IT Security: 3 Lessons from the Kaseya Ransomware Attack

IT security

IT Security: 3 Lessons from the Kaseya Ransomware Attack

Well, here we go again, another massive cybersecurity breach. Even bigger than the Colonial Pipeline incident, the recent Kaseya ransomware attack affected up to 1,500 businesses whose partners use Kaseya’s tools to manage IT infrastructures. The hackers found a flaw, exploited it, and then pushed their ransomware to servers connected to the internet.

This Kaseya incident is just one of many battles in the ongoing war against ransomware attacks. This attack on Kaseya aimed at the entire software supply chain, an approach that can have devastating — and oftentimes unpredictable — consequences.

The answers on how to prevent and cope with these types of subversions isn’t simple. Researchers and policy makers have their work cut out for them as they look tirelessly for solutions. In the meantime, though, it’s up to businesses to stay proactive and diligent about IT security. Here are three lessons in IT security that we can take away from this Kaseya ransomware attack.

Lesson #1: Enact a BCDR Plan

Business Continuity and Disaster Recovery (BCDR) plans help minimize business interruptions in the event of a cyber-attack or network outage. The goal is to minimize downtime and reduce data loss. The idea is to create a plan for handling server and network restoration and backup recovery.

So, how do you go about creating and enacting a BCDR plan? There are a few basic components:

  1. Take inventory of the workflows and file access
    Evaluate each department in your organization and how they communicate with one another. Are the channels they’re using still accessible if your network were to be compromised? How much of their job relies on the files within your network? Once you’ve identified the concerns, the BCDR documentation helps you set a plan for accessing necessary files in the event of an attack and filling in any gaps in your current workflows to prevent downtime.
     
  2. Automate your backups
    If a ransomware attack happens, you’ll need to restore all your devices to the most recent backup. If you don’t automate those backups to happen on a regular basis, you may be caught off guard. Have your tech team set up an automation schedule that makes sense for your business. Keep backup strategy best practices in mind. Two of the most important of those strategies are:
  • The 3-2-1 rule: Keep three copies of your data, two that are locally stored on different media types and one which is stored off-site.
  • Backup frequently, several times per day if possible. Intelligent backup technologies like BLI (block level incremental) backups may be something to look into to support this. They enable rapid backups of data by only updating the blocks of information that were changed as opposed to backing up the entire file. Work with your IT or tech partner to find out if this type of technology would suit your needs.

This visual shows how a BLI would work. Source: mspbackups.com


Lesson #2: Play Defense

Cybersecurity solution provider, Kaspersky, tracked the ransomware issues that Kaseya encountered and documented the information they uncovered. To mitigate ransomware attacks, they recommend some defensive moves:

  • Avoid exposing remote desktop services to public networks unless you absolutely must
  • Always use a strong password for your remote desktop services as an overall best practice
  • Keep software updated on all devices and install your commercial VPN patches ASAP
  • Focus your defense on detecting “lateral movements and data exfiltration to the internet”. Lateral movements are techniques that cyber attackers use to gain the initial access to your system and move deeper into your high-value assets. Data exfiltration happens when unauthorized data is transferred from a computer.
  • Educate your employees on ransomware attacks and data security best practices
  • Use an endpoint security solution that can roll back malicious actions and provide some defensive moves to thwart cyberattacks

 

Lesson #3: Go Zero Trust

A zero trust security model is also called “perimeterless security”. It’s a framework that requires users both inside and outside your network to authenticate, authorize, and continuously validate security configurations before they are granted access to data or applications they are trying to reach.

What makes zero trust different from traditional network security is that, instead of assuming everything is secure after a one-time validation, zero trust requires continuous monitoring and validation that the user and their device have the privileges to access the information. These types of initiatives can be put into action using multi factor authentication, identity and access management (IAM), endpoint security, and other solutions that verify identity and maintain continuous security.

To take zero trust further, you can extend that security with deeper initiatives for data encryption, secure emails and password protections, and web gateways that only approve secure website access – and that’s just scraping the surface. True zero trust security offers an even larger variety of preventative measures you can bring in, all of which will work together in multiple layers to secure your network and its data. It’s all about what works for you and your organization.