The Kaseya ransomware attack is no doubt a cause of concern for many businesses. After all, ransomware attacks have a devastating impact on their victims; no company would like to go through the same thing. In this article, we discuss the security protocols that MSPs can apply to prevent and mitigate similar risks.
The Kaseya ransomware attack, which is still making headlines up to this point, has been another cautionary tale as to what can seriously go wrong when companies fail to respond promptly to known vulnerabilities.
We are no stranger to the news about the devastating impact of ransomware. It is estimated that over 2,000 companies were affected by the Kaseya attack, while 40 MSPs were hit. The incident resulted in hours of downtime and many of the victims had to shut down their operations for days.
With an attack of this scale, it's no surprise that businesses are worried about going through the same ordeal. Some clients have called us to know what security measures we have, to defend against a similar ransomware outbreak. We've encountered this question frequently ever since Kaseya made the news.
Here at Intelligent Technical Solutions, we deploy a wide variety of security solutions to maintain the integrity of our network. These solutions identify discrepancies in the network, should there be any, to perform immediate action on them.
We also enforce security policies that prevent compromises. We've been doing the same thing for our 368 clients over the past two decades.
This article breaks down the security protocols managed service providers typically implement to protect IT environments against cyber incidents. We'll also talk about the security technologies that we use to mitigate and prevent potential cyber risks. But before that, let’s delve into the Kaseya ransomware attack.
The Kaseya Ransomware Attack
To the uninformed, Kaseya, an IT solutions developer for MSPs, became the victim of a supply chain attack over the Independence Day weekend.
The source of the breach was the company's VSA (Virtual System Administrator) software, a remote computer management tool. An authentication bypass vulnerability in the software allowed attackers to compromise the tool and deliver the ransomware. Hackers were able to proliferate ransomware through automated, fake, and malicious software updates.
A non-profit security research group warned Kaseya of the weakness before the incident.
The threat actors responsible, the Russia-based REvil group, demanded a $70 million ransom to release a universal decryptor. Fortunately, Kaseya did not have to pay the ransom and received help from a third party to restore the environments of the impacted organizations.
MSPs are a perfect vehicle for ransomware as they have extensive access to their clients' networks. Kaseya's software is used by many MSPs, which makes it easy for attackers to distribute the malicious payload.
Seeing the potential impact of MSP (managed service provider) attacks, many hackers are getting busy finding their next targets. According to recent news, hackers are off in a race to look for similar weaknesses.
Why MSPs Are a Target of Cyber Attacks?
MSPs provide support for an array of IT-related services, from the remote management of end-user systems to back up their data. They are a valuable target for malicious actors as they have direct access to their customers' networks and data.
The business of MSPs has rapidly expanded during the Covid-19 pandemic due to the rise of remote work. Figures show that spending for managed services is expected to grow from $173 billion to $296 billion by 2023, translating to an estimated compound annual growth rate of 11%. This rate is higher than the rest of the IT market segments.
The growth pace was strong among MSPs as more small and medium businesses entrust their IT to them. An accelerated shift to cloud services is cited as a common reason for the increased need for MSPs.
The massive growth in the industry also presents some challenges to MSPs. Cybersecurity is a primary concern among 34% of MSPs.
As MSPs gain more clients, they are also opened up to higher security risks from vendors, customers, and partners. Supply chain and third-party vendor attacks are becoming all too common among MSPs, as the market is deemed lucrative for cybercriminals.
For instance, ransomware as a service (RaaS) operations like REvil, which have been advertised in dark web forums for some time, have earned $100 million in 2020. The highest ransom paid this year by a company for their data was $40 million.
4 Security Standards MSPs Have to Prevent Breaches
The Kaseya ransomware attack is indeed a wake-up call for the MSP market to proactively protect their IT infrastructure. "We are constantly evaluating what more we can do to become more secure and safeguard our clients," said ITS Operations Director Peter Swarowski.
Outlined below are the specific measures that managed service providers typically have in place to defend their network against similar cyber attacks:
1. Patch Management Policy
Like any other good MSP, ITS has a patching policy where it applies security updates to systems such as its remote management and monitoring (RMM) system on an ongoing basis. This helps protect us from known exploits from previous versions. Swarowski said they also check daily for any published news from the vendor about new patches and security fixes. "If a fix comes in for anything urgent, we will patch the system immediately," he said.
2. Cybersecurity Solutions
Like any other proactive MSP, Swarowski notes that ITS is always thinking about ways to help mitigate zero-day risks. He says they are investigating various products, including one that acts as a reverse proxy for the incoming agent traffic for our RMM. Another product is a web application firewall that would sit in front of the RMM application.
In addition, ITS deploys several security software within its infrastructure, most notably anti-breach and anti-foothold detection software. The company also uses endpoint detection and response (EDR) software.
The company is working to move to a zero-trust infrastructure in its methodology. It is one where all access to systems is verified, and no endpoints are considered secure. "We have this on all our internal machines where they must pass a health check before being allowed access to the virtual private network (VPN) or any corporate resources," Swarowski said.
3. Security Awareness Training
Like most MSPs, ITS conducts regular security awareness training internally. The company does internal phishing campaigns to ensure our staff is properly educated in identifying phishing emails and other cybersecurity best practices.
4. Security Information and Event Management (SIEM) Products
Finally, the company deploys a SIEM tool that sends device login information to Microsoft. Microsoft's solution looks for abnormal user behavior, such as when users access the network from a new IP or timeframe.
Bolster Your Defenses Against Cyber Attacks
Suffering a sophisticated cyber incident of the same magnitude as the Kaseya or WannaCry ransomware attack will be devastating for any business. Operations can shut down for weeks, and the financial implications of that may be challenging to bounce back from. Some companies may never even recover from an attack and close up shop.
At ITS, we have cybersecurity protocols and systems in place that ensure our IT infrastructure is protected from any compromise. We take the appropriate steps to protect our company's data security and privacy and our clients'. If you want to learn more about how we keep our network secure, including our clients, read this piece on how we identify potential security risks.
