Hacker To Continuum MSPs: Simulate Attacks Against Your Clients To Prepare Them For Bad Guys

High-profile hacker Kevin Mitnick said solution providers should conduct mock attacks against their own end users to ensure employees aren't being tempted by nefarious schemes.

"You need to educate, train and inoculate your users," Mitnick said Monday during Navigate 2017 by Continuum. "Actually attack your users with phishing and other types of tradecraft that the bad guys do, and it becomes a very teachable moment."

If customers don't wish to be subjected to faux phishing emails, Mitnick said MSPs should still test how employees handle attempts to have them give up compromising information over the phone. Customers should be notified that the IT service provider will be testing their security defenses from time to time to avoid needless reductions in employee morale, Mitnick said.

[RELATED: CRN Exclusive: Continuum Unleashes Robust Managed Security Bundle to Help MSPs Keep Clients Safe]

These efforts should help inoculate customers against legitimate bad actors who attempt to pull off attacks that are similar to the simulations, according to Mitnick. Plus, employees who are entrapped by the practice attack can be offered additional training, Mitnick said.

"The hacker is going to look for the weakest link in the security chain," Mitnick said. "And the weakest link has always been the people."

A key component in improving security education is having employers move away from information security manuals that "read like the Las Vegas penal code," Mitnick said. Instead, he said companies should develop brochures with lots of images and less text that delve into specific topics such as choosing a good password.

"If it's boring and disinterested, nobody's going to read it," Mitnick said.

These brochures should be simple and easy for end users to understand, Mitnick said, and businesses should ensure the information is presented in a relevant, informative and entertaining way so that workers actually read the material. The brochures can then refer staff back to the security manual for additional information, Mitnick said.

Mitnick also recommends that users avoid opening Microsoft Word or Adobe PDF attachments directly to their desktop since that could result in exposure to software flaws. Instead, he said customers should preview the documents in Google Quick View or in the cloud.

And businesses should design systems that automatically determine whether or not an individual has met the security threshold rather than leaving that decision up to human beings, Mitnick said. People typically find it harder to say "no" to a request, especially if the bad actor is impersonating a customer, supplier, vendor or colleague.

Many small and midsize businesses lack operational policies or procedures, Mitnick said, and too often just manage by doing. For those customers, Mitnick recommended that MSPs carry out a vulnerability assessment evaluating risk issues in the environment and brainstorm cost-effective security controls.

"Service providers actually have a great opportunity to provide security services to their clients, and help them manage it in a way where they're less likely to be victims," Mitnick said.

Small businesses can also be complacent when it comes to security risks, Mitnick said, since they feel like they're not big or important enough to be of interest to a hacker. But even if bad actors aren't looking to steal data, Mitnick said they can still use a small business to store information or as a launching platform to go after bigger fish.

Too many small clients focus on security only when it's in the headlines or if something bad happened to a business they work closely with, Mitnick said. And once that memory starts to fade, Mitnick said the complacency can set in again.

"A lot of SMBs are more concerned about where they have to comply, and not really focused on security," Mitnick said.

Lehman Wesley did a simulated attack for one of its clients and found that the company needed to simplify its systems and get workers away from sharing too much information over the phone, according to IT manager Adam Kendall.

"They may need a little bit of a scare," Kendall told CRN.

Like many others, this client had policies in its employee handbook that workers had never read. To address this issue, Kendall said the Lansing, Mich.-based solution provider encouraged the customer to post simple documents at the desk of each employee that they can reference whenever a call comes in.