It‘s easier for hackers to target MSPs and then move along to their customers than it is to target Bank of America, and the bad guys know it. MSPs adopting a zero-trust security posture are better armed against external threats, according to ThreatLocker CEO Danny Jenkins.
Hackers have realized they don’t have to go after Bank of America. Instead, they can make a million dollars from an MSP and spread out to its business customers in the process, according to cybersecurity company ThreatLocker co-founder and CEO Danny Jenkins.
“Something changed in the last decade where these hackers realized … [MSPs] don’t have nearly the security that Bank of America or the Department of Defense does,” Jenkins said. “With a little bit of planning, I can figure out what security software they use, figure out what their staff is like, figure out who they do business with, and now, I can send them direct emails.”
MSPs are in the crosshairs, and there are many ways hackers are gaining access. One popular way is for hackers to figure out what security tools an MSP is using. “Attackers can use exiting tools against you–and they are–to get into your systems,” Jenkins told an audience of MSPs and solution providers at CRN parent The Channel Company’s NexGen+ 2021 conference Tuesday.
Once inside an MSP’s organization, it’s easier for the hacker to “live off the land”–that is, go after the rest of the company’s customers, he said.
Adopting a zero-trust framework of never trust, always verify, can help MSPs take control of their own environment, Jenkins said.
“We ourselves are seeing a lot of various attempts to breach our security,” said David Liu, founder and CEO of solution provider Deltapath, who was in attendance during Jenkins’ keynote.
The San Jose, Calif.-based company focuses on unified communications and securing VoIP for its customers. Deltapath is no stranger to being a target of hackers looking to breach a solution provider organization, Liu said.
In one case, a Deltapath customer was hacked and a legitimate-appearing email was sent to Deltapath that made it through the company’s layers of security. “The email looked really authentic, but was luring us to make a document download, which could start an attack. Luckily, the last layer of defense is human and we had enough training to notice something looked fishy,” Liu said.
A zero-trust security approach has some limitations, but it’s a really important strategy, he said.
Removing unnecessary privileges and whitelisting– which allows everyday applications to have access to things they don‘t need like PowerShell being able to talk to Microsoft Office–is how MSPs can establish a zero-trust security posture, ThreatLocker’s Jenkins said.
“The only thing QuickBooks needs access to is the QuickBooks folder. … SolarWinds didn’t need to go out to anything on the internet except SolarWinds. They don’t need [access], so take it away,“ he said. “Just checking that box should take away a huge surface area of attack from your system.”
Only if access is blocked by default, storage is locked down at the application level and privileges are removed will MSPs be able to get themselves ahead of unavoidable threats, Jenkins said.
“We want to be more secure than our neighbors because no one’s robbing the house with a big dog, cameras and a gun sign,” he said. “It’s easier to go next door.”