Security vulnerabilities and ransomware attacks seem to be making headlines more and more frequently.
Recently, a remote monitoring and management (RMM) tool created by Kaseya, used by technology service providers to manage their clients, was exploited. The Kaseya team had been working with a Dutch firm to fix the vulnerability, but it was found first by a ransomware group, REvil. A vulnerability is a security flaw in existing software, and all software providers release patches to fix such flaws, but unfortunately, Kaseya ran out of time. The attackers took control of about 50 RMM platforms of the 32,000 Kaseya partner servers worldwide. REvil then leveraged the Kaseya RMM to encrypt the systems of over 1,500 small businesses.
While many in the media threw stones at Kaseya's vulnerability, hundreds of major software providers and Kaseya's competitors came out in support of the company because they have all had similar events. In my past columns, I've discussed the topic of application whitelisting, which identifies and allows only authorized programs and scripts used by a company to run on their computers. App whitelisting is the exact opposite of traditional antivirus and antimalware tools that seek to identify possible threats and then quarantine or stop them altogether. While traditional security is necessary because millions of threats are known, it cannot stop the barrage of over 700,000 new variants of malware created every day.
A new computer with the Microsoft Office suite, Adobe and other common programs has about 4,800 applications, scripts and libraries. It is far easier to trust 4,800 known programs than it is to defeat an endless assault of new attacks in a world that is more connected than ever. If a technology provider used Kaseya and had an application whitelisting tool in place for its clients, the ransomware scripts would not have been able to execute. Unfortunately, many companies in today's world still do not take security seriously, or their budgets do not allow them to spend the approximately $10 per month to protect their systems in this manner. By comparison, the REvil group was seeking a ransom of $72 million to provide decryption keys to the affected companies, which equates to about $48,000 per small business affected.
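The difference between the two approaches described above comes down to the default decision when a program is not on the list. The following Python script is an added example, not part of the column or any vendor's product: it builds a constructed allow-list from the SHA-256 hashes of a "baseline" set of programs, a constructed deny-list from hashes of malware already known, and then shows how each policy decides on a known-good program, a known malware sample, a brand-new variant, and a tampered copy of a trusted program. All file contents and paths are constructed stand-ins, not real binaries.

```python
"""Allow-list versus deny-list execution control (constructed demonstration).

Added example: the program contents, paths and hashes below are made up so the
script runs offline; they are not real files or real malware indicators.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    path: str
    content: bytes  # constructed stand-in for the executable's bytes


def sha256_hex(data: bytes) -> str:
    """Hash the file contents; application-control tools key on the hash, not the name."""
    return hashlib.sha256(data).hexdigest()


# Constructed inventory of the programs a company has authorised (the column's
# ~4,800 applications, scripts and libraries on a freshly built machine).
BASELINE = [
    Program("C:/Program Files/Office/winword.exe", b"winword-binary-v1"),
    Program("C:/Program Files/Adobe/acrobat.exe", b"acrobat-binary-v1"),
    Program("C:/Windows/System32/notepad.exe", b"notepad-binary-v1"),
]
ALLOW_LIST = frozenset(sha256_hex(p.content) for p in BASELINE)

# Constructed deny-list: hashes of malware that a traditional antivirus already
# knows about. A brand-new variant is, by definition, not in here yet.
KNOWN_MALWARE = [b"ransomware-variant-A"]
DENY_LIST = frozenset(sha256_hex(m) for m in KNOWN_MALWARE)


def deny_list_verdict(program: Program) -> str:
    """Traditional AV model: block only what is recognised as bad, allow everything else."""
    return "BLOCK" if sha256_hex(program.content) in DENY_LIST else "ALLOW"


def allow_list_verdict(program: Program) -> str:
    """Application whitelisting model: allow only what is recognised as good, block everything else."""
    return "ALLOW" if sha256_hex(program.content) in ALLOW_LIST else "BLOCK"


def evaluate(programs: list[Program]) -> dict[str, tuple[str, str]]:
    """Return {path: (deny-list verdict, allow-list verdict)} for each execution attempt."""
    return {p.path: (deny_list_verdict(p), allow_list_verdict(p)) for p in programs}


# Constructed execution attempts: one trusted program, one known malware sample,
# one never-seen-before variant, and a trusted program whose bytes were altered.
ATTEMPTS = [
    Program("C:/Program Files/Office/winword.exe", b"winword-binary-v1"),
    Program("C:/Users/Public/update.exe", b"ransomware-variant-A"),
    Program("C:/Users/Public/invoice.exe", b"ransomware-variant-B"),
    Program("C:/Program Files/Office/winword.exe", b"winword-binary-v1-TAMPERED"),
]

if __name__ == "__main__":
    for path, (deny, allow) in evaluate(ATTEMPTS).items():
        print(f"{path:45s} deny-list={deny:5s} allow-list={allow}")
```

The new variant ("ransomware-variant-B") is the case the column is making: the deny-list has never seen it and lets it run, while the allow-list blocks it because nothing unknown is trusted. The tampered copy of winword.exe shows why the check is on the hash rather than the file name. Real application-control products also accept rules based on a publisher's code-signing certificate or a protected install path, because a pure hash list would need updating every time a trusted program is patched; that is an operational cost the $10-per-month figure in the column is paying for.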
Does it make sense to spend $10 per month per computer to prevent a zero-day exploit versus a ransom of almost $50,000? Plus, if you do pay the ransom, you have no guarantee that another criminal group will not attack you tomorrow and request an additional ransom. Each business has to perform its own cost-benefit analysis, but in all honesty, many small to medium companies look at an additional security cost in a similar manner to how a healthy 23-year-old single person looks at life insurance; they just don't see a catastrophic event happening and forgo the expense.
Microsoft was also in the news with its own zero-day exploit called PrintNightmare. This vulnerability was created by a Microsoft patch that allowed a remote attacker to elevate itself to administrator levels on PCs and servers to launch ransomware attacks. While Microsoft was working on a proper patch, it released a work-around "fix." As an IT service provider, we have to make a decision to either apply the temporary and untested fix using our own RMM tool or knowingly leave our clients exposed to a potential ransomware attack, thereby creating a "damned if we do, damned if we don't" scenario. We chose to use our RMM tool to deploy the "fix" to about 3,000 systems globally. Within the first two hours, it became evident the Microsoft "fix" was not ready for primetime because it broke about 200 printers across our client base. We discussed it with the client, and they chose to take the risk of getting attacked versus having their own workflow processes halted. Fortunately, Microsoft had a real patch about eight days later, and we pushed it to our clients successfully.
As long as imperfect human beings keep creating computer software and the computers are used by imperfect users, then we will have imperfect computer security. Risk mitigation will never amount to risk elimination, so take all the precautions you can afford to protect yourself, have multiple pathways to recovery, purchase cyber insurance for your company, and continually test and assess.
For more information, visit www.omnipotech.com or call (281) 768-4308.