My neighbor is a police chief in a nearby town, and he’s always chiding me about leaving my car unlocked. He tells me there are two types of car thieves: one, those working for organized rings that target specific vehicle types with sophisticated techniques, and two, individuals walking through parking lots and attempting to open every car door in anticipation that someone like me left their car unlocked. Which attack methodology do you think accounts for the most stolen cars?
Hollywood would have you believe it’s the sophisticated crime ring, but I think we all know that’s not the case.
How are MSP Customers Actually Attacked?
Similarly, the popular news media’s coverage of cybercrime would imply it’s most often the work of nation-state actors like Russia, Iran, China, or South Korea. And indeed, many high-profile breaches are littered with the fingerprints of highly trained and organized, state-sponsored (or at least tacitly approved) groups that engage in specific targeting, surveillance, and highly patient attack methodologies. But those high-profile attacks represent a small fraction of successful breaches overall, and almost none of the attacks launched against the SMB customers of many MSPs.
State-sponsored criminals aren’t interested in a $75,000 ransomware attack against the local General Motors dealership, but there are countless individual cyber criminals that are, and the tools needed to secure that ransom are readily available for sale to them on the dark web (or even free elsewhere). And they find their victim organizations the same way the car thief walking through the parking lot does: trial and error.
Automated Tools Spread their Venom
Cyber criminals leverage readily available automated scanning tools to scan the entire public internet in minutes, searching for open ports running services with known vulnerabilities that can be exploited, again, using off-the-shelf software (exploit kits). Or they shower a set of random email addresses with phishing emails, all in an attempt to find one or two unlocked parked cars. These attacks are not only automated but impersonal, so when you hear that a local animal hospital was the victim of a ransomware attack, it wasn’t because the attacker specifically targeted the animal hospital (or doesn’t like cats). It was because the animal hospital’s network happened to have a vulnerability that was found by an indiscriminate automated scan, or because an employee opened a phishing email attachment, one of tens of thousands sent by the attackers to SMBs all over the world.
98% of Firewalls Face High-Risk Threats
How prevalent are these automated scans? In its August 2021 threat-blocking report covering SMB firewalls managed through its MSP partners, Dark Cubed found that 98% of the firewalls had high-risk threats probing their networks from known malicious IP addresses. Thus, for SMBs, it’s not a matter of if, but when, their network will be scanned by bad actors for vulnerabilities.
Moreover, phishing attacks are remarkably successful because the bad guys only need to be right once. Phishing training can reduce errant clicks by employees, but no level of training can eliminate them. Patching vulnerabilities sounds good on paper, but any IT professional will tell you that patching is time-consuming, resource-intensive, and risky (newly installed software often breaks the software around it), and the sheer number of vulnerabilities and updates is overwhelming, even to the best-staffed IT departments. It’s pretty much mission impossible for SMBs with scarce resources.
Bad Guys Have Vulnerabilities Too
The good news is that these automated, spray-and-pray attacks on the SMB community have an Achilles heel: they’re launched and controlled very often from known-compromised infrastructure. That is, when the bad guys are using a specific server or device to mount their attacks against SMB targets, word spreads rapidly among threat intelligence sources that those devices are compromised, giving the defenders of SMB organizations an advantage.
Automated scans launched from high-risk IPs can be blocked, such that any network vulnerabilities aren’t exposed. If an employee clicks on a phishing email, establishing a foothold on an SMB network from which an attack can be executed, the device controlling that attack can be quickly blocked, effectively shutting down the attack before data can be encrypted or other damage inflicted.
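The two blocking decisions described above (inbound scans from listed sources, and outbound connections from an internal foothold to listed control infrastructure) can be expressed as a small log-triage routine. This is an added example, not code from the article or from Dark Cubed; the blocklist entries, internal addresses and the key=value log format are all constructed placeholders.

```python
import ipaddress

# Constructed threat-intel blocklist (documentation ranges, not real indicators):
# single hosts and CIDR blocks, as feeds typically publish them.
BLOCKLIST = [
    "203.0.113.7",        # stands in for a known scanning host
    "198.51.100.0/24",    # stands in for a compromised hosting block used for C2
]

# Constructed firewall log lines; the space-separated key=value layout is an assumption.
SAMPLE_LOGS = """\
2021-08-01T10:00:01 dir=in src=203.0.113.7 dst=10.0.0.10 dport=3389 action=allow
2021-08-01T10:00:02 dir=in src=192.0.2.50 dst=10.0.0.10 dport=443 action=allow
2021-08-01T10:05:17 dir=out src=10.0.0.22 dst=198.51.100.45 dport=443 action=allow
2021-08-01T10:05:18 dir=out src=10.0.0.22 dst=192.0.2.99 dport=53 action=allow
"""

def compile_blocklist(entries):
    """Turn feed strings into network objects so CIDR membership tests work."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields

def is_listed(ip, nets):
    """True if the address falls inside any listed host or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def triage(log_text, blocklist):
    """Return the connections a blocklist-aware firewall would have dropped.

    Inbound: the remote party is the source (scan or exploit attempt).
    Outbound: the remote party is the destination (beacon from a foothold).
    """
    nets = compile_blocklist(blocklist)
    verdicts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        remote = f["src"] if f["dir"] == "in" else f["dst"]
        if is_listed(remote, nets):
            reason = "inbound scan source" if f["dir"] == "in" else "outbound C2 destination"
            verdicts.append({"ts": f["ts"], "dir": f["dir"], "remote": remote, "reason": reason})
    return verdicts
```

Running `triage(SAMPLE_LOGS, BLOCKLIST)` flags the RDP probe from the listed scanner and the later outbound beacon into the listed range, while the two unlisted connections pass.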
The cybersecurity community is filled with very smart, highly technical people, and that’s typically a good thing, since the bad guys are also smart and often technical. But the converse argument is that we over-complicate cybersecurity, especially for those in the SMB community that simply want to protect themselves and their customers. So, when it comes to defending the SMB market, just making sure that car doors are locked can go a long way to preventing the vast majority of successful attacks.

Jeff Hill is the CMO at Dark Cubed and a member of CompTIA’s Cybersecurity Community.