MSPs are an Attack Vector


As an MSP, many of you provide cybersecurity to your customers and have a mission of staying ahead of the bad guys (easier said than done). With all of the threats that have presented themselves over the years, including Kaseya (2018), ConnectWise (2019), Webroot (2019), Ninja (2019), and SolarWinds, many MSPs are wondering what is next.

Although we can't say what is next, there are a couple of things you can be doing today to protect yourself and your clients. First, start by knowing and understanding your vulnerabilities and what needs to be done to maintain and secure them. Next, in a security world, if you're thinking security first, the rule is trust but verify: constantly reverifying the trust, not relying on an implicit trust that's always there. Watch and learn as Dave Sobel shares what you should do to protect yourself and your clients.

Dave S July 2021

 

Video Transcription

Harry Brelsford  0:05 

Hey, Nation Nation, Harry here back with Dave Sobel. And Dave, I look, first of all, how you doing? Welcome back.

Dave Sobel  0:13 

Thanks for having me, always fun to chat.

Harry Brelsford  0:16 

I always look to you in a changing industry and will on all sorts of levels, but you're able to provide the landscape and the context. So we're talking cybersecurity hacks against MSPs. The flavor of the day, what's the story? You're saying? Let's say the first rodeo and people are thinking the sky is falling here?

Dave Sobel  0:36 

Yeah, I mean, obviously, we've been talking recently now about Kaseya. Right. And, and I mean, like, I always, always say, like, I feel, I feel for everyone involved. You never, you, these are criminals that are attacking people. Let's start with that. Right. What I've been digging into, though, is putting that aside, and we want to handle that set of issues, I want to put this into some kind of context, because the, this is a big deal, right? They obviously have a shutdown. But I want to look at the history a little bit and go, I can understand why everyone is so surprised when I look at the history here. Right? So CISA, the CISA was the group that gives us warnings, they warned on October 3, 2018, about active attacks against managed services providers using the toolkits that managed services providers use. 2018 was three years ago. ProPublica also did a deep dive on this and put out like literally the warning of like how this will all happen and how it will all go down. Oh, and by the way, this isn't the first one. Kaseya had a breach in 2018. Then ConnectWise had problems with our software in 2019. ConnectWise had a breach in September 2019. Oh, and one in November 2019. Oh, and Webroot had one in June 2019. Oh, and by the way, MSPs were used, you know, like Ninja was used, that was not a supply chain attack. But Ninja was used as an entry point to deploy ransomware when, you know, July 2019. Oh, and by the way, I don't know, SolarWinds, anybody? Like, like, you kind of have to smile and go, I get it. I understand the pain. But I don't entirely understand the surprise. It is this "Oh, it couldn't happen to me" style surprise. Well, it's happening to you. And by the way, this thread has been going on for a while now. Maybe we haven't been talking about it enough. But to act like it hasn't been talked about, I'm not quite, I'm not willing to cede that ground here. So to put it into context, I get it. I get that people are now reevaluating this, but don't think this is new.

Harry Brelsford  2:56 

Yeah, yeah. My take, and again, at the high level, is what's been occurring the last several months is it brings back actually some trauma. You're aware, I grew up in Alaska, and I finally moved to Seattle in the late '80s, after working on the Exxon Valdez project, so I had a little pocket change to put myself in business and move. But boy, howdy, that was a corkscrew from a PR point of view and a disaster point of view. And this, this mirrors some of the trauma, yeah, that I felt in that era. You know, you have these big companies that get ahead the shift in the crisis communications, it happens. I'm kind of with you. I don't think you should capitalize on someone's misery.

Dave Sobel  3:45 

Nope. Not even. I get, I should be talking about, what we should be talking about, what's next. Right? And we want to, and I always say like, look, I'm not worried about the vendors. They're fine. They have giant pocketbooks, and they will figure out what they need to do. What I like to talk about is what does a small to midsize provider need to think about? And I really think they need to be to two major things. The first is that they really need to be reexamining their philosophy of the way that they engage with vendors, right? They are inclined to always trust, that has been the way that they go, and they've purchased tools and products that they use that they just trust. Well, in a security world, if you're thinking security first, it is trust but verify, and it is constantly reverifying the trust, not an implicit trust that's always there. You're putting these tools with godlike power into your customer bases, and then just assuming it'll all be fine. Like, that's the decision you the provider are making. It's not a blame on the vendor, it's a decision you are making. Good point. I think about that. And by the way, think about the downside of this: you're putting a tool with godlike powers into all your customers that combines all of your customers into a single entry point of which an attacker can get in on. By the way, in a roll-up world, you're combining yourself with all of the other MSPs that also use that tool. Yeah. Like, let's, that is a statement of fact. Now you may make a choice that it is worth running your business, taking that risk using those tools. But don't think that there's no downside to this. And you've got to have designed, what is my mitigation strategy to deal with all of my vendors? I'm not just picking on one, I'm saying you're making decisions about this.
And that leads to my second thinking. I really do believe that the core business value of these small, mid-sized providers is helping small companies with their technology. Embedded in that statement is nothing about must use an RMM, must use a PSA, must deliver. You really should be thinking about what value you want to blend bring to your customers. Because I don't really want people to be clinging to a 10 or 20 year old value. Let's talk about patching for a quick second. Patch management is a really different thing in 2021 than it was in 2001, or even 2011. These aren't these risky patch things. Patches just happen. In fact, what's interesting to me is when we dig in, the UK's National Cyber Security Centre has actually come out, their technical director has explicitly said, "Oh, just turn on automatic patching." Like, just turn it on, just automatically patch, don't worry about it. That's what you should do now. And there's a ton of providers now that are cringing, like, "Oh my god, I can't possibly install it." If your story about like the blue screen of death on a patch dates back to Windows NT 4, maybe your data is a little out of date, maybe that's not quite how it works anymore. And you know, and I say that from a place of I want everyone in this community to thrive. Don't cling to a 20 year old principle, because technology has well moved beyond that. And so I really want people to take a look at their own core value, decide what really is important and how they're going to do that, leveraging that second idea.

Harry Brelsford  7:56 

I like it. Well, hey, I'm gonna have to end on that. But we'll, uh, I want to double click into that rethinking how work works for the MSP. So I'm going to make a side note. Next time we circle back to you, well, we'll pick it up from there. But thanks for the overall perspective of the MSPs is an attack vector by the bad guys. All right, keep it safe out there.

Dave Sobel  8:22 

Stay safe out there. All right.