It’s easy to miss Borger, Texas. The small Panhandle city of 13,000 is about 30 miles from the nearest interstate and there’s not much to attract visitors outside of a movie theater and a county museum. Its claim to fame might be the fact that it got more snow one winter than any Texas town in history (58.2 inches in 1982-83).
But last August 16, Borger was surprised by another—very different—kind of storm. City employees that morning discovered that they couldn’t access birth and death certificates and were unable to accept utility and other payments. Their systems were frozen. And they weren’t alone. One by one, small communities across Texas contacted the state’s Department of Information Resources with similar, grim news—they’d all been the target of a coordinated ransomware attack by unknown perpetrators.
When the dust settled, 22 Texas governmental entities had been attacked. Local, state and federal authorities converged to investigate, their first goal to find a common vulnerability. Surely there was something to connect them that allowed the perpetrator(s) to attack so many towns—some hundreds of miles away from each other. Ultimately, they discovered the common thread—a managed service provider, more specifically a remote access tool used by the MSP that the criminals used as an entry point into the communities’ networks.
MSPs as a Gateway to Chaos
The Texas attack was not an isolated incident. Increasingly, MSPs and solution providers have become a primary target for ransomware attacks. MSPs might count dozens, maybe hundreds, of small businesses and organizations as customers at any given time. That’s a lucrative door for cybercriminals to try to unlock, according to Robert McFarlane, managed services lead at Sirius Computer Solutions and co-chair of CompTIA’s Channel Advisory Board.
Sirius, based in San Antonio, knows the threat all too well. The company successfully defends itself from cyberattacks “every day, every which way,” McFarlane said. “Anybody that has access into multiple clients is going to be a target. The MSP model by nature is a target,” he said.
So far this year, more than 140 ransomware attacks have targeted state and local governments and health care providers. Add in attacks against businesses, small and large, and the number increases exponentially. When those attacks are exploited through an MSP, hired by customers to be a trusted IT and business partner, it can mean a black eye for everyone in the channel, said Jonathan Blakey, CTO of The 20, a Plano, Texas-based MSP and member of CompTIA’s Channel Advisory Board.
“MSPs are the white whale of data because they have a key to multiple clients and so much of their work is remote,” Blakey said.
In the blink of an eye, ransomware attacks through MSPs can undo all the value and benefits that customers recognize, putting MSPs on the defense—even if they haven’t been breached themselves, said, Juan Fernandez, vice president of managed IT services at ImageNet Consulting, an Oklahoma City-based MSP, and member of the Channel Advisory Board.
“Many IT companies haven’t invested in security best practices. Unfortunately, it’s a conversation we’ve had many times,” Fernandez said.
Evolution of Ransomware Targets
Historically, cybercriminals have targeted large enterprises because they’re bigger and house more data, potentially making them more attractive to attackers. That’s changed because the collective value of an MSP’s customers can equate and even surpass that of a large company, Fernandez said. If even a few pay the ransomware, it’s worth the effort.
“Data is the new gold rush. All of a sudden, there are a lot of SMBs with important data and they’re not as protected,” Fernandez said. “The bad guys think ‘forget those big guys, I’m going to get a bunch of small ones and make some money. Who cares about a denial-of-service attack on an enterprise when I can get lots of SMBs to pay me because I locked them out of their computers.’”
Many MSPs started as traditional product resellers and transitioned to managed services because that’s where the market moved them. But those companies never truly transformed their business and could be ill-equipped to handle complex security issues, said Fernandez.
“A lot of guys are ‘I just fix computers’ but sell themselves as MSPs. They don’t have a well-thought-out delivery model,” Fernandez said. “The good news is they’re educating the market by showing customers that proper security is necessary. The bad news is a lot of companies have to learn a hard lesson.”
Expect Cyberattacks, Any Day, Every Day
A solid cyber strategy requires time and investment. One way that MSPs can protect themselves and their customers is to partner with a company that specializes in cybersecurity, Fernandez said. Build your own cyber skills but leverage a partner until you get there.
“I know I can stand behind my work because I’ve found partners that have the right industry certifications. That allows me to offer services now vs. trying to build it all on my own,” Fernandez said. “If you can’t pass a risk assessment yourself, you should not be offering security services.”
Another absolute for any MSP is to integrate a multi-layer, multi-factor authentication process with clients, McFarlane said. As a large company, Sirius has its own security operations center with 100+ employees, but the organization also relies on a third party to monitor and audit its systems for compliance and safety. “It makes good sense to have an external organization hold us accountable to reduce the risk of being hacked,” McFarlane said.
Customer data is only as secure as the other companies you do business with, especially in the cloud era. Don’t take for granted that a large technology partner is secure because of its size. “You don’t have visibility of your workload on someone else’s network. Some companies are generally concerned about security, some are not,” McFarlane said. “Maybe they tried but couldn’t get budget. Unfortunately, it takes companies getting hurt before they take it seriously.”
Security Is an Investment, Not a Cost
Solution providers—any company, really—should implement a process framework to ensure data protection, whether it’s ISO, NIST or something else, McFarlane said.
“It doesn’t matter which platform, just as long as it’s well documented and scoped out to give you full visibility of an environment. MSPs are often run by technologists but you can’t buy your way into a solution. It needs to be an operational game plan,” he said.
It’s also important to budget appropriate headcount to support cybersecurity systems and map the environment to identify potential risks, both internal and external. “Your risk appetite has to be above your clients and based on what your core target verticals are. If your customer needs HIPAA compliance, you should be above that,” McFarlane said.
The 20’s Blakey concurs about the need for a multi-layered approach. The more layers, the less likely damage can occur, he said.
“We’ve had incidents where perhaps an open port was overlooked but then a potential attack hits the next level of an IP address or country restriction and gets no further,” Blakey said. “Once past that, to access the next thing, an attack would have to crack or phish a password. If they happened to get through that, multi-factor authentication requirement from a physical token would stop the attack. If for some reason, the attack made it to the endpoint, next-gen antivirus would identify any malware and kill on file copy or script execution.”
Meanwhile, potential footholds are being scanned for, he added. If all else failed and ransomware succeeded in encrypting data, a backup/disaster recovery system should be present to restore data to a same day recovery point.
“Layers—they’re always present and always upgrading the technology to prevent against the next thing,” Blakey said.
‘Protecting Is Better than Fixing’
Blakey estimates that 80% of breaches he’s seen are due to compromised passwords. In many cases, it’s because multi-factor authentication isn’t a requirement—or even an option—on a lot of tools and software-as-a-service products in the market.
“Many of these recent headline attacks could have been stopped by simply implementing multi-factor authentication. It’s a deadbolt on the door of your systems,” he said.
In the Texas attacks, it took a week for all 22 government entities just to be cleared for remediation and recovery. The state’s Department of Information Resources wouldn’t comment on the attack, citing an ongoing investigation that now includes more than a dozen agencies including the Department of Homeland Security and Federal Bureau of Investigation. Small business clients might not be so lucky if their MSP isn’t prepared, said McFarlane. “You have to understand that it’s better to spend to protect an environment than spend to fix an environment,” he said.
MSPs simply can’t afford to take an “it can’t happen here” attitude toward cybersecurity. It’s not fair to customers and it’s not fair to other MSPs investing to protect themselves, Blakey said.
“Being vigilant to new, emerging threats means an MSP can be quick to implement new prevention methods that can thwart attacks in the future,” he said.
After all, anything is possible. Like getting 58.2 inches of snow in Texas.
How can the CompTIA Information Sharing and Analysis Organization (ISAO) help you better protect your clients?
Get involved in the cybersecurity conversation. Join CompTIA’s IT Security Community today.