When I learned about last week's Cyber Security Chicago conference via Twitter, I thought this would be a great opportunity. After all, how frequently does someone from the nonprofit or social enterprise community get to focus on security and data issues? (Plus, Cyber Security Chicago was making its debut this year, so I felt it was worth checking out for my own education as well). So I requested (and received) a complimentary press pass and attended last week's conference at McCormick Place.
Good news - there was plenty of great information that would provide some insights into digital excellence and literacy. Not-so-good news (depending on your perspective) - there is so much content that this week, One Cause At a Time will have four posts focusing on key issues from the conference, as well as key insights from specific people.
One of those people was Kevin Mitnick of Mitnick Security, who delivered the opening keynote address on how hackers and online con artists use their skills to compromise unwilling users. Despite a relatively over-the-top opening video (showing scenes from classic caper/heist films and television shows like Leverage), Mitnick delivered a really insightful presentation.
Mitnick discussed methods of social engineering, by which many hackers and con artists work to convince another person to comply with a request that compromises their computer network. Many of these social engineering efforts involve influence, manipulation, and deception; they often do not depend on a specific operating system, and they carry a low risk for the attacker. (Mitnick also discussed more elaborate methods of deception, which will be discussed later.) Social engineering is effective 99.5% of the time, and it ranges from something as simple as a phishing e-mail to more elaborate strategies like ransomware.
Mitnick also introduced (for me, this was a new idea) the concept of spear phishing, or targeting a specific individual within an organization to acquire network access. During his presentation, Mitnick demonstrated how hackers could use special software to determine basic network information. Once a specific person is found in that information, an e-mail address can be generated (often through trial and error) and a specific e-mail crafted for a particular purpose (like generating a wire transfer of a large amount of money). Without necessarily thinking, the target user may enter the appropriate information, resulting in funds being sent to the hacker.
Online predators who engage in social engineering have a specific process for engaging targets. When engaging users to compromise their systems, hackers work to establish a false identity or role and frequently provide a reason for compliance. Building their target's confidence through information and attention, the hacker also builds rapport through positive influence and reinforcement. The hacker has usually crafted an appropriate response to overcome rejections and has an "out" that allows them to avoid burning their resource. Given the simplicity and ease of these strategies, it's no wonder that social engineering efforts are effective 99.5% of the time.
Throughout the presentation, Kevin Mitnick provided several great real-world demonstrations of how such social engineers work to compromise systems. They often use special software that allows them to redirect customer service phone calls and Skype contacts, and even to broadcast false Wi-Fi signals. (One favorite highlight - a young student provided her name and social security number, and her life was revealed to the audience. This young woman consented, and speaking to her afterward... she was not prearranged or planted by Mitnick.) Even PDFs can be used to send malware, allowing hackers to distribute ransomware and hold user data hostage.
So what can nonprofits, social enterprise, and other users do to ensure security? Much of Mitnick's talk focused on being cautious and confirming information. (When that e-mail from the bank looks suspicious, it is easy to double check with your bank.) Being aware of potential dangers is often the first step in ensuring security, and Kevin Mitnick's opening keynote to Cyber Security Chicago set a positive tone for the rest of the conference.
Many of you may be asking, "What can nonprofits, social enterprise, and other resource-strapped mission-driven organizations actually do to ensure digital safety?" Tomorrow's Cyber Security Chicago post will focus on that very subject.
Questions? Comments? Please leave them below or join the conversation via our Facebook page. (Please note that all comments are moderated.) If you wish to contact me privately, information can be found via this blog's About page.
And as always, thanks for reading!