Black Hat 2012: Phishing and social engineering penetration testing

Robert Westervelt, News Director

LAS VEGAS -- Some of the most high-profile data breaches started with a standard spear phishing attack, leading some experts to advocate for more hardened technical defenses, but Rohyt Belani, CEO and co-founder of PhishMe Inc., believes user awareness training should be part of nearly every enterprise information security program.

"Spear phishing is going to be the attack vector of choice for a long time," Belani said. "The email protocol is broken. Human beings are as susceptible as they were 15 years ago."


In an interview conducted at the 2012 Black Hat Briefings, Belani, who is also a founder of the boutique security firms Intrepidus Group Inc. and Mandiant Corp., said sustained anti-social-engineering training can heighten the security awareness of end users and ultimately stop most of them from blindly clicking on links and opening email attachments. Belani's new firm, PhishMe, provides Web-based security awareness training tailored to specific roles within an organization.

"Awareness should lead to behavior modification," Belani said. "We have statistics to prove that over time the end-user susceptibility to phishing attacks trends downward."

Belani discusses why he thinks training that features social engineering penetration testing can be effective, and explains why he isn't afraid to debate the naysayers. He also describes how organizations can properly introduce anti-social-engineering training without creating a rift between the IT security team and other employees.
