In his youth, American Kevin Mitnick engaged in “pranks” that involved hacking, such as directing friends’ phones to payphones.
“I never did it to make money; I never did it to do any damage; it was all about the intellectual curiosity and the pursuit of knowledge and the adventure for me and the fun. Eventually, fast-forward, I got myself into a lot of trouble,” he says.
That trouble was with the US Federal Bureau of Investigation (FBI). Yet getting caught has led him to a lucrative career consulting some of the world’s biggest companies and governments on how to better protect themselves online.
Here, My Business speaks with the man sometimes billed as 'the world’s most famous hacker' about why SMEs are a high-risk target, what hackers typically look for and how business owners can protect their most sensitive assets.
My Business: What made you turn from being chased by the FBI to becoming a globally renowned consultant on cyber security?
Kevin Mitnick: I was never on the FBI's most wanted list; I was the guy they were chasing back in the 1990s, but I was never on any official FBI most wanted list. I was kind of a prankster – I loved pulling pranks and doing things like changing a friend's home phone to a payphone, so whenever he would try to make a call, it would say 'please deposit 25 cents', that sort of thing.
Then I started pushing the envelope and I was very interested in how cell phones worked, and so I went after the source code for a cellular handset. And then I started playing cat and mouse with the FBI, and was pretty much a fugitive while the FBI was trying to catch me. And to me, at the time during my younger years, it turned out to be a game.
Once I was released from custody, the federal government – a Senator named Fred Thompson – invited me to testify for Congress on how the federal government could better protect computers that are owned or operated by the government.
MB: How do you operate now as a consultant in the security space?
KM: I have a company [Mitnick Security Consulting] where we do security testing – where clients hire us from all around the world to test their security, to make sure their security controls can withstand an attack basically by hacking the client. So it's basically like an ethical hacking exercise.
And I have another company [KnowBe4] where we do security awareness training and we offer the ability for our clients to phish their employees to see who is susceptible to phishing and also to train them, because they will have that very teachable moment if they happen to open an email that's a phishing attack, because right then and there we will train them.
And then finally I'm a public speaker – I go around the world speaking on security.
MB: Are SMEs really a target for cyber attacks?
KM: I think everybody is a target, for the consumer, the small and medium business ... Don't forget, your system as a small business owner, it might not be that you have valuable information to steal, but if an attacker gains access to your systems, they could basically pivot through your systems and master a location to attack an upstream target.
For example, if I wanted to hack your company's systems, get access to them and then attack a bigger target – like a bank, for example – and do it from your systems, so that if it ever gets tracked back, it gets tracked back to you. So you're like the cut-out, so to speak.
[Also] people host wares, copyrighted material – they might dump it on your server and then give other people in their trusted circle access to the data, so you're basically like a file server.
MB: What are the vulnerabilities of SMEs?
KM: Usually small businesses don't have the resources or the budget to actually deal with security. Normally, they don't even have an IT department; what they do is they have some IT guy set up a couple of servers at the company, maybe some desktops, maybe some laptops, configure everything, get everything up and running, then the consultant goes on to his next gig. So what happens is these small businesses end up being what we call the low-hanging fruit, and easier targets to attack.
MB: What are some of the steps that you take businesses through to better protect themselves?
KM: It's basically layered security controls. Each business is different, from what they have to protect and how to protect it.
But essentially, looking at what are the important assets of a business and how can we segment those assets off on the network and putting up layered security controls between users and sensitive IT assets, whether it's customer lists, access to the CRM system, whether it's manufacturing information like the formula for Coca-Cola or whatever you want to call sensitive within your company, and layering security controls.
[This is important] not only to prevent a bad guy from breaking into the system, but also to detect, so that if one or more persons have compromised the business, that those persons can be detected.
For example, if you have an intrusion detection system, it's not going to be very useful to the business unless it alerts and logs anomalies, and in some cases I find businesses don't even inspect the logs.
So one of the processes that would help the business have a better or more mature security program is assigning some employee the responsibilities to inspect logs, to see if there is something that needs to be further investigated.
MB: What mistakes do you commonly find businesses make around security protection?
KM: A lot of times I come across clients that make simple mistakes. For example, there is a company that is a retailer that I recently tested their security, and I found out that inside the retail store this company had printers, and the printers were on the corporate network. And I figured out that these printers actually had the default passwords that the printers came with, that the company never bothered to change them, and because of that we were able to leverage the printers to get further access into this client's network.
These companies are hiring us to break into their systems and networks, usually with a higher level of sophistication, but we do look for common mistakes that businesses make – like, for example, not changing default passwords – that we could bring to the client's attention to obviously shore up their defences.
MB: If a business is hacked or they suspect a breach, what should they do? And conversely, what are the big no-no’s?
KM: 'Do' is not to shut the system off! The first thing to do is unplug it from the internet, and then probably call a security professional that knows what they are doing, because you want to collect any sort of evidence and try to hopefully track back the intruder.
Also, you can lose valuable data on what the bad guys were doing if you shut down the system. So the first thing that businesses should do in the event that they think they've been compromised, they should reach out to a professional security company to do the assessment for them – it's not the type of task that you could just run like your anti-virus software and try to find out what some intruder was up to.