Early and Quick Thoughts on Kaseya Lessons Learned

From the perspective of MSPs and their SMB clients, the Kaseya compromise was not about cyber security hygiene. Even companies with a good security program, including up-to-date patching, could have been compromised. That’s why so many in the industry recommend a “breach mentality”. The “breach mentality” poses the question:

“What will you do WHEN you are compromised?” Notice it’s WHEN, not IF.

When we assume compromise, the importance of “respond” and “recover” becomes paramount. The simple reality is that some threats are unavoidable. We need to anticipate this possibility and be ready to respond.

We need an incident response (IR) plan that covers all aspects of our business. Not just how we’ll address the IT/cyber incident itself, but also: who is on the response team? How do we communicate with our clients, investigators, the press, our employees?

Do we know how to decide whether to pay the ransom? Did we test our data recovery plan? And so many other issues. Notice a key element of the above questions: it’s about so much more than IT. It’s HR. It’s PR. It’s legal. It’s leadership. It’s about people and process, more than technology.

Many will criticize Kaseya, perhaps some of it deserved. But one thing is clear from observing their response to this incident: they clearly had an incident response plan. Their response has been deliberate, with pre-planning and significant communication. This very likely reduced the impact dramatically by helping some MSPs take immediate action before they were breached.

A second lesson is more fundamental.  Every company needs a deliberate understanding of their specific business and data risks.  This is not one-size-fits-all. Some businesses will prioritize availability, while others confidentiality, or integrity. We need to prioritize to address the highest impact threats.  We need to make deliberate decisions on the capabilities and software in our “stack”, as each one has implications for our attack surface and our vulnerabilities.  In short, if you haven’t done a risk assessment, you need to do one now.  We can help with our “Essential Risk Assessment” for SMBs.

A sophisticated attack like the Kaseya breach garners lots of attention.  We see that even the most prepared and diligent companies can be affected.  Let’s hope the many MSPs and SMBs who haven’t done basic cyber security hygiene are watching and motivated to act.

Have your clients asked for help with a data security addendum or questionnaire?

Question 1 from our recent article “5 Cyber Security Questions MSPs Should Ask Their Clients”:

MSP to Client: “Have your prospects or clients started requiring a data security addendum, a security questionnaire or included security as an RFP requirement?”

Cascading compliance requirements are among the biggest drivers of rigorous cyber security planning. More companies are focusing on vendor risk management. They want to ensure their suppliers don’t put them at risk. (Hint: The recent SolarWinds supply chain attack will play big in this area.)
Information security compliance regulations are coming your way, sooner or later.

Asking for help with a data security addendum is an indication the companies and their clients are concerned about cyber security.

What other information security compliance questions should clients and MSPs discuss?

Small and medium businesses are quickly ramping into the information security compliance pool. Publicity around security breaches captures the attention of both their enterprise clients and regulators. As a result, a data security addendum becomes a routine part of evaluating potential suppliers. Typically, a company’s first response is to ask their Managed Service Provider (MSP) or IT team for help. This is an opportunity for the MSP to open a broader security discussion. And a security discussion leads to more business for the MSP.

A good security conversation is more about business issues than products or services. There are major implications of a security breach or responding poorly to security questions. These have a direct impact on the company’s brand, reputation and revenue. Helping your clients can help them win the deal. When the underlying IT security products and services tie directly to business issues, the Return-on-Investment (ROI) is clear.

Find out more security questions to ask clients and start the discussion.

“I’m too small to be a cyber security target…”

We hear this all the time.  Consider, why would hackers target a small or medium-sized business (SMB)? 

#1.  Because They Can

Like many crimes, cyber attacks are often a crime of opportunity. SMBs are often a “soft target”, having employed fewer preventive and restorative controls than their enterprise counterparts. Bad actors often cast a wide net, looking for the easy target: a company that has not patched its software, changed default configurations, or trained its employees to counter social engineering attacks. If you haven’t identified your cyber vulnerabilities and taken action to remediate them, you might get caught in the net. Once the attacker identifies and exploits a vulnerability, it’s just a question of whether it’s worth their time to hold you for ransom, defraud you, or simply vandalize you.

#2.  Because Your Customers Are a Target, and YOU May be THEIR Vulnerability

In more sophisticated attacks, the criminals look for a path to penetrate larger players… and you may be it.  We see examples of supply chain attacks often, where a supplier is either deliberately or opportunistically targeted as a path to the larger target.  And if we put testimonials or client case studies in the public domain, we may even help the bad guys identify our connection to the ultimate target.

Though few of us fit into the scale of the SolarWinds attack, it’s a real-time example of a supply chain attack using a vendor to penetrate the ultimate target. In the SolarWinds case, the targets were the US Government and 18,000 other (likely enterprise-level) clients.

How Real Is The Threat? 

That’s an important question and one that we always evaluate in a formal risk assessment. Here are just a couple of stats from late 2019. It has not gotten better in 2020.

  • Forty-three percent of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves, according to Accenture.
  • Cyber security incidents cost businesses of all sizes $200,000 on average, according to insurance carrier Hiscox.
  • Sixty percent of these companies go out of business within six months of being victimized.
  • More than half of all small businesses suffered a breach within the last year.

What can you do?

Start with the basics.  Ask your IT team or Managed Service Provider (MSP) about your security vulnerabilities and what is currently in place on your behalf.  Here’s a great set of questions to start with. https://cisomag-eccouncil-org.cdn.ampproject.org/c/s/cisomag.eccouncil.org/21-questions-managed-service-providers/amp/

Don’t forget to take a look at the “low hanging fruit” you can do yourself.  You can find our “5 cyber security tips for small businesses” on the Arizona Commerce Authority website. https://www.azcommerce.com/small-business-boot-camp/week-24/top-5-cybersecurity-practices-for-small-businesses/

What Else Should SMBs be Considering?

First, anticipate that more cyber security regulation is heading your way. It may be private regulation, as your larger clients implement their own Vendor Vulnerability Management plans to ensure you don’t put them at risk. Have you seen cyber security questionnaires coming your way in RFPs or in the sales process? You will.

Second, if you do business with the government, watch for the regulation to come faster and more formally. The best current example, beyond the familiar HIPAA regulations for healthcare, is the Cybersecurity Maturity Model Certification (CMMC) for defense contractors. This Department of Defense (DoD) security regulation is rolling out now to all DoD prime and subcontractors. With the recent successful breaches of federal agencies, such as the Treasury and Energy Department, regulations are likely to expand quickly beyond the DoD. States will not be far behind. Our best guess is CMMC will be a key part of these broader regulations.

Finally, consider a third-party security assessment from a company such as ourselves, Cosant. The scale could be anything from a vulnerability scan to a full Risk Management and Business Continuity Plan. In addition to the tactical vulnerabilities, we’ll help you identify what regulations are headed your way and when, and build you a roadmap. We can also share how to ensure security questionnaires don’t slow your sales process down with our executive report, “Data Security Requirements for Winning RFPs”, https://cosant.com/top-5-data-security-requirements-for-winning-rfps/.

Stay safe out there.

MSPs as a Cyber Security Risk

Is your MSP a security risk? If you’re an MSP, do you have cyber security vulnerabilities that put your clients at risk?

It seems like a strange question, right? We think of the Managed Service Provider (MSP) as part of our cyber security solution, not part of the problem. And indeed, MSPs are part of your security solution. But that doesn’t mean we can ignore the cyber security risks of these service providers. In fact, your MSP may be among the most important suppliers whose risk you should analyze, to ensure they are not a vulnerability. They manage your network. They have unique IT privileges and access. If they have a cyber security incident, how does that translate into your cyber security?

This is increasingly important, as bad actors know that breaching an MSP may be a path into dozens of their clients. Strike once, ransom many. To keep you and your data safe, MSPs need to employ the same or more cyber security plans as you.

A key part of a cyber security plan is the vendor risk management program.  In this program, we assess the vulnerability of our key suppliers to minimize the risk of them being the source of a cyber security breach.  Just as we increasingly see security questionnaires as part of our RFPs, it’s time we apply the same rigor to our MSP.  

Here’s an interesting article that advances 21 questions you should be asking your MSP. Below are the summary questions, though the full article goes into more detail on each.

1. Is the security program based on a publicly vetted framework?
2. Is an internal Information Security Officer designated?
3. Request a copy of the information security plan (under NDA).
4. How are clients’ compliance requirements supported?
5. Is work subcontracted? How are contractors bound?
6. What background checks are conducted?
7. If you have export control requirements, are all staff US Persons?
8. Do employees have cybersecurity credentials such as CISSP or CISM?
9. What security technologies are employed on internal systems and infrastructure?
10. How is risk assessed and managed?
11. Where is client data stored? Examine network diagrams, configurations, and knowledge base articles.
12. Are regular vulnerability scans of its environment done?
13. How are configuration changes managed?
14. How do they manage access to your environment? Review infrastructure, location, responsibilities, vendor relationships, access controls and data segmentation among clients.
15. What are practices for managing privileged account credentials, private keys, and other secrets?
16. Are access logs of remote connections to their clients’ networks retained?
17. Is a security operations center (SOC) maintained or sub-contracted?
18. What are the backup and recovery strategies, not just for your business, but for THEIRS?
19. Are security controls routinely tested (e.g., penetration testing, red teaming, security controls validation)?
20. Are they prepared to respond to security incidents with a deliberate, written and tested plan? Request details of the incident response plan.
21. Are third-party services retained to respond to a breach of its own systems or client systems?

Manufacturing equipment cyber attacks

Why is manufacturing equipment particularly vulnerable to cyber attacks?

CISA (the Cybersecurity and Infrastructure Security Agency) issued an ICS Alert on November 17th, calling out a particular vulnerability in critical manufacturing equipment. Industrial Control Systems (ICS) are a too-often overlooked cyber security vulnerability in manufacturing. You can see the alert here for the technical details.

Our immediate interest is in highlighting the broad-based tendency for increased security vulnerability in manufacturing equipment. For those industries directly involved in critical infrastructure, cyber security is a given. However, the vulnerability spans much wider than critical infrastructure, such as power plants or transportation. Common manufacturing equipment, such as CNC machines, is increasingly a target of cyber attacks. That’s because it is unusually vulnerable.

Manufacturing equipment often has a lifespan significantly longer than the underlying computing equipment that controls it. We hear too often about manufacturing equipment running on outdated Windows XP computers. And therein lies the problem. Old operating systems are not updated (patched) to keep pace with current cyber threats. This could be due to expensive software licenses tied to the manufacturing equipment, or simple oversight of this vulnerability. This, coupled with the tendency to connect everything to the network and/or Internet, creates the unique vulnerability for manufacturers.

What does this mean for manufacturers and their IT partners? 

You and your IT team (internal or your Managed Service Provider (MSP)) need to pay particular attention to these vulnerabilities.  If your operating systems are outdated, or other hardware has vulnerabilities, this can not only be a threat to the availability of the manufacturing equipment (denial of service attacks), but can also expose a path into your broader network and associated data. 

Ideally, your manufacturing equipment is patched and updated on a similar cadence as your computing equipment.  However, if you can’t achieve that for expense or other reasons, you can plan other remediation, such as isolating the equipment from the network and particularly from the Internet. 
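One way to verify that the isolation above is actually holding, as an added example that is not from the original post: check firewall flow logs for the legacy OT segment and flag any machine that reaches the Internet, initiates traffic into the corporate LAN, or receives inbound connections from anything but the designated maintenance host. The subnets, the jump host, the log format and the sample lines are all assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed network layout for the example (not from the post).
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")        # isolated cell holding the CNC/XP hosts
MAINTENANCE_HOST = ipaddress.ip_address("10.10.5.20")    # the one engineering jump host allowed in
ALLOWED_INBOUND_PORTS = {3389}                           # RDP from the jump host only
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (203.0.113.10 is a documentation address standing in for the Internet).
SAMPLE_FLOWS = """\
2021-07-06T08:01:12Z src=10.50.0.15 dst=10.10.5.20 dport=445 action=allow
2021-07-06T08:02:40Z src=10.10.5.20 dst=10.50.0.15 dport=3389 action=allow
2021-07-06T08:03:05Z src=10.50.0.15 dst=203.0.113.10 dport=443 action=allow
2021-07-06T08:04:51Z src=10.20.3.7 dst=10.50.0.22 dport=445 action=allow
2021-07-06T08:05:10Z src=10.50.0.22 dst=10.50.0.15 dport=502 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def is_internet(addr):
    """Anything outside the RFC1918 ranges is treated as the public Internet."""
    addr = ipaddress.ip_address(addr)
    return not any(addr in net for net in RFC1918)


def classify(line):
    """Return a violation label for one flow record, or None if the flow fits the isolation policy."""
    m = LINE_RE.search(line)
    if not m:
        return None  # unparseable line: ignore rather than guess
    src, dst, dport = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), int(m.group(3))
    src_ot, dst_ot = src in OT_SEGMENT, dst in OT_SEGMENT
    if src_ot and dst_ot:
        return None  # machine-to-machine traffic inside the cell is expected
    if src_ot and is_internet(dst):
        return "ot-to-internet"  # the legacy host reached the Internet: isolation has failed
    if src_ot:
        return "ot-to-corporate"  # the legacy host is initiating into the corporate LAN
    if dst_ot and (src != MAINTENANCE_HOST or dport not in ALLOWED_INBOUND_PORTS):
        return "unauthorized-inbound"  # someone other than the jump host (or a wrong port) got in
    return None


def find_violations(log_text):
    """Return (line number, label) for every record that breaks the policy."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        label = classify(line)
        if label:
            hits.append((number, label))
    return hits
```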

For more information on manufacturing vulnerabilities, including evolving CMMC requirements, we invite you to reach out for a discussion.  Contact us here.