The recent ransomware attacks in Texas, which saw 22 towns breached in one hit, have shaken the nation, the IT industry and the channel. The cleanup is underway, but the damage remains immeasurable at this time, and will likely be so for some time.
We know that MSPs were involved in the IT networks that were affected somewhere along the way, but we don't know to what extent the breach touched those MSPs, either before or after it hit the towns.
If the attacks themselves aren't enough to make you sit up, take notice and review your entire security posture, then perhaps the knowledge that you might be held liable, both emotionally and legally, for such a breach will push you to respond proactively.
But what exactly should you be doing? We spoke to MSPs across the nation to bring you the top five responses to the Texas attacks you should be engaged in right now.
1). Security stack/endpoint protection
It may seem an obvious requirement for MSPs to have their security stack in place and ready to implement at a moment's notice, but according to commentators, there are still plenty of MSPs out there going to market who don't have this.
After the events in Texas, those that don't have a set-up in place need to rethink their strategy and ensure that their stack is ready to go and that it contains certain elements, according to Charles Henson, managing partner of Nashville Computer in Tennessee.
"MSPs must now be sure to have their security stack ready to go to clients. Even if it's not complete, you should go to market, and that should include not just your RMM tools to push out updates, but also you should look at a SIEM product and advanced endpoint protection," he told CPI.
He added that the security stack is critical to ensuring identification of an infiltrated network so that MSPs can know well in advance of a ransomware attack if a hacker is already in the network. This could potentially prevent ransomware attacks like the one in Texas.
"Most networks, the hackers are in there between six and nine months before a ransomware attack is set off. They're pulling data out of the network and they're draining what they want out of it before they set off the ransomware - if they get the ransom, that's a bonus; they already got the data they want. And so MSPs now really have to open their toolboxes and add more tools so that they know when a hacker has breached the system."
Henson is not alone in his thoughts. Khaled Farhang, founder and CEO at Washington, D.C.-based MSP eGuard Tech Consulting Services, points out that after a ransomware attack like the one we saw in Texas, MSPs should be reviewing their security stack and abandoning ad hoc approaches to security.
"MSPs now need to ensure their security stack is fully enhanced to protect the endpoints. They should review and re-review their security stack, as I think there are a lot of MSPs that don't have a true stack. We create a stack by analyzing different software packages to meet different parts of the stack. I think a lot of MSPs are not doing that at all, they're just throwing stuff out there ad hoc, and now is the time to stop doing that."
MSPs should now be giving serious consideration to deploying an endpoint detection and response solution, which Curtis Fechner, principal consultant, threat management at Denver, CO-headquartered Optiv Security, describes as "highly desirable" and offering "significantly deeper insight into the activities occurring on workstations and servers".
2). Education of a different kind
Talk of educating customers about cybersecurity feels as old as the hills, yet still we find that so many companies aren't doing it.
Of course MSPs must step up their education of customers as a direct response to the Texas attacks, but this is not all. Commentators note that MSPs must now ensure that their own staff are fully educated on good security hygiene, as, ironically, this may well be an unaddressed area.
"We often preach to our clients that they need security and awareness training, but MSPs also need to have internal training," George Monroy, CEO of San Antonio, TX-based MSP Monroy IT Services, told CPI.
"I think that even though MSPs have technical people, they're not always very social. And one thing that we're seeing is that social engineering is a big piece of cybersecurity. I've seen many times where techs will sometimes click on something or talk to somebody and maybe share more than they should because they're caught off guard. So I think definitely training internally; and you have to stay vigilant, it has to be constant. We can't just tell our clients that they need security awareness training if we're not running through this stuff too."
Further educational outreach that MSPs should be making in light of the Texas attacks is around credit monitoring, according to Henson. He told CPI that in instances like the Texas attacks where towns and cities are breached, customers trying to pay utility bills, for example, will now have their name, address and social security number, along with perhaps credit card or bank account details, exposed.
"They have all these pieces, and even though this breach did not affect the MSP per se, the people that live in that city, they now have to have credit monitoring in place to know if their identity has been stolen so that they can take proactive measures in working ahead of the hackers to prevent them from using their social security numbers or opening credit cards in their name and things of that nature. So credit monitoring education is key in managing this."
MSPs should also now be implementing multi-factor authentication (MFA) in all their internal systems, Monroy told CPI. This is critical after numerous ransomware attacks that have seen hackers able to attack a high number of targets at once via their MSP, such as the Texas attack, Monroy said.
"Whether it's the place where all their passwords are stored or perhaps the tools that they use to connect to their clients, MFA is very important as a means to tackle this. Oftentimes, what we've seen is that that's been the main reason hackers have been able to get through and attack so many targets at once - because the MSPs didn't have MFA, which would have stopped pretty much all of those attacks. So that's really the number one thing that needs to happen: MSPs need to protect themselves first and foremost, because we are targets today."
Fechner adds that MSPs that are contracted to secure network perimeters should ensure services like this aren't exposed to the internet, and that any external authentication requires MFA. "In those cases, we highly recommend that MSPs configure computer systems to use randomized local administrator password credentials, as well as implementing other controls to limit the likelihood of credential attacks that facilitate lateral movement and remote code execution against additional hosts."
4). Dark web monitoring
Why? Why not? As we all know, when it comes to security, it's not a matter of "if" but "when", so MSPs wondering what they can do in response to the Texas attacks to ensure they're not the next ones to be caught up in such an incident can start monitoring the dark web for any of their or their clients' information that may appear on there.
"To me it's of the utmost importance to do dark web monitoring," Henson told CPI. "I'm not so much on changing your password every 90 days as I am on monitoring the dark web. And whatever services you choose to do this through, you should resell that service to your clients so they know when their software or when their clients' information has shown up on the dark web. It's better to know if somebody has duplicated your key prior to them inserting it into the lock opening the door."
This should be happening "100 percent across the board" at this point, Henson said, noting that MSPs have access to various companies offering the service, such as Password Boss and ID Agent.
5). Partner up
They say there's safety in numbers, and partnering up is a key action that MSPs should be taking in direct response to the Texas attacks. Farhang says that peer groups in particular "play a huge role" in today's total solution, much more so than they have done in the past.
"Security is simply changing so fast and one IT company can't keep track of everything. But if you have a group of 10 IT companies coming together on a quarterly basis, that peer group dialogue is key," he told CPI. "I have picked up at least three or four gold nuggets from my peers that I now know I need to install in my stack to be able to protect my clients."
Monroy agrees. He told CPI that for MSPs out there who feel that they're facing potential attacks like the Texas one alone, partnering can be the key to building security strength.
"You need to find someone else that's an MSP and partner up with them to get help. Because to be by yourself in this environment, it's very dangerous for you and it's very dangerous for your clients. You really just need to partner with other people that are going through what you're going through to solve challenges together and ensure you survive at this point. I think our numbers are shrinking, and part of that is because it's becoming tougher with all the hacks and everything. So you have to partner up with other people. You can't be alone anymore."