Properly trained staff, not technology, is the best protection against
social engineering attacks on sensitive information, according to
security consultant and celebrity hacker Kevin Mitnick.

"People are used to having a technology solution [but] social
engineering bypasses all technologies, including firewalls," Mitnick
said. "Technology is critical but we have to look at people and
processes. Social engineering is a form of hacking that uses influence

During his keynote address at this year's Citrix iForum conference in
Sydney today, Mitnick said hackers are analyzing the "bigger picture"
and are looking for the weakest link, which is "people like you and

"Why do hackers use social engineering? It's easier than exploiting a
technology vulnerability," he said. "You can't go and download a
Windows update for stupidity... or gullibility."

Mitnick said social engineering appeals to hackers because the
Internet is so widespread, it evades all intrusion detection systems,
it's free or very low cost, it's low risk, it works on every operating
system, leaves no audit trail, is nearly 100 percent effective, and
there is a general lack of awareness of the problem.

"Social engineering attacks can be simple or complex and take from
minutes to years," he said, adding that surveys have revealed that
nine out of 10 people will give their password in exchange for a
chocolate Easter egg.

Mitnick spoke of how social engineering has been used to extract
millions of dollars from banks and how he used the technique to siphon
source code for a mobile phone out of Motorola by posing as an
employee in its own R&D department.

Mitnick also mentioned how he is not immune to the social engineering
scourge and was sent an e-mail 'phishing' for information from his
PayPal account earlier this year.

"The attacks are real and the threat is real so I encourage everyone
to do something about it," he said, adding the main target is the
helpdesk because "it's there to help".

Pretexting, where the hacker takes on an acting role, is the heart of
social engineering, Mitnick said, because people need reasonable
justification to fulfill a request.

Hackers establish an identity and role, build a rapport through
linking or other influence tactics, and leave an "out" to avoid
"burning" the source.

Intelligence gathering exercises may include seeking titles of company
positions so hackers know who to target, and good old "dumpster
diving" where the company's garbage is screened for information.

Mitnick said even large companies participate in dumpster diving as
Oracle was recently caught sifting through Microsoft's garbage. When
Mitnick was 17, he did some dumpster diving and found an employee
directory and source code in piles of rubbish.

To combat social engineering attacks, Mitnick said organizations need
to build a "human firewall" and fill existing holes such as illusions
of invulnerability. "It can happen to anyone," he said. "People
naturally want to help people and underestimate the value of

Mitigation techniques begin with top management buy-in and
demonstrating personal vulnerability.

"Establish an employee participation program," he said. "Develop
simple rules to define what is sensitive information [and] build a
human firewall by raising awareness."

Mitnick recommends performing social engineering pen-tests, and not
forgetting the periodic dumpster diving, and modifying the
organization's politeness norms - "it's OK to say No!"

"Use technology to remove employee decision making," he said. "The big
challenge is to balance productivity and sensitivity."