8 Steps to Better Security. Kim Crawley
to become the hardy maple trees of a resilient business with a strong security posture. Even though I don't intend for this to be a cheesy self-help book, I'm not going to stop with the flowery analogies. So, just hang on for the ride!
Before I get further into explaining how to foster a strong security culture, I really need you to understand how important psychology and sociology are to cybersecurity. So, I will start with a really abridged version of the story of Kevin Mitnick, the man who may still be the world's most infamous cyberattacker.
Kevin Mitnick, Human Hacker Extraordinaire
Kevin Mitnick is so notorious that you've likely heard of him, even if you've never taken an interest in cybersecurity. His name was mentioned in news headlines in the 1980s and 1990s.
Mitnick is known for conducting two major cyberattacks. The first one was in the news throughout the 1980s: a penetration of Digital Equipment Corporation's (DEC's) network, called The Ark. DEC was a major manufacturer of computer hardware and developer of computer software from the 1960s to the 1990s, focused on the enterprise market. It was perhaps best known for its PDP line of minicomputers. The minicomputers of the era were definitely not “mini” by today's standards. Early PDP hardware consisted of large boxes the size of a few refrigerators stacked together. Even the later PDP models produced in the 1970s were at least the size of a single refrigerator. They were classified as minicomputers simply because they didn't require the space of multiple rooms of a building. Anyway, I'm going to refrain from rambling on and on about the history of computing. Just understand that PDP computers were very important in enabling large businesses to process thousands or millions of customer records, in areas such as the airline industry or public utility companies. This was the most frequent way computers were used in the years before PCs (known as microcomputers) entered most people's homes.
In late 1979, a teenaged Kevin Mitnick acquired access to DEC's computer system, access he was not permitted to have. This was widely reported in the news during his criminal trial in the 1980s.
Mitnick intended to describe how he maliciously accessed DEC's computer system in his book, The Art of Deception, published by my own book's publisher, John Wiley & Sons, in 2002. This material didn't end up in the first edition of Mitnick's book, but he confirmed to Wired that he wrote this:
Claiming to be Anton Chernoff, one of the (DEC) project's lead developers, I placed a simple phone call to the system manager. I claimed I couldn't log in to one of “my” accounts and was convincing enough to talk the guy into giving me access and allowing me to select a password of my choice.
Something stands out to me here. Without an account name and password, he wouldn't have been able to get in. The way he acquired those credentials was by social engineering. Social engineering in a cybersecurity context is all about fooling human beings into helping you acquire access to computer systems you aren't allowed to have. The specific kind of social engineering Mitnick did is called vishing. Vishing is when someone uses phone calls to pretend to be a trusted party, such as DEC developer Anton Chernoff, to acquire information that you're not entitled to have and that you can use to facilitate a cyberattack. Vishing is a category of phishing, where media such as text messages, web pages, emails, or social media messages are used to impersonate trusted entities to acquire malicious computer access. All kinds of phishing, including vishing, are common types of social engineering attacks. Mitnick exploited human psychology. The Art of Deception, indeed.
Mitnick started to learn social engineering when he was really young. In the mid-1970s when he was 12, he wanted to be able to ride Los Angeles public transit for free. So, he dumpster dived for unused bus transfer slips. He tricked a bus driver into giving him a ticket punch by saying he needed it for a school project. From there, young Kevin Mitnick was able to spoof bus transfers for free rides. But he couldn't do it without social engineering the bus driver.
Mitnick's successful Los Angeles bus exploit gave him the confidence to attempt social engineering in other ways. He went on to trick his way into DEC's computer system. After years of criminal investigations and a trial, he was convicted in 1988 and sentenced to a year in prison and three years of supervised release. By the early 1990s, toward the end of his supervised release, he conducted his second notorious cyberattack.
Mitnick social engineered his way into the voicemail system of Pacific Bell, a major telecommunications company in California. His techniques were very similar to how he penetrated DEC. Those in the know didn't consider Mitnick to be a master of computer science; rather, he was a clever conman. Eventually, Mitnick targeted an actual computer science master, Tsutomu Shimomura. Shimomura studied physics with the famous physicist Richard Feynman before he pursued computer technology research at San Diego Supercomputer Center full time. Mitnick wanted access to Shimomura's work. He chose the wrong target this time, because Shimomura helped law enforcement investigate Mitnick's Pacific Bell breach and other criminal activities. The FBI arrested Mitnick in 1995, and he was in prison until 2000.
From there, Mitnick decided to use his skills in law-abiding ways. He wrote books, some of which were published by Wiley. And he also started his own cybersecurity firm, Mitnick Security Consulting, LLC.
The Importance of a Strong Security Culture
The cyber threat actors who will try to harm your company could be just glorified conmen like Mitnick or brilliant computer scientists like Shimomura. Either way, the majority of cyberattacks involve social engineering at one point or another. A strong security culture hardens against social engineering exploits by making your employees, contractors, and executives less likely to succumb to them. A strong security culture also encourages your workers to develop good habits in the ways that they use computer technology, so your precious data assets are better protected.
A strong security culture doesn't stop at your IT department. Everyone from the janitors to the CEO must be a part of it because computer systems aren't used only by people with IT certifications. Even an authorized person entering your office could put your computer networks at risk.
One of the most important things you can do to make sure your company can thrive in our rapidly evolving cyber threat landscape is to establish and maintain a strong security culture. And that's what step 1 is all about. With this crucial step taken care of, the other seven steps in my book will be feasible. For a cybersecure business, start with people's behaviors and attitudes.
Let's start by demystifying the word hacker, shall we?
Hackers Are the Bad Guys, Right?
When most people hear the word hacker, they think of cybercriminals. Apparently, hackers are the bad guys. This is a misconception that's not only reinforced in Hollywood movies and TV shows but also in the news. When cyberattacks are covered in TV news shows, newspapers, magazines, and online news sources, the bad guys who perpetrate the crimes are called hackers. Those of us who promote a more accurate use of the word face an uphill battle with the public consciousness.
One of my favorite books of all time is Steven Levy's Hackers. It was published by Dell, Penguin, and O'Reilly in various editions between 1984 and 2010. That book is one of the best ways to learn about the history of actual computer hackers, beginning with the first proper electronic computer, ENIAC, deployed in 1948. Levy covers the history of hacking from the 1950s onward.
Hackers are people who find new and innovative ways to use computer technology. Some of the people who became famous billionaires in the tech industry, such as Steve Wozniak, Steve Jobs, Bill Gates, and Mark Zuckerberg, started as hackers themselves. In fact, the street address of Facebook's Menlo Park, California, headquarters is 1 Hacker Way.
Hackers developed the computer technologies you use every day: the TCP/IP backbone of the modern internet, the Linux kernels of the Android systems and Red Hat servers you interact with whether or not you're aware, the GNU Public