Kevin Mitnick is one of the world's best known hackers, bestselling author, and the top cyber security speaker. Once one of the FBI's Most Wanted because he hacked into 40 major corporations just for the challenge, Kevin is now a trusted security consultant to the Fortune 500 and governments worldwide.

Mitnick GETS PAID to hack into systems now, and maintains a 100 percent successful track record using a combination of technical exploits and social engineering. As Chief Hacking Officer of KnowBe4 he helps produce critically acclaimed security awareness training programs to counteract social engineering and to improve security effectiveness.

As someone who is "tech efficient" but naïve to the unlimited restrictions of technology, I took away so much from Mitnick's presentation. Gone are the days of the Saudi Prince looking for money; here are the terrifying challenges that have taken their place.

  • Fun fact: it takes under 10 minutes to gain sensitive data using a social engineering attack such as "phishing". This is where attackers use emails, social media, phone calls, instant messaging, and SMS to trick victims into providing sensitive information or visiting a malicious URL in an attempt to compromise their systems.
  • A phishing message attracts the user's curiosity with information on a specific topic and directs the victim to a specific website to gather further data. Subject lines are used to make the recipient believe that the email has come from a trusted source; attackers use a forged sender address or spoof the identity of the organization.
  • They gather users' information by presenting a sense of urgency, tricking the victim into disclosing sensitive data to resolve a situation that could supposedly get worse without action.
  • Shortened URLs or embedded links are used to mislead victims to a malicious domain that could host exploit code, or that could be a clone of a legitimate website with a URL that appears legitimate.
  • Multi-factor authentication is highly recommended and a great start to protecting your data, but it's fallible and should be combined with other network protections.
  • There are devices that can create malicious Wi-Fi networks. These networks can steal your information when you connect to them. They can read your device's list of "preferred networks" and mimic them.
  • The best way to avoid connecting to a malicious network is to use a hotspot from your phone with WPA2 encryption, or to VPN into your secure worksite connection. A VPN creates an encrypted connection between your computer and your network.
  • For physical hacking, there are proximity devices that can read and replicate your HID cards, the cards often used to access secure buildings and departments. This gives hackers instant access to your office and data! Be sure to research the security features of different HID cards and how they should be stored and handled.
  • Web-facing attacks are the second most common threat. This is where hackers attack your web applications (much like what Equifax faced). Use penetration testing services to test your web applications and find the holes in your network before attackers do.
  • Ransomware: Mitnick gave a fabulous demonstration of how EASY it is to hold a company's email hostage with ransomware, even on O365 and Google Mail. Microsoft and Google do NOT back up your email! Make sure your company's email is being backed up, so you don't have to pay to get it back. Restrict user permissions so that an employee who is tricked by a phishing email cannot grant an attacker access to the mailbox.
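The phishing indicators in the list above (forged or spoofed sender, urgency language, shortened and look-alike links) are things a mail gateway or a help desk can check mechanically. The script below is an added illustration, not code from Mitnick's talk, KnowBe4 or this post; the trusted-domain list, the shortener list and both sample messages are constructed assumptions, and it only handles plain-text, single-part messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: domains this (hypothetical) organisation treats as trusted senders.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Assumed: a few public URL shorteners; production code would keep a fuller list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}

# Wording that pressures the reader into acting before thinking.
URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours",
    "account will be suspended", "verify your account",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
DIGIT_TO_LETTER = str.maketrans("10345", "loeas")  # common look-alike substitutions


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (crude; real code would use the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like(domain: str, trusted: str) -> bool:
    """True when `domain` imitates `trusted` (extra words, dashes, digit-for-letter swaps)."""
    if domain == trusted or not domain:
        return False
    base = trusted.split(".")[0].replace("-", "")
    candidate = re.sub(r"[^a-z0-9]", "", domain.split(".")[0]).translate(DIGIT_TO_LETTER)
    return base in candidate


def domain_of(address: str) -> str:
    """Registered domain of an e-mail address, or '' when there is no address."""
    return registered_domain(address.rsplit("@", 1)[1]) if "@" in address else ""


def triage(raw_email: str) -> dict:
    """Collect phishing indicators from one plain-text RFC 822 message string."""
    msg = message_from_string(raw_email)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    raw_text = msg.get("Subject", "") + "\n" + msg.get_payload()
    text = raw_text.lower()

    # Forged sender: the display name drops a trusted brand, or the domain imitates
    # one, while the actual sending domain is not on the trusted list.
    mentions_trusted = any(t.split(".")[0].replace("-", " ") in display.lower()
                           for t in TRUSTED_DOMAINS)
    imitates_trusted = any(looks_like(sender_domain, t) for t in TRUSTED_DOMAINS)
    spoofed = sender_domain not in TRUSTED_DOMAINS and (mentions_trusted or imitates_trusted)

    urls = URL_RE.findall(raw_text)
    shortened = [u for u in urls if (urlparse(u).hostname or "") in SHORTENER_HOSTS]
    lookalike = [u for u in urls
                 if any(looks_like(registered_domain(urlparse(u).hostname or ""), t)
                        for t in TRUSTED_DOMAINS)]

    result = {
        "spoofed_sender": spoofed,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != sender_domain,
        "urgency_phrases": [p for p in URGENCY_PHRASES if p in text],
        "shortened_urls": shortened,
        "lookalike_urls": lookalike,
    }
    result["score"] = sum(1 for v in result.values() if v)  # number of indicator types hit
    return result


# Constructed sample messages (not real mail); domains are placeholders.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-secure.com>
Reply-To: helpdesk@mail-recovery.example.net
To: staff@example-corp.com
Subject: URGENT: verify your account within 24 hours

Your account will be suspended. Confirm your details here:
https://bit.ly/placeholder-link or https://examp1e-bank.com/login
"""

SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: Quarterly backup report attached

The mailbox backup completed. Details: https://intranet.example-corp.com/reports
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample))
```

The score is a count of indicator categories, not a probability; a real gateway would weight them and add authentication results (SPF, DKIM, DMARC) that this illustration does not compute.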


Allyson Turner, HI Tech Hui