October 23, 2000
Vulnerabilities Beckon Some With A License To Hack
continued...page 3 of 3
Simon Perry, Computer Associates' VP of eTrust Security, says that just because someone knows how to hack into a network doesn't mean that person is proficient in making a network secure. "They're two completely different skill sets," he says. "Just getting a list of identified vulnerabilities isn't enough. They need to communicate the potential business processes affected by the vulnerability, along with a list of impact assessments and countermeasures. Just because you have the power to break something doesn't mean you have the power to fix it."
It may also be that some of the shine is wearing off superstar hackers as more people become concerned about Internet security. Convicted hacker Kevin Mitnick was invited to speak at Giga Information Group's Infrastructure for E-Business conference in Los Angeles in September; that speech, scheduled to be presented by reservation only, was opened to the general audience because of a lack of interest.
Mitnick, who was accused of causing millions of dollars in damage to technology companies by hacking into their networks, was convicted and imprisoned, but only after a three-year manhunt led by the FBI that ended in 1995. When Mitnick was freed from federal prison early this year, he was barred from any contact with computers, or even speaking publicly about technology-related topics. Mitnick was successful, however, in challenging some of the conditions of his release and was allowed to pursue some computer-related work, including speaking appearances.
Mitnick was greeted by applause from IT and security professionals at the Giga conference, people who once would have been his targets, and he had some interesting security advice for them.
Mitnick told the audience the most significant security risk from hackers has nothing to do with technology, and pertains to the area over which businesses may have the least control: people. "People are the weakest link," Mitnick noted during his closing keynote address. "Somebody can call an unsuspecting employee, and that's it, baby. They got the whole thing."
Mitnick relayed a story about a hacker who obtained secrets from a small software company while barely touching a keyboard. The hacker relied on social engineering to ply his craft. He arrived at the company's office, pretending to have mistakenly shown up a week early for a meeting with the CEO. Acting embarrassed, he took the staff to lunch to make amends and managed to speak with someone from every department. He then followed up with the CEO's secretary, claiming he had already talked with the CEO and needed information about the new product to prepare for their meeting, and got her to E-mail everything to a Yahoo address.
When the CEO arrived at the office, he said he'd never even heard of the visitor, and the phone number on his business card was bogus. A short time later, the CEO read a story about another company launching his exact product weeks before his own company's product was due to launch.
Forrester analyst Frank Prince agrees with Mitnick's assessment of the weakest link. "It's all about people, process, and technology," Prince says. "Technology is dead last in the order of importance when it comes to security."
Mitnick says companies need to forget the notion of 100% security and think of security as an ongoing, dynamic process of risk management. The key, he says, is detection and reaction. If a company stays static in its security posture, it's going to be in trouble.
Mitnick says hackers are like adventurers. "Hackers are motivated by intellectual curiosity. The more secure you make your systems, the more you attract them. The hacker mind-set is like exploring space, except they're exploring the network."
However, Axent's Clyde doesn't think that hackers' desire to explore the network makes them better prepared to help companies build more secure networks. "Just because you know how to break something," he says, "doesn't mean you know how to fix it."