I just got done reading one of the best thrillers I’ve read in years. And it wasn’t a work of fiction. Nor was it one of those “based on a true story” type docu-dramas. This was a true story of a life of computer hacking told by one of the greatest hackers of all time. The book was “Ghost in the Wires,” an autobiography by security expert and former FBI’s most wanted hacker, Kevin Mitnick. Even though I’ve read a great many books on the author’s exploits, I was freshly agog at the author’s adventures, told for the first time from his point of view. The man was a force of nature when it came to breaking into computer systems. There was almost no system he couldn’t breach, no act too outrageous. And while his computer hacking skills were impressive, the area where he was a true artist was social engineering. In fact, one might say he was one of the first and best.
Now younger techies might not be impressed with his retro skills. Most of his best hacks were on phone systems and done over dial-up modems. And until he went on the run, most of his hacks were not widely publicized, unlike today, where Anonymous, Wikileaks, and other hacker groups have become almost political figures. Kevin plied his art in dark cyber alleys, acknowledged only by other hackers and the law enforcement officials he continually stymied. So while his computer skills might be passé today, the social engineering he practiced still works and is practiced by the legions of phishers, pharmers, and other cybercrime denizens.
Reading this book should keep any IT security professional awake at night, because it deals with the one thing we can’t spend technology dollars to fix: the people element. No matter how many firewalls, IDSs, IPSs, and malware detectors you have, all it takes is one well-meaning employee to bypass it all.
So the lesson of “Ghost” is not that we need better technology to combat the waves of electronic fraud sweeping our companies and governments, but rather that we need to spend time on our people. This includes the entire enterprise, not just our direct IT staff. Figure out how you can allocate some of that money destined for more software and hardware toward boring things like policies and training. Every firm with significant IT resources to protect should have some form of IT security awareness training at least once a year. Get people to think twice before they help that “employee” on the phone, or to take an extra moment to verify that request coming in via email. I highly recommend this book for any manager, not just in IT. Read it. Learn it. Fear it.