Dell Security Peak Performance introduced us to a new concept – ethical hacking. We met dozens of “security ninjas” holding the title of certified ethical hackers. These developers are hackers who have made a career of “hacking for the good guys,” or hacking with the intent to find vulnerabilities for other developers to patch before unethical hackers get the chance.
Rob Krug, Senior Systems Engineer at Dell and Certified Ethical Hacker, told us of the times he’d sit in a Starbucks in full view of all the patrons, wearing a T-shirt with the bold word “Hacker,” and no one paid him any mind. Armed with a WiFi “Pineapple” – a small, portable server – he created a duplicate of the coffee shop’s open network. When victims connected, he directed them to fake versions of popular sites like Bank of America, hoping to catch someone entering valuable information so he could ask them, “What if I had been a bad guy?” Let’s hope that people get the idea and stop using open networks to share their most private information.
“The World’s Most Famous Hacker,” Kevin Mitnick, gave an equally chilling presentation about just how easy it is for your personal information to be stolen. Using an inconspicuous piece of equipment, he was able to capture a credit card’s information simply by having the card nearby. Hear him on Colbert explaining his past in “phone phreaking” and how that led to an ethical present.
He’s made a career of hacking, first as a criminal, and now, after 5 years in prison, he’s still up to the same tricks. He used to do it “just for the challenge,” and today he’s still seeking that thrill. The difference now is transparency and who’s asking him to hack. Fortune 500 corporations like Dell want him to find their vulnerabilities FIRST.
The thing is that a corporation’s #1 vulnerability is HUMANS, and that will never change. Kevin spoke at great length about “social engineering” as hacking. Without a doubt the most unethical way to mine information, it is old-fashioned deception, the con. Hackers can call a corporation, a bank, or any organization and find a person with an innate desire to be helpful. By sharing the wrong piece of information, perhaps because they believed the caller who said they “work in HR” or used some other ploy to sound privileged, the person answering the phone has put an organization’s entire system at risk. As SecuriTay on Twitter puts it: “Networks are hard, people are soft.” https://twitter.com/swiftonsecurity/status/467122491811307520
The only way to avoid the breach of humans is through training and education. Mitnick suggests the website KnowBe4.com and, of course, an airtight firewall system. He also suggests a “Social Engineering Incident Response Program” so that an incident can be dealt with and the risk mitigated. Your employees need to know that every piece of information they give out, if it lands in the wrong hands, has the potential to breach a much larger system. It’s scary, and yes, it should inform how you treat unknown emails and calls, and how customer service is handled.
So, as much as security is about robots speaking to robots, it can be ethical or unethical. Hacking for the good guys is sometimes the only way to know your systems are secure, and understanding that humans are involved throughout the process means understanding that human error is inevitable. Humans may be soft, but with the right tools we can all adapt, learn, and reduce risk just the same.