
March 4th, 2005

Hacker speaks out.

Posted by Richard Stiennon @ 7:10 pm

Categories: Spyware

Sigh. Yet another call for social solutions to technical problems. Hacker Kevin Mitnick calls for more employee awareness training.

Anyone who has ever been in an IT department knows that within a week after the two-day seminar on using strong passwords like W9T%$zx0 instead of weak passwords like “manchester” or “pistons” or the perennial favorite, “password”, all of the users have forgotten their strong passwords, called the help desk, and had them set to abc123.

I have always maintained that if someone points a finger at those dang *users*, there is a better technical solution. Security consultants make lots of money giving seminars and designing security awareness training programs. With one exception, these programs are a waste of time, money and resources.

Weak passwords being used? Enforce strong passwords with an identity management system. People dumpster diving? Hire a secure trash collection service. Someone installing wireless devices in the conference room? Use network access controls, MAC address enforcement, or products like Air Defense.

If there are weaknesses in your security they invariably have technical solutions.

What is the one area of security training that pays off? Teaching hacking techniques to system admins and developers. That pays off because they gain an awareness of just how easy it is to hack and they become a little more paranoid. Hacking techniques that Kevin Mitnick does not have direct experience with because he has not been allowed to touch a computer since 1995.

The security blog

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
