Ensuring your cybersecurity is nimble enough to deflect cyberattacks that change by the day is a difficult task for SMBs today, and a challenge before every IT managed service provider (MSP).
Island hopping – the practice of leveraging one company’s compromised network to take advantage of or jump to another target company – now occurs in half of all cyberattacks. MSPs have become a desirable target for criminals, in no small part because of their enhanced access to other networks.
Essentially, an MSP is a target because of its customers.
That’s why it’s so critical MSPs take the same steps to lock down their networks as they do for their customers. Previously, we covered how MSPs should implement a layered security strategy to create a comprehensive defense against cyberattacks, and steps for ensuring the environment is as secure as possible. Additionally, there are some ongoing efforts MSPs can practice daily in service to their own security. Some are a “set it and forget it” effort, but others require continued attention over time. None will happen spontaneously.
Disable Known Malware Extensions
Any attacker bent on infecting an endpoint needs to run code that will help install malware. So, it makes sense to block any filetypes that are both a) frequently used with ill intent and b) rarely or never used without ill intent. To block these malicious extensions, some form of endpoint protection is required (or, in the case of executables, application white/black listing). Group Policy even has simple functionality that allows those files you want to run, and blocks those you don’t.
The following is a non-exhaustive list of common malware extensions that can be blocked through application white/blacklisting:
- Executables – Users shouldn’t need to launch an application that doesn’t pertain to their work. Files with extensions such as EXE, COM, BAT, and MSI are usually not essential.
- Scripts – Users should seldom, if ever, need to run scripts of any kind. Files with CMD, VB, VBS, JS, HAR, PS, and other scripting files can be safely blocked.
- Shortcuts – While not malicious per se, shortcuts can easily link to malicious payloads. File types include LNK, INF, and SCF files.
- Self-Extracting Archives – These files hide their contents, while allowing malware payloads to run once extracted. Include files with SFX extensions in this category.
- Web Application Files – Malicious HTML applications can hide within files displaying HTML, HTM, and HTA extensions.
Secure Remote Access/Remote Desktop Services
Beyond email-based phishing attacks, unsecure remote desktop access is increasingly being exploited via Microsoft’s Remote Desktop Protocol (RDP) running on machines connected to the internet. Searching the internet for commonly used RDP ports (the default port of TCP 3389, for example) is all a cybercriminal need do to gain access to unsecured endpoints. Unpatched Windows endpoints may still be operating on default security settings that allow unlimited login attempts without being locked after an excessive amount of failures. It’s only a matter of time before a machine with this gaping security hole is exploited.
Steps for addressing unsecure RDP ports include:
- Using a firewall to eliminate RDP access from outside your network
- Requiring the use of two-factor authentication
- Configuring endpoint password policies that limit the number of login attempts before locking the account
- Using a remote access solution that relies on a less common port
Given the continuous and concerted use of RDP to compromise MSP networks, it would be wise to eliminate all use of RDP in favor of a more secure commercial alternative.
You should also consider monitoring for network intrusions, looking for multiple failed logon attempts in event logs, which is capable in Windows 10.
Update Outdated Technologies
Cybercriminals today are still invested in the time-tested strategy of exploiting older technologies that are nowhere near as secure as their updated counterparts. There are still many instances of unpatched Windows XP plugging away without hope of a new patch coming along (support for XP was discontinued in 2014). Malware leverages older, unsecure communication protocols such as server message block (SMB) v1 to move laterally across networks to expand its scope of attack. WannaCry ransomware, for example, did this to the detriment of millions of endpoints.
Updating operating systems, applications, and protocols is critical to ensuring gaps in your security are closed. In the case of SMBv1 specifically, there are some simple steps to disable it.
ML and AI Threat Intel is Here to Help
Many MSPs simply don’t have the time to keep up with every threat, every attack type, and every remediation necessary to keep a network secure.
But, even with the realization that cybersecurity is moving too fast for any one business to keep up and provide a service that customers are willing to shell out for, all hope is not lost. The good guys are innovating, too.
Seek out solutions that use threat intelligence, machine learning, and artificial intelligence to stay ahead of tomorrow’s threats. You need something watching daily (and it can’t be you), so why not shift the responsibility to solutions that will do a far better job protecting your network and detecting potential attacks, should they occur?
Lock It Down Daily
The goal is for your environment to be continually in a secure state, despite the shifts in threats and tactics over time. With MSPs being targeted, it’s essential they implement proper security controls.
Except for RDP, each of these steps involves an adversary whose face changes daily. So it’s critical that you follow these four steps above, so that you find your network’s security to be current and ready to face tomorrow’s new threats.
What now?
Check out our latest video Lockdown Lessons Episode 3: Closing Security Gaps to learn more on how to implement network security best practices.
I encourage you to start a free Webroot protection trial and see for yourself how our solutions can help you prevent threats and maximize growth: Endpoint Protection | DNS Protection | Security Awareness Training.
Guest blog courtesy of Webroot. Read more Webroot blogs here.
