"It takes one to catch one," according to Kevin Mitnick, and the best way to catch one is through security-awareness training.
The success of social engineering must frustrate those responsible for an organization's digital security. There is no simple solution or device that will take social engineering out of the bad guys' playbook. And if anyone knows that, it is Kevin Mitnick, one of the most successful social engineers, if not the most successful.
Mitnick, at one time the most wanted computer criminal in the US, paid his dues and started Mitnick Security Consulting. Mitnick now uses his undeniable talent to help corporations secure their networks. Calling some of the top organizations in the world his clients, he proudly states, "We maintain a 100-percent successful track record of being able to penetrate the security of any system we are paid to hack into using a combination of technical exploits and social engineering."
J. Peter Bruzzese, Office 365 MVP and well-respected writer, witnessed first-hand Mitnick's capabilities. Bruzzese recently spoke at a secureCIO event in Dallas where Mitnick gave the keynote address. "Mitnick did a few demonstrations at the event that scared the bejeebers out of the audience," writes Bruzzese in this InfoWorld blog post. "He showed how he could steal a person's identity within two minutes by simply using his or her name. He pulled up their Social Security numbers from legitimate websites — one site charged only 50 cents per number — plus their last 20 years of addresses, driver's license information, birth certificates (which includes mother's maiden name), and more."
I am reminded of a famous Mitnick quote, "People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics."
It takes one to catch one
Mitnick, a firm believer in educating users about social engineering, has a mantra on his website: It Takes One to Catch One. Following that logic, Mitnick partnered with Stu Sjouwerman, founder of KnowBe4 (and former owner of Sunbelt Software, which GFI Software acquired in 2010), to market e-learning security-awareness applications. "IT security starts with people," says Sjouwerman in this local television interview. "You have to start with employees: train them and then send them mock phishing attacks."
To help companies decide whether Mitnick's and KnowBe4's security-awareness training makes sense for them, KnowBe4 offers a free Phishing Security Test. That way, potential clients can see how many of their employees are what Sjouwerman calls "phish-prone." Sjouwerman says most management teams are surprised by how many employees do poorly on the test.
The security-awareness program combines web-based interactive classes with frequent simulated phishing attacks. The training employs actual case studies, live demonstration videos, and tests. The program also offers:
- a 40-minute module that can be split into four smaller units for time-constrained employees;
- a 25-minute module covering Advanced Persistent Threats and ransomware, including two new case studies; and
- a 15-minute condensed module dealing directly with Advanced Persistent Threats and phishing.
KnowBe4 offers the following training-administration options:
- Software-as-a-Service subscription running in KnowBe4's cloud
- Load the SCORM-compliant training modules into your own learning-management system
- In-house managed service
The program also gives the client some flexibility. The training manager has access to a KnowBe4 administration console and can use it to schedule Phishing Security Tests, choosing each test from either the KnowBe4 template library or the community-templates section. Remedial online instruction can then be scheduled for employees who are still phish-prone after the initial training.
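To make concrete what a simulated phishing test actually does behind the console, here is a minimal campaign tracker written for this article. It is an added illustration, not KnowBe4's code or a description of its real API or data format: it mints a per-recipient tracking link from an HMAC (so one employee cannot guess or forge another's token and no personal data rides in the URL), renders a templated lure, ingests click and credential-submit events from the landing page while discarding hits on unknown tokens, and then computes the phish-prone percentage plus the list of employees to enrol in remedial training. All names, the tracking host, the campaign secret, and the recipients are constructed sample data.

```python
"""Minimal simulated-phishing campaign: per-recipient tracked links,
click/submit capture, and a phish-prone report for remedial training.
Illustrative only; not KnowBe4's implementation."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample configuration (hypothetical values).
CAMPAIGN_SECRET = b"rotate-me-per-campaign"          # HMAC key held only by the admin console
TRACKING_BASE = "https://awareness.example.test/t/"  # hypothetical landing-page host
TEMPLATE = ("Hi {name},\n\nYour mailbox password expires today. "
            "Keep access by confirming here: {url}\n\nIT Service Desk")

# Constructed recipients: (email, display name).
SAMPLE_PEOPLE: List[Tuple[str, str]] = [
    ("alice@example.test", "Alice"),
    ("bob@example.test", "Bob"),
    ("carol@example.test", "Carol"),
    ("dave@example.test", "Dave"),
    ("eve@example.test", "Eve"),
]


@dataclass
class Recipient:
    email: str
    name: str
    token: str
    url: str
    actions: Set[str] = field(default_factory=set)  # subset of {"click", "submit"}


@dataclass
class Campaign:
    campaign_id: str
    recipients: Dict[str, Recipient] = field(default_factory=dict)  # token -> recipient


def tracking_token(campaign_id: str, email: str, secret: bytes) -> str:
    """Deterministic but unguessable per-recipient token.

    An HMAC rather than a plain hash means an employee who knows a
    colleague's address still cannot compute that colleague's link, and the
    link itself carries no PII. Same address, different campaign -> new token.
    """
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_campaign(campaign_id: str, people: List[Tuple[str, str]],
                   secret: bytes = CAMPAIGN_SECRET) -> Campaign:
    camp = Campaign(campaign_id)
    for email, name in people:
        tok = tracking_token(campaign_id, email, secret)
        camp.recipients[tok] = Recipient(email, name, tok, TRACKING_BASE + tok)
    return camp


def render_email(camp: Campaign, email: str) -> Optional[str]:
    """Fill the lure template with the recipient's name and tracked link."""
    for r in camp.recipients.values():
        if r.email == email:
            return TEMPLATE.format(name=r.name, url=r.url)
    return None


def record_event(camp: Campaign, token: str, action: str) -> bool:
    """Ingest one landing-page hit. Unknown tokens (scanner noise, guessed
    URLs) and unknown actions are rejected so they never inflate the score."""
    if action not in ("click", "submit"):
        return False
    r = camp.recipients.get(token)
    if r is None:
        return False
    r.actions.add(action)
    if action == "submit":          # submitting credentials implies the link was followed
        r.actions.add("click")
    return True


def phish_prone_report(camp: Campaign) -> dict:
    """Phish-prone % = recipients who clicked / recipients mailed.
    Repeat clicks count once per person; the 'remedial' list feeds training."""
    total = len(camp.recipients)
    clicked = [r for r in camp.recipients.values() if "click" in r.actions]
    submitted = [r for r in clicked if "submit" in r.actions]
    pct = round(100.0 * len(clicked) / total, 1) if total else 0.0
    return {"recipients": total, "clicked": len(clicked),
            "submitted": len(submitted), "phish_prone_pct": pct,
            "remedial": sorted(r.email for r in clicked)}


def run_demo() -> dict:
    """Constructed event stream: Alice clicks, Bob clicks twice and submits,
    Dave submits straight away, Carol and Eve ignore the mail, plus two junk hits."""
    camp = build_campaign("2014-q1-demo", SAMPLE_PEOPLE)
    tok = {r.email: r.token for r in camp.recipients.values()}
    events = [(tok["alice@example.test"], "click"),
              (tok["bob@example.test"], "click"),
              (tok["bob@example.test"], "click"),
              (tok["bob@example.test"], "submit"),
              (tok["dave@example.test"], "submit"),
              ("0123456789abcdef0123456789abcdef", "click"),   # guessed token
              (tok["carol@example.test"], "open")]             # unsupported action
    for t, a in events:
        record_event(camp, t, a)
    return phish_prone_report(camp)


if __name__ == "__main__":
    print(render_email(build_campaign("2014-q1-demo", SAMPLE_PEOPLE), "alice@example.test"))
    print(run_demo())
```

Two design points are worth carrying into any real program: keep the campaign secret out of the mail-merge and landing-page tiers so a leaked template cannot be turned into valid links, and score on unique people rather than raw hits, otherwise one curious employee reloading the page looks like a department-wide failure.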
Putting his money on the line, Sjouwerman offers this guarantee: "We are so confident our security awareness training program works, we'll pay your ransom if you get hit with ransomware while you are a customer."
- Q&A: Kevin Mitnick, from ham operator to fugitive to consultant (CNET)
- Hacker Mitnick has a plan to help you stay safe online (Q&A) (CNET)
- Social engineering audits on the rise: What this means for CIOs and CSOs
- Technology can't stop phishing perhaps common sense can
- Penetration Testing and Scanning Policy (Tech Pro Research)
Note: TechRepublic, CNET, and Tech Pro Research are CBS Interactive properties.