In the 1990s, he was listed as the most wanted hacker by the FBI, but in a story at the height of Hollywood production, today Kevin Mitnick is known around the world as one of the most intelligent cybersecurity consultants. He did not expect it, not even himself, who admits that his earlier adventures were out of purely intellectual interest, which his clients today appreciate and who follow him will be able to listen. Next Thursday, September 23, in an interview series Banku Itai leaders’ visions.
Today, as an expert, he travels the world advising companies from his own company Mitnick Security Consulting, dedicated to penetration testing services where its engineers simulate cyber attacks to test the security mechanisms of its clients, and from KnowBe4, which focuses on helping you make smart decisions when it comes to attacks like phishing .
With his experience on both sides of the road, he asserts that cyber security should be a priority for both companies and nations, something that appears to have been clearly understood by the “Five Eyes” intelligence coalition, made up of the US and UK. Canada, Australia and New Zealand, but South America still has a long way to go.
When you were hacking, did you think you would end up as a cyber security consultant?
-not at all. I was involved in hacking through an intellectual challenge, tempted by adventure, and it was never about making money. I never thought that this would lead me to an opportunity like the one I am having in my life today.
It took a long time to gain customers’ trust. It took years because I had been in trouble with the federal authorities in the United States on a few occasions.
Because of that, it took a while for them to trust me. But I think a lot of people in the world know that my motivation for hacking was never really criminal, and it wasn’t about stealing money or credit card data or installing viruses on computers, that kind of thing.
It also allowed clients to see me being able to drink lemons to make lemonade every day.
How did hacking evolve from what you observed from your days as a hacker to what current penetration testing services show you?
It has evolved a lot since the 1990s. Since 1995, the Internet has begun to develop more aggressively in commercial fields. What is most commonly done is attacking people with what we call a social engineering attack, where the bad guys call someone on the phone and try to manipulate them to get information or do something that would allow them to get into computers.
One part of that is phishing, where bad guys send malicious emails with links or attachments that give them access to computers.
There are very different ways to get around a computer system network, but these two methods are the most used.
Innovation in hacking is particularly dynamic. How do you promote to do your job as a consultant?
I always keep my ears open. I constantly attend security information conferences, stay updated by following up on other experts and also have field work with my company, where we have several engineers working on security tests for our clients. In other words, we act as a hacker so that customers can control their own defenses.
On the other hand, I am part of another company called KnowBe4 where we focus on helping companies make smart decisions when it comes to social engineering attacks like phishing. We then simulate phishing experiences to generate security warnings and training to help contain such issues.
However, as a security expert you have to always keep your ears grounded, you have to pay attention to what is happening and how things change when it comes to technology. Otherwise, you will be behind in a week.
It is always realizing to be in this position. You should always stay up to date on the tools bad actors are using and on the new technology available so that clients can mitigate risks.
Given the advances in cybersecurity in developed countries, has Latin America become more vulnerable to attacks?
It’s hard for me to talk about Chile, but I know South America definitely faces more risks because it doesn’t have the technology and staff to help them manage the risks. Even in America, they hire security professionals. In my own company, we are constantly looking for these professionals, because we definitely lack talent.
Hopefully this will change over time and we will have more people available with the skills to help companies protect themselves from these attacks.
In Chile, the government recently committed to a bill to develop a national cybersecurity agency. Are we late? How urgently should we go given the risks we face?
– I am surprised that there is no cybersecurity agency in Chile. Perhaps the good news is that there is a bill, but what should not happen is that these agencies end up spying on people. We had this problem in the US in 2013, when Snowden revealed that the US government and its national security agencies were wiretapping, hacking any target they wanted to do.
This is something to avoid in Chile. They must aspire to certain rules and regulations that prevent this, at the same time as they develop the infrastructure to counter cyberattacks. You have to know how to balance the security of the country and the privacy of the people.
What are the challenges facing a government agency responsible for cybersecurity in a country?
– This is complicated, because we are talking about the security of a country. Each country has its own offensive and defensive capabilities, which means that other countries are constantly hacking other countries, like the Russians always hacking the United States, we’re hacking China … This is something that constantly happens.
In this context, Chilean state agencies must have good people on board to really protect themselves from these types of attacks, because they are very sophisticated and use types of intrusion that cannot be detected by companies like Apple or Microsoft.
In addition, there are experts who sell their services to hack people’s phone services. In Saudi Arabia or the United Arab Emirates, they go looking for defectors, putting their cell phones at risk to follow them.
It is more challenging than what financial institutions in Chile can face to mitigate the risks.
How should coordination between the public and private sectors be in relation to cybersecurity?
I can talk about what happens in the United States when companies are at risk. They don’t want to disclose their information to the government, but in the US under state laws when a company experiences a data breach, they must disclose the information or else they will face fines.
This information is important, because if I am a victim of a data breach, I want to know about it so I can do everything I can to mitigate it. In this framework, I encourage government agencies to partner with the private sector to work together as a team.
Which country is at the forefront of cybersecurity?
– Probably the “five eye” countries, ie the United States, Canada, the United Kingdom, Canada and New Zealand. These countries in particular have developed robust cybersecurity services, I’m now in New Zealand and I was recently in Australia and I think the US and maybe the UK are a little more advanced than these, but from a government perspective I don’t have that vision to be able to assess.
But I know America is the leader when it comes to cybersecurity information.
Which companies are outstanding?
– I’m not sure about a specific company, but it seems to me that financial institutions are definitely the most modern, like Itau and banks in general, because they obviously have good teams protecting them to reduce risk. Of all things they are the first target for you to attack because that is where the money is. This means that financial institutions must be more vigilant in their security practices.