Kevin Mitnick, the world-renowned hacker, would go to lengths to pen test your organization, because if he can break it, so can a persistent adversary. Mitnick shared some advice on how to protect yourself from malicious hackers.
At one point during his life, Kevin was the FBI's most wanted hacker. Now, he is a chief hacking officer at KnowBe4 and uses cutting-edge techniques to pen test organizations to help them resist even the most persistent and tenacious hackers.
Since 2000, he has been a successful security consultant, public speaker, and author. Kevin does security consulting for Fortune 500 companies, performs penetration testing services for the world's largest companies, and teaches Social Engineering classes to dozens of companies and government agencies.
During the KnowBe4 virtual summit, he and KnowBe4's CIO Colin Murphy discussed the latest trends hackers use to social engineer end users. They've been working together for around five years.
"We have a lot of experience together working finding security gaps in clients' systems. Threat actors are using the same type of techniques to break into your organization and steal your IT assets or deploy ransomware," he said.
The most shocking discoveries
The whole point of pen testing is to make companies better at protecting their IT assets. One of the first things that Mitnick and his team do is trying to find out whether employees of a particular company are storing any credentials in their browsers. And they are, 80% of the time.
"You wouldn't believe the credentials that we find," Mitnick said. For example, people store information to access their crypto exchanges on their work computers, the 24-word recovery key in their work password managers, brokerage, financial accounts.
In one case, I was testing this very large payroll company, and one of the main engineers, I dumped all the credentials from his browser, and there were thousands of different sites there, and it turned out to be mostly porn. What is this guy doing? He is working at a company, and he is storing this type of information in his browser, which was beyond shocking that somebody, especially an engineer, would actually do that on a work machineMitnick recalled.
That person didn't realize anybody could find these things out. People store many different pieces of information on their working machines thinking no one will ever find out.
"You see a lot of credentials for their personal medical insurance provider. Unfortunately, people are lured into this sense of security that they believe this information could not be compromised," he said.
Mitnick emphasized that employees need to be educated on what they can store on their corporate devices and what information should be kept on personal computers.
"People are more comfortable with storing personal information on that particular laptop that they are using the VPN into the company, so it's an illusion of invulnerability, nobody's going to find out. But a hacker can get in, or if the company is doing a security test, maybe a pen tester can get in and see exactly what you are doing," he said.
Malicious hackers are trying to capitalize on the hybrid work model, and employees joining the meetings remotely and opening attachments from their homes. That's a gold mine for cybercriminals.
During the KnowBe4 summit, Mitnick demonstrated a couple of sophisticated attacks that can fool even the most intelligent people. For example, imagine getting an invite through Microsoft Teams to an urgent meeting set up to discuss salary cuts - an unavoidable measure for a company that has experienced financial losses because of the pandemic. Wouldn't you join the meeting? Of course, you would. Only when you open your Microsoft Teams, it asks you to update the software. You click on a few seemingly legit buttons to update your software when in fact, you allow malicious downloads and let the hacker in that way.
Don’t forget service accounts
There are a couple of things organizations can do to make it harder for adversaries to break in. One of them is enforcing a good policy on choosing passwords.
Don't forget, the bad actor here is trying to guess common passwords. So if you have a really good password policy that prevents users from choosing poor passwords, that will go a long way,Mitnick said.
He encourages using passwords that he "knows it sounds crazy" - 25 or more characters not following specific criteria like the lower case, upper case, number, but rather long sentences, such as "I went to the beach today, and it was very warm."
Companies should also make sure that multifactor authentication (MFA) is enabled on every account.
"What companies typically miss is the service accounts. Service accounts do not have human operators log in, they are created for applications, and typically 2FA is left off those accounts, and those accounts usually have the weaker passwords assigned. That's one thing you need to do - focus on the service accounts, making sure that those accounts have very strong passwords, and that should help eliminate the problem," he said.
How to recognize social engineering?
"That's a tough one. You are almost asking me how to be a human lie detector," Mitnick replied to a question on how to recognize when someone is trying to social engineer them.
When someone lies to you in person, certain microexpressions can give the liar away. However, when you are dealing with social engineering, it is a much more complicated task.
Rather than trying to figure out whether an email is a legit one, a company should craft a verification policy, meaning that an employee should not release any information or perform any action on their computer without a caller or sender passing specific verification steps that would allow them to identify the person.
"You have a rule that says I'm not going to cooperate with any caller or anyone sending an email that is asking me to do anything on my computer system or to reveal any information unless I can properly verify who they are. I think that's the better way to go than trying to be that human lie detector," he said.
Certain red flags point to phishing attempts. However, sophisticated adversaries are better at conducting these attacks and can easily pass the red flag tests so that emails wouldn't look suspicious.
Unfortunately, sometimes even legitimate businesses, such as banks, call their users and ask them to identify themselves.
"They call you and ask for your PIN code or the last four of your social security number. To me, that's a huge red flag, but unfortunately, companies do that. Financial institutions are calling you back and wanting to verify your identity. They are legitimate, but I won't cooperate with them because they are calling me, asking me to verify my identity. I never agree to give my identity information," Mitnick said.
You can learn more about social engineering here. CyberNews has listed the top social engineering attacks for you and provided the most important tips on how to protect yourself.
Subscribe to our newsletter