This post is aimed at business Information Security professionals, Heads of department, business owners and anyone who wants to understand Cyber Security and reduce the risk of being attacked.
Cyber. It’s everywhere. Attacks are increasing in severity and prevalence. I wrote a piece on how the effects of the SolarWinds attack could (and should) have been mitigated with some essential best practice. The latest breach of MSP tool Kaseya VSA has followed a similar path. As device management agents are trusted sources, endpoints implicitly trust them and carry out any command they are requested to execute – including deployment of ransomware, backdoors or any other malicious payload.
The traditional doctrine in Information Security is risk management. You can’t defeat all risks, but you can manage them. The problem with this approach is that risk acceptance is a valid risk management activity, and I have seen too many risks accepted or not understood in organisations when in reality, they leave gaping holes in security. On this basis then, risk management in Information Security no longer has any relevance; we need a new way of approaching Information Security, as the traditional way of thinking is no longer ‘enough security’. To set the scene – let’s look a little more at what set off this train of thought.
What is an RMM tool?
RMM tools are remote monitoring and management agents installed on PCs, servers and laptops to allow management of those devices over a network. They are very popular amongst outsourced IT service providers, or MSPs as they are commonly known. It’s one of the key ways an MSP will provide service to remote customers. Typically in a modern MSP customer environment, the RMM tool will work no matter where the device is, as it talks back to either a shared cloud environment or an environment hosted by an MSP.
Why target RMM tools?
As the RMM tool often has complete unfettered control over the endpoint device it is installed on, it can be used to deploy software and system updates. But – like many legitimate tools – it can be weaponised to deploy malicious software – either by opening a back door, as in the SolarWinds attack, or by installing ransomware, as in the Kaseya breach. The hard part about this is that there are many other RMM vendors in use across the world. It’s a rich opportunity for attackers, so I doubt this is the last attack we will see.
What has this got to do with risk management?
Many organisations manage their information security risk well. Most implicitly accept risks that they don’t know they have. I audited an organisation a few years back that had a valid, recently audited ISO27001 certified ISMS (Information Security Management System) from a reputable UKAS registered authentication body. In short – they looked like they were taking things seriously. Here is the thing: ISO27001 is a risk-based standard. Valid risk management behaviour includes risk acceptance by ‘top management.’ OK – no problem. Well, actually – MASSIVE problem. In this case, the organisation didn’t have a perimeter firewall due to cost, and the CEO had accepted the risk here. Ummm, what? Control #1 in Cyber Essentials is perimeter firewalls. This organisation, despite having ISO27001 – didn’t have one. So – if your supplier management approach is to check for a valid ISO certificate – be warned – trust, but verify, I believe, is the appropriate phrase.
So – following on from a conversation I had with the UK Cyber Security Council last week about how to ‘fix’ cybersecurity in the UK, I had two thoughts. They are not conventional Information Security thinking, though.
Information security risk management is no longer an appropriate way of managing IT/technical/cybersecurity. We need a wholesale change in thinking. You know what, though – a solution to how to approach this already exists – we just need to be bold in how we apply it. It’s called Murphy’s Law. Taken in this context, if there is a way for security to fail, it will. Designing failure out is clearly not possible, but mitigating against it is. OK – you got me – mitigation is a valid risk management approach. In our new security-first world, risk acceptance is not a valid risk management approach. We need to shift our thinking towards a new priority order and strike accepting risk off the list.
New risk management criteria
- Don’t do the risky thing.
- Need to do the thing that has some risk? OK. But not before maximum mitigation has been applied. It’s like finding the weakest point and attacking with the maximum amount of force. You might also refer to this approach as overkill. That sledgehammer isn’t needed to crack a nut – but you know what – it was cracked all the same. Actually, not the same – no questions – it’s cracked. Every time. The end.
- If you can’t avoid the activity or appropriately mitigate the risk, transfer it to someone who can do those things. And then back that up with a financial guarantee.
There has been plenty of scrutiny on insurance companies paying up when ransomware strikes. They are getting bad press for it as well. This brings me to the second thought: regulation. GDPR has been good for data privacy, if not all-conquering – but a definitive step in the right direction. With all the focus on privacy – the technical security requirements of that legislation have been overlooked. To summarise – it says something along the lines of ‘Taking into account risk, state of the art and cost, the organisation will implement appropriate technical controls.’ Hmmm.
Risk? Yeah – not adequate anymore, given the nature and number of attacks we are facing.
State of the art? Plenty of that in terms of available technical controls and solutions. Not enough people know about them, and undoubtedly many we talk to, particularly in-house IT, can’t or don’t want to get the buy-in for change.
Cost? Well, this is a total irrelevance in my book with regards to security now. Why? It doesn’t have to be expensive. Spending more than the asset you are protecting is worth is not commercially viable, but how do you value your business? In the £millions? £billions? If you are a proper SME – in the £10s or £100s of thousands? We are most definitely talking about protecting your entire business, personal reputation, the reputations of your staff and in many cases, the lives, reputations and personal information of your customers and their customers. Still think the cost is a factor? It isn’t. Invest and sleep well.
How to fix cybersecurity
Whilst insurers have been getting bad press – they also hold the answer. With ever more regulation on cybersecurity and a reactive approach to enforcement of current legislation (GDPR, NIS) – we need a new paradigm to encourage businesses to take cyber seriously. This one is straightforward in concept. In the UK, business is required to have public liability insurance to trade. A small change in legislation is all that is needed to require, by law, all businesses, charities, schools etc., to have Cyber insurance to trade. No cyber insurance? No trading.
But cyber insurers will just put massive premiums in place, won’t they? Here is the second half of this new approach. Insurance companies are already regulated. To issue cyber insurance, many already ask lots of questions about the approach organisations take to security. The change here is this: We regulate the insurers to a minimum required standard of validating security controls before issuing insurance. This minimum standard will make it much more difficult for attackers and reduce the occurrence of cyber-attacks. Ergo – premiums should be kept affordable. Don’t regulate all business in the UK – that is impractical. Adding regulation to an already heavily regulated industry with a governing body in place – that sounds achievable. Get that group of entities to enforce best practices amongst their customers. If they don’t, no insurance, no trading. Much like chasing down most criminals – following the money is the thought process behind this idea.
Controversial? Push back? Issues? Time-consuming? What standards do we enforce? Capacity at the FCA? Punitive on small business? Maybe all of the above and more. But it doesn’t have to be impossible. The tools, technologies and partners are out there to deliver this – we just need to have the will to get it done. Yes, it will cost us all some money – but what is the cost of going out of business or letting your customers down?
And what of the cost of stress and anxiety a cyber attack would cause? All much more than the cost of doing something about it. So let’s do something about it.
With the pragmatic approach and range of services we offer at Optimising IT, we can always highlight and reduce your cyber risks. Our services are crafted to suit your individual business needs. Contact us or call us on 0330 403 0011 to see how we can help.