Know Your Enemy: Tips from a Hacker
Kevin Mitnick knows all about cybersecurity — as a hacker and a cybersecurity expert — and he shares some of his best tips to help protect you.
World-famous hacker-turned-security expert Kevin Mitnick shares best practices for staying safe in an increasingly exploited digital universe.
Ask Kevin Mitnick and he’ll tell you that there is a silent war happening everywhere around us. You could even be a casualty right now, and more than likely not even know it — most don’t. As he writes, “One of my team told me recently: ‘It’s almost a Cyber World War now, but barely anyone knows it, and those that do actually don’t know at any given time who, or why they are fighting.’”
In this one-on-one with Mediaplanet, the renowned computer security consultant opens up the tool kit of today’s hackers for us to better understand and stay protected against them.
Mediaplanet: What originally drew you into the world of hacking?
Kevin Mitnick: Challenge — pursuit of knowledge, seduction of adventure. In high school, I met this other kid who could perform magic with the telephone. It was called “phone phreaking,” and it facilitated my other great passion: pulling pranks. As the phone company started using computers to control devices, such as phone company switches, my interest in hacking began.
When I started, it was completely legal and hacking was cool. Hackers were considered the whiz kids. My favorite hack of all time, still to this day, was when I was young, hacking the McDonald’s drive-through window. Truthfully, my passion for hacking has always remained the same. Businesses hire my company to try and break into their organizations to test their security. It’s like living in a heist movie. What’s not to love about that?
MP: What are the biggest barriers a hacker faces when attempting to access private information?
KM: Not much. Private information is freely available if you subscribe to the right databases, typically used by information brokers. These databases allow you to query a person’s social security number, birthdate, current and past addresses, and current and past phone numbers. Once this information is obtained, it’s not too difficult to obtain the target’s credit report online.
As far as gaining access to enterprise information, the biggest barrier is layered security controls, meaning I would have to compromise several layers of security to break in. I travel the world and demonstrate live hacking at many conferences and speak to people of all walks of life. Lately, I’ve been showing how easy it is to steal someone’s personal identity in about 60 seconds! By accessing some databases, I’ll know an individual’s mother’s maiden name, social security numbers — a whole bunch of stuff.
MP: How does security for mobile devices differ from that of corporate services and PCs?
KM: Most people don’t even use security on their mobile phones, such as adding a passcode. The majority of people blindly use public Wi-Fi in public spaces. If there is one thing anyone can take away after reading this — use a virtual private network (VPN) service. One thing people should consider is purchasing a VPN subscription so that they can securely connect when using public Wi-Fi. Basically, if you aren’t using a VPN, your internet traffic may be monitored, or worse, you may be hacked when using open wireless networks.
MP: Information security breaches have been a hot topic in the past couple months with Equifax, Petya, and WannaCry. What steps would you tell organizations to follow to improve their cybersecurity measures?
KM: There are two important and easy steps that will provide much, much better cybersecurity for any organization.
Get tested regularly. Smart organizations are using the progressive strategy known as “red teaming.” This is a rewarding practice of using external, independent teams to challenge organizations to find ways to improve their effectiveness. The red teaming strategy encompasses and parallels the military use of simulations and war games, invoking references to competition between the attackers (the red team) and the defenders (the blue team).
For cybersecurity, this is known as security penetration testing, the use of third-party penetration testers to simulate attacks by real intruders against systems, infrastructure, and staff. The ultimate goal is to provide organizations with a thorough analysis of their current security.
Secondly, train all your staff on what social engineering is and how to detect it. People are the weakest security link. They can be manipulated or influenced into unknowingly and innocently helping hackers break into their organization’s computers, and they can be manipulated into handing over the keys to the kingdom. Social engineering is a technique used by hackers and con artists that leverages your tendency to trust. Providing security awareness training for staff is absolutely crucial in light of social engineering.
Finally, I know that the “business” of cybersecurity is new and growing, and I don’t ignore the irony that I’ve been able to turn lemons into lemonade. But I do see a problem with cybersecurity business as it’s now becoming a modern-day gold rush with its own versions of fake claims. There is no silver bullet for security; there is no such thing as absolute security, nor is there any automated tool that even comes close to the skills of a motivated hacker probing for an organization’s vulnerabilities. The truth is simple. It takes one to know one.