Common Entry Points #1 – ITaaS (IT as a service) Part 1

According to SonicWall’s 2022 Cyber Threat Report, nearly every category of cyberattack increased in volume in the preceding year. The numbers point to an undeniable conclusion: SMB networks are under siege. Let’s call it what it is. It’s a war out there. And while cyberattacks may not involve traditional armies on a field of battle, the advice of the ancient Chinese general Sun Tzu in his influential strategy text, The Art of War, still rings true:

Attacking the opponent’s weak points is a much more effective and efficient use of the nation’s resources. . . the key is knowing where the weaknesses are and when to release the attack.

Attacking the Weakest Link

It really is that simple: attack the enemy at its weakest point. For enterprises today, the inevitable question is, where is the weakest link in your business? For many organizations, the answer may be unexpected: your reliable IT service provider. IT service providers have given SMBs access to services and resources they never had before. But being digitally connected to service providers and business partners exposes you to their risk as well. Sun Tzu emphasized the importance of knowing your enemy. For SMBs today, the question may be how well you know your IT-as-a-Service (ITaaS) provider. Are they dealing with the same organizational struggles that undermine the cyber resiliency of so many firms today?

A Common Tale of Exploitation 

We frequently witness the exploitation of weak links at CYREBRO. Recently we investigated a case involving three insurance firms that used the same IT provider. After external threat actors compromised one of the firms in a ransomware attack, they quickly moved on to the IT provider’s management server to reach its other customers. This proved ridiculously easy, because the provider was running an 11-year-old operating system and a portfolio of obsolete software riddled with known vulnerabilities. Through that single management server, the attackers gained access to the networks of multiple companies with ease. Unfortunately, stories like this are all too common.

Leveling out the playing field with IT-as-a-Service 

There are good reasons why so many organizations turn to third-party providers for IT services. SMBs often lack the expertise and funding required to acquire and maintain the IT infrastructure needed to compete in a digitally transformed world. They also lack the tools and skills to protect themselves adequately from cyberattacks, which is a problem because SMBs are a prime target for attackers.

As a result, many SMBs are turning to ITaaS models in which an IT provider delivers IT as a commodity, customizing packages that bundle a desired array of hardware, software, and support for a subscription fee. Besides the advantage of predictable OPEX budgeting, minimal upfront investment costs, and tax advantages, subscribers get access to expert technical support, regular software upgrades and hardware refresh cycles, and continuous monitoring.  

Zero-trust includes your IT Provider  

Cybersecurity specialists now encourage IT managers to adopt a zero-trust framework for today’s networks. This requires a “never trust, always verify” mindset for every connection request, including those that originate from within the network itself. Zero implicit trust extends to your IT providers as well, especially those whose components and services permeate your network: the provider’s management server and remote-access accounts are principals on your network and should be authenticated, authorized and logged like any other. Just because your IT provider is an authority to you doesn’t mean they aren’t taking shortcuts that expose your company to unnecessary risk.

Segmenting your IT Provider  

IT service providers are high on attackers’ target lists, because once a provider is compromised, the attackers can pivot into its clients. This is easier still when the provider manages all of its clients’ networks from a single server, which gives attackers enormous leverage: one foothold, many victims.

For instance, a large orthopedic clinic in the southeastern United States recently agreed to a $1.5 million settlement over a breach that occurred four years earlier. It was one of three healthcare organizations breached thanks to the poor security practices of the IT provider all three had contracted with. In this case, the provider connected to its clients from a single server over VPN, using the same password for every client. Better-known examples include the SolarWinds supply chain attack, disclosed in December 2020, and the Kaseya VSA compromise in July 2021.

One reason supply chain attacks keep increasing is a lack of monitoring. Without visibility into what the provider’s accounts and servers are doing, you can never know what is truly occurring across the various parts of your network operations. A provider connection that quietly reaches into several client networks in the middle of the night is exactly the kind of activity that only shows up when someone is watching the logs.
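As an added illustration, not from the original post and not CYREBRO’s own tooling, here is what that monitoring can look like in practice: a small Python detector run over constructed authentication records. It flags a single provider identity fanning out into several client networks within an hour (the pattern of the management-server pivot described above), and separately lists provider logons outside an assumed maintenance window. Tenant names, IP addresses, usernames, the log format and the 08:00-18:00 UTC window are all assumptions made for the example.

```python
"""Detect one provider identity fanning out across multiple client networks.

Constructed example: authentication records as a SIEM might collect them
from several customers of one MSP. Nothing here comes from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (assumed format: ISO timestamp + key=value pairs).
SAMPLE_LOGS = """\
2023-04-02T10:02:11Z tenant=acme-insurance src=198.51.100.7 user=msp-admin result=success service=rdp
2023-04-02T10:40:53Z tenant=acme-insurance src=198.51.100.7 user=msp-admin result=success service=rdp
2023-04-03T02:14:07Z tenant=acme-insurance src=198.51.100.7 user=msp-admin result=success service=rdp
2023-04-03T02:21:40Z tenant=bluecoast-mutual src=198.51.100.7 user=msp-admin result=success service=rdp
2023-04-03T02:33:12Z tenant=harbor-assurance src=198.51.100.7 user=msp-admin result=success service=winrm
2023-04-03T02:35:55Z tenant=harbor-assurance src=198.51.100.7 user=msp-admin result=failure service=winrm
2023-04-03T09:15:00Z tenant=bluecoast-mutual src=192.0.2.44 user=jdoe result=success service=vpn
"""

MAINTENANCE_WINDOW = (8, 18)      # assumed: provider changes are agreed for 08:00-18:00 UTC
FANOUT_WINDOW = timedelta(hours=1)
FANOUT_THRESHOLD = 2              # distinct tenants reached by one (src, user) pair


def parse_line(line):
    """Turn 'TS k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_fanout(records, window=FANOUT_WINDOW, threshold=FANOUT_THRESHOLD):
    """Return one alert per (src, user) that reaches >= threshold distinct
    tenants with successful logons inside any sliding window of `window`."""
    by_actor = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_actor[(r["src"], r["user"])].append(r)

    alerts = []
    for (src, user), recs in by_actor.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it fits
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            tenants = {r["tenant"] for r in recs[start:end + 1]}
            if best is None or len(tenants) > len(best["tenants"]):
                best = {
                    "src": src,
                    "user": user,
                    "tenants": sorted(tenants),
                    "first": recs[start]["ts"],
                    "last": recs[end]["ts"],
                }
        if best and len(best["tenants"]) >= threshold:
            alerts.append(best)
    return alerts


def detect_off_hours(records, window=MAINTENANCE_WINDOW):
    """Successful logons outside the agreed maintenance hours (UTC)."""
    lo, hi = window
    return [r for r in records if r["result"] == "success" and not (lo <= r["ts"].hour < hi)]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for a in detect_fanout(recs):
        print(f"FANOUT {a['user']}@{a['src']} -> {', '.join(a['tenants'])} "
              f"between {a['first']:%H:%M} and {a['last']:%H:%M} UTC")
    for r in detect_off_hours(recs):
        print(f"OFF-HOURS {r['user']}@{r['src']} -> {r['tenant']} at {r['ts']:%Y-%m-%d %H:%M} UTC")
```

A single SMB sees only its own tenant in its logs, so the cross-tenant correlation above only works where one monitoring party aggregates records from the provider’s management server or from several of its clients, which is precisely what an independent monitoring party can do that an individual customer cannot. Tune the window and threshold to the provider’s agreed change schedule, and treat the off-hours list as a prompt for verification with the provider rather than as proof of compromise.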

Bootleg Software

One of the main reasons SMBs contract ITaaS providers is the cost of purchasing and maintaining software and hardware. Of course, your IT provider must bear these costs as well, which makes it tempting to use cheaper software that lacks the features and capabilities of more popular solutions.

In some cases, bootlegged software may be used, that is, software installed on machines it is not licensed for. For example, software purchased for one customer is installed on other clients’ machines as well. According to the Business Software Alliance, most countries still have unlicensed software rates of 50% or higher. Those who knowingly or unknowingly use bootlegged software forgo licensed benefits such as technical support, software updates and complimentary upgrades, which means known vulnerabilities stay unpatched. Even more important, pirated software violates copyright law; under US law, violators can be fined up to $150,000 per infringed work.

Outdated Software

Would you believe that more than 12% of the computers in service across the globe are still running Windows 7? Microsoft ended support for Windows 7 in January 2020, the last time it released free security updates (paid Extended Security Updates continued until January 2023) for an OS first shipped in 2009. An unsupported operating system has a growing attack surface: every vulnerability found after end-of-life stays unpatched, handing threat actors a well-documented list of exploits that will keep working.

A classic example is WannaCry, which propagated itself across the globe in May 2017 by exploiting a vulnerability in Windows’ SMBv1 service. Microsoft had patched supported versions two months earlier (MS17-010), but the worm tore through unpatched Windows 7 machines, and Windows XP, already past end-of-life, received a fix only as an emergency out-of-band patch after the outbreak. Upgrading a company’s PC fleet is time-consuming and easy to put off until a “someday” that never arrives. It’s imperative to keep business users on the most up-to-date software, not just for security but for the features that are continually released today.

The Need to Verify

Chances are your IT provider is doing a fine job and delivering services that meet stringent cybersecurity standards. But in a zero-trust world, verifying that delivery is crucial to ensure your providers aren’t creating the weak links attackers use to sneak into your network. Denying your enemy a weak point to attack is as important today as it was in Sun Tzu’s day. That is why independent monitoring by an additional party should be part of every cybersecurity strategy.
