+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

The MSP Threat Report and Take-Aways

Posted by Patrick Townsend on Oct 26, 2021 2:51:26 PM

I’ve been reading the 2021 MSP Threat Report from Perch (a ConnectWise company). It has a great review of the evolving threats to MSPs and their customers from ransomware attackers this last year. What I like about this report that it puts a number of relevant factors into perspective. Why are MSPs a target? What do the attacks look like? Who are some of the groups that are behind these attacks? What do they want (doh)? How are MSPs responding, and how effective are these responses? And, of course, what should MSPs be doing to counter the ransomware threats.

You can find the report here:

https://www.connectwise.com/resources/ebook-2021-msp-threat-report

Here are a few of the take-aways that I found interesting:

MSPs represent a valuable target. Why is that? Well, it turns out that MSPs are theVMware Cloud Providers & MSPs - Win New Business gateway to a lot of end customers. They call this the “Buffalo Jump”. If an attacker can compromise an MSP they can get downstream access to all of the MSP’s customers. Based on some industry averages Perch estimates that an MSP an its customers represent a $2 BILLION opportunity. Yeah, that’s Billion with a “B”. The attacker expects to collect a ransom payment from the MSP and from each of the MSP’s end customers. The financial incentives to attack and MSP are huge.

As we know from recent experience the MSPs who have been attacked were surprised by the event. In many cases the MSP systems were not compromised, but the software they used to manage their business became the path to the compromise. A so-called “supply chain” attack. However, the supply chain attack does not cover all of the MSPs who encountered problems – many experienced routine phishing attacks and credential compromises. But the multiplier effects of the supply chain attacks stretched the resources of many MSPs.

The characteristics of a ransomware attack are pretty well known now. The common sequence of events of a ransomware attack are:

  • Infiltration – access to the MSP and their end customer.
  • Planting malware on breached systems.
  • Exfiltration – steal copies of the data to the attacker’s server
  • Poisonous Encryption – deny you access to your data and systems using a secret key.
  • Extort the ransom – usually through cryptocurrency payments.
  • Release of the hostage – decryption of your hostage data (if you are lucky).

While theft of data is common in traditional data breaches, the Exfiltration step is relatively new in ransomware attacks, and this is where many ransomware defenses fail. The MSP and the end customer may be able to restore systems from backups, but that won’t stop the extortion attempt. The ransomware attacker now has your sensitive data and threatens to release publicly it if the ransom payment is not made. The release of sensitive information can be devastating to MSPs and to their end customers. The threat is real and substantial. You need a backup and restore strategy, but it won’t protect you from the threat of the release of sensitive data.

What can you do?

The Perch Threat Report does not discuss this, but you do have tools to protect against Exfiltration. You have the ability to encrypt your data before the attacker with your own secret key. And that is what I call “Defensive Encryption”. You must encrypt your sensitive data first. The attacker can’t use the Exfiltrated data against you if they can’t read it. This is where encryption becomes you friend. Defensive Encryption renders Exfiltration useless by denying the attacker the ability to extort the MSP and the end customer. You still have to restore from backup, but you are in a much stronger position to defeat the extortion attempt.

There is a lot to like about the 2021 Perch Threat Report. It is concise but at the same time covers a lot of ground. I think this is an excellent report to share with upper management in your company. If you are an MSP you can share this with your end customers to help get them motivated.

MSP Note:

If you want to move forward with Defensive Encryption we have a solution you are going to love. Proper encryption key management is crucial to an encryption defense, but MSPs can be put off by the cost of key management systems. We’ve solved that problem. More here:

https://info.townsendsecurity.com/msp

PatrickEncryption Key Management for VMware Cloud Providers

Topics: Encryption, Partner, Ransomware, MSP

IT's OFFICIAL - ENCRYPTION FOR RANSOMWARE PROTECTION

Posted by Patrick Townsend on Jun 15, 2021 3:22:26 PM

If you’ve been following this blog recently you know that I’ve been advocating for the use of encryption to help prevent ransomware attacks. Ransomware attackers have been adapting to the new reality that a lot of companies have deployed good backup strategies to recover their files. Without that leverage the attackers can’t extort payments for recovery of your systems.

So, what are they doing now? They are exfiltrating your sensitive data and using that as additional leverage. 

Encryption Strategies for VMware EnvironmentsOh, you have backups and you don’t want to pay? OK, we took your sensitive data and we are going to publish it. Do you have secret intellectual property or business plans? Do you have sensitive medical information on your patients? Do you have sensitive information about children in your care? 

Under this kind of pressure many ransomware victims decide to pay the ransom. 

That’s why it is important to encrypt your data before a ransomware attack. If the attacker can’t read your data because it is encrypted they can’t threaten to release it.

It has been frustrating to me that most security recommendations on how to protect yourself from a ransomware attack omit the step of encrypting your data first.

But that has now changed! And it is long overdue.

Here is what President Biden’s new executive order recommends (emphasis added):

What we urge you to do now:

Implement the five best practices from the President’s Executive Order:President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack. 

And  more ...

And this:

For Federal Agencies:

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Encryption is not the only thing you need to do, but it is a critical part of a ransomware protection strategy. It is heartening to see this being recognized.

There is some good news: Encryption is fast, easy and affordable. If you are a small or midsize organization you will be glad to know that there is an affordable solution for your encryption strategy. Encryption and encryption key management are no longer the headaches they once were. You or your IT Support organization can address your encryption needs in a rapid manner. 

If you are an IT Support Provider or Managed Service Provider trying to help your customers with security, you are going to love our MSP Partner program. Affordable key management for VMware and the cloud, usage-based billing, and no upfront fees. You will be profitable from the first customer. More information here: 

https://townsendsecurity.com/msp

Ransomware attacks can be devastating to an organization, but you have tools to protect yourself. Give us a call.

Patrick

References:

https://image.connect.hhs.gov/lib/fe3915707564047b761078/m/1/8eeab615-15a3-4bc8-8054-81bc23a181a4.pdf

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

Encryption & Key Management for VMware Cloud Providers

Topics: Alliance Key Manager, Encryption, Encryption Key Management, VMware, Ransomware, MSP

Colonial Pipeline, ransomware and encryption – what to do right now

Posted by Patrick Townsend on Jun 8, 2021 11:21:40 AM

The Colonial Pipeline ransomware attack and resulting crisis that affected millions of people was shocking because of its scale and impact. Shocking, but it was not surprising. We have been watching an increase in the number of ransomware attacks over the last few months. No organization, large or small, has been immune from the attacks. Hospitals, schools, local governments, national agencies – even police departments and courts – have suffered from debilitating ransomware infections. Colonial Pipeline was the first publicly known attack on critical energy infrastructure, but it won’t be the last.

Most modern ransomware attacks have two components:

  • Encryption of your systems to deny you operational access, and
  • Theft of unencrypted sensitive data.

The attackers encrypt your data with a secret key and then promise to restore it when you pay the ransom. This is the well-known part of a ransomware attack. You typically must pay the ransom to a secret Bitcoin account controlled by the attackers. After payment, if you are lucky, the attackers will give you the secret key to unlock your data.

Case Study: Concensus TechnologiesThere is another, less well-known aspect of ransomware attacks. And that is that the attackers often steal sensitive data before they encrypt it. Why do they do this? Well, if you are able to restore your systems without paying the ransom, they can then use the threat of releasing that data to extort the payment from you. And it is very effective. More on protecting yourself from this aspect of ransomware below.

There is good guidance from security groups and governmental agencies on how to protect yourself from a ransomware attack. Having good backups that are not connected to the network is an important part of that guidance. You should also deploy other security measures like active monitoring for anomalous behavior, appropriate segmentation of users, proper network controls, and so forth. And, never forget that training users in good security hygiene is absolutely essential.

I think a number of organizations have gotten reasonably good at this part of ransomware protection. There are still big gaps, of course. And smaller to midsize organizations are lagging in the deployment of these basic protections. But what to do is no longer the question. Getting it done and doing it right is the challenge.

But what about the second part of the ransomware attack? What happens when the attackers steal your unencrypted sensitive data?

We have to give credit where it is due. Cybercriminals who deploy ransomware are very good at what they do. They’ve learned to adapt to a changing landscape. As you got better at doing backups and recovering your data in a timely fashion, they added another technique to extort a payment – They are taking your very sensitive data. If you refuse to pay the ransom they threaten to release the data. To prove their point they will often release a very small amount of your data.

Imagine your shock when you see highly sensitive medical information showing up on the attacker websites. Or sensitive information about students, or sensitive court records. Suddenly the urgency is much greater, and many pay the ransom when this happens.

Having a good backup is not going to help you now. So, what can you do? It is time to add another tool to your defenses – encryption of your own sensitive data.

You should encrypt your sensitive data to deprive the attackers of access to it. If the attacker steals your data in an encrypted state, it is not usable. Encryption is the security control that you need to add to your ransomware strategy. I know, you’ve been putting implementing this important security control. But the stakes are higher now. If Sony or Equifax had encrypted their data, we would not still be talking about the massive loss of data and the disruption they experienced.

Here are some basics to keep in mind as you deploy encryption:

  • Create a map of your sensitive data, and a plan. You should encrypt the most sensitive data first.
  • Encryption key management is critical to your security. Use a professional key management system to store keys away from the data. Never store encryption keys on the same server that hosts the data.
  • Restrict access to the databases with sensitive data. Only those people in your organization who have a need to access sensitive data should be able to do so. Your DBA will know how to do this.
  • Monitor user access to your sensitive data and take immediate action for unautorized access. Use a professional SIEM solution to do this.
  • Monitor access to your encryption key management solution. Your KMS is a critical part of your encryption strategy.
  • Take advantage of database and storage vendor support for encryption and key management. Using VMware for your infrastructure? Implement encryption of VMs and vSAN. Using Microsoft SQL Server? Implement Transparent Data Encryption with an external KMS for the keys. It is fast and easy, and supported by the database vendor.

There are a lot of reasons why organizations are lagging in terms of encrypting their sensitive data. Fears about performance, fears about lost encryption keys, fears about the cost of key management systems, and so forth. All of these challenges have been overcome in recent years. Put your fears aside and protect your data.

Here is a hint:

Don’t let the PERFECT be the enemy of the GOOD. For example, you don’t have to encrypt everything at one time. Tackle the most sensitive data first, and tackle the easy projects first in order to build experience. Then tackle the remaining projects as quickly as you can. Also, don’t be afraid to deploy key management solutions from different vendors. KMS systems are so easy to manage now that having more than one system rarely increases administrative costs. Find the best, most cost effective KMS solution for your database and use it!

Encryption is your friend when you control it. It can provide protection from cybercriminals who attempt to steal your data in order to extort a payment. You can get encryption done quickly and at a reasonable cost. You don’t have to pay exorbitant licensing fees for a good key management system. If you have cost concerns, give us a call.

If you are a managed service provider trying to help protect your customers, you might like to know about our MSP Partner program. Give us a shout to learn more.

Patrick

Download Alliance Key Manager

Topics: Encryption, Key Management, Defense-in-Depth, Security News, Ransomware

Ransomware and Encryption - I Was Wrong

Posted by Patrick Townsend on Jan 2, 2020 8:48:08 AM

I might as well start the New Year with an admission and an apology. Let’s clear the slate.

eBook: Definitive Guide to Encryption Key ManagementIn the past I’ve minimized the use of encryption as a specific way to deter Ransomware attacks. My thinking was that encryption would not really help you if your systems are compromised by Ransomeware. After all, my thinking was, the data is still on your servers it just isn’t accessible because it is now encrypted with a key that you don’t have. Of course, you can pay the ransom to unlock your data. There are lots of good reasons to encrypt sensitive data, but I was not seeing encryption as a specific way to specifically minimize the risks associated with Ransomware.

I believed that your best defense against ransomware was to have good backups and be prepared to restore systems quickly from those backups. A lot of our customers had become lax in their backup strategy, and this left them exposed to Ransomware attacks. They just weren’t able to quickly restore from backups, or those backups did not exist, or they were not current enough.

I failed to understand the evolving nature of Ransomware threats. It simply did not occur to me that a cybercriminal would BOTH lock your data AND steal the data and threaten to release it if the ransom payment was not made. That is exactly what is happening now. 

It is now clear to me that encrypting your sensitive data is an important part of your defense against Ransomware attacks. If the attacker cannot access the data, they can’t threaten its release to put pressure on you. So it is time to revisit your security strategy around Ransomware:

  • Backups are still important. They are a first line defense against Ransomware.
  • Your backup strategy is not complete until you fully test the restore process. You will always find glitches during the test of the restore operation. You don’t want to be finding these glitches during a Ransomware recovery process.
  • Encrypt all sensitive data to deny its use by attackers.
  • Use proper encryption key management as a part of your encryption strategy. Locally stored encryption keys (SQL Server, MongoDB, MySQL, and so forth) are easy to recover. If you are not protecting the encryption keys you don’t have an encryption strategy.

There is much more that you need to do to protect against Ransomware, but these items are crucial to your strategy. 

Encryption has many other benefits including helping you meet compliance regulations (California CPA, etc.), helping you minimize reputational damage, helping you protect digital assets and business secrets, and much more. It is time to review your encryption strategy and plug any holes.

If you are a small organization you don’t have to feel left out in the cold. Here at Townsend Security we help small organizations get encryption and key management right. You are NOT priced out of the market. If you are a small organization ask us about our SMB plan.

Patrick

eBook: Definitive Guide to Encryption Key Management

 

Topics: Encryption, Ransomware

Blog-CTA-VMware-CSP
 
The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 
 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all