Black Hat 2012: Phishing and social engineering penetration testing

Date: Jul 26, 2012
Robert Westervelt, News Director

LAS VEGAS -- Some of the most high-profile data breaches started with a standard spear phishing attack, leaving some experts to advocate for more hardened technical defenses, but Rohyt Belani, CEO and co-founder of PhishMe Inc., believes user awareness training should be part of nearly every enterprise information security program.

"Spear phishing is going to be the attack vector of choice for a long time," Belani said. "The email protocol is broken. Human beings are as susceptible as they were 15 years ago."

In an interview with SearchSecurity.com conducted at the 2012 Black Hat Briefings, Belani, who is also a founder of boutique security firms Intrepidus Group Inc. and Mandiant Corp., said sustained anti-social engineering training can help heighten the security awareness of end users and ultimately stop most of them from blindly clicking on links and opening email attachments. Belani's new firm, PhishMe, provides Web-based security awareness training tailored to specific roles within an organization.

"Awareness should lead to behavior modification," Belani said. "We have statistics to prove that over time the end-user susceptibility to phishing attacks trends downward."

Belani discusses why he thinks training that features social engineering penetration testing can be effective, and explains why he isn't afraid to debate the naysayers. He also describes how organizations can properly introduce anti-social engineering training without creating a rift between the IT security team and other employees.