Mitnick Spills Secrets of Fighting Social Engineering

Keen to the importance of not simply clicking on any email I receive in my inbox, I recently received a message with a subject line I could not resist: "Kevin Mitnick Security Awareness Training." For those unfamiliar with Kevin Mitnick, he is a world-famous hacker and engineer, now turned author and security advocate. My curiosity was piqued.

In this case, the email was no social engineering scam. The training is legit, and the concept is simple: When it comes to protecting your organization from security breaches, your users are your weakest link. We've known this for years. No matter what technology you put in place to protect your environment, your users need to know the basics: never give out their password, never pick up a USB keychain in the parking lot and plug it into on your network, never open the email that says it is from their bank or, worse, a bank they never recall using.

Stu Sjouwerman, founder and CEO of KnowBe4, the company offering Kevin Mitnick Security Awareness, had this to say when I spoke with him about the training: "When we built an antivirus product from scratch at my former company, and had thousands of customers, we realized that the bad guys were bypassing the end-point security tools in Windows-based networks and going after the end-user instead. They attack the employees and use social engineering to make them click on a malicious link or open an infected attachment. Once they infect the workstation with malware and get credentials, they penetrate the network and hack into the servers."