Seguridad

“I love it when a plan comes together”—the questions to ask your customers before the next software vulnerability

I’m probably dating myself, but I used to love the television show The A-Team when I was little. Every week, the team would be put into the middle of a problem and work together to overcome some challenge. Plus, they had Mr. T and a really cool van. George Peppard ended most episodes with the tag line, “I love it when a plan comes together.”

That is exactly what I said to myself as our team ensured N‑able, and our customers, were protected after the Apache Log4j vulnerability “set the internet on fire.

We all, whether we realize it or not, are constantly assessing risk. When you pull onto a street, you pay attention to how much space there is between yourself and the car that’s approaching. Then you rapidly determine how risky it is to pull out and when to do so based on that mental calculation. You do this without really thinking about it because you’re conditioned to do this when driving. In my adult life working in cybersecurity, which is not nearly as cool as what TV portrays, it’s our job to make sure we have plans in place for when the unexpected happens. To know what to plan, or how to prioritize, we start with assessing risks to the business.

Planning your response

I’m not going to do an in-depth analysis on the vulnerability; there have already been a ton of posts about that, and more are sure to come. Instead, I’d rather talk about our risk-analysis approach to determining the N‑able response.

You see, using my example above, Log4j was that car that was already on the highway, and we were trying to determine if we were going to get into an accident. So, what happened at N‑able? Well, for starters, I was woken up—early. I must admit, it was kind of nice to have the emergency at 5 a.m. on a Friday, instead of 5 p.m., when they normally happen. Our engineering, DevOps, and security teams were already looking into the vulnerability, clarifying its impact, and working to determine what the risk was to N‑able and our partners.

We weren’t figuring this out on the fly; we had a plan in place, and the team knew what to do. It sounds simple, but planning our coordinated response across the organization is far more difficult than you’d think. We based our response on a past risk assessment that we used to prepare for this type of scenario, as well on processes we’ve put in place to ensure the right team is working on the right pieces, so we can mobilize and act quickly. One of the risks we reviewed was how to respond to a critical vulnerability that could affect our product.

Related Product

N‑sight RMM

Comience a trabajar con rapidez con un RMM diseñado para departamentos de TI y MSP pequeños.

What are you trying to protect?

As I mentioned in my last blog post, I usually ask a really simple question when I start a new role: “What makes us money?” When I started here seven months ago, I asked the same thing. What’s interesting is that, depending on who you ask, the answer is different. For any business, you can easily determine what’s in scope for your risk based on the answer to the question above. Once you review what makes you money, both directly and indirectly, it’s a matter of determining what systems or devices are critical to operating a successful business. From there, taking the time to understand the type of attacks that could affect those devices and systems, and the likelihood of those attacks, helps you understand how much risk your business is willing to accept.

MSPs are perfectly positioned to help advise their customers on how to evaluate their business risks and direct them in effectively reducing those risks. As an MSP, you understand your customer, their assets, and how their business functions. You should be able to discuss with that customer how those specific assets make them money, and the role you play in protecting their business. Further, explain to a customer how they could be targeted, as well as the cost, should one of their critical functions go offline. Finding ways to ensure their business is resilient is critical. Then, work to develop a plan to prioritize their risks and work to mitigate them.

Analyzing your risk

For ease, we can break focus areas down into some high-level categories and questions you could ask for each risk area:

  • Network and endpoint protection
    • How quickly are you patching vulnerabilities on the systems that support this business process?
    • Do you have advanced AV or EDR protection on those devices?
    • Are you using web or DNS filtering?
    • Do you have network segmentation configured for critical systems?
    • Are you running any end-of-life operating systems?
  • Employee/identity protections
    • Do you have multifactor authentication set up for your critical applications (on-prem, cloud, and SAAS)?
    • Do you have privileged accounts stored in a vault?
    • Do you have protections against phishing?
    • Are you delivering security awareness training to employees?
  • Backup/Recovery
    • Are you performing regular backups of all critical systems?
    • Are those backups stored locally, remotely, or in the cloud?
    • Are you verifying those backups are successful?
    • Are you testing the restore of backups?
  • Cloud
    • Are you measuring the security of your critical cloud environments?
    • What benchmarks are you measuring them against?
    • How are you measuring changes over time?

There are obviously other areas that you could dive into, based on the specific business that your partner is in. For example, if your customers are in the dental field, understanding where their medical data is stored and how it’s protected is critical. If they’re in manufacturing, and use machines with embedded operating systems, how are they being patched/updated?

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

The shifting cybersecurity mindset

If you look at how cybersecurity has changed in the last five years, it’s evolved from a nice-to-have to a must-have. As an MSP, I know not all your customers have shifted their mindset. That’s partly because they think a cyberattack will never happen to them. I’ve always believed a cybersecurity incident is never an if, it’s a when. All organizations have incidents, some larger than others, and having an effective plan in place is critical. Typically, that lax mentality changes when a major security event hits the news.

Once you have the buy-in from your customers and the answers to the above questions, you can begin planning the process of implementing  proper protections as well as planning to ensure that when an event happens, both you and your customers are prepared.  I’ll cover that in my next blog.

Dave MacKinnon is chief security officer at N‑able. You can connect with Dave on linkedIn here.

© N‑able Solutions ULC y N‑able Technologies Ltd. Todos los derechos reservados.

Este documento solo se proporciona con fines informativos. No debe utilizarse para obtener orientación legal. N‑able no ofrece ninguna garantía, implícita o explícita, ni asume ninguna responsabilidad legal o jurídica por la exactitud, integridad o utilidad de cualquier información contenida en este documento.

N-ABLE, N-CENTRAL y otras marcas comerciales y logotipos de N‑able son propiedad exclusiva de N‑able Solutions ULC y N‑able Technologies Ltd., y pueden ser marcas sujetas al derecho anglosajón, estar registradas o pendientes de registro en la Oficina de Patentes y Marcas de Estados Unidos o en otros países. El resto de marcas comerciales mencionadas en este documento solo se utilizan con fines de identificación y son marcas comerciales (o marcas comerciales registradas) de sus respectivas empresas.