As we’ve seen over the past week, cyberattacks within the US government are still unfolding. The news headlines paint a dark picture of serious nation-state attackers compromising national systems and call it the most serious attack yet seen. They point fingers at newer, more sophisticated attacks as the culprit. The Department of Homeland Security called attacks on major infrastructure imminent and unavoidable.
Assessing or quantifying the damage stemming from these attacks is not yet possible, especially since we have yet to see the extent of the damage across all government entities.
Assessing the aftermath of these cyberattacks will likely take many months and reveal thousands of departments and businesses impacted.
A routine software upgrade was found to be the delivery mechanism in this specific attack. And even if Russian intelligence agencies were the responsible parties, many experts are warning that the damage will go far beyond mere espionage. Rather, we should assume that access led to altering or monetizing the data within the compromised systems.
Many are singling out IT companies like SolarWinds as the culprit (I will not judge here the extent of their involvement). The attack last week was deemed highly sophisticated. The sheer fact that a nation-state attack was imminent underscored how unavoidably complex the attack would be.
Thousands of IT teams were flummoxed by the advanced, stealthy moves of experienced and highly trained attackers. It is much easier to shift the blame for our own insecurity onto “advanced” or “sophisticated” attackers. But the truth is that even the smartest or brightest attacker is NOT looking for the hardest way in.
Every single attack stems from simple gaps in network security. These “bad” actors are exploiting weaknesses in our systems that we collectively tolerate. The recent commentary on the SolarWinds attacks makes it sound like there was nothing the government could have done.
That is simply not true. The SolarWinds attack happened because gaps in security were tolerated or accepted.
Attacks on MSPs or their clients are no different.
They happen because we tolerate the gaps.
I know you might say that these cyberattacks stem from user-related phishing attacks.
Yes. This might be part of the problem. But aren’t there other more systemic problems going on that exceed the mistakes of one user? Can you really point a finger at one individual click as the cause of a network-wide ransomware attack or data breach?
I’ve been asked to testify in many cases involving phishing attacks that have led to serious network failures or substantial financial loss. I can tell you that in no single case have I seen a data breach that was simply the sole fault of a duped user who clicked on an email attachment or link.
We, as a community, are accepting the idea that the user is to blame while overlooking our collective tolerance for other gaps on our networks.
Of course, there are specific qualities of an attack that are undeniably sophisticated. The attackers—especially highly trained nation-state actors—have finesse and demonstrate their acute skills very well in how they approach the problem of breaking in.
But in all cases that I have seen, these attacks are delivered by exploiting some basic security lapse. When the SolarWinds attack is finally audited with a fine-tooth comb, it is reasonable to surmise that it will have stemmed from a well-known vulnerability (one we all should have fixed by the time the attackers exploited it).
The truth is that for far too long IT support has sustained too many significant weaknesses on our networks. We give our clients limited visibility into whether their systems are secure. And we have limited ability ourselves to understand our own security.
Is it that surprising that hostile attackers are getting onto our networks?
As MSP-focused attacks have increased over the past 2 years, should it really be that surprising? Were these events completely unpredictable? Unpreventable?
I’m sure deep down you know that every single one of the MSP-centered attacks was avoidable. That no one attack was the result of one user’s click.
The predictability of these events is only becoming clearer.
How can we confront these growing, predictable attacks?
Some say regulation will completely solve the problem. Slap fines or enact laws requiring “better” security standards.
But when do laws in and of themselves completely solve the problem?
I know I bring this up nearly every single time I speak, but speeding is a great demonstration of where laws fall short in actually keeping our roads safe.
When I ask a crowd who speeds, nearly every hand raises.
When I ask who has received a ticket, I likewise see every hand remain in the air.
When I ask my final question, who still speeds, all hands remain raised.
While an emphasis on raising basic standards may help inform how we run our networks, enacting new standards in and of itself will not help much.
I sincerely believe that as MSP owners and operators, we all care deeply about delivering a quality service to our clients. We are looking to improve, grow and gain a following of raving fans.
You are not knowingly neglecting your client networks—I sincerely believe this.
I completely believe that if we were given a set of security standards to help us make sure we avoid cyberattacks, we’d gladly adopt them and differentiate our business’s unique selling proposition on the fact that we are security-centric and care about our clients’ well-being.
Then what are we missing?
In every single audit I’ve performed, I see MSP owners who sincerely care about and want to improve their security posture (or at least want to have a good posture).
Visibility is one of the biggest problems in our industry right now.
How can you be certain that a technician or a late-night project didn’t open the door to one of these attacks? Even if you are a serious believer in keeping your networks secure, mistakes happen.
None of the incidents I’ve been asked to evaluate stemmed from a business that wanted to do the wrong things. What they needed was visibility into the problems and some guidance forward.