Kevin Mitnick presents at Infragard General Meeting.

Last Friday, I joined Kai Axford and we went and saw Kevin Mitnick present on the Art of Deception and the danger of being conned.  You can read Kai’s write-up of the event here:  Mitnick and Me.  Also look for Kai to get a TechNet Radio interview with Kevin.  I have to tell you it was enthralling and very eye-opening.  So I wanted to write a blog post and share some insight I gained from listening to Kevin speak.

Kevin spent his entire talk discussing the weakest link in the chain when it comes to security in our day and age. What is that link? Us: people, our users. The nature of social engineering makes it the greatest threat to our networks. After hearing Kevin speak I believe this even more. I also came to the conclusion that even though we call it social engineering, it really is an elaborate and well thought out con job in which the attacker is trying to gain the trust and confidence of his target.

So why is social engineering the greatest threat?

  • Easy --- After hearing Kevin, I firmly believe there is definitely a good deal of planning that goes into these types of attacks, but the entry point for most of them is a simple phone call.  He shared some examples that were easy; his books, listed below, have even more!
  • No Intrusion Detection System --- Since people are involved, unless they are trained and follow company policies to the letter, there are no magical warning bells.
  • Low Cost --- The attacks usually start with phone calls, and in most cases these are to toll-free numbers.
  • Low Risk --- Most attacks start with simple questions and calls, and in most cases the person who has been targeted is not even expecting or perceiving an attack.
  • O/S Neutral --- Social engineering attacks bypass all technical controls, and the person being targeted does all the work for the attacker.

Kevin discussed several examples of attacks he had heard of, and they were frighteningly simple. Simple calls into your help desk, receptionist, or even accounting department can turn into security nightmares for your organization. Why is that? Kevin called it holes in the human firewall (I really like that phrase):

Let’s face it, there is no patch for human gullibility. I know the phrase is supposed to contain the word stupid, but after hearing the talk, I am convinced anyone is open to these kinds of attacks.

What are the holes?

  • Sense of invulnerability --- That will not happen to me! I am smarter than that! One of the demos that Kevin showed during his session was a program called Asterisk. It was a voicemail scamming program that clones a company’s auto-attendant system. Very scary stuff!
  • People are naturally trusting and helpful --- This is just human nature, and it is a good thing, but it is something you need to be aware of.
  • Security procedures are seen as a waste --- How many times have you said, “Those rules do not apply to me!”?
  • Cannot say no --- Heck, nobody likes to tell people no; there is even a device called a telephone butler that says no for you when telemarketers call.

So how can we help improve the human firewall? This really involves your whole organization and needs involvement from top management. It also involves looking at all the information inside your organization and treating it all like gold! Some bits of information may seem trivial, but you have to ask yourself: what if I combine all the pieces of “trivial” information? The answer may surprise and startle you.

What are some measures you can take to help protect your company?

  • Define and defend enterprise policies and stick to them! --- Especially when it comes to throwing sensitive materials away; in other words, buy a cross-cut shredder! 🙂
  • Educate, Educate, Educate --- This is the most important part: educate yourself and your people first and foremost about policies, and let them know it is okay to say no.
  • Do a test periodically --- Test your policies: pose as another person and call into your business and try to get information, or do your own dumpster diving.
  • Use technology to remove employee decision making where it makes sense for the organization --- Obviously we need to be involved in our company’s business, but in some cases

If some of this information resonates with you, I recommend taking a look at some of the additional resources I have listed below.

Kevin’s Security Consulting:


(looks like I have some books for the book of the month club.  🙂 )

Comments (4)

  1. omar ecko says:

    This post is incredible, thank you for all that info. I’m a really huge fan of Kevin.



  2. Matt Hester says:

    Thanks Omar, I am glad you liked the post!

  3. Joe Libuszowski says:

    Hello Kevin,

    Great posting; especially given how Infragard has grown over the years.  Clearly the level of awareness of this organization as well as others is due to both the security community and hackers alike.  

    I’ll give you a recent example that happened to me several months ago: I had my personal laptop stolen. Luckily, I had encrypted the laptop to DoD standards and had tracking software on the laptop in case of this occurring.  The result: while the laptop was stolen, the important thing to consider is that none of my personal data (PII: SS#, job applications or other data) was impacted.  I wish the same could be said about a lot of organization(s) today, who fail to safeguard their data "because as you said they believe ‘it won’t happen to me’." Say hi to Darcy for me and I hope all is well with you.

    ~Joe Libuszowski  

  4. Michael Jones says:

    I can’t believe Infragard would let Mitnick speak, or anyone else for that matter.

    This man happens to be a writer for the hacker magazine 2600.  I’m holding the latest 2600 copy right now and his name is in it.

    Him being a writer for a hacker/phreaker mag should tell people something, which is that he’s playing both sides of the fence, talking "I’ll help you with security" on one hand while helping hackers hack you on the other.

    Pick up 2600 magazine at Barnes and Noble and you’ll find his name in the back.

    Any man who would help hackers on one hand while supposedly claiming to be reformed is NOT someone I’ll pay attention to, thanks but no thanks.
