Ex-hacker spills secrets of fighting social engineering

By J. Peter Bruzzese

Created 2012-08-01 03:00AM

window.cmcb["idge-11271792004_1363748233"]();

Keen to the importance of not simply clicking on any email I receive in my inbox, I recently received a message with a subject line I could not resist: "Kevin Mitnick Security Awareness Training." For those unfamiliar with Kevin Mitnick, he is a world-famous hacker and engineer, now turned author and security advocate. My curiosity was piqued.

In this case, the email was no social engineering scam. The training is legit, and the concept is simple: When it comes to protecting your organization from security breaches, your users are your weakest link. We've known this for years. No matter what technology you put in place to protect your environment, your users need to know the basics: never give out their password, never pick up a USB keychain in the parking lot and plug it into on your network, never open the email that says it is from their bank or, worse, a bank they never recall using.

[ Also on InfoWorld: Believe it or not, these 10 crazy IT security tricks actually work. | Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Stu Sjouwerman, founder and CEO of KnowBe4, the company offering Kevin Mitnick Security Awareness, had this to say when I spoke with him about the training: "When we built an antivirus product from scratch at my former company, and had thousands of customers, we realized that the bad guys were bypassing the end-point security tools in Windows-based networks and going after the end-user instead. They attack the employees and use social engineering to make them click on a malicious link or open an infected attachment. Once they infect the workstation with malware and get credentials, they penetrate the network and hack into the servers."

That experience led Sjouwerman and KnowBe4 to offer the course, which Sjouwerman describes as Mitnick's "30-plus years of hacking and social-engineering experience distilled in a 30-minute training."

"All organizations should take the defense-in-depth concept serious, and especially pay attention to the outer layer: policies, procedures, and awareness," Sjouwerman says.

Social engineering training: How to make it stick
Of course, training your users is one thing; making it work once the training is over is another. To get an idea of what you could expect, I asked Sjouwerman if I could take a look at the course.

What impressed me most was the use of case studies within the training material, where Mitnick personally demonstrates the threat of opening a PDF, opening a document, or plugging in a USB stick that you are not sure of.  He shows the tools that the hackers use on the other end and how easy it is to now grab your passwords, take control of your systems, and more. I have to say the training series scared the bejeebers out of me, and this is coming from someone who has provided training and spoken often at conferences on this very subject.

Training alone isn't enough. There were quizzes and red-flag scenarios in the course materials as well. But even these can only do so much. In speaking with Sjouwerman, I asked him what else can be done to ensure the training sticks. Is there some kind of final exam the users take?

The process actually doesn't begin with the training, according to Sjouwerman. It begins with a baseline Phishing Security Test where the users in an organization are sent a phishing email (something regarding banking, online services, social networking, current events, and so forth). The company then notes how many persons click the links and are unaware of the dangers or are taken in by the message.

Once that is done, the users go through the training, then administrators have the ability to send out different types of fake phishing tests to their users as often as they like (once a week is recommended). The administrators can see clearly if there is a return on investment, as well as which users may need more training.

I thought the process made sense. Obviously, it'd be great if admins could sprinkle USB drives around the parking lot to see what users do or perform additional social engineering tests, but this seemed like a good method of benchmarking the level of awareness among your user base.

We're still dealing with humans. They need repetitive training to ensure they get the point, whether it is sexual harassment training, safety training, or in this case, security awareness. But I also believe there has to be valid methods for ensuring the training is sticking, especially if the greater concern is not just to be able to prove to compliance regulators that you did, indeed, provide the training required, but to also ensure your users are learning.

This story, "Ex-hacker spills secrets of fighting social engineering," was originally published at InfoWorld.com.

via infoworld.com