OK, if you have not heard of Kevin Mitnick and you are in the software industry, then he is someone you need to know about. He is probably the most notorious hacker in US history, and he released his new book Ghost in the Wires (a 5-star rated book on Amazon.com) a few months ago.
So here are some takeaways from the perspective of a software attorney that only represents Software, SaaS and IT services companies.
1) Read the Book. OK, I get that this is circular logic, but you will learn things that I think you cannot learn other than by reading the book. What I am trying to say here is that the way he describes how he moved effortlessly in and out of a tech company’s systems, stole source code, and gained direct access to developers is nothing short of amazing. Without getting a real gut feel for this by reading the book, the importance of this book will be missed.
2) The Weakest Link in Your Security. Kevin Mitnick coined the phrase ‘social engineering’ and you need to know about it (there is even a wiki page dedicated to it). Essentially it is all about how a hacker uses trickery and deception to get information that grants access to a computer system. In other words, it is all about the human element. No matter how great your company’s technical and physical security is, the human element is the weakest link (at least I think so after reading the book).
3) Next Steps. I think that if any IT security program is not equally focused on how to prevent social engineering, it is missing the boat. So how do you prevent it? Well, there is no guarantee, but I highly recommend some basic training for certain departments within your organization on identifying social engineering. I would train these groups, and in this order:
(a) receptionist (definitely first),
(b) tech support, and
(c) developers.
If you train these groups, you will hopefully see an attack coming and have a great chance of preventing it. Oh yeah, there are some great training materials for this on the web.
Look, I am a software attorney and not an IT security expert, but what is very clear to me is that the most notorious hacker is sharing some of his greatest insights and many real-world examples of how he hacked (deep) into major tech companies. If you have not read this, or don’t feel like you know much about this topic, then go read this book!! I think he is really providing a valuable service to all of us by writing this book. As Daniel Tosh of Tosh.O would say, “and for this we thank you.”