Hacking's final frontier

Individuals are increasingly being targeted in a new wave of hacking. iWeek takes tips on avoiding risk from the world's most notorious ex-hacker and others in the know.

SECURITY REMAINS one of the hottest topics in IT today, one that keeps users baffled and petrified, boards of directors tied up in discussions and the poor IT manager awake at night, wondering where the next hole will be punched.

Traditionally, security is the domain of the IT director, whose natural instinct is to plug holes using technology. In the past two years, however, a new breed of threat has appeared, one that can exist without technology and be every bit as damaging.

And while it's been around for decades, it is gaining prominence only now. It preys on the user's natural tendency to trust others, stemming from being mis- or uninformed, or from employees becoming disgruntled with employers.

In a nutshell, intruders with malicious intent manipulate users in any number of ways to obtain their credentials, which they then use to gain access to corporate networks and computer systems.

What makes this difficult to track is the fact that these hackers are using 'legitimate credentials'.

In the past two years these attacks have mutated and are no longer staged for 'effect', but for financial gain.

Examples include the recent spate of 'phishing' attacks, and viruses and malicious code embedded in media formats aimed at stealing user credentials. There's also a 'cold-calling' real-world method. Ultimately, all these fall under the banner of social engineering.

ADVICE FROM A SOCIAL ENGINEER

Kevin Mitnick, probably the most notorious ex-hacker in the world, is also probably the best authority on social engineering, since his exploits earned him jail time.

Mitnick now offers advice on securing organisations, in his book, 'The Art of Deception', and through numerous keynotes around the world. Mitnick will address ITWeb's Infosecurity conference in March 2006.

On social engineering, he says: "The term describes the techniques hackers use to deceive a user into revealing sensitive information, or into performing actions that create a security hole."

Mitnick himself used 'phone-phreaking', allowing him unauthorised access to some of the most secure computer systems in the world.

"The first stage is research. Using open information like SEC filings and annual reports, you learn everything you can about the company and its people. Who has access to the material you're seeking? Where do they work and live? What operating systems do they use? What's the organisational chart?

"As a social engineer you're trying to pass yourself off as someone who has a right and a need to know. You have to know the lingo and the systems of the company you are targeting.

"After [that] you develop the pretext or ruse needed to build rapport with an individual," he explains.

"In my opinion, people are very trusting [and] wouldn't think of deceiving someone, so they rarely assume someone would try to deceive them."

DEFINITELY ON THE INCREASE

It is exactly this trust that makes social engineering so threatening to corporates.

Local gurus agree that, generally, user-focused attacks present perhaps the biggest threat today. So what can companies do about users, who typically care less about corporate security than their employers? And how do they protect them from themselves without unduly hampering their access rights?

Rogan Dawes, senior consultant at Deloitte's Enterprise Risk Services Division: "This has been on the rise since the 'Melissa' and 'I love you' viruses. The big difference now is that attacks are being used for financial gain.

"On the Internet you're always living in a bad neighbourhood. The only gated communities are LANs and VPNs. [And] while these are relatively safe, we're still seeing many breaches, resulting from users opening e-mails they shouldn't. My overriding advice is to take a healthy dose of scepticism every morning."

ACTION IS POSSIBLE

What makes averting these kinds of attacks so difficult is companies' reliance on users to notify them. "It's almost impossible for the company to be proactive," Dawes says. "So they need to react as soon as possible."

Another tactic, he says, is submitting bogus information to 'phishing' sites.

"If a large volume of bogus information is submitted, the 'noise' portion is higher than the value of the information and [it's less productive] for hackers to continue."

Paul Strauss, manager of information security at , says there's a clear need for increased user awareness. "Users know that if they're connected to the Internet, they need an anti-virus solution. What they often don't take cognisance of is the need for maintaining it."

Echoing Dawes' statements, Strauss says users must also exercise caution. "Quite simply, don't open suspicious-looking e-mail. The problem is, people are inquisitive. [But] they should exercise restraint and try to determine the validity."

He says hoax-checking is key. "Users ... often don't know the difference between a valid virus alert and a hoax. Before sending e-mails to everyone they know, alerting them, they should check with places like www.symantec.com/avcentre/hoax.html."

He also advises checking corporate policies for tips and best practices. "Users should use this same policy at home, since it will give them a clear idea of what threats exist today." Lastly, he says, users should back up data. "Even the best technologies, policies and practices can fail."

BE CIRCUMSPECT

Ben Pentz, information risk consultant at FirstRand Bank, agrees that the user carries a massive responsibility for curbing attacks. "It [often] boils down to common sense," he adds. "I believe users should be circumspect with people, internally and externally.

"They should provide information on a need-to-know or need-to-use basis. Users should also be discouraged from finding out more than they need to know to do their jobs. For example, you should only get enquiry rights to a database if you only need to view the data, and not manipulate it."

A second tip he cites is for users to keep private information private. "Users should question the motives of anyone that encourages them to divulge their personal info. When in doubt, they should consult the company's policies or speak to a superior.

"My third tip is to be informed. There are numerous resources, including vendors, media websites and the consulting firms. Users should [however] double-check information received from these sources before making judgement calls," he concludes.

[Photo caption: Kevin Mitnick]

With Computer Security Day taking place on 30 November, members of the Information Security Group of Southern Africa (IGSA) have put forward a list of tips for industry consumption, with the aim of creating awareness about security with corporates and their users.

The theme this year is 'responsibility'.

Barry Cribb, MD of IS Digital Networks and White Hat committee member, says corporates should use this awareness to carry out five simple tasks to improve security.

"As a first step, conduct a mini-review of your security policy and ask if it is complete," he says. "If you don't have one, get one.

"It will help highlight security weaknesses and allow you to put methods and processes in place to strengthen your position. A security policy will also be useful, should it be necessary to discipline any user for inappropriate network use," he explains.

"It's also a good idea to have your servers tested for vulnerabilities and to conduct a penetration test. All of the 2 000-plus sites attacked in SA in the past year had one thing in common - a vulnerability that was found first by the bad guys. Without exception, had those companies had their servers checked before the attack, it could have been prevented," he opines.

"Thirdly, change your password to a stronger one and get all employees to do the same. A password should be at least 6 characters long, use upper and lower case characters, numbers and special characters.

"It should also not be written down, and not a dictionary word or the name of a family member. Using a pass phrase (for example a series of memorable but random words) might also be useful," he says.
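One way to turn the quoted password rules into a check, as an added example that is not the article's or IS Digital Networks' code; the word list and family-name list are constructed stand-ins, and the six-character minimum is the figure quoted above:

```python
"""Password-policy check for the rules quoted above (added example).

DICTIONARY and FAMILY_NAMES are constructed stand-ins: a real deployment
would load a full word list and take family names from a per-user profile.
"""
import re
import string

MIN_LENGTH = 6  # the article's stated minimum

DICTIONARY = {"password", "letmein", "welcome", "summer", "dragon"}
FAMILY_NAMES = {"thandi", "johan", "sipho"}


def _alpha_core(pw: str) -> str:
    """Lower-case and drop digits/punctuation so 'Summer2005!' still matches 'summer'."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def check_password(pw: str, family_names=FAMILY_NAMES) -> list:
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    core = _alpha_core(pw)
    if core in DICTIONARY:
        problems.append("dictionary word")
    if core in family_names:
        problems.append("family member's name")
    return problems


def check_passphrase(phrase: str, min_words: int = 4) -> list:
    """Pass-phrase alternative: a series of memorable words, checked for count and repetition."""
    words = [w.lower() for w in re.findall(r"[A-Za-z']+", phrase)]
    problems = []
    if len(words) < min_words:
        problems.append(f"fewer than {min_words} words")
    if len(set(words)) != len(words):
        problems.append("repeated word")
    return problems
```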

For home users, IGSA chairman says numerous common-sense tips apply. "Firstly, always use a personal firewall when connected.

"Update your software regularly. Users should update their operating system and anti-virus at least every 2 to 3 months and never disable the scanning capabilities of AV and anti-spyware," he says.

"Thirdly, download anti-virus and anti-spyware signature updates frequently. Fourth, never share account details, whether they are banking, ISP, e-mail or chat-related.

"And lastly, make regular backups, especially of those bits of personal information that you value and took you a long time to create."
