eWEEK: Now that you've been back online, what's your sense of what's changed in terms of how enterprises are dealing with security? Are they more or less savvy?

Mitnick: Savvy? I would think so, because security technologies have advanced tremendously since 1995. Back in those days, the Internet was just starting to become commercial. In fact, when I was last using the Internet years ago, there was no e-commerce. It was just sharing information. The world has completely changed to where companies are doing business on the Internet and rely on the Internet not only to sell their services and products to clients but also to connect with business partners and suppliers. I think that more organizations are taking a proactive approach and treating information security like insurance, and they are investing some budget in managing their vulnerabilities. But I also see enterprises using crisis management as a tool, so that, when something bad happens, they are concerned about their security. But I think security today is more proactive than it was back in 1995.

eWEEK: But perhaps across the board not as proactive as it should be?

Mitnick: Unfortunately, some organizations don't see a return on investing [in security], and they look at security as a liability. I believe that many businesses in the private sector and many government agencies have to take a hard look at the harm that could be caused if they suffer a security incident.

eWEEK: Shouldn't that be self-evident, given the steady stream of attacks we continue to see? What will it take for more enterprises to take a proactive approach to security?

Mitnick: The sad thing is [that it will probably take] being attacked and suffering some humiliation and some damage. Then they're forced to act, or they're educated as to what the threat is out there, that the threats are changing on a daily basis, and that security is really analogous to insurance. And, once companies buy into that idea, they are more likely to treat security seriously.

eWEEK: In your time as a hacker, you took advantage of a lack of education in order to engage in social engineering. What's the most common source of vulnerability you're seeing today?

Mitnick: Education. And I believe unpatched systems and misconfigured systems are obviously the greatest vulnerabilities out there. And the people. As a previous attacker, I used to analyze the target from all sides: their physical security, their host, their network security and their people, and look for the quickest way that was the least costly and the least amount of risk to me. And, unfortunately, a lot of enterprises believe that buying a firewall or an [intrusion detection system] is all they need to do. And they're lulled into a false sense of security. You really have to look at securing the enterprise from the perspective of how the bad guys are going to break in: what vulnerabilities, what access points exist and where the most critical, sensitive and valuable information assets reside, and really focus on those issues.

eWEEK: Since you were in it, do you think the nature of hacking has changed from exploration to something more sinister?

Mitnick: I consider hacking a skill set. And people from all walks of life use the skill set to advance their own personal agendas. In today's world you have [everything from] benign hacking to very serious criminal activity. From the kid down the street who wants to hack into their neighbor's cable or wireless network just for the fun of it to people like Robert Hanssen, who was actually looking at internal government intelligence systems, like at the FBI, to see if they were doing any countersurveillance when he was spying against the United States.

eWEEK: In your own history, the government obviously wanted to make an example of you, which is why they went after you in the way they did. Do you think that example dissuaded anyone else from hacking?

Mitnick: Look at how hacking has grown today. Go to CERT and you can see the trend, and it's rising upward. Unfortunately, the government is treating hacking like terrorism, and they're trying to impose these ridiculous penalties for what I consider a serious crime. But it's being taken out of context. There have been changes to the federal statute to allow life imprisonment for anybody who uses a computer to recklessly or intentionally cause serious injury or death. Life without the possibility of parole. But if anyone takes their car out on the freeway and recklessly, negligently or intentionally seriously injures somebody or kills them, how come they don't get the same penalty? Why is using a computer so much more serious?

Search for more stories by Jeff Moad.