The Friendly Face of Cybercrime
The MGM Resorts breach of September 2023 serves as a wake-up call for businesses of all sizes – especially MSPs – emphasizing the urgent need to defend against social engineering threats.
As an MSP owner, you’re no stranger to the cyber threat landscape – how it’s constantly evolving and shifting as cybercriminals find new ways to make honest, hardworking citizens’ lives a living nightmare. But one truth remains, and it’s a truth we’re revisiting in this blog post:
Cyberattacks are not always launched by an act of technical wizardry or digital deception. Oftentimes, they begin with a simple phone call, and wear a friendly face – and that’s what makes them truly scary.
The Friendly Face of Cybercrime
For most people, the word “hacker” conjures an image of a guy typing furiously in a dark basement, pausing only to rub his palms together and cackle like a movie villain.
But the truth is, cyberattacks often wear a much friendlier face – and that’s what makes them so effective.
Take the September 2023 attack on MGM Resorts – a devastating breach that, by early estimates, cost the casino giant $52 million in lost revenue (and counting). Plus, think about the reputational damage!
It started with a roughly 10-minute phone call. The threat actor – reportedly an affiliate of the ALPHV/BlackCat ransomware operation – found an MGM employee on LinkedIn, called the help desk pretending to be that employee, and asked for a password reset.
And just like that, this cybercriminal gained access to MGM’s network.
Social Engineering – The Biggest Threat to Your MSP
The threat actors responsible for the MGM breach used “social engineering” (a fancy term for tricking people).
Social engineering doesn’t rely on technology; it relies on human nature – on how much trouble we have saying “no” to someone who is polite, convincing, friendly.
It turns out we have A LOT of trouble with this, which explains why 98% of cyberattacks use some form of social engineering!
And when 43% of all cyberattacks are on small to medium-sized businesses (SMBs), having a robust defense against social engineering isn’t just a good idea; it’s a necessity.
ID 20/20 – Your Solution Against Social Engineering
You can’t change human nature, but you can give your MSP a tool that stops social engineering attempts in their tracks.
Our patented ID 20/20 software is purpose-built for MSPs, delivering a user-friendly, cost-effective, and supremely effective defense against social engineering threats. We understand that MSPs require robust tools not only to protect their own sensitive data but that of the businesses they serve, and failure to do so could lead to catastrophic breaches with far-reaching consequences. You are in effect a gateway to a whole network of organizations and a veritable treasure trove of sensitive information.
How does it work?
ID 20/20 borrows the possession factor from MFA (multi-factor authentication) to verify a live caller’s identity: a one-time code is delivered out of band, and the caller has to read it back.
When “John” calls your MSP’s help desk, how do you know it’s really John?
If you have ID 20/20 software, a code is sent to so-called John’s email or cell phone. For that check to mean anything, the code has to go to the contact details already on record for John, never to a number or address the caller supplies, and the help-desk agent must never read the code out to the caller. If “John” can’t read the code back, there’s a good chance he’s not really John, and nothing should be reset until he can.
The whole thing takes less than a minute, requires zero downloads, and will protect your MSP – and your clients – against the most common type of cyberattack. We’re confident that if MGM had implemented a solution like ID 20/20, they could have sniffed out the threat actor right away and saved themselves millions.
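To make the pattern described above concrete, here is an added Python illustration of out-of-band caller verification for a help desk. It is not ID 20/20’s code, and the directory, the delivery hook (`send`) and the identity names are assumptions made up for the example. The details that matter in practice are all in it: the code goes only to the contact details already on record, it is generated with a cryptographic random source, it expires, it is single-use, it tolerates only a few wrong answers, and the comparison is constant-time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample directory of contact details *on record*, keyed by the
# identity the caller claims. In production this comes from HR or the identity
# provider, never from anything the caller says on the phone.
DIRECTORY = {
    "john.doe": {"email": "john.doe@example.com", "mobile": "+15555550100"},
}

CODE_TTL_SECONDS = 300  # a code is good for five minutes
MAX_ATTEMPTS = 3        # after three wrong answers the challenge is voided


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class CallerVerifier:
    """Out-of-band one-time-code verification for a live help-desk caller.

    `send(destination, message)` is a hypothetical delivery hook standing in
    for an SMS or e-mail gateway; `clock` is injectable so expiry can be tested.
    """

    def __init__(self, directory, send, clock=time.time):
        self.directory = directory
        self.send = send
        self.clock = clock
        self.pending = {}

    def start(self, claimed_user, channel="mobile"):
        """Issue a code to the contact on record. Returns False (and sends
        nothing) if the identity or channel is unknown."""
        record = self.directory.get(claimed_user)
        if record is None or channel not in record:
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, leading zeros kept
        self.pending[claimed_user] = Challenge(code=code, issued_at=self.clock())
        self.send(record[channel], f"Help desk verification code: {code}")
        return True

    def verify(self, claimed_user, code_from_caller):
        """Check the code the caller reads back: single use, time-limited,
        attempt-limited, constant-time comparison."""
        ch = self.pending.get(claimed_user)
        if ch is None or ch.used:
            return False
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self.pending[claimed_user]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.pending[claimed_user]
            return False
        ok = hmac.compare_digest(ch.code, str(code_from_caller).strip())
        if ok:
            ch.used = True
        return ok


def demo():
    """Walk through a legitimate call and an impostor's guess; returns the
    messages that would have gone out and the four verification outcomes."""
    sent = []
    v = CallerVerifier(DIRECTORY, send=lambda dest, msg: sent.append((dest, msg)))
    v.start("john.doe")                        # code goes to the mobile on record
    real_code = sent[-1][1].split()[-1]
    wrong = "000000" if real_code != "000000" else "000001"
    impostor = v.verify("john.doe", wrong)     # False: guess does not match
    caller = v.verify("john.doe", real_code)   # True: caller read back the code
    replay = v.verify("john.doe", real_code)   # False: codes are single use
    unknown = v.start("jane.unknown")          # False: nothing sent for unknown id
    return sent, (impostor, caller, replay, unknown)


if __name__ == "__main__":
    print(demo())
```

Note what the flow refuses to do: it will not send a code anywhere the caller names, it will not confirm whether an identity exists, and a challenge that has expired or absorbed too many guesses is thrown away rather than left lying around for a later attempt.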
We’ve made ID 20/20 cost-effective for small and mid-sized MSPs, convenient for your end clients, and the last thing hackers want to encounter when they come for your business.
Click here to discover why ID 20/20 is quickly becoming the go-to live caller verification tool for SMBs across the country, and a popular choice for MSPs of all sizes. If you’re interested in using ID 20/20 at your MSP business, you can schedule a call and we’ll go from there!
Do we hope your organization decides to use ID 20/20 as a defense against social engineering attacks? Of course! We’re proud of the tool and know it makes MSPs and the businesses they serve immeasurably more secure.
But whatever you decide to do, please – PLEASE – don’t do nothing. Social engineering attempts are rampant and they’re wreaking havoc in both public and private sectors. Make today the day you took a stand.
In this digital age, your company’s website is a crucial part of your business. You want it to look professional, as well as be easily navigable and highly engaging. But you don’t just want a website that looks nice and has an intuitive user interface (UI) — you also want a website that’s secure.
Website security, despite being a vital part of your overall cybersecurity posture, is far too often overlooked by small and medium-sized business (SMB) owners. As with many aspects of cybersecurity, there is an enduring belief that hackers don’t come after ‘the little guy.’ And so, SMB owners put ‘improve website security’ at the bottom of their to-do lists, thinking it can wait.
But the truth is, the ‘we’re too small’ justification for neglecting website security is paper thin; we’re seeing threat actors target smaller companies more and more. A recent study revealed that 61% of SMBs have experienced a cyberattack over the past year. Cyberattacks on SMBs aren’t rare, they’re rampant, and beefing up your website’s security isn’t preparing for a possibility, but bracing for an inevitability.
So, let’s talk about website security. Here are our Top 5 Website Security Tips for Small Business Owners …
Tip #1: Practice Good Password Hygiene
Your company’s passwords are a critical line of defense against cyberattacks. Unfortunately, poor ‘password hygiene’ is practically an epidemic, even in this dangerous digital era. In its 2019 analysis of breached accounts, the UK’s National Cyber Security Centre found that 23.2 million accounts worldwide had been protected by the password “123456”! Statistics like this make IT experts cringe, because weak passwords make your business a sitting duck for threat actors.
Bottom line, get serious about practicing good password hygiene at your business. Enforce a sensible minimum length on your company’s website(s) and block passwords that are common or have appeared in known breaches (current NCSC and NIST guidance favours this over forced character-class rules and scheduled resets), train your staff on what makes a strong password, enlist a password manager so employees don’t have to rely on memory or sticky notes, and bolster your passwords with multi-factor authentication (MFA). Doing these things might seem like a hassle, but the inconvenience pales in comparison to the devastating effects of a serious data breach.
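As an added example (not code from the original article), here is what the password policy described in this tip looks like when a website actually enforces it: a minimum length, a deny-list of common passwords of the kind the NCSC publishes, a check that the password does not contain the username, and a breached-password lookup done the k-anonymity way, where only the first five characters of the SHA-1 hash would ever leave the site. The deny-list and the “breach corpus” here are small constructed stand-ins; a real deployment loads a list of thousands and queries a range service for the hash suffixes.

```python
import hashlib
import re

MIN_LENGTH = 12

# Constructed deny-list in the spirit of the NCSC's published "most common
# passwords" list (their 2019 analysis put 123456 at the top). A real
# deployment loads a list of thousands from disk and compares case-insensitively.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "12345", "iloveyou",
}


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Index a breach corpus the way the k-anonymity 'range' lookup
    (popularised by Have I Been Pwned) expects: 5-char SHA-1 prefix ->
    set of 35-char suffixes. Only the prefix ever needs to leave the client."""
    index = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


# Constructed stand-in for a breached-password corpus; in production the
# suffixes for a prefix are fetched from the range service instead.
BREACH_INDEX = build_breach_index({"letmein", "Summer2023!", "P@ssw0rd", "welcome1"})


def in_breach_corpus(password, index=BREACH_INDEX):
    digest = _sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password, username=""):
    """Return the list of policy failures; an empty list means acceptable.
    Length plus deny-lists, not character-class rules, per NCSC/NIST guidance."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1*", password):       # e.g. 'aaaaaaaaaaaa'
        problems.append("single repeated character")
    if password.isdigit():
        problems.append("all digits")
    if in_breach_corpus(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Summer2023!", "correct horse battery staple"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The point of the hash-prefix lookup is that the site never has to ship the plaintext password (or even its full hash) to a third party to learn whether it has been breached; that is the same privacy property the public range APIs rely on.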
Tip #2: Make the Move from HTTP to HTTPS
The difference between “HTTP” and “HTTPS” might be just one letter, but what a difference that one letter makes! But what are these acronyms?
Well, the address of any website you visit will begin with either “http://” or “https://”. “HTTP” stands for “Hypertext Transfer Protocol,” and the “S” stands for “Secure.” Most browsers mark an HTTPS site with a padlock symbol in the address bar to the left of the URL (newer versions of Chrome have dropped the padlock and instead flag plain-HTTP pages as “Not secure”). But what’s the difference?
An HTTPS site is vastly more secure than an HTTP site because the server presents a TLS certificate (still commonly called an SSL certificate, after the older protocol TLS replaced) that lets the browser confirm it is talking to the genuine site and then set up an encrypted connection. In plain English: the data that flows to and from an HTTPS site — credit card information, passwords, etc. — is scrambled, so even if a hacker manages to intercept it, it will be unintelligible, i.e., pure nonsense, and any attempt to alter it in transit is detected.
Having an HTTPS site is utterly essential if you accept sensitive information through your website, but even if you don’t, it’s still a good idea, because an attacker sitting on the network path (a public Wi-Fi hotspot, say) can read or rewrite a plain-HTTP page before it reaches your visitor, including injecting malicious content into it. Moreover, HTTPS sites receive an SEO bump from Google, which makes the adoption of HTTPS even more of a no-brainer.
So, if you haven’t already, make the move from HTTP to HTTPS: get a certificate (free ones are available from Let’s Encrypt), install it on your web server, redirect every HTTP request permanently to its HTTPS equivalent, and fix any ‘mixed content’ (images or scripts still loaded over HTTP). Then get in the habit of avoiding websites that don’t display the reassuring padlock. Here’s a good article outlining the steps required to make the switch.
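Once the switch is made, it is worth checking that it was made completely. The following is an added Python example (not from the original article) that audits two captured responses, the one your site gives on plain HTTP and the one it gives on HTTPS, the way you would after a migration: the HTTP endpoint must answer with a permanent redirect to the same host over HTTPS, and the HTTPS endpoint must send a Strict-Transport-Security header with a long enough max-age so browsers stop trying HTTP at all. The hostname and the before/after responses are constructed for the example; in practice you would paste in what `curl -I` returned.

```python
from urllib.parse import urlparse

ONE_YEAR = 31_536_000  # the minimum max-age most HSTS guidance asks for


def _lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(header_value):
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.
    Valueless directives map to True."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def check_http_redirect(site_host, status, headers):
    """The plain-HTTP endpoint must answer with a permanent redirect to the
    same host over https; a 302 to http, or a hop to another host, fails."""
    h = _lower_keys(headers)
    problems = []
    if status not in (301, 308):
        problems.append(f"expected a permanent redirect (301/308), got {status}")
    location = h.get("location", "")
    target = urlparse(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location!r}")
    if target.hostname != site_host:
        problems.append(f"redirect does not stay on {site_host}: {location!r}")
    return problems


def check_https_response(status, headers, min_max_age=ONE_YEAR):
    """The HTTPS endpoint must serve the page and tell browsers, via HSTS,
    never to use HTTP for this host again."""
    h = _lower_keys(headers)
    problems = []
    if status != 200:
        problems.append(f"https endpoint returned {status}, not 200")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header")
        return problems
    d = parse_hsts(hsts)
    try:
        max_age = int(d.get("max-age", 0))
    except (TypeError, ValueError):
        max_age = 0
    if max_age < min_max_age:
        problems.append(f"HSTS max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in d:
        problems.append("HSTS does not include subdomains")
    return problems


# Constructed responses, as you might capture them with `curl -I` before and
# after a migration: (status, headers).
BEFORE_HTTP = (302, {"Location": "http://www.example-shop.com/"})   # temporary, still http
BEFORE_HTTPS = (200, {"Content-Type": "text/html"})                  # reachable, but no HSTS
AFTER_HTTP = (301, {"Location": "https://www.example-shop.com/"})
AFTER_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})


def audit(site_host, http_response, https_response):
    """Combine both checks; an empty list means the migration looks complete."""
    return (check_http_redirect(site_host, *http_response)
            + check_https_response(*https_response))


if __name__ == "__main__":
    host = "www.example-shop.com"
    print("before:", audit(host, BEFORE_HTTP, BEFORE_HTTPS))
    print("after: ", audit(host, AFTER_HTTP, AFTER_HTTPS))
```

The “before” responses are the typical half-finished state: the site answers on HTTPS, but HTTP visitors are bounced with a temporary redirect that still points at http://, and nothing tells browsers to prefer HTTPS next time. The “after” responses pass cleanly.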
Tip #3: Keep Up with Updates
Creating a website for your small business has never been easier. Content management systems like WordPress, Joomla, and Drupal simplify the process so that even the least tech-savvy business owners can create a website with relative ease.
But as easy as it is to make your company website, you can’t just create your website and then expect it to take care of itself. Like any piece of property, your patch of digital land requires maintenance. More to the point, you have to keep up with update notices for the CMS itself, its plugins, and its themes.
Now, these might seem like a hassle, and you might not think it’s a big deal if your organization operates without the latest WordPress update for a day or two — or a whole week even. After all, you’ve ignored cell phone updates before and it’s not like your whole life came crashing down …
Stop right there! Updates are not optional enhancements; they’re necessary adaptations to an ever-evolving threat landscape, and many of them close holes that attackers are already scanning for. If you’re casual about updates, you’re putting your entire organization at risk. So keep up with updates, turn on automatic security updates where your CMS supports them (WordPress applies minor and security releases automatically by default), delete plugins and themes you no longer use (they remain attack surface even when deactivated), and work with your IT provider to streamline and automate the rest, or you can expect to join the roughly 30,000 websites estimated to be hacked each day!
Tip #4: Backup, Backup, and Backup Some More!
Like updates, data backup is a security fundamental business owners can’t afford to neglect. No matter how careful you are, things happen — cyberattacks, natural disasters, simple employee errors — and data gets lost. But when the data you lose is backed up — i.e., when there’s a copy of it — it’s not truly lost. You swap in the copy and you’re back on your feet.
Of course, things are more complicated than that. If hackers get their hands on your customers’ credit card info, it won’t matter much that the data is backed up. That said, data backup does protect businesses from numerous cyber risks, and is a critical component of a sound disaster recovery plan.
But how often should you be backing up your data? Does your backup need a backup? Is it important to have a backup offsite? Can the cloud provide a sensible backup solution for small businesses? To answer these in order: it depends on the nature of your business, specifically on how much downtime you can tolerate (your recovery time objective, or RTO) and how much recent data you can afford to lose (your recovery point objective, or RPO); most likely it does; yes, and at least one copy should be offline or immutable so that ransomware which reaches your network cannot encrypt the backups along with everything else; and yes. Whatever you settle on, test a restore periodically. A backup you have never restored is a hope, not a plan.
Creating the ideal backup strategy for your business isn’t something you should undertake on your own. Work with in-house IT staff or your IT provider/managed service provider to come up with a backup solution that fits your business’s needs and automates as much as possible.
Tip #5: Train Your Staff
The importance of employee training cannot be overstated. Your people are your most valuable asset — this isn’t just true as a general adage, but as a principle of cybersecurity! If there is one thing any business can do to immediately bolster its website security, it’s implement regular staff training. An informed workforce is an empowered one, and considering that 82% of the breaches analyzed in Verizon’s 2022 Data Breach Investigations Report involved the human element (phishing, stolen credentials, misuse, or plain error), it’s safe to say that businesses across the board aren’t investing enough time and resources in employee cyber risk training.
Don’t be afraid to get creative and inject some fun into your staff training. Cybersecurity is a deadly serious topic, but that doesn’t mean cyber training has to be dull and dry or all ‘doom and gloom.’ Try ‘gamifying’ some of the training. Serve cake at in-person training sessions. Send out fake phishing emails and reward employees who spot them and report them according to company protocol.
Whatever training regimen you come up with, stick with it. Cyber risk training should be ongoing and regular. And if part of your workforce is remote, make sure to train them on the cyber risks associated with working-from-home (WFH) before you let them leave the office. Remember, cybercrime has skyrocketed since the start of the COVID-19 pandemic, largely due to the rise in remote work. So don’t let your commitment to cybersecurity end at the walls of your physical office.
Final Thoughts
Protecting your growing business means protecting its website. And while following the above five tips won’t guarantee your website’s total security — sadly, no such guarantees exist — they will go a long way toward protecting your organizational and customer data, and keeping hackers off your digital land.
Don’t let website security and other IT issues overwhelm you! If you’re struggling to stay on top of IT at your business, reach out to a trusted MSP in your area for help. A good MSP will take care of your website — and your entire IT infrastructure — for a single predictable monthly fee.
Written by: Tim Conkle, CEO of The 20
Full Forbes article here
The Human Element
Threat actors target human laziness and human fallibility for their most effective attacks. Social engineering cannot exist without both being present. To shore up the human element, you need to prevent laziness and fallibility from being applicable. As you systematically eliminate both, you eliminate the chances for social engineering and phishing to work in the first place. Laziness and fallibility present their own threats, though.
Laziness
Laziness often stems from a lack of knowledge and a lack of transparency. How can you know what the organization’s stance is if no one tells you anything? There has to be clarity and transparency about what the policies are and why they exist; otherwise, it’s easy to ignore them. Can an employee follow them the first day they’re there? If they can’t, you need either a new set of rules or a new employee.
Policy gives people a checklist so they aren’t left to their own devices. It provides a self-enforcing metric on whether they have done what they’re supposed to or not. Even if their adherence causes an issue, if they followed the checklist, they did what they were supposed to. Send the message, “If you follow policy, you’re going to be OK, no matter what happens,” and stick to it. If the policy causes an issue, fix it.
Fallibility
Human fallibility is deeper than just mixing up similar characters. A person who is amazing might be 98% accurate, but that means they’ll screw up in some way 2 out of every 100 times. Even if you put in place a review process, you’ll still never push 100%. You can get close, but there’s still going to be that rare miss. You may block or train against 999,999 phishing or social engineering attempts, but that one in a million one is going to ruin you.
Social Engineering
Social engineering uses laziness and fallibility as its main tools, but social expectation plays an important role. The expectation of politeness and aversion to conflict in the workplace leads to a conflict between social expectation and work process. Without a uniform process being enforced, how can you reconcile the conflict between social expectation and work process?
A urinal is the riskiest and easiest place to pick a pocket. The average man will stare ahead to the point of absurdity due to the social expectation and unwritten urinal code. What happens when they are targeting more than a wallet and scan an RFID card? Laziness put the card where it could be accessed; human fallibility made the person miss the security threat. One feeds into the other. Social expectations were just the glue to make the attack possible.
Technology And Process
Technology is the flour; process is the oil, and enforcement is the heat. You have to have both the flour and oil to make a roux, but if you put them in a pan without heat, all you get is a mess. Too much heat, and all you get is a fire, though. The deployment of technology needs to be enforced, and the process needs to be followed, but there has to be a limit as well.
Make the process clear and understandable. Make the technology sane. People are going to slack off. They’re going to screw around, and they’re going to be inefficient. Know that they’ll do this, but curb it where it matters. The human element needs to be shored up, but it can’t be thrown out.
Selling Security
Security is a selling point. Ask any company if they don’t want security and see what they say. Not a single one will tell you they don’t want security. Now ask them if they’re willing to sacrifice convenience or efficiency for security and see where they stand. How many are left?
Sell security as a process toward efficiency. Backups aren’t just stopping ransomware; they’re stopping mistakes in the company from costing wasted time. Antivirus isn’t just stopping malware; it’s stopping downtime. Sell security as a way to make the business more profitable and more efficient.
Closing The Human Gap
The only way to close the human gap is to create a process both on the technological side and the human side. Combine the two in order to strengthen the technological side and reduce potential for abuse, and strengthen the human side to stop what makes it through. If you use a plain key, a lockpick can open the door, but what if you use the newest military-grade smart card? A person can still hold the door. Each side of the equation needs to be addressed or you don’t have a balance that means anything.
To close the human gap, you have to remember that people are going to be human. People need respect and understanding to function. Target the human element by removing the questions and omitting the uncertainty. People love to say, “I was just following orders,” because it gives them an excuse for what they do when it contradicts social standards. Give your users the chance to have a process that not only works with them but, most importantly, for them.
The MSP’s Essential Guide to Cybersecurity and Cyber Warfare in 2021
What You Need to Know in the Age of Nation-State Sponsored Hacking
Cyber warfare has been on the rise in recent years. The news has been inundated with ransomware attack after ransomware attack, and breach after breach hitting companies large and small. The amount of data any given company has is staggering, and combined with the fact many people reuse passwords (see here to learn how to really secure a password), a little access goes a long way. The move to working from home during the pandemic and to hybrid environments has arguably exacerbated this (absent better security mechanisms).
While in previous years we mainly saw individuals or small groups engaging in cyber warfare attacks, there’s been a serious growth in organization and backing as of late. The DHS has been raising alarms about cyber-attacks for a decade, and the DOD has been much more open about the state of affairs.
We’re at war digitally. The battle has grown from hackers of yore on an ideological crusade to nation-states looking to gain an advantage over enemies on a geopolitical chessboard. There are hacking groups involved, but more often than not they attack enemies (or perceived enemies) of their home nations. DarkSide, REvil, etc. focus on the United States and other Western powers while entirely eschewing the former Soviet Bloc. Whether any given breach is a deliberate act of warfare is arguable, but geopolitics play a role in these attacks. Either we’re dealing with state sponsored hacking or we’re dealing with privateers.
The news has been filled with recent attacks ranging from meat processing plants to pipelines to RMM products. Let’s break down some of these attacks to see what happened and how they impact smaller players such as MSPs.
Recent Attacks
The most recent major cyber warfare attack (as of writing) hit SolarWinds and Kaseya. JBS S.A., the world’s largest meat supplier, was hit about a month earlier. Less than a month before this major attack on JBS, Colonial Pipeline was hit as well causing a jump in gas prices due to a predicted shortage. SolarWinds has also been in and out of the news with various attacks since the end of last year. EA got hit as well but with a seemingly different motive. Large or small, businesses at all levels are vulnerable to cyber warfare attacks if they don’t stay secure at every layer from top to bottom.
These are the most major attacks, but there have been continuous breaches against all level of small, medium, and even large businesses with different bounties (from ransoms to intel) and levels of damage inflicted that haven’t made the news. The media is just continuously churning through various attacks and unable to address them all (I can’t even seem to get through editing this article before another attack occurs). These attacks are composed of a mix of ransomware and exfiltration which have caused waves in the economy.
RMM Hacks: SolarWinds and Kaseya
The SolarWinds hack from the end of 2020 (discussed below) has continued to have ramifications. Microsoft disclosed a new breach believed to be tied to Russia’s Foreign Intelligence Service which was linked to the SolarWinds hack. This attack hit the news right around the same time as the Kaseya hack which saw ransomware distributed through Kaseya’s VSA RMM by REvil (you’ll see them again with multiple attacks).
The SolarWinds news is the continuing fallout from the previous compromise, but the Kaseya incident involved new zero-day exploits against customers’ internet-facing, on-premises VSA servers (alongside older, already known bugs); once in, the attackers used VSA’s own agent-management channel to push REvil ransomware to the endpoints those servers managed. While this attack did not compromise The 20’s customers, it definitely had an impact while we waited for the patch. These are two different kinds of supply chain attack: SolarWinds was a trojanized vendor build delivered to every customer, Kaseya was an RMM platform turned against the machines it administered, and both leverage one piece of the pipeline to compromise someone further down the line.
The specifics aren’t entirely out for these attacks (though stay tuned for a postmortem on the VSA attack when the dust settles), but the message is clear: supply chain attacks, especially against MSPs, are on the rise and will continue to become more and more common. What is your organization doing to prevent your RMM tool from becoming your worst nightmare?
JBS S.A.
JBS was forced to shut down all nine of its US beef plants. People were worried about meat prices skyrocketing like the earlier Colonial Pipeline hack did for gas prices in some areas. While the exact details of the intrusion haven’t been published (and probably won’t be), JBS confirmed paying an $11 million ransom to get back to operating.
REvil is believed to be responsible per the FBI. While they’ve claimed they aren’t politically motivated, attacking JBS disrupts the food supply and isn’t the first high profile attack this year. If the attacks aren’t political, they are at least having political implications.
The exact intrusion details have not been released, but at the very least the downtime from this attack has been expensive. Backup systems were not affected, which allowed faster recovery. There is a reported link between REvil and the QBot malware for this specific attack.
Proper backups are what saved them from experiencing the same issues as Colonial Pipeline or other victims of ransomware. A cyber warfare attack is going to cost time and effort no matter what, but what are you doing for yourself and your clients to ensure it’s minimal? Remediation is one of the biggest deciding factors in how successful a ransomware attack is.
Colonial Pipeline
The Colonial Pipeline hack took place in early May, about a month before the JBS attack. This attack managed to cripple a major pipeline along the East Coast of the US using ransomware. A lot of these attacks rely on phishing or similar techniques to breach a network; in Colonial’s case, the company has since testified that the attackers got in with a single compromised password for a legacy VPN account that had no multi-factor authentication.
This attack was carried out by a ransomware group known as DarkSide which is most likely from Eastern Europe. DarkSide is a group suspected of ties with REvil.
Colonial Pipeline ended up paying a ransom of around $4.4 million in Bitcoin (roughly 75 BTC) to their attackers. The DOJ was able to recover about $2.3 million of it from DarkSide, which disbanded shortly after the attack. The attack caused a flux in gasoline prices and created localized, artificial shortages as panic buying, amplified by media coverage, drained stations faster than the pipeline outage alone would have. DarkSide has claimed that this attack was not politically motivated, but it seems a bit coincidental with all of the infrastructure attacks we’ve seen. Even if the attack itself was not politically motivated, it had devastating geopolitical implications.
The cost of downtime is expensive, enough that a major company was willing to bleed a massive ransom to keep going. They could afford to do it, but what about your business or the businesses you support? What infrastructure supports your or your client’s business and what infrastructure do you impact?
SolarWinds
SolarWinds has been in and out of the news from the sheer fallout from the attacks. They got hacked, and they got hacked bad. The build process for their Orion IT monitoring platform was compromised and a backdoor was inserted into signed Orion updates, which gave the attackers a way into customers including Microsoft and VMware, and even into the federal government. The attack was serious enough that the US imposed sanctions on Russia in April 2021, formally attributing it to the Russian Foreign Intelligence Service (SVR).
The attack caused a massive amount of downtime, compromised certain companies’ data, and trojanized the software platform itself. Attacks on MSPs and their tooling have gotten more and more prevalent in recent years. A single attack doesn’t just hurt one company; it allows ingress into a multitude of companies, and because an RMM agent runs with administrative privileges on every endpoint it manages, control of the platform is in practice control of every one of those machines.
SolarWinds is an attractive target to nation-state level attacks and enemies of the US due to its access and its bounty. The more clients, the more attractive a specific MSP, service, or platform becomes. SolarWinds was a victim of their own success to the point that hackers were willing to take a slow, but extremely safe path to compromise the environment.
Electronic Arts
Hackers got into EA Games through its Slack workspace. They managed to get the source code for FIFA 21 as well as the Frostbite engine. The tools and source code themselves are worth a lot, but so are the cheats and exploits that could be built on top of them.
This attack leveraged technical social engineering. The attackers bought stolen browser cookies, including a Slack session cookie, on a criminal marketplace for around $10, used the cookie to get into EA’s Slack, then messaged IT support claiming to have lost their phone at a party and talked the support desk into issuing them a multi-factor authentication token. From there they reached EA’s internal services and pulled the source code, compromising the company in a way which is going to convolute their process for years.
This breach was more focused on exfiltrating data to ransom (or even just sell, depending). We really don’t know one way or another, but either way, the data has ended up on the market for sale. The attack cost the attackers around $10 for a stolen cookie (or set of cookies) and a lot of work and infiltration in order to pull off a social engineering attack.
The cost of the attack itself was trivial, the deciding factor was internal processes which allowed the attack to work. What are you doing to lock down your internal and external processes for your MSP and your clients’ businesses? All it takes is one weak link in the chain, human or technical to bring everything crashing down without the right safeguards. How are you verifying who you’re chatting with in an internal company chat? What are you doing to make sure people on the phone are who they say they are?
Nation-State Attacks
Hacking has grown into both a business and a way to damage a nation’s infrastructure and security. Nation-state level attacks are on the rise and they don’t need to hit government targets to do serious damage. Taking out a business can do as much damage (or even more) than taking out a government institution.
Malware has been getting more advanced. The arms race has gotten complex enough that individuals just can’t cut it. Individuals joined small teams which have grown into an entire ecosystem targeting different pieces of the attack pipeline. Teams can be the size of businesses and still work with multiple other teams to pull off an attack, or to create a way to profit from the spoils of a successful attack (e.g. fencing data).
These efforts finance the teams themselves via ransoms or paid hits (among other potential monetization pathways), but also serve nation-state aims and goals (like privateering). Groups like DarkSide and REvil do not target anyone in their own region. The government turns a blind eye to their actions, but also more than likely funds them or provides targets in some way. Patriotism can bleed into profiteering.
Russia, China, North Korea, etc. all continue to be digital threats to the United States and allies. The wargames are escalating and the stakes are getting higher and higher in the era of digital conflict. These nations have blurred the line between crime and war with the nature of their attacks. As the attacks become more profitable and tensions rise, the attacks are going to get more brutal and more surgical in their scope and their damage.
Business Implications
As an MSP, the business implications are dire. You are potentially a point of ingress into multiple networks for multiple businesses, which means a single compromise can damage both you and your clients. An RMM like SolarWinds N-central or ConnectWise Automate can offer an easy way into systems with privileged access and limited oversight (depending on the methodology and administration of the tools available). Tricks like fileless malware can enable a simple script to compromise sites and elude security measures. Security isn’t just nice to have, it’s essential as the arms race takes off.
Downtime is expensive for you and your clients. Just because it isn’t your fault a client went down, doesn’t mean it won’t impact you economically if they crater. When you work in a B2B service, you are tied to your client. Their success is your success, and their failure can become your failure if you are not careful. What are you doing to prevent compromises and cyber warfare attacks?
A leaky API can become weaponized as easily as an errant password gotten from social engineering. The marriage of social engineering and novel technical exploits resulted in us developing our own patent pending security tool, ID 20/20.
As our lives become increasingly dependent and entwined with digital services and processes, our well-being becomes increasingly reliant on each link in the chain functioning optimally. Each minor fracturing of process ends up weaponized as a way to break a business. A breach in a service means an inability to function or a loss of control of intellectual property, even if the attack doesn’t necessarily spread to a full compromise. Vulnerability on this front can damage your reputation, dull your competitive edge, or worse.
Conclusion
As geopolitical relationships are strained and economies increasingly compete for limited resources, we’re going to see this is just the beginning for cyber warfare. Nation-state actors see cyber-attacks as not just a way to damage a country, but a way to destabilize industries and finance further operations. A bomb dropped is an act of war (and costly to boot), but a pipeline or meat packing plant breached is the result of bad actors until proven otherwise (with the bonus of sowing discontent and damaging infrastructure).
MSPs are going to become larger targets for cyber warfare as their value as an easier way into many companies becomes more attractive. RMM tools offer a near unlimited level of access to the machines they manage, all available in one attractive location. What are you doing to prevent your convenience from becoming a point of ingress for threat actors? How are you keeping your clients safe and mitigating politically motivated attacks which can destroy them?
We use and provide a layered approach to security to reduce the impact of any given action by a threat actor. No layer is perfect or anywhere close (anyone who tells you differently is lying), but the chances of getting in and doing damage decrease for each hurdle in the way. We combine that with alerting and smart solutions to prevent the spread of destruction or ingress to limit the damage done. We were not hit by the latest round of attacks, and not just by luck. Add in backups and you can quickly roll with the punches. A nation-state actor that wants in will probably get in with enough resources, but you need to ensure that if (or when) they do, they get as little as possible and that it is as inconvenient as possible.
Contact us for more information about what The 20 can do for your MSP to help ready you for growing cyber threats.
Infrastructure matters. When your network or applications unexpectedly fail or crash, IT downtime can have a direct impact on your bottom line and ongoing business operations. In some extreme cases, data and monetary losses from unplanned outages can even cause a company to go out of business!
IT Downtime Factors
The industry average cost of IT downtime depends on a lot of factors. The monetary losses vary when you consider your revenue, industry, the actual duration of the outage, the number of people impacted, the time of day, etc. For example, hourly losses are significantly higher for businesses built on high-level data transactions, like banks and online retailers. If you experience an unplanned outage during peak traffic time, obviously the damage will be more significant.
According to Gartner, the average cost of IT downtime is $5,600 per minute. Because businesses operate so differently, the cost of downtime ranges from $140,000 per hour at the low end, through $300,000 per hour on average, to as much as $540,000 per hour at the high end.
98% of organizations say a single hour of downtime costs over $100,000. 81% of respondents indicated that 60 minutes of downtime costs their business over $300,000. 33% of those enterprises reported that one hour of downtime costs their firms $1-5 million.
Indirect Costs of IT Downtime
But there are other costs that don’t often show up in dollar form. That’s the cost of interruptions, especially when IT professionals are interrupted from what might be more productive work.
Take, for example, the interruption that occurs when someone pops into your office to tell you that your email server is down. That interruption, of course, takes the time it takes, plus the time to fix the problem. But did you know, according to a study by UC Irvine, that it often takes an average of 23 minutes to refocus and get your head back in the game after an interruption?
As once reported in the Washington Post, interruptions consume, on average, 238 minutes per day. In addition, the time to get started back up after an interruption consumes another 84 minutes a day. The time lost to stress and fatigue steals another 50 minutes a day.
All that adds up to about 6.2 hours per day, or 31 hours per week lost to interruptions! Is it any wonder we’re spending most of our time treading water?
The truth is that no business is immune to the corrosive effects of downtime when it comes to customer — as well as employee — retention, productivity, and standing in the marketplace. Downtime is extremely expensive, and in ways that can make or break the success of your organization. At the same time, it’s essentially unavoidable, because technology architectures are becoming increasingly complex and unpredictable.
Downtime and Cybersecurity
Downtime is costly enough when it results from purely accidental failures in your technology. But when downtime is the result of nefarious behavior by hackers and other threat actors, the monetary consequences can start to skyrocket at an alarming, often business-ruining rate.
The statistics on this are sobering: A 2017 study found that SMBs spend, on average, approximately $117k dollars to recover from a cyberattack. And the SMBs that do recover are the lucky ones, as nearly two thirds of SMBs have to close up shop within six months of a hack or data breach, as reported by the National Cyber Security Alliance. And it’s not just the big companies who suffer from cybercrime, either. Verizon’s 2019 Investigations Report revealed that 60% of cyberattacks affected SMBs.
And now with more and more employees working from home, companies face an even tougher battle against cybercrime. Remote work has “contributed dramatically to the rise in successful ransomware attacks,” says Israel Barak, chief information security officer at Cybereason.
Downtime caused by threat actors comes with the usual costs of downtime — the costs of not being able to do business — plus a plethora of additional costs, such as the ransom payments that companies make to hackers after a ransomware attack. But perhaps the most insidious cost of a data breach is reputational damage. A survey put out by Security.org found that almost one in four Americans stop doing business with a company after it suffers a data breach.
Preparing for IT Downtime
So, what can you do? Are there any positives in all of this?
The best news — and what really matters — is that simply taking a few steps to prepare for an outage can make a huge difference. You can, for instance, take the time to define which services require the most prioritized response, have contingency plans in place, leverage post-mortems to improve processes, and conduct regular testing.
By taking the time to implement a plan for addressing inevitable downtime, your organization stands to realize thousands — or even millions — of dollars in quantifiable cost savings, as well as ensure the health of crucial qualitative factors such as employee morale, brand reputation, and customer loyalty.

What Makes A Good Password?
As more and more of our lives move online, we end up accumulating more and more accounts, each of which has its own password. It feels like almost every site has its own policy, ranging from lax to inane. But is 4$%nT;6**a really safer than Butterfly5Cat5WaffleIron? What really makes a good password?
A good password is a product of its entropy, which depends on the complexity and length of the password. Password reuse reduces or even eliminates security. How do these things work together, and what does 2FA do to the equation? Let’s also see how to make some easy-to-remember passwords.
Entropy
A password’s strength is governed by its bits of entropy. Each additional bit of entropy doubles the number of possibilities for the password, so the count grows exponentially. What this boils down to is that the longer a password is, the more limited the set of characters used can be (within reason) without necessarily harming the security. Complexity and length each play a part and serve as separate dimensions of security. We’ll hit the math in a bit.
Entropy is powerful because it gives you a way to tell how much more difficult a password is in a more digestible format, but it has its limitations. It is not a panacea for security. Password1! is not as secure in the real world as Meyapar or similar gibberish. A hacker can make certain assumptions in order to reduce the bits of entropy they test, and potentially succeed. Password security means nothing if the database is breached. Hashing only buys you time.
Some companies still employ systems which employ plain-text passwords. This renders your password compromised the second the company is breached. A legacy version of Ruby on Rails, or any number of platforms mean that your password may be ripe for the taking. There’s far more than entropy to contend with in the real world.
Password Complexity and Length
The traditional view of password security was that the more complex the better, though this is just one small part of the picture. The length plays in as much as the complexity. An extremely complex password which is short is as bad as an extremely simple password which is longer. When you look at complexity, you also need to take into account several variables to determine how many practical bits of entropy you have.
A mixed case only password will have 52 possible characters, an alphanumeric password will have 62. You can begin to add more characters to get every ASCII character or go even further with Unicode. Some sites have a minimum length, and others have a maximum. The way to approach the balance is to look at the possibilities mathematically.
If we look at raw possibilities, the number of possible passwords is the number of potential characters raised to the power of the number of characters (potential characters ^ number of characters). This is only the number of possibilities though, and not really a true measure of security yet. Possibilities can be reduced with either the right knowledge or the right gamble.
While a password composed of 2 words from a 40,000 word dictionary could easily be dozens of characters long (with 40,000^2 = 4e+08), it is about on par with a 6 character alphanumeric password in the grander scheme of things (52^6 = 9e+08). All it takes is the attacker knowing, or guessing, that your password is composed in a certain way to more easily compromise it. Or, they can compromise the admin account for your service and have a go at the hashes.
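As an added example (not code from the original post), the following Python computes the bits of entropy for the passwords discussed above under two attacker models: a blind brute force over the smallest character set that fits the password, and an attacker who knows (or gambles) that the password is built from dictionary words plus a few digits or symbols. The 40,000-word dictionary and the 52/62-character alphabets are the article’s; the six-letter stand-in password is constructed.

```python
import math
import string

# Named alphabets, smallest first. Assumption (the article's own point): the
# attacker knows which characters a site allows and searches no more than that.
ALPHABETS = {
    "digits": string.digits,                                                 # 10
    "lower": string.ascii_lowercase,                                         # 26
    "mixed": string.ascii_letters,                                           # 52
    "alnum": string.ascii_letters + string.digits,                           # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}
DICTIONARY_WORDS = 40_000            # the article's dictionary size
SYMBOL_COUNT = len(string.punctuation)  # 32 printable ASCII symbols


def smallest_alphabet(password: str) -> str:
    """Name of the smallest alphabet that contains every character of the password."""
    for name, chars in ALPHABETS.items():
        if all(c in chars for c in password):
            return name
    raise ValueError("password uses characters outside every known alphabet")


def brute_force_bits(password: str) -> float:
    """Entropy when the attacker must try alphabet_size ** length candidates."""
    size = len(ALPHABETS[smallest_alphabet(password)])
    return len(password) * math.log2(size)


def structured_bits(words: int, digits: int = 0, symbols: int = 0,
                    dictionary: int = DICTIONARY_WORDS) -> float:
    """Entropy when the attacker knows the password is `words` dictionary words
    plus `digits` digits and `symbols` symbols in predictable positions."""
    return (words * math.log2(dictionary)
            + digits * math.log2(10)
            + symbols * math.log2(SYMBOL_COUNT))


def compare(password: str, words: int, digits: int = 0, symbols: int = 0) -> dict:
    """Both views of one password, and how many bits its structure gives away."""
    blind = brute_force_bits(password)
    informed = structured_bits(words, digits, symbols)
    return {
        "alphabet": smallest_alphabet(password),
        "blind_bits": round(blind, 1),
        "informed_bits": round(informed, 1),
        "bits_lost": round(blind - informed, 1),
    }


if __name__ == "__main__":
    # The article's two passwords; the second is four words joined by two digits.
    print("4$%nT;6**a ->", round(brute_force_bits("4$%nT;6**a"), 1), "bits blind")
    print(compare("Butterfly5Cat5WaffleIron", words=4, digits=2))
    # The article's comparison: two dictionary words versus six mixed-case letters.
    print("2 words:", round(structured_bits(words=2), 1),
          "bits; 6 letters:", round(brute_force_bits("aBcDeF"), 1), "bits")
```

Run as a script it prints that the 24-character passphrase scores about 143 bits blind but only about 68 bits once its word-digit-word structure is assumed, which is the reduction the section describes.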
Reusing Passwords
We all have a million accounts and it gets frustrating accounting for every password. While there are solutions which help with remembering passwords, they can be annoying. Sometimes you need to set up a password and don’t get the chance (or forget) to put it in your device. Other times, you just want to use the service.
Many people reuse passwords. It’s unfortunate, but it’s true. Reuse of a password compromises it in a way which bits of entropy can’t account for. How does the service store your password, and how many other services do you use which have the same username (or close enough), and the same password?
It’s fine to reuse passwords for burner services which have no bearing on your life, but once you reuse one with a bank or similar, you run the risk of being fully compromised. Many people also forget to reset passwords after a breach, or they don’t even know it happened. There have been countless breaches in the past decade; how many have impacted you, and how many do you know about?
Multi-Factor Authentication
Multi-factor authentication (MFA) is a technique that adds an algorithmically generated password to logins. The logic goes that by adding a secondary password which is impossible to forget (though it can be lost), you can clamp down after fewer attempts. This means that a password with okay entropy can be paired with a low-entropy code that locks after 10 failed attempts and alerts the user.
This is the compromise security has made which ends up being substantially more secure. Since the code is random and cycles constantly, it is going to be near impossible to crack barring chance or a broken algorithm. Though there is the risk that some 2FA algorithms might be predictable, they are predicated on a secret key which shouldn’t be exposed. If you crack this far up the chain, you’ve cracked more than encryption can do anything about.
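An added illustration (not code from the post) of how the cycling code is derived from a secret key: an RFC 6238 TOTP verifier in Python that computes the six-digit code from the shared secret and the current 30-second step, accepts one step of clock drift, rejects replayed codes, and locks the account after the 10 failed attempts mentioned above. The lockout threshold is the article’s; the demo secret is the RFC 6238 reference-vector seed, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6
MAX_FAILURES = 10   # the article's "locks after 10 failed attempts"

# RFC 6238 Appendix B test seed ("12345678901234567890") in base32, the form
# authenticator apps take. Demo value only.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step, so the code cycles."""
    return hotp(secret, at // step)


class SecondFactor:
    """Per-account verifier: current step plus one neighbour each way for drift,
    no reuse of an accepted step, and a hard lock after MAX_FAILURES misses."""

    def __init__(self, secret_b32: str) -> None:
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.failures = 0
        self.locked = False
        self.last_counter = -1   # highest time step already used for a login

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if self.locked:
            return False
        now = int(time.time()) if at is None else at
        counter = now // STEP_SECONDS
        for candidate in (counter - 1, counter, counter + 1):
            if candidate <= self.last_counter:
                continue   # a code for this step was already accepted: replay
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = candidate
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True   # production code would alert the user here
        return False


if __name__ == "__main__":
    seed = base64.b32decode(RFC_SECRET_B32)
    print("code at T=59:", totp(seed, 59))   # 287082 per RFC 6238's SHA1 vector
    sf = SecondFactor(RFC_SECRET_B32)
    print("first use accepted:", sf.verify("287082", at=59))
    print("replay accepted:", sf.verify("287082", at=59))
```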
You have to have some degree of trust somewhere in the chain, and you have to assume that a physical and knowledge requirement should be enough for all but the most dedicated hackers. Where do you trade off practicality for security, and how do you stop your user from just writing the password down on their list on their computer? That 100 character requirement is now useless to stop anyone who walks in front of that computer.
What Holes Exist with MFA?
MFA at least ensures that the hacker needs the password and the phone or similar device. Users can still install an authenticator on their computer and write down the password, but you have taken as much care as you can. You can’t stop them, but now their security is entirely on them.
Your car may not drive without you buckled up, but you can always cut the belt and plug it in. If the belt has smart technology and similar, it’s still possible, but it’s probably just angering customers. Where does your responsibility end? You already implied your “do not drink” warning on the security bleach, why would you try and design a drink-proof bottle which will just enrage the other 99.99% of your customers who aren’t actively working against themselves?
MFA also doesn’t stop certain combined attacks. If someone is out to get you by stealing access to your phone and compromise multiple passwords (account password and phone keycode), they’re operating above the pay grade of your password solution. The attacker will just target the service instead, or use rubber hose cryptography at worst. You’re usually dealing with a movie scenario rather than reality at this point.
How This All Works Together
The complexity and length both make a password have higher bits of potential entropy, but predictable factors reduce those bits of entropy. If you’re using a long alphanumeric password, and it’s 2 words from a 40,000 word dictionary, you haven’t accomplished as much as you think you have from the math. This reduction does depend on the attacker knowing or at least gambling on the possibility.
This possibility of compromise gets higher as they target the system itself which means you should avoid reusing passwords, especially with similar usernames. You’re looking at 1 bit of entropy if the credentials are identical. MFA and 2FA can reduce this substantially, to the point you only really have to worry about this with spy film plot level events. They do happen, but most hackers just hit a different route.
The more unpredictability you can add into each password, the more likely you are to approach the higher end of the number of possibilities a computer has to go through. 00000000aA! is going to be cracked quicker on a system which iterates through each possibility with numbers at the start, the alphabet next, then symbols. While the password crackers I used back in the day used this method, newer ones use its evolution (if you want to take the gamble).
Crafting a Password
What are the known bits of entropy if they know what you did and what are the bits of entropy if they don’t? You want a balance without going too crazy. I like to use non-dictionary words with numbers and symbols to make easy to remember passwords.
A jumble of numbers, letters, and symbols is a pain, but something like $Tokyo7sutra%REVERE!!! is going to be much, much easier. While this password is easy to remember on its own, how do you keep track of it? I like to use something like a password algorithm to generate more complex passwords where possible. This doesn’t work for every account, but it helps cut down on a lot of them. You can always use a password app to circumvent this, but it’s good to have on hand.
To generate a secure password, you need to increase the complexity and length to raise the bits of entropy. You also need to take into account how many bits of entropy exist if someone gambles on guessing parts of your password. Your strategy can be as simple as a prefix and a suffix or a mix of affixes and interspersed characters. Mix in rules for casing and similar which are predictable, to you, and you can further increase the complexity.
Password Algorithms
If you use the password Password, you’re looking at virtually no bits of entropy from a modern dictionary based brute-force program. If you use this as a prefix and intersperse symbols, you greatly raise the complexity without making it harder for yourself. Password@google is substantially more secure but it also isn’t that easy if you don’t know the process. You can throw in a number at the beginning, the middle somewhere, or the end and make it even more difficult to guess. The bits of entropy won’t go up that much for knowing the algorithm though. How likely is your algorithm to be common enough to have rules for it?
The more arbitrary rules you use, the harder it will be for more dedicated hackers to see the pattern. At a certain point though, if you’re a target, you’ll need far more than a password to stay secure. Though quantum computing puts forward the promise to break modern cryptography, we still have a good while before it works out the details enough to actually do it. You’re far more likely to be compromised by social engineering, malware, a breach to the service itself, phishing, a break in the cryptography algorithm, etc. than a smash and grab password hack if you use a non-trivial, secure password.
Use an algorithm which is diverse enough that even knowing the basic rules isn’t enough to trivially compromise it. Have rules to make it easy to adjust and remember the password despite required changes. Split up services and use easier passwords for less important services and harder passwords for more important ones if nothing else. Make your financial sites each unique and don’t worry about some forum you got for a download and some site you signed up for coupons at. What the site contains affects how much security really needs to matter.
One concern often left untouched in the move to work from home is how you verify that the person you’re speaking to really is who they say they are. It’s easy to make a deepfake voice and it’s getting easier to use that for fraud. We live in a post-security world where you don’t only focus on preventing a breach; you accept it as an eventual inevitability and focus on limiting the impact. Credentials will be breached, but access doesn’t necessarily have to be.
A password used to be enough, but with shared passwords, simple passwords, weak encryption, or even just system breaches, getting a password compromised is easier than ever. I take many precautions and I’ve had it happen to me due to exploits with the provider. Passwords aren’t the only things you need to be worried about either.
You have the technical requirements to work from home, and you need to make sure you can keep it secure. If your encryption is broken, it doesn’t matter how complex the password is. Likewise, if your password is cracked, there’s no need to break the encryption. Each layer of complexity leads to a new potential attack surface. Security was 2D in the early 90’s, and now we’re at string theory. Social engineering isn’t just wearing a vest into a building anymore, it’s a mix of technology and human fallibility.
Why Should You Verify?
With changes in technology, and the number of ways security can be breached, if you can’t see the person, how do you know they are who they say they are? I might have talked to a client many times, but what identifying information do I really know about them? If you’re in a help desk or a large office, what do you actually know about Kenneth in accounting or Jane in marketing?
Most people know very little about their coworkers outside of their immediate coworkers (except at the smallest companies) and what they reveal at work. What does John in the next cube do in his free time? How many kids does he have, if any? Where did he grow up? You might know some of these, but not all of them, and that’s normal. While working from home, what happens if “John” calls you and needs a financial transfer? How can you tell if it’s him or just sounds like him?
When you become their IT provider, what do you do when you need to somehow verify that Sam in accounting needs to get access to John’s computer? How do you know it’s Sam working remotely and not a potential threat? You can’t reasonably learn every employee at every site or even a large subset, so what do you do?
Verifying Clients and Multi-Factor Authentication
You have to draw a line somewhere in order to trust someone. A password can be compromised, but 2 different passwords is less likely. This is the general principle behind 2FA and standard MFA solutions. 3 simple passwords can be substantially harder than 1 extremely difficult password. 3 challenges in sequence is harder to crack than 1 challenge.
When I write a login to something that’s going to be public facing, I like to add in a nice half-second delay between all attempts. That includes going from the login to 2FA with legit credentials. It doesn’t matter if they’re using a supercomputer to brute force the login, they get at best 2 attempts a second.
2FA and MFA are great for logins, but what do you do when a person needs to speak to you to describe their problem or login issue? You need to figure out a way to do the equivalent without crossing ethical boundaries and without creating an imposition. You need to rely on a secret and make it scalable.
While this sounds like a daunting task, the trick is to be secure enough that an attempted breach can be caught and verified in time, rather than aiming for perfect security. Sending a code to a specific email or a cell phone can be more than enough when combined with making the user provide that contact information themselves. How likely is your hacker to get physical access to your client’s employee’s phone, their password to gain access, and their IT information?
Your hacker might have memorized every fact about John, but if he can’t pass the authentication, you don’t provide service. The real John at worst has to go home and get their phone or reach out through a controlled channel internally for further service.
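An added example, not part of ID 20/20 or the original post, of the out-of-band check just described, in Python: the caller must name the email or phone already on file, the one-time code is sent only to that on-file contact (never to a destination the caller supplies), and the code expires, is single use and tolerates only a few wrong guesses. The employee directory, the ten-minute lifetime and the three-attempt budget are assumptions; the send function is injected so the demo runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 10 * 60   # assumption: a code is good for ten minutes
MAX_ATTEMPTS = 3             # assumption: three wrong codes void the challenge


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class HelpDeskVerifier:
    """Out-of-band check for callers: the code goes only to the contact on file."""

    def __init__(self, directory: Dict[str, Tuple[str, str]],
                 send: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.directory = directory   # employee id -> (email on file, mobile on file)
        self.send = send             # send(destination, message); injected for testing
        self.clock = clock
        self.pending: Dict[str, Challenge] = {}

    def start(self, employee_id: str, channel: str, claimed_contact: str) -> bool:
        """The caller must state the contact already on file. The code is never
        sent to an address or number the caller supplies."""
        record = self.directory.get(employee_id)
        if record is None or channel not in ("email", "sms"):
            return False
        on_file = record[0] if channel == "email" else record[1]
        if not hmac.compare_digest(on_file.lower().encode(),
                                   claimed_contact.lower().encode()):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[employee_id] = Challenge(code, self.clock() + CODE_TTL_SECONDS)
        self.send(on_file, f"Help desk verification code: {code}")
        return True

    def confirm(self, employee_id: str, code: str) -> bool:
        """True once per issued code, only before expiry and within the attempt budget."""
        ch = self.pending.get(employee_id)
        if ch is None:
            return False
        if self.clock() > ch.expires_at:
            del self.pending[employee_id]
            return False
        if hmac.compare_digest(ch.code.encode(), code.encode()):
            del self.pending[employee_id]   # single use
            return True
        ch.attempts_left -= 1
        if ch.attempts_left <= 0:
            del self.pending[employee_id]   # caller must start over through a controlled channel
        return False


if __name__ == "__main__":
    # Constructed directory and a fake sender that just records what it would send.
    outbox = []
    verifier = HelpDeskVerifier({"E1001": ("john@example.com", "+15550100")},
                                lambda dest, msg: outbox.append((dest, msg)))
    print("caller-supplied address accepted:",
          verifier.start("E1001", "email", "attacker@example.net"))   # False
    print("on-file address accepted:", verifier.start("E1001", "email", "John@Example.com"))
    print("sent to:", outbox[-1][0])
```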
Verification Solutions
Most verification solutions require you to install something or use some kind of 2FA application. The problem is, a lot of users don’t want to be inconvenienced. You can ask a company what they want, and they’ll tell you security until you ask what they’re willing to sacrifice.
Using a verified method of contact is what every major company does, but most private verification solutions still want you to use an application. Your client is all for security until it becomes hard. If the CEO or owner refuses, what’s the point of verifying anyone else at all at that point? Your site is compromised at the highest level easier than anywhere else.
A good verification solution needs to address the technical challenges while making them as transparent as possible. Our ID 20/20 tool aims to do this. We operate on the basis that if an attacker can get access to every communication method an employee has and can act as that employee, the situation is past the point of being sanely contained. Obviously, there is special handling for user setups and similar though.
What Makes A Good Verification Strategy?
You don’t plan your company around information being leaked to moles at every level if you want to stay in business. A verification solution needs to take into account the human element for both security and usability. People hate to be inconvenienced even if it is for their own good. That extra few minutes going through obscure information, that extra application they need, etc. can all be points of dissension. The door that’s a huge pain to unlock usually gets left open or held during working hours.
You are only as secure as the weakest link in your security stack. Raising the bar on social engineering to 2 times or 10 times the physical security or technical security doesn’t mean you’ve made the whole 2 to 10 times harder. You’ve just made it the less likely target. When everything is roughly equal, you have better security than having many strengths and many weaknesses for dedicated attacks.
Don’t neglect security, but don’t waste resources striving for a goal which makes no sense. Security almost always comes at a cost, and if you aren’t willing to pay it to shore up weakness, you’re vying for an impossible dream. Just because your company firewall is near bulletproof, doesn’t mean that Jim’s admin account password of “Firebird1” isn’t going to get cracked in 10 minutes. If you neglected the 2FA, anything else you did is statistically a complete wash.
Conclusion
Focus on your clients, focus on your users, and focus on security. Don’t throw the baby out with the bathwater while completely missing the point of what your security is supposed to accomplish. A help desk security measure is supposed to make it easy for a user to prove they are who they are, not leave them wondering how you know about their second aunt on their mother’s side’s blood type and the date it was tested.
The more security you throw at users, the harder they tend to fight back. You need to make security easy and trivial while keeping it secure. Can you contact them from a predetermined contact source? If so, you have the right person or a way, way bigger issue on your client’s hands. It’s good enough for your bank, your utilities, and pretty much any major service, why isn’t it good enough for you?
The Basics of Windows Virtual Desktop Infrastructure (VDI)
Virtual Desktop Infrastructure (VDI) is the natural evolution of terminal servers and cloud desktop environments. The overall commoditization of infrastructure has led to an explosion in the number of platforms and options for virtualization and cloud environments. VDI is the next iteration which turns a shared platform into a personal space embedded in a shared infrastructure.
Traditional terminal servers cannot scale without extra resources being added. Virtualized or cloud terminal servers might have some scaling, but a single user can easily impact the rest. With adaptive computing and all of the resources available to a VDI setup, a user can be provisioned so that their work doesn’t impact other users or the overall cost of the solution (when provisioned and set up appropriately).
With all of these pros, you’d think that a VDI is the only way to go. But, like anything in technology, there are still reasons to use alternative methods depending on your client and their workflow. Some people view VDIs as a solution looking for a problem while others swear by them. To really assess whether a VDI is right or not for a client, we need to dig deeper into the limitations of VPNs, how they compare to terminal services, what they do well, what their limitations are, and what platforms work best.
Limitations of VPNs
Virtual Private Networks (VPNs) have their uses, but they also have limitations. A VPN can be a good solution when you have a good internet connection and don’t need to move things in and out of the network constantly. Past that, their usefulness breaks down quickly.
A VPN also requires the user to furnish equipment which can handle their tasks, as well as getting licenses for software they need to do their job. While some programs will allow you to install on some number of devices for a given user, others don’t. There are plenty of other limitations and benefits of VPNs, but they’re way outside the scope of this document.
Terminal Servers Evolve Into Virtual Desktops
VDI is the evolution of the traditional idea of a cloud terminal server. Terminal servers originally set out to solve several problems: how can you enable users to access better computing resources, and how do you average those costs out? How do you get your users the best experience without it breaking the bank?
With a terminal server, licenses end up being cheaper for most applications. You can afford to use lower grade hardware to connect to the terminal server than you would need if you ran everything locally. Your user costs are averaged out by effectively buying computing resources “in bulk” and then divvying them up. Spikes in a single user’s session (theoretically) don’t impact other users either.
The first major jump for terminal servers was virtualization. Once they were virtualized, it got easier to provision resources on demand as necessary. Cloud hosting platforms took this model and some even add adaptive, on demand resource allocation and similar which can be charged for based on usage.
As virtualization got more and more prevalent, each cloud provider sought the holy grail of frictionless cloud computing. It got to be computationally cheap enough to just virtualize the whole operating system for every and any user based on a golden image. This grew into the modern concept of VDI.
VDI Versus Terminal Servers
History lesson aside, VDI is more efficient for users. It’s more configurable and more customizable, but heavier. Though computing has gotten cheaper, more traditional solutions still end up cheaper for many use cases. More traditional solutions win when there is a more standardized workflow and more shared resources or assets in use. They suffer in terms of security and for varied workflows.
Security suffers because you have multiple users accessing the same server. The old security adage goes that physical access is total access. While a hacker does not have access in terms of actual physical access to the hardware, one leaked set of credentials is as good as someone compromising the whole machine and sitting in front of it. The right tools and the right exploits mean root level access, or at the very least, ransomware across all the files the user has access to.
Terminal servers also suffer from a massive performance hit when you mix workflows, or have too computationally intense of a workflow. What happens when a single user pegs out 4 cores on the terminal server or 10 gigs of RAM? Most likely, your other users suffer. What happens when you have a bunch of different teams using the same platform? You need many different pieces of software which each have unpredictable workloads on the system. All of the advantages of a shared environment quickly become its inefficiencies.
The Benefits of VDI
VDI skirts around these because it is a whole virtualized desktop in the cloud. No one shares the individual desktop in this case. The user gets a customized workflow suited to their needs. When this is hosted on the right platform, all of the company’s data can be easily accessible by any virtual desktop as necessary.
Most VDI platforms offer either on demand resources, or can be over-provisioned. Traditional virtualization over-provisioning is a powerful technique, but there’s still a maximum cap. If your hypervisor has 12GB of RAM available to share between 4 VMs, each VM averages 3GB available to it, but you can easily have a VM use 9GB while the others are able to function on 1GB each with the right scenario. If you need 2 VMs to hit 6GB each though, you’re out of luck.
A VDI platform is going to have (near) infinite RAM for all intents and purposes. You don’t have a hard cap which requires modifying a server, you just need to pay more. Even then, you only pay more for a bit with most setups.
Virtual desktops also allow users to use them anywhere. Your user doesn’t need to worry about a VPN, an RDP setup, or any of the things which make terminal servers a bit more complex.
Another benefit is that a virtual desktop can be configured to entirely wipe the previous instance on each run. This isn’t a one-size fits all approach to a desktop environment, or even ideal for most, but it’s a value add for lab environments or certain workflows. If everything should be done off of a shared drive, who cares what happens to everything on the local OS between runs?
Limitations for VDI
One of the biggest slights against VDI is the overall cost. You end up paying more to do the same thing you could with a desktop with more expensive continued costs. You gain a lot of benefits and a lot of flexibility for this cost however.
Certain compliance situations necessitate the usage of on-premise data or access. VDI just plain doesn’t fit these models. You can roll your own solution or similar, but that’s a bit overkill except for large enterprises.
Like with any cloud technology, you’re also limited by your connection speed and latency. Speed is less of an issue with any modern connection, but latency can still hugely impact working in a cloud environment. When I hit a key, I expect to see the letter appear and the cursor move. Some solutions have certain workarounds for this, but they all have their own trade-offs.
Platforms for VDI
The 20 has partnered with multiple platforms in order to provide our customers with the best experience working with VDI solutions. There are a huge number of VDI platforms on the market. Microsoft has Azure, which Nerdio makes easier. Crayon also has their own offering with CloudJumper. There are a multitude of platforms each with their own features and their own limitations. No one platform is going to be right for every single business, but some platforms will be more universal than others.
What are your clients trying to do and how are they looking to do it? This is the most fundamental question which determines what you need out of a platform. Most popular platforms will be able to do what you want in some way, but the cost will vary wildly, as will the complexity. One platform might be pennies on the dollar compared to another, but much more limited. Another might make everything easy but cost twice as much as a platform which is harder to initially set up.
VDI is a powerful tool, but like any other platform or technology, it’s just another tool. It might be the right tool a lot of times, but you need to know what your clients need and why. Don’t just use VDI to fulfill buzzword bingo, use it because it’s the best tool to solve your problem.
The MSP’s Guide to Remote Access for Work From Home
As a technical professional, you have to weigh how you help your clients navigate the chaos of work from home. This is especially true in times of disaster like the one we are currently going through. One of the biggest hurdles is figuring out how to enable users to access their data and other internal resources. You usually have the choice between using a VPN and some kind of remote control solution (VDI, terminal servers, or software like TruGrid or TeamViewer).
While people may have a preference, none of these solutions is inherently better than the others. The biggest difference is in the use case for each solution. A VPN has advantages over remote control on some fronts, while remote control solutions are better on others. What goes into determining which one is right for your business?
VPN vs. Remote Control Solutions
A VPN connects a machine to a network as if it were there, while a remote control solution allows you to control a machine as if you were in front of it. The difference is subtle, but substantial. A VPN offloads the computational load to your end user’s machine, while the remote control solution trades bandwidth for connectivity.
VPN stands for Virtual Private Network. This basically boils down to the connection acting like a long Ethernet cable spanning the internet from your user’s device into the network. Your user is also limited by the slowest link between the sites: if they have slow internet or the company has slow internet, the user has a slow connection.
Remote control solutions require more consistent bandwidth and better latency, but files don’t usually need to leave the network. When you remotely control the session, it’s like you’re there (except over the internet). A high latency connection with high bandwidth is just as miserable as a low bandwidth connection. You trade one issue for the other.
Remote control solutions also have many different types. You can go with a remote control via Virtual Desktop Infrastructure (VDI), (cloud) terminal servers, or software like TeamViewer or TruGrid. Each of these has its own pros and cons which we’ll get into in a bit.
Benefits of a VPN
Latency usually isn’t an issue with a VPN unless you rely heavily on localized resources for access. When your employees deal heavily in Office or similar, a VPN is usually more than enough. But, when the files get bigger, a VPN breaks down fast. As more employees connect in and transfer files, the process gets slower for everyone.
When you use a VPN, you need to connect into the network to do anything. If you want to read a file, you end up copying it over to view it. Moving a file between folders can be a huge pain. If you have huge files, this gets to be an issue. A film company isn’t going to want to use a VPN to access their data remotely unless they have a ridiculous connection (and few employees), or host everything in the cloud.
VPNs are usually the easiest solution to implement with any enterprise-grade networking hardware. You don’t usually need a subscription or a platform to host it. With most higher end routers you don’t need a separate server either. It’s the closest to a one-size-fits-all approach you can get without taking a reductionist approach.
Benefits of a Remote Access Solution
Remote control solutions consume more bandwidth on average just to function, and have stricter latency requirements, but they have many benefits over a VPN. A VPN gives you access to the network, but limits throughput to your own connection. If you have mediocre internet, you aren’t moving big files efficiently. A remote access solution lets you do so, because you’re working on a machine inside the network itself.
When you have to move files, or have specialized software, remote access tends to beat a VPN. The other benefit is that remote access software or solutions come in a variety of forms. You have Virtual Desktop Infrastructure (VDI) which emulates a desktop in the cloud, cloud based and server based terminal servers, and software like TeamViewer or TruGrid to take over a machine. Each has its own specialty and use case.
A VDI setup is more per month than many solutions, but mitigates most local requirements in order to smooth out the costs. You don’t need to focus on local issues, you just focus on using the desktop. Terminal server environments basically pool and average the costs of your users using certain software and performing certain tasks. You consolidate data and functions on a single server and average out the spikes in workload.
Software like TruGrid or TeamViewer allows users to connect to their machines remotely. These solutions tend to use more bandwidth at idle than many other solutions, but they let the user use anything on their work computer. It can also be done on an ad hoc basis with virtually no necessary prep work.
Bandwidth Considerations
The biggest thing which will make one type of setup more or less effective than another is the network connectivity. This doesn’t just mean the network at the office, but the network each employee uses. It may sound crazy, but there are people who still use DSL. There are also people working off of satellite internet.
You have to account for the raw bandwidth and latency of the connection on both ends. You also need to know what their use case is. If you have people moving large CAD files around, it’s probably going to work out more efficiently to enable some kind of remote access scenario for your users. You don’t need to worry about how long it takes to transfer the file outside of the network if it never has to leave. This does require the user to have a steady enough connection to use.
VPNs are best suited to places with small or limited file transfers, and more minor tasks like email and intranet site access. Email and many internally hosted sites have moved to the cloud already though. Another use case is when there is high latency for a user. VPNs work well when users are under BYOD policies and are used to their own system as well.
Making the Right Choice
No one choice is right for all use cases. Sometimes you may just need to implement multiple solutions. Provide remote access to the people working on CAD and a VPN to the finance people who just need Excel. This complicates the setup, but can optimize your bandwidth usage, reduce issues with certain people’s setups, and can work out cheaper.
You need to assess what your client does, what network resources they have, and what their employees are used to. You also need to take into account your client’s attitude towards technology. Each choice is completely conditional.
VPNs may be impractical or pointless for many cloud environments, but that doesn’t mean anything if your client uses on-premise applications. VDI may make the most sense, but the client may just plain not trust the technology or the cloud. Remote access may fit the company, but may not fit the employees. This is especially true in many rural areas. You need to understand your client’s needs to understand what is right for them.

by Sage Driskell
An MSP’s Guide to Surviving Phishing in 2020
Phishing is a hot topic for security in 2020. Hackers are getting smarter and security services are struggling to keep up with some of the new, highly targeted campaigns. What do you do when a user overrides every protection in place and falls prey to a highly targeted phishing campaign? What does an employee do when it’s supposedly the CEO calling?
A new trend making the news is deciding who holds the liability in the event of phishing. The core argument of the suit boils down to: “[T]he MSP didn’t provide the necessary service or training required to stop the crime.” How much is on the company and how much is on the Managed Service Provider (MSP)? This whole suit will set a precedent one way or another for MSPs.
Avoiding Liability
How do you plan your security stack to avoid phishing? Do you focus on only security or do you use training as well? Do you keep your clients fully up to date against new threats? Do you cut down on allowed software at the site? How you answer and understand each of these affects how the ruling on this case will affect you.
With new threats on the black market and the continued improvement in phishing and other targeted attack methods, where exactly does the line between the client’s corporate culture and a good-faith effort from the MSP lie? This case may determine that, but it is something which needs to be worked into the contract on signing. Where does your good-faith effort end and their negligence begin? Settling this up front can help determine your liability in an incident, if any.
Let’s move on to what you can do for best practices to avoid omitting your responsibility to your client.
Shoring Up Security
A machine is 100% efficient 95% of the time. The distinction between this and simply being 95% efficient is important. An ideal person in an ideal position will be 95% efficient 100% of the time. This also works out to 95%. Despite the fact our numbers work out the same, the machine never makes mistakes on the same class of problem; it does have problems it just can’t solve, though.
A well placed employee is the opposite of the machine: they can solve any problem in their arena, but will make minor mistakes at random. The goal is for these to be few and far between, but a real person being right 90% of the time is amazing, and 95% is almost unheard of. The magic comes from combining the two: you remove the chance of the low hanging fruit being exploited, and use human judgment on the harder problems. You won’t get 100%, but you’ll get 99% with a little bit of training and a good security setup.
Digging Into the Technical Side of Phishing
Start with how phishing works. Assign technology to the human elements of cybersecurity first. Where do most phishing attempts originate? They come from email and websites.
Tools like OpenDNS or Vipre Mail provide a way to stop known phishing domains and suspicious emails. OpenDNS blocks questionable domains and provides the chance to put in custom error messages. Vipre Mail stops spam emails and provides reports to companies. Combine the tool with a way to address the human causes of these problems. A tool which doesn’t tell you what happened and why is useless.
Do you employ MFA to make sure that a compromised password is a minor concern? Do you know when a password is compromised without a mess ensuing? Do you monitor the dark web for compromised information? Make sure your client takes measures for themselves to reduce technical attacks.
Training Your Users
If the average user acted like the average power user, antivirus would almost be pointless. Spam and phishing would have to become significantly smarter or it would just disappear. It just takes one employee clicking the wrong link to compromise the entire company. Have you had the first painful conversation about the fact that not everything on the internet is true with the weakest links? It’s painful, but often necessary.
“An ounce of prevention is worth a pound of cure” rings truer than ever with modern phishing. I go months without spam hitting my inbox, but when it does, it’s usually extremely well done. IRS.com wants you to report your social security number and provide a good email to verify whether you have been compromised or not. What do you do?
Do you inspect the certificate first or look at the form and see if there is some kind of redirect? Or do you see the domain first? The average user doesn’t care about the difference between TLDs and why IRS.gov is more believable than IRS.info. How much pain do you save by explaining that you shouldn’t fill in information for Bank of America when your company only uses Chase?
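The two lure patterns in these paragraphs (a real organisation’s name under the wrong TLD, and a brand the company has no relationship with) are mechanical enough to check before a user ever has to reason about them. The following is an added example, not code from the original post or from The 20: it classifies a URL against a constructed allowlist of domains a hypothetical client actually uses and a constructed list of unrelated brands, and also catches a known name smuggled in as a subdomain of something else. The allowlist, brand list and sample URLs are all assumptions made for this demonstration.

```python
"""Flagging lure domains of the kind the post describes: a known
organisation's name under a different TLD (irs.com or irs.info instead of
irs.gov), a known name used as a subdomain of something else, or a brand
the client has no relationship with (Bank of America when the company only
uses Chase). Added example, not part of the original post; the allowlist,
brand list and sample URLs are constructed for this demonstration."""
from urllib.parse import urlsplit

# Constructed: domains this hypothetical client legitimately deals with.
KNOWN_GOOD = {"irs.gov", "chase.com"}
# Constructed: brands that show up in lures but this client never uses.
UNRELATED_BRANDS = {"bankofamerica.com", "wellsfargo.com"}
# Single-label public suffixes this toy treats as TLDs. A real tool would use
# the public suffix list so that co.uk and similar are handled correctly.
SIMPLE_TLDS = {"gov", "com", "info", "net", "org"}


def hostname(url: str) -> str:
    """Lower-cased host part of a URL; bare domains are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The last two labels when the final one is a simple TLD
    (www.chase.com -> chase.com)."""
    parts = host.split(".")
    if len(parts) >= 2 and parts[-1] in SIMPLE_TLDS:
        return ".".join(parts[-2:])
    return host


def assess(url: str) -> str:
    """Classify a URL a user is about to click or has already visited."""
    host = hostname(url)
    dom = registrable_domain(host)
    if dom in KNOWN_GOOD:
        return "known-good"
    if dom in UNRELATED_BRANDS:
        return "unrelated-brand"
    name, _, tld = dom.rpartition(".")
    for good in KNOWN_GOOD:
        good_name, _, good_tld = good.rpartition(".")
        # Same organisation name, wrong TLD: the IRS.com / IRS.info pattern.
        if name == good_name and tld != good_tld:
            return f"tld-mismatch (expected .{good_tld})"
        # Known-good name smuggled in as a subdomain: irs.gov.example.info
        if host != dom and (host.startswith(good + ".") or "." + good + "." in host):
            return "brand-as-subdomain"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.irs.gov/", "https://irs.info/refund",
                   "http://irs.gov.verify-account.info/",
                   "https://secure.bankofamerica.com/"):
        print(sample, "->", assess(sample))
```

A check like this belongs in the mail filter or the DNS layer, where a hit can produce the kind of custom error message the OpenDNS paragraph mentions, so the user learns why the click was blocked rather than just that it was.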
Better Verification
What do you do if someone calls asking your department to fulfill an invoice? What do your users do? If you hear a familiar voice on the other end, you’re probably going to comply. The problem is that now we have deepfakes which can emulate a person. Are they having a bad day or are they actually a computer? You won’t know until you comply (or don’t).
Most extremely large companies employ some kind of verification system. We built our own system to prevent these sorts of issues and make it more accessible for our clients. How do you make sure a user hasn’t been fired minutes ago and is calling to get access to what they shouldn’t have access to? You don’t unless you can check.
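The verification problem in these two paragraphs (is the caller who they claim to be, and are they still employed?) comes down to two checks that a help desk can make before acting on a request. The example below is an added illustration of that idea and is not The 20’s own system or its ID 20/20 product: the requester must be an active account in the directory, and must read back a short-lived, single-use code that was sent to the contact channel already on file, never to a number the caller supplied. The directory, the clock and the message delivery are constructed stand-ins so the code runs offline.

```python
"""Out-of-band verification for help-desk requests such as password resets
or access grants: the requester must be an active account in the directory,
and must prove control of a contact channel the directory already holds,
never one the caller supplies. Added illustration of the idea in the post;
it is not The 20's ID 20/20 product, and the directory, clock and message
delivery are constructed stand-ins."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Employee:
    username: str
    active: bool            # would come from the HR / identity system of record
    registered_phone: str   # the only place a verification code is ever sent


# Constructed directory: one active user and one who was just terminated.
DIRECTORY = {
    "jsmith": Employee("jsmith", True, "+1-555-0100"),
    "former": Employee("former", False, "+1-555-0199"),
}

CODE_TTL_SECONDS = 300


@dataclass
class VerificationService:
    # (phone, code) pairs "delivered"; a stand-in for the SMS/voice gateway.
    sent: list = field(default_factory=list)
    # username -> (code, expiry time); one outstanding code per user.
    pending: dict = field(default_factory=dict)

    def start(self, username: str, now: float) -> str:
        """Called when someone phones in claiming to be `username`."""
        emp = DIRECTORY.get(username)
        if emp is None or not emp.active:
            # Same answer for unknown and disabled accounts so a caller
            # cannot use the help desk to enumerate usernames.
            return "denied"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, now + CODE_TTL_SECONDS)
        self.sent.append((emp.registered_phone, code))
        return "code-sent"

    def finish(self, username: str, code: str, now: float) -> str:
        """Called when the caller reads the code back. One attempt per code."""
        entry = self.pending.pop(username, None)   # consumed whether or not it matches
        if entry is None:
            return "denied"
        expected, expiry = entry
        if now > expiry:
            return "expired"
        if not hmac.compare_digest(expected, code):
            return "denied"
        return "verified"


if __name__ == "__main__":
    import time
    svc = VerificationService()
    print("terminated user:", svc.start("former", time.time()))
    print("active user:", svc.start("jsmith", time.time()))
    phone, code = svc.sent[-1]   # in production the technician never sees this
    print("caller reads back code:", svc.finish("jsmith", code, time.time()))
```

The sensitive action (the reset or the access change) is performed only on a “verified” result, and the technician taking the call never sees the code, so a convincing voice on the line, deepfaked or not, buys the caller nothing without the registered phone in hand.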
Moving Forward
While the lawsuit hasn’t quite run its course as of writing, either way, you need to make sure you solve your client’s issues. Where do you draw the line? If John in finance is allowed to use “password123”, what do you do when he gets hacked? Whose fault is it?
You have to have a plan, and you have to have a way to address any of the client’s bad security practices. Do you support them regardless, address the problem, or refuse service? Support means the potential of liability, addressing the problem depends on the client, refusing service means losing money. What’s the right answer?
There really isn’t one… yet. The best you can do is take every step towards securing your client. Focus on technology and training as well as you can and you reduce the attack surface. No matter the ruling, you should be riding your client and pushing them towards success one way or another. Make your life and theirs easier with technology and tools like ID 20/20 along with training.

by Sage Driskell