Security tips from a legendary hacker
Now one of the good guys, Kevin Mitnick once hacked into the computer systems of dozens of major corporations (Photo by Jari Tomminen)
Kevin Mitnick was once the "most wanted" computer hacker in the world. After being nabbed by the FBI and doing his time, Mitnick became one of the good guys, helping businesses understand and address information security weaknesses and threats.
Mitnick, now a leading consultant and speaker on the subject of information security, and author of the New York Times best-seller Ghost in The Wires, spoke with me about the most serious threats of which every business should be aware. Mitnick says that these issues aren't just concerns for large corporations -- small companies face the same challenges, and dealing with them effectively doesn't require massive resources or IT departments. Here are the top threats, and some tools small businesses can use to address them:
Attacks are becoming more complex
The threat: Attackers have become more sophisticated, and it's often extremely difficult to detect an intrusion until after the damage is done. "Hacker gangs," often operating overseas, have acquired online banking credentials and wired funds out of corporate accounts, or stolen intellectual property, with little or no detection.
The solution: There are several solutions on the market for small- and medium-sized businesses. Cisco (CSCO) and others offer integrated services routers (ISR), which integrate routing, firewalling, intrusion detection, VoIP solutions and wireless networking, at a low cost (entry level models run around $1,000). There are more robust systems for larger enterprises, but ISR provides good baseline protection for smaller businesses.
The risk landscape is increasingly difficult to understand
The threat: Attacks are evolving every day, making it crucial -- and difficult -- to keep up with current hacker methodologies. As a result, thousands of systems are compromised every week. We often hear about distributed denial-of-service (DDoS) attacks carried out by "botnets" of compromised computers. Hackers use similar techniques to gain access to small business computers, where they can access financial and other information, perpetrate theft and do all kinds of other damage.
The solution: Small businesses are increasingly putting many of their system functions in "the Cloud," where they can be kept up-to-date in real time. In these situations, it is critical to clearly outline expectations regarding application and data security in the Service Level Agreement (SLA).
If the necessary technical expertise is not available in-house, enlist the services of a security consultant or qualified IT specialist. Companies like Mitnick's offer advisory services and implementation of the best practices and solutions for keeping up-to-date on threats. For many companies, a modest investment in this kind of expertise can save them from far more costly problems down the road.
Outgoing network traffic can be as dangerous as inbound
The threat: Most businesses have some type of firewall for incoming traffic, but few address potentially risky outgoing connections from their own workstations. This is a major shortcoming, because a user's computer may become infected with malware that connects back to the attacker. According to Mitnick, antivirus software is only 60 percent effective at detecting and eliminating malicious code.
The solution: Reduce the number of services a user can connect to outside the company by configuring the firewall to restrict outgoing traffic to what's necessary for business operations. The ISR solutions mentioned above facilitate this type of configuration.
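To make the outbound-restriction idea concrete, here is an added example of a default-deny egress policy for a Linux office gateway written as an nftables ruleset. It is not from the article and not a Cisco ISR configuration; the interface names, the LAN subnet and the resolver and mail-relay addresses are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Constructed example: default-deny egress for a small office gateway.
# Assumes WAN on eth0, office LAN 192.168.10.0/24 on eth1, two approved
# upstream resolvers and one mail relay (TEST-NET placeholder addresses).

flush ruleset

table inet egress {
    set dns_servers {
        type ipv4_addr
        elements = { 203.0.113.53, 203.0.113.54 }   # placeholder resolvers
    }

    set mail_relays {
        type ipv4_addr
        elements = { 198.51.100.25 }                # placeholder mail provider
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept

        # Only traffic from the office LAN heading out to the WAN is considered;
        # anything else is dropped by the chain policy.
        iifname "eth1" oifname "eth0" ip saddr 192.168.10.0/24 jump lan_egress
    }

    chain lan_egress {
        # DNS only to approved resolvers (workstations may not query arbitrary hosts)
        ip daddr @dns_servers udp dport 53 accept
        ip daddr @dns_servers tcp dport 53 accept

        # Web browsing
        tcp dport { 80, 443 } accept

        # Outbound mail only to the company's provider
        ip daddr @mail_relays tcp dport { 465, 587 } accept

        # NTP so clocks stay aligned for log correlation
        udp dport 123 accept

        # Everything else: log (rate-limited), count, drop. The "EGRESS-DENY"
        # kernel log lines are the detection signal for a workstation trying to
        # reach somewhere it should not, such as malware calling home.
        limit rate 10/minute burst 20 packets log prefix "EGRESS-DENY " level warn
        counter drop
    }
}
```

Check the file with `nft -c -f egress.nft` before loading it, and review `journalctl -k | grep EGRESS-DENY` regularly: a workstation that repeatedly appears there on a port or destination the business never uses is the early warning the article says is otherwise so hard to get.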
Desktop software is often out of date
The threat: Hackers used to focus solely on exploiting security flaws at the server level, but this has changed, and individual desktops are now common targets. One of the reasons this is appealing to hackers is that businesses rarely update the client application software that resides on individual workstations. Small businesses can be particularly easy marks for these kinds of attacks.
The solution: Products like Secunia's Corporate Software Inspector automate software updates on user desktops. These updates are as important as applying software and security patches for the operating system, as out-of-date software significantly increases the risk of a security breach. Products like the Secunia application can cost a couple thousand dollars, but again, the investment has to be weighed against the risk.
Humans can be the biggest problem
The threat: The biggest risks to information security are people. Studies have shown that most security incidents start from within, and are usually accidental. Sophisticated attacks use "social engineering" (predicting or manipulating human behavior) to trigger the exploitation of desktop application security flaws.
The solution: Constantly reinforce to employees the dangers of opening attachments and clicking links sent in email, messenger applications and posts on social networking sites. All it takes is one person making a bad decision to compromise the entire business. One clever and effective strategy for keeping employees on their toes is simulating attacks (similar to a surprise military drill), using an Internet Security Awareness Training program, which costs about $15 per person per year.
Of course, these are just quick snapshots of key threats and tools. It's a big and complex subject (Mitnick has filled three books on it so far), but these are great starting steps for most small companies. As Mitnick says, "The most important point is that computer and information security is not, and can never be, a one-size-fits-all solution."
Michael Hess is founder and CEO of Skooba Design, and also serves as an advisor to other entrepreneurs. He is "obsessed to the point of insanity" with customer service.