By Haley Clark, Domain Computer Services
The complexity and sophistication of ransomware attacks continue to rise. We’ve seen a dramatic increase in people reaching out to us in the last few weeks because of attacks their current IT service provider couldn’t handle.
But even more dangerously, we’re hearing some hackers are aiming for bigger fish to fry. MSPs, among their peers, have begun to whisper about the increased vulnerability they face. The hackers have come for them.
It makes sense. Let's say you're a hacker, wanting to find the easiest and quickest way to cause mayhem and earn cash. You could discover a vulnerability in a single business and exploit it, or you could discover a vulnerability in their MSP and end up with a dozen other companies to wreck.
The result is a severe increase in the number of MSPs facing ransomware challenges. As the New Jersey Cybersecurity & Communications Integration Cell reports, a ransomware known as Sodinokibi has recently targeted MSPs that did not update a common software.
It's scary for everyone involved. Obviously, an MSP's clients are placing trust in their provider to be as secure as possible and protect them from incidents such as this. At the same time, an MPS’s livelihood as a business relies on its trusted reputation, leading to a widespread issue where they choose not to inform their clients about problems in the industry such as Sodinokibi.
We don't think it's useful to put our heads in the sand, whether internally or externally. Part of being an MSP is acknowledging your risk as a target so you can better plan for it. We are always evaluating our processes to stay on top of vulnerabilities as technology and cyber-attacks evolve. This is no different. While we plan with our team, we also want to inform you about what we're doing to keep our business (and clients!) secure.
Patching. Patching bugs and vulnerabilities remains one of the most significant ways to protect your business. Many hackers are working with exploits that have been discovered and fixed in an update. Regular patching and monitoring is a foundational part of any provider's mission to create a preventative IT strategy.
Removing old software. Look out for that extra program on your computer, lying dormant on the desktop. “Yes,” you might say, “I don’t ever use it. I haven’t opened it in months, maybe even years.” What you don't know is that software is a hacker's dream. If your computer is still connected to the internet (which obviously it is if you’re reading this article) or your internal networks, your device and network are at risk — even more so if it's older, unpatched, and unchecked.
Getting two-factor authentication (2FA) on all devices. Instead of simply using your password, use another form of authentication such as a code from a text message, approval from an app like Duo, or a physical dongle. While hackers can get clever — attempting to hijack your phone number so texts come to them, for example — 2FA remains one of the simplest ways to increase your security. And in today’s world, every provider should be using it.
Review admin rights. This is a big one. For MSPs, sometimes in order to solve an issue you have to set up admin credentials on a user’s device. What's dangerous is letting these credentials lurk around for longer than they need to. Doing a review of what admin rights are out there is absolutely imperative.
Secure admin account access. Sometimes admin access is necessary to maintain and manage the IT environment. This admin account privilege should be limited as much as possible. When possible all admin access, tools and consoles should be limited to internal networks and not exposed to the public internet.
Lockdown software. It's simple: Your software should only do the baseline of what it needs to function. Sometimes, software adds extraneous features that can offer opportunities for dangerous exploits. For example, the Sodinokibi ransomware took advantage of a remote management feature that was likely rarely even used by the impacted providers.
Password changes. One of our most common requests is to change a user’s password because they are locked out of their account. When those requests come in, it should always confirm your identity through an “out of band” communication. For example, you contact support via email, then the engineer who makes the change should confirm outbound via phone. It is completely possible for someone to hijack your email or simply call in pretending to be you and request the password change on your behalf.
These security measures can be cumbersome. Switching to 2FA for example is almost guaranteed to come with some grumbling as you reach for your phone. For our team, some of the things in this article make their jobs just a little more troublesome. They add another step. It can frustrate our users because they have to ask permission, etc. However, the slight drawbacks you or I face is offset by the increased security they provide.