Interview with Kevin Mitnick on SMB security

by Nic (Spiceworks) on Jul 31, 2012 at 10:21 AM

kevin mintickWhen Stu Sjouwerman from KnowB4 announced their partnership with Kevin Mitnick, famed computer hacker turned security consultant, I thought this would be a great opportunity to interview Kevin about his security work and get his insights on SMB security. I got question suggestions from the spicy peppersand spoke with Kevin by phone to get his thoughts on what is important for an SMB IT pro:

Tell us a bit about yourself and the work you are doing with Stu and Knowbe4

I used to be a hacker, but I did it for the challenge of it rather than the money. I wrote a book about it called the Art of Deception that covered a hacking technique called social engineering. This is a methodology to break into systems by fooling people into giving up passwords and sensitive information. I now work in security consulting teaching people how to defend against hackers.

Stu approached me a year ago to join forces with him and develop a product to help businesses defend themselves against social engineering. The goal was to develop a training program to educate employees on what to look for – teach them how to identify suspicious circumstances so they can know how to defend against them. We spent eight months developing our video training program. It’s a holistic program to train users how to identify and respond to phishing emails, messages, IMs, Google chats, Facebook links, etc. We want to help them identify what types of red flags exist in these requests to open an attachment or click on a link.

There are three areas of security we focus on: people, processes and technology. There are a lot of good technology solutions out there, but what we found is most lacking is the people aspect. We’ve discovered it is really hard to distinguish the good from the bad. Hackers can make bad links and emails look quite legitimate. How do you ask good questions to ferret out the truth, and reduce the risk? The technique isn’t 100% effective, but it raises the bar a significant percentage. It’s important to invest some budget in the people area; this 90-second video can help you get that budget.

What’s the best piece of advice that you can give to an SMB IT pro?

I know this is a shameless plug since that is what I do for a living, but they should hire a consultant to help. A lot of small businesses don’t have the internal resources to manage security properly. A security consultant can help them decide what they need, and if necessary, help them install it and set it up. The best thing for an SMB IT pro is to outsource this aspect.

As part of that security consultation, they should get a security audit. Any type of website, backend database or server – anything with an IP address – should be reviewed by a skilled auditor. It’s important to find a company that you trust and whose auditors are well trained. Due to high demand for security consulting, we’ve seen some penetration test companies pop up that don’t have the skills and training. For instance, one of my clients had a less experienced company do a security audit, and then we came in and found a bunch of things that the previous company didn’t.

Vet them well to make sure they know what they are doing. Talk to them, get a sample report, read their proposal, and spend some time shopping around. It’s like when you go shopping for a car – don’t just look at the body design. Dig deeper to make sure you are getting a vehicle that runs well.

How about the things they can do on their own?

For a business of any size, there is the no-brainer stuff: firewall, antivirus, and good patch management. Patch management is critical; businesses are often afraid to update because it could possibly break something. They might turn off updates, but those updates are essential to keeping systems safe.

Password management is important. A lot of times during audits I find that people use the same password everywhere. If you can phish them to a site, then you can steal their re-used password. For instance if they like car racing, create a fake car racing site and advertise it on Facebook. Lure them to your site and get them to create a profile. Now you have the password that they use everywhere else. The best way to avoid this is to use a password vault. You can use a hosted one, like LastPass or a locally stored one like KeePass. These allow you to manage all your passwords by having one master password and storing all the rest in an encrypted database.

Educate your users about good password management as well. A lot of people toggle between two passwords when forced to change them every 60 or 90 days. If they like the Detroit Tigers or the LA Dodgers, then they might use that as their password and just add a 1, 2 or 3 at the end each time they change their password. When I do audits I can pick up on those patterns quickly and easily.

What are other key security practices?

Access controls are important. Only give people access to information assets they need for their job. In many small businesses, employees have access to everything, which is not a good practice.

Make sure you audit your network, including all servers that are exposed to the Internet, to make sure they are secure. Audit those systems through penetration testing, which is what my company does. For example, Citibank had an application that was Internet facing and had a security flaw. There hadn’t been any security assessment on this application and 200,000 customer accounts ended up being compromised.

Use software to monitor what is being sent off your network, so if you are compromised you’ll catch them sending it out. This is a key part of a layered security strategy.

Segment your network so it isn’t flat. All the sensitive data should be contained on one network segment, so you have layered defenses.

Have a response plan. What should people do when there is an attack? Who are they going to call? Who is first point contact? Is it the IT person? Is it their security company?

If you were in your teens today do you think it would be easier or harder to do what you did?

It would be easier today because the tools available are so much better. Back in my day we wrote our own scripts. In today’s world you can download hacking tools and there are many books on penetration testing. You have all this information and a hacking community at your fingertips. On the other hand, back then there was less security awareness. These days companies are starting to deploy better security process in their environments. But overall it is easier today, especially because you have a target-rich environment. This is true especially with mobile devices like tablets and smartphones. Mobile devices are the next biggest target.

Are hosted services more or less secure than doing it in house for SMB?

Some hosted companies have terrible security and some have their act together. I was with one hosting company where my website got hacked three times. I finally moved to a company that focused on security: FireHost. Since it has been hosted by them there have been distributed denial of service (DDOS) attacks, but no actually hacking into my site like before. I recommend FireHost as a web hosting provider.

When evaluating a hosting company, go with a hosting provider that requires VPN access, that has intrusion detections systems, and that has constant monitoring for malicious traffic. You need to make sure they have a good perimeter defense.

If you are using a hosted service, do your own penetration testing on your own website or other service. Get the hosting company’s permission first, and then have a penetration test done by an independent company. I’m doing pen testing for a large company right now who has a hosted e-commerce site. We had to get special permission from the ISP and the hosting company. They set parameters that we had to comply with during the test.

Bring Your Own Device (BYOD) is popular these days – what security issues do you see around that?

BYOD definitely increases risk. If I’m an attacker, I attack the weakest environment. Attack their home network first and compromise their home machine. Then when they take the machine back to the office they are infected with a rootkit. There are solutions on the market to identify infected machines, but I don’t think those tools are effective enough yet. Typical BYOD security software usually just runs an AV scan when you connect to the network. There is a need for more maturity in this security space, as right now it isn’t too difficult to bypass those controls.

What is your favorite brand of peanut butter? (note: Kevin chuckled heartily at this question, so thanks to RobWJPR for the suggestion :)

Reese’s peanut butter cups. I like my peanut butter surrounded by chocolate.

Thanks, Kevin, for taking the time to share your knowledge and experience with us.

If you liked this interview, check out other ones we’ve done here. We’ll be doing more interviews like this one, so please let us know if there are other notable folks in the IT field that you’d like us to talk to.

After reading Kevin’s recommendations, what’s your biggest “aha” moment? What are you immediately going to go change about your security setup?