Kevin Mitnick, founder of Mitnick Security, is known worldwide for his part in transforming the information security industry into what it is today. It is hard to imagine that it all started with a kid who had unsupervised free time and an insatiable curiosity about magic tricks and the budding tech industry, but it did. Kevin grew up learning that tricking people (what we now call social engineering) and breaking into computer systems were not only fun, they earned him attention and respect.
Kevin Mitnick — The Evolved White Hat Hacker
Eventually, Kevin's antics led to roughly five years behind bars and, through the Free Kevin movement, to a wider debate about how hackers are treated versus how they should be treated.
Kevin Mitnick's unprecedented hacking expertise, and his acknowledgement that he had been on the "dark side," shaped his desire to share his knowledge in a way that would help the organizations that had once feared him. Kevin went from the FBI's Most Wanted list to becoming a white hat hacker and valued consultant who testified before a U.S. Senate committee about computer security.
Kevin, together with co-author William L. Simon, wrote "The Art of Deception" to share what he had learned and to help us understand why and how social engineering threatens even the most well-protected organizations. Here, we explore the book and its key takeaways about social engineering.
The Fundamental Tactics of Social Engineering
Accessing Innocuous Information
Gaining access to private company information is easy when employees see that information as harmless. When Kevin was a teenager, he was able to ride the bus lines for free throughout the L.A. area, partly because a bus driver told him where he could buy the same kind of punch the bus company used to mark transfers.
Since drivers dumped their partly used books of transfers in the trash bins at bus terminals, it was child's play for Kevin to punch his own transfers and ride without paying. The lesson is that a piece of information nobody thinks to protect can be the key to your company's most prized secrets.
The Human Factor
There is a natural urge to trust other people, especially when a request seems reasonable. Social engineers take advantage of that trusting nature to exploit their victims and achieve their goals. Kevin Mitnick explains:
Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it. (Mitnick, 16)
While some social engineering attacks are elaborate, a skilled social engineer can often achieve the goal with a simple, direct request. This is why the human factor is the weakest link in an organization's defense.
Abuse of Trust
Strong people skills may not be a requirement for a traditional hacker, but they are for a social engineer. To fool the average person, they have to be charming and polite, which makes it fast and easy for them to gain trust and build rapport with their victims.
In many cases, a social engineer will be so friendly and helpful that you are pleased to have met them, without noticing that they were extracting important data from right under your nose. In some instances the information was not stolen at all; it was freely given, thanks to the trusting feeling social engineers are so good at manipulating to their advantage.
Social Engineers in Action
“Help” in a Darker Light
Kevin Mitnick explains in "The Art of Deception" that an innocent question such as "Can you help me?" is far from innocent when it comes from a social engineer. In the book's story "Keeping up with the Joneses," that simple question, asked politely over the phone, led to the social engineer obtaining the ID number of an upper-level employee, who believed the caller needed help fixing a payroll issue.
In another example, a social engineer insisted that they could help the victim resolve a serious network outage. What the victim did not know was that the social engineer had caused the outage in the first place.
How To Prevent the Attack and Protect Your Business
Untrained employees make a business easy prey for social engineering attacks. Firewall Times reports that, "The average organization is targeted by 700+ social engineering attacks annually." With this many threats aimed directly at employees, it is crucial to make cybersecurity awareness training part of their continuing education so they understand the importance of safeguarding confidential information.
Consider the Source
Knowing who is asking for (and getting) company information can keep social engineers from working their magic. One control that limits the damage when that check fails is multi-factor authentication (MFA), so that a single stolen, guessed or weak password is not enough on its own to bring down your organization's infrastructure from the inside out.
Everyone from your receptionist to your senior managers can be the target of a social engineering attack, and it is easy to overlook the less obvious parts of your organization that are vulnerable to one. For example, Kevin Mitnick's book walks through how easy it was for a social engineer to ask for, and get, an internal company phone number simply by requesting that a fax be sent to it. The front-desk administrator had no idea this was a targeted effort to collect internal information.
That is why it is crucial that all employees follow security procedures without exception, including the simple step of verifying who a caller is before releasing any internal information.
Take Your Security Protocols to the Next Level
Social engineering tactics can fool just about anybody. However, a trained eye and careful diligence will keep your organization better protected than any firewall alone.
In "The Art of Deception," Kevin Mitnick offers much more advice on how to prevent these attacks. If you want an insider's look at social engineering and how to protect your business, read the book.