Clearwater, FL-based cybersecurity outfit KnowBe4 provides training for business and enterprise groups on what to expect when an attacker (be it malware or a person) attempts to gain access to their systems. They have joined forces with the once-notorious hacker Kevin Mitnick, known by popular account for breaking into Army and Pentagon systems in 1983. He has since made a name and a brand for himself by training people to understand how hackers think and by exploring how their systems can be exploited and their security overcome.
He has joined KnowBe4 to bolster their products and training in the area of social engineering, a potent part of any attack, and therefore of any defense, because it exploits human habit and social expectation to bypass the hardware and code that are supposed to enforce security. After all, you don't need to defeat the lock on the front door if you can convince the occupant to open the door for you.
“We’re excited to announce our partnership with Kevin Mitnick, who is widely recognized as today’s foremost social engineering and hacking expert,” said Stu Sjouwerman (pronounced “shower-man”), KnowBe4 founder and CEO. “With the revelation that Stuxnet, Duqu and Flame were developed by the U.S. Government and the state of Israel, it is only a matter of time before this cyberweapon will be turned against us.”
We can assume that state-sponsored hacking has been going on for quite some time and that the current crop of security experts and antivirus vendors is not well equipped to detect it. That is not because state-sponsored malware such as Stuxnet, Duqu and Flame is necessarily more sophisticated than what we see in the wild; it is because these projects are designed and built for very specific deployments, so they rarely escape into the wild, where vendors would otherwise collect samples and build signatures for them.
Business and enterprise IT security teams can still use familiar tactics to detect and defeat such malware and intruders, as long as they recognize their own limitations and shore up the likely gaps in their defenses. They can do this even before antivirus and IDS vendors update their products to detect these new threats.
Social engineering and employee awareness are central
“The attack vector that made these powerful cyberweapons effective was social engineering,” Sjouwerman continues. “It is critical that employees be educated and inoculated to resist social engineering attacks. I’m confident that our combined expertise will give organizations the ammunition they need to effectively combat cyberattacks of every kind.”
SiliconANGLE has covered this sort of training before, noting that cybersecurity experts need to learn the lesson of the Kobayashi Maru: think like the enemy, who will study the rules we expect to be followed and use them against us in a security context. Cyberattacks don't just travel across the Internet and land on computers; they also abuse the expectations and limitations that equipment and custom impose on workers and experts.
Most leaks are caused by insiders and many are unintentional
“The biggest risks to information security are the people. Studies have shown that most security incidents start from within, and are usually accidental,” explained Mitnick, citing the use of social engineering tactics by cybercriminals. “All it takes is one person making a bad decision to compromise the entire business. One effective strategy for keeping employees on their toes is simulating phishing attacks, similar to inoculating a person against a virus, using an Internet Security Awareness Training program, which costs about $15 per person per year.”
At Motorola we had a personal project called POPI: “Protect Our Proprietary Information.” It was important to train individual workers to identify what information was proprietary (i.e. shouldn’t leave the company, department, or room) and make certain it wasn’t just lying around. Being aware of the flow of information and how it can escape was paramount to protecting sensitive data while it was being used. Behavior as simple as locking a cabinet, or closing a door (that would lock) behind you when leaving, could stop a large number of accidental leaks.
As Mitnick notes above, accidents happen; the same psychology applies to protecting data on computers and in networks themselves.
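Mitnick's simulated-phishing "inoculation" is easy to describe and easy to get wrong in the bookkeeping: if the tracking links are guessable, one employee can click (or report) on a colleague's behalf, and if the only metric is click rate, you never learn whether people are doing the thing the training is meant to produce, which is reporting the lure before touching it. The following is an added example, not KnowBe4's product code or anything from the original article: a small Python campaign tracker that issues each recipient an HMAC-derived token, logs open/click/submit/report events, rejects tokens it did not issue, and computes the metrics a security team would actually review. The campaign name, addresses, key, landing URL, event names and event stream are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Event vocabulary is an assumption for this demo, not any vendor's format.
EVENTS = ("delivered", "opened", "clicked", "submitted", "reported")


def make_token(campaign_key: bytes, campaign_id: str, email: str) -> str:
    """Per-recipient tracking token derived with HMAC-SHA256.

    The lure's link carries only this token: it does not reveal the address,
    and without the campaign key a recipient cannot compute a colleague's
    token, so nobody can click or report on someone else's behalf.
    """
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(campaign_key, msg, hashlib.sha256).hexdigest()[:24]


class PhishSimulation:
    def __init__(self, campaign_id: str, key: bytes = None):
        self.campaign_id = campaign_id
        self.key = key if key is not None else secrets.token_bytes(32)
        self.by_token = {}   # token -> email
        self.events = {}     # email -> [event, ...] in arrival order

    def enroll(self, emails):
        for email in emails:
            self.by_token[make_token(self.key, self.campaign_id, email)] = email
            self.events.setdefault(email, [])   # counted even if never opened

    def landing_url(self, email: str, base: str = "https://training.example.com/l/") -> str:
        """URL embedded in the lure for this recipient (base is an assumption)."""
        return base + make_token(self.key, self.campaign_id, email)

    def record(self, token: str, event: str) -> bool:
        """Log an event from the landing page or the mail client's
        'report phishing' button. Unknown tokens are dropped, not guessed at,
        so forged or mistyped links cannot pollute the results."""
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r}")
        email = self.by_token.get(token)
        if email is None:
            return False
        self.events[email].append(event)
        return True

    def metrics(self) -> dict:
        n = len(self.events)
        clicked = {e for e, evs in self.events.items() if "clicked" in evs}
        submitted = {e for e, evs in self.events.items() if "submitted" in evs}
        reported = {e for e, evs in self.events.items() if "reported" in evs}
        # The behaviour the training is meant to produce: reporting the lure
        # without clicking it, or at least before clicking it.
        reported_first = {
            e for e, evs in self.events.items()
            if "reported" in evs
            and ("clicked" not in evs or evs.index("reported") < evs.index("clicked"))
        }

        def rate(group):
            return len(group) / n if n else 0.0

        return {
            "recipients": n,
            "click_rate": rate(clicked),
            "submit_rate": rate(submitted),
            "report_rate": rate(reported),
            "reported_before_click": len(reported_first),
            "needs_followup": sorted(submitted),   # entered credentials: retrain first
        }


def demo() -> dict:
    """Run one constructed campaign and return its metrics."""
    sim = PhishSimulation("q3-invoice-lure", key=b"constructed-demo-key-not-for-real-use")
    staff = ["ana@example.com", "bo@example.com", "cy@example.com",
             "di@example.com", "ed@example.com"]
    sim.enroll(staff)
    # Constructed event stream in arrival order; Ed never opened the message.
    log = [
        ("ana@example.com", "opened"), ("ana@example.com", "clicked"),
        ("ana@example.com", "submitted"),
        ("bo@example.com", "opened"), ("bo@example.com", "reported"),
        ("cy@example.com", "clicked"), ("cy@example.com", "reported"),
        ("di@example.com", "opened"),
    ]
    for email, event in log:
        sim.record(make_token(sim.key, sim.campaign_id, email), event)
    # Someone poking at the link format with a guessed token changes nothing.
    sim.record("0000000000000000deadbeef", "clicked")
    return sim.metrics()


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth keeping in a real deployment: the token is keyed per campaign, so the same address gets a different link each time and old links cannot be replayed into a new exercise; and "reported before click" is tracked separately from raw report rate, because a user who clicks, submits a password and then reports it has not been inoculated in any useful sense.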
In what is probably the most striking line of the whole announcement, Sjouwerman concluded, “We are excited to have Kevin join us as our Chief Hacking Officer.”
CHO? That’s a new three-letter title to add to someone’s name. Talk about a cushy celebrity hacker title.