By Garrett Stanley, Security Analyst & Engineer, VirtualArmour
Recently there was a follow-up article about a hacker who was jailed for trying to break his friend out of prison. While the story does have a twist of humorous irony to it, the details of the attack truly underscore where the IT Security landscape sits today. The hacker, utilizing a mixture of technology and social engineering, targeted the weakest IT point: the employees.
If you’re in IT Security you’ve probably read The Art of Deception by Kevin Mitnick and know just how far a little bit of confidence and technical knowledge can get you. In the book, Mitnick shares the details of several fascinating stories explaining how all the firewalls and encryption in the world don’t matter if you don’t know how to identify the snake in the grass. To underscore the book’s credibility, we’re all seeing more and more often that some of the most damaging breaches come in the form of “combination attacks” that utilize multiple avenues of offense. With the ease of use of the new malicious tools out there, a single individual can nearly duplicate the efforts of an entire Penetration Testing team.
As for the hacker in the primary article, take note that if one of the officers hadn’t noticed a faulty record, the story could have had a much less humorous ending. With this information in hand, it becomes clear that IT Departments cannot simply rely on technology, or they will be crippled in their actions by a lack of adaptable defense and too few capable staff members. The IT Security industry must model itself on how Police Departments have fine-tuned their methods of hunting down malicious actors who have them out-manned and out-gunned; it must identify the overall patterns, behaviors, and thought processes of its adversaries instead of focusing on isolated instances and specific tools. Far too many companies approach their data and information security as merely another compliance box to check off and often incorrectly see their security suites as another system that sends them unnecessary alerts.
As our foes progress, so must we; the consequences of ignorance and self-blindness are evident. Companies must have trained eyes on relevant data: people who understand current security techniques and strategies. With trained experts at their disposal and a willingness to shift resources depending on the circumstances of incidents, any company can re-position itself not only to meet potential challengers head on but also to hold itself up as taking the lead on how a business in its industry should operate to protect itself and its clients.
The article referenced can be found here: https://www.justice.gov/usao-edmi/pr/ann-arbor-man-pleads-guilty-computer-intrusion-case