A Lesson Learned From The World’s Most Famous Hacker

I woke up excited.

It’s my birthday. The day I eat whatever I want, my wife and kids are nice to me, and things are generally groovy all day long.

I open my email and there’s a gift from my friend Adam…a digital gift card to my favorite online purveyor of technology, Newegg!

Adam, you are awesome!

I open the link and log into my account $25 richer. Or so I thought…

Instead, I just compromised my computer, my network, and every account where I use “P@55w0Rd?” as my login password.

What just happened?

An anonymous snooper crawled my Facebook page and learned that it was my birthday, that I shop regularly at Newegg, and that I correspond regularly with Adam.

No super hacker skills required.

I just gave away all the data necessary for an attacker to compromise my digital life. How did that happen?

My attacker used the pretext of a birthday gift to get me to click on the link that allowed him to sniff my network traffic and implant a backdoor on my PC. A backdoor that could have allowed him unrestricted access to my life had I not recognized it. (At least the part of my life I kept on my PC.)

I’d just become the victim of a computer exploit that worked 28 years ago.

This is the exact recipe used by Kevin Mitnick, the world’s most famous hacker and author of “Ghost in the Wires”…the recipe that got him into the security systems at IBM, Nokia, Motorola, Sun Microsystems, and Pacific Bell.

“Ghost in the Wires” is a good first book to start building your background knowledge in cybersecurity. It’s fast-paced and reads like a thriller. Mitnick and his co-author William Simon do a stellar job of portraying the humanity of Mr. Mitnick, and the obsession that drove him to the top of the FBI’s most wanted list 28 years ago.

The lesson? What worked then, still works now.

My most illuminating takeaway from Mitnick’s book was realizing that the principles of both criminality and security remain unchanged.

  1. Research your target, until you know their weakness.
  2. Create a plausible pretext to gain their confidence.
  3. Offer your target something they want in return for the act you want them to perform.
  4. Reaffirm the pretext that gained the confidence of your target to ensure future usefulness.

In short, phishing emails then…phishing emails now.

You can start securing the most vulnerable part of your computer systems today…your people.

The most vulnerable part of any system is the human who uses it. Social engineering is used in 66% of all cyber-attacks, and 67% of targets are willing to give up their own and their co-workers’ personally identifiable information (PII).

How do we get better at recognizing when an email is being used to compromise our information? The key factor in study after study is a combination of regular security training AND testing.

Do you remember what you ate for lunch last Tuesday? I know I don’t.

But if you quizzed me weekly on my lunch habits, do you think my memory might improve? The answer is yes.

Your employees don’t remember the security training you required them to take 6 months ago.

But if you send them regular phishing emails to test them — and use their clicks on a link they shouldn’t have clicked to reinforce your policies — statistics show that your vulnerability to these attacks plummets 1200%!

Here’s how to test and improve your business’s defense against a social engineering attack on your employees.

  1. Determine the systems you most need to protect to ensure your business stays up and running.
  2. Determine who has access to those systems.
  3. Craft your own email phishing campaign. Send something this audience would normally receive via email, or would be excited to see.
  4. Keep statistics on who takes the bait from a phishing email. Bait that would have compromised your system had it been sent by a cybercriminal.
  5. Send test phishing emails every month, especially to leadership.
  6. Require remedial training for repeat offenders.

Watch your vulnerability to the most popular attack vector plummet!

Kevin Mitnick knew 28 years ago that your people are the best way to attack your systems.

Criminals way more malicious than him know that today…