Kaseya had a bad July. The vendor, who sells solutions to Managed Services Providers (MSPs), learned over the July 4th holiday weekend that some servers running their software were taken over and distributing ransomware to the clients that were being managed. Kaseya has two offerings, on-premises (server-based) and cloud-based. Usually, MSPs who have the resources to run their own data centers employ server-based solutions. So that means the clients will be of high value to bad actors, which was precisely the case.
As I wrote in an email shortly after the attack became public knowledge, Heliotropic Systems does not use any Kaseya products (server- or cloud-based). We use products from ConnectWise for monitoring your computers and remotely accessing them. These are both cloud-based offerings, and ConnectWise has been very transparent in letting partners know what flaws have been identified and when they are corrected.
No software is exempt from bugs. After all, people code the programs and do not necessarily consider everything when designing and developing those programs. Yes, there are Quality Assurance teams that are supposed to test the programs — but they are only as good as the instructions they receive in terms of what the test cases should be. And not all possibilities are (or can be) tested.
The news is now filled with stories that malicious actors are targeting more and more small businesses because they think the “work from home” population is getting lax with their security consciousness. There is a movement within my industry to implement what’s called the “Zero Trust Initiative.” (Note, Marvel fans, this is not another Avengers movie). Zero Trust is not a product but a concept, and what it means is this: Every object in a network is identified, and every person with access to anything is identified. Then, rules are established to define what access level each person has to those objects — and when those rules are to be invoked.
Here is a simple example. Madeline and Roland are employees at Total Prepared Foods. She is an inside salesperson who is responsible for calling on existing clients. Her computer accesses the cloud-based Customer Relationship Management (CRM) system to perform her daily tasks. He is an accountant who works with the payroll system and handles the firm’s online banking.
In a Zero Trust environment, the hours that both employees work are known. The CRM software Madeline accesses has rules regarding what aspects of the program she’s allowed to see (e.g., client information but not payroll). Roland can access the payroll system but has no access to the CRM system. The network knows who logs in to which computer. It also knows which external Internet address is supposed to be used when she remotely connects from home. If someone — or something — tries to access her computer in hours when she is not authorized to use it, an alert is sent. More importantly, because Madeline’s computer requires two-factor authentication, a bad actor would not have access to the token on that device. Similarly, Roland does not have access to the payroll system except from his office computer, which is not authorized for remote access.
Previously, most believed that protecting a business had to occur from the outside in. Now, it is becoming evident that companies must be protected from the inside out. I am going to take two actions before the end of September to begin a journey toward zero trust. The first will be to ensure that no computer user at any client site has administrator privileges (meaning they can install programs). The second will be to add a new product to the SPF+ and SHADE subscriptions. This new product is a browser extension that should stop anyone from getting to a fake website if someone inadvertently clicks on a link in a phishing email. Combining a limited user desktop experience and a program to thwart potential problems, will make you much safer.