A former classmate told me his employer is making him take Kevin Mitnick’s security awareness training course. “Is he really the world’s most famous hacker?” he asked me. “And if he is, why should I trust a word he says?”
Those are excellent questions. I happen to have reviewed all of Kevin Mitnick’s various courses for a previous employer, so I’m familiar with them. And I had to take Kevin Mitnick Security Awareness Training this year myself. I don’t agree with the life decisions Kevin Mitnick made that landed him in prison, of course. But overall, I had only very minor objections to his training. Here’s why.
Kevin Mitnick: World’s most famous hacker
Some security professionals are a little uncomfortable with Kevin Mitnick’s “world’s most famous hacker” billing. It’s kind of like calling Harry Houdini a magician. Many people remember Harry Houdini as a magician, but he was really more of an escape artist. There’s a distinction. Kevin Mitnick can hack, but he was really more of a social engineer. I don’t like the phrase social engineer either. “Social engineering” is a word security professionals use because it sounds more technical than “manipulator” or “con man.” But that’s all social engineering is.
Many of Kevin Mitnick’s escapades were possible because he managed to convince people to let him in. Then again, many computer crimes happen exactly that way. It’s a lot easier to get into a network by sending someone a weaponized resume than it is to try to bust through someone’s firewall or web server.
Why should you trust a convicted felon?
Most people probably wouldn’t hire a convicted felon for an important job. I remember an old joke from when I was a kid.
Hiring manager: Where did you learn about banks?
Interviewee: In Yale.
Hiring manager: Yale? How impressive. You’re hired. What did you say your name was again?
Interviewee: Yohn Yones.
So why listen to a convicted felon for something as important as security awareness training?
Part of security is knowing how to think like a bad guy. That way you know how to stop him. When I went on the radio a couple of years ago to talk security, I got a few wide-eyed looks from the intern that suggested she wondered why I wasn’t in jail.
I’ll admit, I didn’t like Mitnick’s style much of the time. But that’s subjective. When I give talks about security, not everyone likes my style either. Computer security is an uncomfortable subject and sometimes we come off like we know a little too much, or enjoy it too much.
But it’s the message that matters, not the style. The takeaways from Mitnick’s training are that you shouldn’t open unexpected e-mail attachments, especially unexpected e-mail attachments from strangers, and if you find a USB drive in the parking lot, don’t plug it in to your computer. That’s all perfectly good security advice.
Any competent and reasonable security professional will agree with well over 90 percent of what Kevin Mitnick says. We’ll all find things to nitpick about, something he says that we disagree with. But that’s not the point. The point is whether your company would be better off if everyone followed the advice Kevin Mitnick dispensed in the training.
And the answer to that is yes. Which is why a security professional like me has to take Kevin Mitnick Security Awareness training every year just like you.
Why not do your own security awareness training?
Some companies do their own training. I’ve interviewed for those types of positions before. The thing is, there are better things to have me do. I’m more valuable doing vulnerability management or risk assessment or even incident response. There’s no point in paying me a vulnerability management salary to produce something perhaps marginally better than Mitnick’s video when you can just buy Mitnick’s training for a lot less money.
I think I’d enjoy doing security awareness training, but I admit, the economics don’t make sense. Just buy off-the-shelf training.
What’s special about Mitnick? He’s a name. Security awareness training is a hard sell without a name to attach to it.
When I evaluated Mitnick’s training, if I’d gone back to management and told them I could do better, they might have let me try. We had video production equipment and a competent producer in house. But there’s no guarantee they would have agreed I was better. Once I remembered I was part of a three-person security department, that urge left pretty fast.
Mitnick’s advice is good enough, and settling for good-enough security awareness training allows you to excel in other areas. I concluded in 2015 that was the right decision, and if I’m ever called to make the decision again, I’ll probably repeat myself.