Keen to the importance of not simply clicking on any email I receive in my inbox, I recently received a message with a subject line I could not resist: "Kevin Mitnick Security Awareness Training." For those unfamiliar with Kevin Mitnick, he is a world-famous hacker and engineer, now turned author and security advocate. My curiosity was piqued.
In this case, the email was no social engineering scam. The training is legit, and the concept is simple: When it comes to protecting your organization from security breaches, your users are your weakest link. We've known this for years. No matter what technology you put in place to protect your environment, your users need to know the basics: never give out their password, never pick up a USB keychain in the parking lot and plug it into on your network, never open the email that says it is from their bank or, worse, a bank they never recall using.
[ Also on InfoWorld: Believe it or not, these 10 crazy IT security tricks actually work. | Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Stu Sjouwerman, founder and CEO of KnowBe4, the company offering Kevin Mitnick Security Awareness, had this to say when I spoke with him about the training: "When we built an antivirus product from scratch at my former company, and had thousands of customers, we realized that the bad guys were bypassing the end-point security tools in Windows-based networks and going after the end-user instead. They attack the employees and use social engineering to make them click on a malicious link or open an infected attachment. Once they infect the workstation with malware and get credentials, they penetrate the network and hack into the servers."
That experience led Sjouwerman and KnowBe4 to offer the course, which Sjouwerman describes as Mitnick's "30-plus years of hacking and social-engineering experience distilled in a 30-minute training."
"All organizations should take the defense-in-depth concept serious, and especially pay attention to the outer layer: policies, procedures, and awareness," Sjouwerman says.
Social engineering training: How to make it stick
Of course, training your users is one thing; making it work once the training is over is another. To get an idea of what you could expect, I asked Sjouwerman if I could take a look at the course.
What impressed me most was the use of case studies within the training material, where Mitnick personally demonstrates the threat of opening a PDF, opening a document, or plugging in a USB stick that you are not sure of. He shows the tools that the hackers use on the other end and how easy it is to now grab your passwords, take control of your systems, and more. I have to say the training series scared the bejeebers out of me, and this is coming from someone who has provided training and spoken often at conferences on this very subject.