Protecting Data, Emerging Threats Hot Topics at Channel Partners Virtual

Among the topics were securing data in motion, opportunities for MSPs and more.

Edward Gately, Senior News Editor

March 5, 2021

12 Min Read
Cybersecurity Roundup, security roundup
Shutterstock

Protecting data was a big topic at this week’s Channel Partners Virtual, with numerous sessions focusing on the latest threats and solutions.

Among the highlights were our latest Cybersecurity Thunderdome, as well as sessions focusing on protecting data in motion and 2021 predictions.

Cerrone-Joe_Webroot.jpg

Webroot’s Joe Cerrone

In his session, Joe Cerrone, MSP account manager at Webroot, highlighted the many challenges to protecting data in 2021. The predictions were chilling, but also good news for MSPs.

“The cybersecurity skills gap is going to continue to widen, meaning businesses will continue to struggle to stay resilient against cyberattacks,” he said. “This will force them to increase their cybersecurity spend. They’re going to reallocate budget to secure the new hybrid workforce, creating a massive opportunity for MSPs to sell their services.”

To manage the skills gap, managed endpoint detection and response (EDR) supported by artificial intelligence (AI) will replace the traditional security operations center (SOC), Cerrone said.

Regarding the threat landscape, Emotet is very prevalent and Webroot expects it will remain the most active botnet, he said. It will continue to serve as a malware distribution service.

“And business email compromise will have yet another record year,” Cerrone said. “It accounted for over $2 billion [in losses] in the United States alone in 2020.”

Deepfakes will be increasingly easier to create, making misinformation a leading threat that companies must defend against, he said. In addition, phishing pages will primarily use HTTPS. It’s not as secure as originally thought.

And the most unsettling stat?

“We’re going to see a single ransomware victim may over $50 million to restore their data,” Cerrone said. “And as we know for a lot of businesses, that is a death sentence. And we’re also going to see cybercriminals expanding their ransomware targeting from government, education and health care organizations to manufacturing and supply chains.”

DesRosiers-Chris_Tech-Data.jpg

Tech Data’s Chris DeRosiers

Vishwanathan-Kumar_Privafy.jpg

Privafy’s Kumar Vishwanathan

Another session focused on securing data in motion. Kumar Vishwanathan, Privafy’s executive vice president and CTO, and Chris DesRosiers, Tech Data’s director of security solutions business development, addressed the issue.

Data in motion is when computers talk to each other and transmit data across a network to get it from a user to a system, or between systems.

Examples of threats associated with data in motion include identity hijacking and distributed denial of service (DDoS) attacks, Vishwanathan said.

Another attack type is USB thumb drives and USB plug-in drives, DesRosiers said.

“There’s also something a little more exotic, like a man in the middle attack,” So if you think about taking your laptop
to Starbucks Wi-Fi, you see a guy over in the corner, he’s got a backpack [that] runs an access point off a battery.
And that access point says Starbucks Wi-Fi. In that sense, he becomes the man in the middle intercepting data in the air as you are transmitting back to the office.”

If you don’t have a VPN encrypting that data, that man in the middle can potentially intercept those transmissions and
record them to a hard drive, DesRosiers said.

Vishwanathan and DesRosiers also provided steps for protecting data in motion.

“The first thing to look at is to really drive some data hygiene into your workforce,” Vishwanathan said. “And what I mean by that is who is accessing what.”

Many times, Organizations lose data hygiene as they grow, he said.

“So start putting some data hygiene in place and then build up the rest of your security stack,” Vishwanathan said. “Make sure you have effective firewalls in place and effective remote access solutions in place. “

And if budget permits, start investing in anomaly detection, he said.

For partners, risk assessment is the beginning of the conversation, DesRosiers said.

“And risk assessments cover a lot of different areas, from multifactor authentication (MFA) to perimeter security, etc.,” he said. “But as it comes to the data itself, this is about the assessments that identify the data location, classify it, categorize it and figure out who has access. But to take it a step further, you want to be able to offer other elements. Some basic steps are encrypting that data, and that can include encryption at rest or in transit. And you might want to consider as you evolve your data in motion security posture the idea of data obfuscation or data masking. This…

…is where you only show certain parts of the data and you sort of anonymize it, or maybe even metadata, which is data about data … so it can only be viewed in a one-step removed component.”

Weddle-Lynn_RedLegg.jpg

RedLegg’s Lynn Weddle

Palmer-Mark_Granite.jpg

Granite’s Mark Palmer

McDonald-Kevin-B_Alvaka.jpg

Alvaka’s Kevin B. McDonald

Kevin McDonald, COO and CISO of Alvaka Networks, moderated the cybersecurity thunderdome. The competitors were:

  • Mark Palmer, Granite’s vice president of managed services.

  • Lynn Weddle, founder and co-partner of RedLegg.

  • Nadir Merchant, IT Glue’s general manager and CTO.

  • Andrew Harris: Lumen’s senior director of cybersecurity and strategic solutions.

The contenders shared what providers should be most focused on over the next two years. Palmer said subscription-based services are the key to everything now.

“There’s ransomware-as-a-service,” he said. “You look at those things and it’s not getting easier to defend, it’s getting harder to defend. And that’s the key, it’s prevention. Prevention is what people should be thinking about and … when something happens, what do you do and what can you do?”

Harris-Andrew_Lumen.jpg

Lumen’s Andrew Harris

Merchant-Nadir_IT-Glue.jpg

IT Glue’s Nadir Merchant

Harris said he’s seen a “huge uptick” in DDoS attacks.

“It’s really easy for anybody to go out and DDoS somebody,” he said. “I mean, I’ve been on calls with customers, schools, and a student isn’t prepared for finals. So they Google DDoS for hire and pay somebody $50 and take the school network down and finals are postponed. And health care, it’s life and death if their network’s down. I mean it’s very critical.”

Providers need to implement today’s best practices, Merchant said.

“Forget about future and new threats,” he said. “There’s so many companies and people that haven’t rolled out multifactor authentication (MFA) and they haven’t rolled out just the basics of having backup in place. We have to get that solved going forward.”

In addition, automation in security was a hot topic during the thunderdome.

“We can’t operate at the speed of machines,” McDonald said. “We’re being attacked by machines and by automation, so we all better be prepared to respond in kind. I do believe that if we look at security like the old board and the holes in it, the more holes you close, the less likely the marble is to fall through one of the holes. It’s very important that we all work together.”

Huntress Discover Microsoft Exchange Server 0-day exploits

This week, Microsoft reported multiple 0-day exploits being used to attack the on-premises version of Microsoft Exchange Server.

These attacks allowed access to email accounts and installation of malware to increase hackers’ dwell time. Microsoft has since released emergency patches.

Microsoft attributes this campaign to HAFNIUM, a group assessed to be state-sponsored and operating out of China.

Huntress‘ team was the first to report via an MSP partner that these 0-day vulnerabilities were first detected as early as Feb. 27. And hundreds of customers are affected.

Huntress discovered more than 100 webshells across roughly 1,500 vulnerable servers (with AV/EDR installed) and expect this number to keep rising. The team is seeing organizations of all shapes and sizes affected. Those include electricity companies, local/county governments, health care providers and banks/financial institutions.

The team is also seeing small hotels, multiple senior citizen communities and other midmarket businesses affected.

Hammond-John_Huntress.jpg

Huntress’ John Hammond

John Hammond is senior security researcher at Huntress.

“These intrusions left behind certain artifacts or breadcrumbs due to the nature of the attack,” he said. “The threat actors can gain remote code execution by leaving a publicly accessible webshell on a victim Exchange server.”

This attack chain grants the bad actor with remote code execution, Hammond said. That means they have control over the target server.

“While they land on an Exchange server, which is likely joined to a domain, the threat actors have a lot of access,” he said. “They can add or remove domain accounts or administrators, dump credentials or hashes from memory, move laterally throughout the network or continue their operations. Truthfully, we haven’t yet seen the fallout from this. What is next? Will they just exfiltrate data, or drop ransomware or mine cryptocurrency? We are still analyzing and hunting.”

The threat is still there and organizations remain vulnerable, Hammond said.

“It is apparent these threat actors are simply scanning the internet in a spray-and-pray fashion, looking for any publicly accessible host that might be vulnerable,” he said. “Organizations are certainly still vulnerable. Huntress is…

…seeing new partners onboarded and giving us visibility to more and more Exchange servers, currently over 3000. From our data, at the time of writing only 900 have successfully patched. Five hundred are visibly vulnerable, and we have record of 300 that are compromised.”

The hunt is not over, and Huntress is still analyzing and uncovering more and more information, but the attacks will not slow down, Hammond said.

Virginia Passes Legislation for Protecting Data

Virginia is officially the second state to pass consumer privacy legislation following the governor’s signature of the Consumer Data Protection Act (CDPA).

This legislation expands data privacy in the United States outside of just California. It should take effect Jan. 1, 2023.

Virginia residents can opt out of having their data collected and sold. In addition, they can see what data companies have collected about them, and correct or delete it.

The California Consumer Privacy Act (CCPA) went into effect in January 2020.

Ruchie-Mark_Entrust.jpg

Entrust’s Mark Ruchie

Mark Ruchie is CISO at Entrust.

“To better prepare for data protection regulations and compliance, today’s businesses must develop a security program based on a recognized conceptual framework such as the National Institute of Standards and Technology (NIST) or ISO 27001,” he said. “Once that’s in place, businesses can measure their program against new data protection regulations such as Virginia’s CDPA or California’s CCPA by mapping their security controls to the newly established standards.”

The good news is most global frameworks have many consistent components, such as being risk-based, Ruchie said. However, there likely will be initial confusion that businesses will need to work through. Being able to do a cross-mapping to a recognized framework will mitigate some of the confusion associated with these regulations.

“In general, most national legislation adheres to the General Data Protection Regulation (GDPR) framework with some minor differences,” he said. “For example, California is similar and other proposed state legislation regarding regulations in the U.S. look very similar to the CCPA. Luckily, there is a lot of guidance from law firms and industry associations in the privacy space that allows for quick and easy comparison between these laws and emerging frameworks.”

Cybersecurity Confidence Wavers Despite Major 2020 Investments

Nearly 80% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks despite increased IT security investments in 2020 to deal with distributed IT and work-from-home challenges.

That’s according to a new IDG Research Services survey commissioned by Insight Enterprises. More than 200 C-level IT and IT security executives in organizations with an average of 21,300 employees across a wide range of industries responded to the survey.

Among the findings:

  • Ninety-six percent increased cybersecurity spending last year. However, 78% believe their organizations still lack sufficient protection against cyberattacks.

  • The need to focus on closing security gaps related to remote work delayed other pressing projects last year. That contributed to the widespread lack of confidence in security.

  • Ninety-one percent are again increasing their cybersecurity spending this year to try to further harden their defenses against cyberattackers.

  • Some 55% rank lack of automation as the No. 1 challenge in security operations and management.

  • Only 27% expanded security staff in 2020.

  • Just 57% conducted a data security risk assessment in 2020.

Sprunger-Mike_Insight-Enterprises.jpg

Insight Enterprises’ Mike Sprunger

Mike Sprunger is Insight Enterprises‘ senior manager of cloud and network security.

“Not too many surprises other than the overwhelming number of organizations that had reduced confidence in their overall security posture and had doubts about their security strategy,” he said. “This indicates changes are happening much faster than organizations are able to pivot to address them. This lack of agility can be based on any number of reasons.”

The lack of trained and capable security personnel is driving opportunities for MSSPs, Sprunger said. But the need is far greater than simply event monitoring and reporting.

MSSPs can provide operational help in incident triage, resolution and forensics, as well as vulnerability management.

“Progress is being made, but technology put in place just five years ago may need refresh due to the change in threat landscape and capabilities of the adversaries,” he said. “Also, the adversaries are banding together to build an entire market for compromise, exploitation and extortion. It’s hard for an individual organization to fight this on their own.”

Read more about:

MSPs

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like