IT security alert for MSPs: Beware of stupid

MSP companies must keep an eye on the role of human error and mistakes -- as well as targeted attacks -- as they formulate their security strategies.

IT security is often discussed as a technology struggle, but data breaches frequently boil down to user bumbling.

Human behavior as a source of security pain has been frequently documented, with accidental disclosures affecting groups ranging from the National Guard to world leaders attending the G20 summit. So, while user-generated breaches are nothing new, speakers at the Automation Nation conference this week reminded managed services provider (MSP) attendees to consider the human condition as the key contributor to many an IT security alert.

In a keynote address, Kevin Mitnick, an IT security consultant who once made the FBI's Most Wanted list after a series of computer break-ins, broke it down for the MSPs in the audience.

"We can't download a patch for stupidity," he said. "The real problem is actually the users."

Mitnick cited an informal study revealing nine out of 10 office workers approached outside of London's Waterloo Station would volunteer their passwords in exchange for an inexpensive pen. He noted that a subsequent study -- this time, using chocolate eggs as the lure -- again found the majority of the subjects would turn over their passwords.

Those types of results, Mitnick suggested, encourage social engineering attacks in which perpetrators use manipulation or deception to get others to provide the information they seek. He said such attacks offer a low-cost approach that doesn't leave behind a log that would indicate a compromise.

Social engineering attackers may harvest information about their intended targets via social networking platforms, such as LinkedIn, Facebook and Twitter. Information gleaned from such sites can paint a picture of the target's circle of trust, Mitnick said, adding that attackers can use that insight to craft a phishing assault that mimics the target's customers or suppliers, for example.

Bradley Gross, managing partner of a law practice that bears his name, said mistakes, such as falling prey to a phishing expedition, are one of the most typical sources of data breaches. Gross, who works with MSPs, value-added resellers and other channel partners, noted that dumb moves -- leaving a laptop in a car, for example -- also rank toward the top of the list of breach triggers.

His warning for Automation Nation attendees: "Stupidity is out there, and it is robust."

Gross said channel partners also have to contend with more sinister security breach sources, such as intentional hacks and mischief-minded employees. Service providers, he added, can take steps to put themselves on better security footing, however. Those include conducting a security audit, tightening their master services agreement, establishing a data breach policy, looking into cybersecurity insurance and considering annual penetration testing.

David Bellini, president and managing director of ConnectWise International, based in Tampa, Fla., said the onus is on channel partners to hone their security skills -- for their own well-being and that of their customers.

"Our customers' customers are small businesses ... and their job is to make sure they are securing their customers' networks, systems and databases," he said.
