Former hacker doubts total security

By Warwick Ashford, ITWeb London correspondent
Johannesburg, 31 Jan 2006

There is no such thing as total information security and to spend the time, money and resources to make a system 99% secure is not really worth it, especially in a business environment.

This is the view of former hacker turned security consultant Kevin Mitnick. He shot to prominence in 1995 when he was arrested by the FBI and jailed for five years for breaking into the computer systems of organisations like Sun Microsystems.

According to Mitnick, the best any business can do is deploy cost-effective security controls based on a reasonable risk assessment that takes into consideration the likelihood of attack and the value of the information that needs to be protected.

"We can't eliminate the threat. All we really can do is raise the bar to an acceptable level," he says.

Mitnick is to address the ITWeb Security Summit when he visits SA for the first time in March and plans to emphasise the importance of educating employees about security and deploying secure wireless networks.

Hackers can use a technique called social engineering to manipulate a trusted insider to reveal information that makes it easy to bypass security technology and get access to computing and information resources, explains Mitnick.

"Securing the human element is vital to protect against hackers using a combination of technology and a con game," he says.

Mitnick says the need to deploy secure wireless networks is another message he hopes to impart because statistics show about half of the wireless networks in the US are unprotected and most of the protected networks are using an insecure protocol.

"At the summit, I will demonstrate how easy it is to bypass insecure protocols and set up rogue access points that enable attackers to intercept credentials and even carry out client-side attacks to gain control of computers in an organisation."

Mitnick says although greater security awareness among organisations has made systems more secure than they were in the past, hackers do not have to be as technically astute because it is now possible to become a point-and-click hacker by downloading pre-packaged exploits.

Although unwilling to make firm predictions, Mitnick says identity theft is likely to remain a popular form of cyber crime, as is the use of confidential information about mergers and acquisitions to carry out insider trading.

"I see everything remaining essentially the same: security will be a cat and mouse game with criminals continually finding new ways to commit crimes and the police trying to catch them. Companies will develop increasingly resilient security products and criminals will figure out how to break them."