Recent Ransomware Attacks – Part 2
As we look at the history of ransomware attacks, the primary attack vector has relied on end user activity and error. Most of these attacks are carried out by the end user clicking on a malicious link in an email or on a web site, followed by the installation of malicious code on the device. Training and educating the end user has been a key defense in protecting organizations from this type of attack. As our strategies for preventing these attacks evolve, so do the tactics used by malicious actors.
Recently, two widely used software management platforms have fallen victim to targeted attacks. In both instances, the attackers identified vulnerabilities in software used to monitor and manage IT environments to direct the attack. The vulnerability allowed the attackers to distribute malicious code through the management platforms onto workstations. Many Managed Service Providers (MSPs) use these platforms to provide IT support to small and large clients. This software is integral to ensuring that patches and software updates remain current.
If you are using an MSP, there are a couple of regular tasks you should consider:
- Understand the applications that are being used by the MSP to manage your environment. When an incident occurs, this will help you understand your potential exposure.
- Understand the high-level architecture of the management platforms. In other words, are they cloud-based or installed on-premises at the MSP? As the anatomy of a security incident unfolds, this information may be integral in understanding your exposure.
- Ensure that your MSP has a comprehensive Security Incident Response plan in the event of a security event. Are they regularly testing their incident response?
- Understand your commitments to your customers as they relate to exposure of information and incident response. Read your contracts thoroughly.
- Perform downstream risk analyses on your technology providers. In most instances, your MSP is willing and happy to share their controls with you.
- Ensure that your MSP is also performing downstream analysis and evaluation of their partners’ security risks.
As we have posted in previous briefings, the sophistication of the attacks continues to evolve. These incidents remind us that we must always remain vigilant. They also remind us that we must carefully monitor our downstream partners and evaluate their ability to protect our sensitive information. While our lens tends to focus on the information that is stored in the cloud through our MSP, it has become more and more apparent that the devices in our office are also a target and we rely on our partners to protect them as well.