These days there are more criminal hackers whose motivation is to commit theft and fraud using hacker tradecraft.
And are they operating individually or as a group? “Both, I think,” Mitnick says. They hack individually because there is less risk of being double-crossed. And they hack in groups, because that’s how organized crime works.
Playing catch up
Normally, organizations are reactive. “They respond when they are attacked. Or when government regulation forces them to respond.”
Still, it’s possible to be in a proactive mode instead of just reacting. “A good first step is to do a security penetration test,” says Mitnick. “They should see how well – or how poorly – their security controls hold up to sophisticated attacks. This way, the company or government agency could determine what security controls its employees are really failing. Or what additional securities or controls they need to add, to mitigate risk to whatever their acceptable level of risk is.”
The attackers try to be one step ahead. They find vulnerabilities they are able to exploit – it is only once they are caught exploiting that vulnerability that people play catch up and try to patch it. “It’s a complete cat-and-mouse game,” he says.
The problem is that many organizations are not aware of certain flaws in software that people weaponize, exploit, and take advantage of. “Since they don’t have the knowledge of what these are, and they get hit with these exploits and then it’s too late and they have to obviously catch it through a monitoring perspective rather than a prevention perspective.”
And then, even if companies and governments are more aware, it does not mean that they can, or are going to, fix all their security problems.
“Just because companies are being aware and pro-active does not mean that they are not vulnerable,” he says. There are plenty of attack vectors that the attacker could utilize as part of their tradecraft to breach a company or government agency.
“The bad guys can always look for a misconfiguration or a bunch of several areas where they could be compromised whether that’s the human element, or applications that are vulnerable, or network service or wireless networks.”
Building a case before the board
Mitnick knows the main problem of CISOs all too well. “Security is not something that is revenue generating. It’s actually an expense.” Thus, despite the need or desire to protect the organization as best you can, companies don’t necessarily like to spend on security. Organizations balance the expense against the potential cost of the breach they are trying to prevent.
“You are not going to spend over a million dollars to protect a potential million dollar breach. Because that wouldn’t make sense,” he says. “Looking at it again, what is the risk to the bottom line? How much money, time and resources are you going to put in to your security efforts to reduce the probability that a security event will happen?”
What tips the balance? “That is all driven by market, by regulation and by scary events that happened either at the company itself or another business. When it’s something that becomes public, like the WannaCry ransomware, when the companies hear about this they go: ‘Oh My God, we better do something before we’re hit!’”
CISOs develop a plan to mature the security program, “because you need to protect your most important IT assets whether it’s your customer list or manufacturing process or whatever it is. The company will focus your budget and resources. If you are lucky, you get the best-of-breed technologies and consultants.”
One of the biggest challenges is to convince the C-suite and the board that they need to invest money into risk management to deal with security issues so they can protect these assets. How? “By citing current events,” says Mitnick. “(Tell them) what is going on in businesses being attacked and use that as an example of what could possibly happen.”
Don’t be that fruit
So what does this former convicted hacker now have to say to organizations who want to protect themselves from hackers?
Since it’s impossible to eliminate security risks altogether, they should instead “raise the bar high so that they are not the low-hanging fruit.”
Attackers are looking for easy targets. “If your company raises that bar high enough, that company will no longer be the low-hanging fruit, and the attacker will go to a target that’s easier.”