In October 2018, and again in December of 2018, the Department of Homeland Security and the FBI posted alerts about ongoing cyber-attacks against managed IT service providers. Since then, hundreds of businesses, hospitals, and governments have been temporarily shut down, paralyzed, and forced to pay hundreds of thousands of dollars in ransom.
How are these two seemingly unrelated situations related? It was the Managed Service Providers (MSPs) who inadvertently allowed these infections and resulting ransoms to occur due to a combination of lax security standards, lack of process and procedure, and reliance on low-cost, ineffective security solutions that don’t look for modern threats. Most recently, a Colorado-based MSP with a focus on dental practices mistakenly exposed 100 of its clients to ransomware, due to its lack of proper security measures.
The reality is that Managed Service Providers hold the keys to the kingdom: passwords, remote access, management, and security are generally provided by the MSP – and this makes the MSP a high value target for malicious actors. MSPs rely on third party vendors to provide security and remote management solutions, and mistakenly believe that these solutions are “set it and forget it” tools. They’re also focused on solutions that fit within a prescribed budget, whether those tools are the best solution or not. Even when they do have the right tools in place – many MSPs fail to dedicate the necessary time to train their team on best practices, proper management, and to stay aware of the latest threats and adapt accordingly.
Malicious actors take the path of least resistance, and when they identify an MSP or end user who hasn’t enabled two-factor authentication, uses simple passwords, uses unsupported or unpatched versions of Windows, or has exploited vulnerabilities such as RDP open to the world – they go to town looking for a way in. Highly targeted email phishing campaigns are very effective when cloud based email solutions (Office 365, Gmail) do not have proper alerting and suspicious login tracking enabled.
The hacks referenced above were the result of malicious actors taking advantage of a combination of failures: lack of two-factor authentication, lack of login auditing and alerting, and no documented procedures for proper security management. Adding to these failures is the irony that in many cases, it was the antivirus solution that acted as the vector for the malware to infect the end clients.
The question that everyone has to ask their current IT vendor is: how are they securing their network and systems to prevent this from happening to you (their client)? At Ashton, we’ve employed two factor authentication on critical systems for almost a decade. We also deploy synchronized security solutions from Sophos, which provide active monitoring of firewalls, endpoints, and email, and proactively alert and block malicious communications that lead to ransomware infections. We have invested in the time and training of our entire team to identify security risks, mitigate them, and follow process and procedure that helps reduce threats for us, and our clients. Critically, Ashton underwent a third party security assessment (penetration testing) throughout 2019 to ensure that we are operating with a security focused mindset and are following best practices.
All of Ashton’s clients receive the same endpoint security solution: Sophos Endpoint with Intercept X. This ensures odd behaviors are monitored and caught, malicious traffic gets blocked, and ransomware infections are stopped dead. None of this is inexpensive, but it’s in our DNA to do what’s right to ensure our clients are protected.
