While high-profile ransomware attacks have dominated technology headlines primarily in the last 10 years, it might be surprising to learn that the first documented attack launched in an effort to extort money occurred in 1989.
Although computer worms have been around since the early 1970s, evolutionary biologist Joseph Popp garnered the distinction of creating the first for-profit attack with the AIDS Trojan. Disseminated through Popp’s postal mailing list and spread by a floppy disk, the Trojan horse replaced the AUTOEXEC.BAT file in computers. On the 90th boot following infection, the Trojan hid directories and encrypted the names of all files on the C drive, effectively paralyzing the computer. Users were then asked by PC Cyborg Corp. to renew their “software lease” via sending $189 to a post office box in Panama.
While Popp may have been the unofficial godfather of cybercriminals, the AIDS Trojan suffered from poor design—only the names, not the files, were scrambled—and could be easily removed. As for the eccentric Popp, he was arrested, declared mentally unfit to stand trial and deported to the United States (he passed away in 2007). The sad postscript is the manner in which he perpetrated the act: Popp claimed to have devised a questionnaire that would effectively determine patients’ risks of contracting the AIDS virus, and he mailed 20,000 copies of the disk to researchers in 90 countries.
Popp reportedly did not profit much from his nefarious scheme; scientists and researchers were not as gullible as he’d hoped—they were intelligent enough to discover the workaround. Had it been proliferated among the general population, particularly in the early days of the home computer, it likely would have ensnared many more victims. Even 30 years later, cybercriminals are still figuring out ways to lure unsuspecting employees into clicking on links and files that launch a world of problems for their employers.
Thus, dealers who supply security components among their IT offerings to protect servers, data centers, printers, network-connected and employee-introduced devices must also protect end-users from their own bad judgment. As part of the September State of the Industry report, we canvassed some of the industry’s top providers of security solutions to see how they establish their platforms and maintain competency standards to help protect clients from themselves.
When Impact Networking of Lake Forest, Illinois, made the decision to build out its own managed security practice, it studied a number of all-encompassing, out-of-the-box third-party solutions. But while several offerings boasted a variety of strong components within the overall package, there were usually other elements—such as antivirus and security awareness training—that left something to be desired, according to Patrick Layton, vice president of managed IT for Impact Networking. The dealer wanted its managed security practice to be on par with the level of service it provides across its product and service menu.
As a result, Impact Networking budgeted the necessary dollars and set up a one-year timeframe to develop its own competencies, which entail best-of-breed products across nine categories.
“In looking at the marketplace and the solutions that were available to certain types of clients, we saw the same surge of problems popping up in the security industry,” noted Jeff Leder, director of managed IT security services for Impact Networking. “So our goal was to define those problem categories and identify the solutions that would address them. Working out partnerships and determining how we can deliver that as a managed solution set for clients through a larger security program was a big part of it. Once we got that established, it was just a matter of engaging a process in which every time we work with a prospective client, the goal is to educate them on the problems they have and show the types of solutions that can address them.”
Home Grown
Security competency begins at home, and Impact Networking is certainly no exception. The dealer, which prior to the pandemic had rolled out two annual Optimize IT & Business Security Summits that drew upwards of 1,000 attendees, is its own customer as well and educates employees in the same manner as clients: they are extensively trained and tested on the secure use of the company’s own network, data and tools.
On the security side, a new cybersecurity engineer—tasked with performing vulnerability and penetration testing—will need credentials such as PenTest+ (CompTIA), CEH (certified ethical hacker) or OSCP (offensive security certified professional). Cybersecurity analysts require certifications that speak to defending and monitoring infrastructure.
On the account management side, a vCISO (virtual chief information security officer) should tout CISSP (certified information systems security professional) and certifications/education that enable them to communicate in a meaningful way to business owners and decision makers. Compliance certifications will help team members engaged with client verticals that have specific line-of-business requirements.
When it comes to ongoing training of staff and end-users, Impact Networking’s go-to solution is KnowBe4, one of the leaders in security awareness training. According to Layton, the dealer provides phishing tests for end-users, and client managers get detailed reports and notifications regarding employees who “take the bait.” Various education tools are used, and peer pressure (pointed notes from end-user managers) can also be effective in identifying and ensuring offenders do not repeat bad habits. BrainStorm, a learning management tool, also allows for custom content such as educational videos.
“There are some training and educational components that go along with certain regulatory compliance,” Leder added. “We have additional tools and resources that have been developed in-house, in addition to some of the managed solutions we offer, so that we can help client organizations educate users specifically in relation to those types of compliance as part of the managed compliance program.”
Earlier this summer, Gordon Flesch Company announced the creation of Elevity. This marriage of its managed IT division and recently acquired Information Technology Professionals supplies cloud, managed IT and cybersecurity for its Midwest client base. From a security standpoint, the Madison, Wisconsin-headquartered dealer provides managed competencies for patching/updates, security devices, networking components, advanced threat protection with 24/7/365 security operations center monitoring, advanced email protection, security training, backup solutions, disaster recovery and strategic advisory services.
Best of the Best
Paul Hager, director of solutions for Elevity, notes it can be challenging to sift through the many security offerings and vendors in the marketplace, so the dealer relies on bringing the best-in-class products into a complete solution. “We make sure all of our underlying solutions that we wrap into a bundled offering adhere to industry standards and meet compliance requirements,” he said.
According to Hager, Elevity regularly conducts customized assessments of its technical staff to ensure they meet both industry and company proficiency standards. It also uses the same tools it applies to clients for its own staff, including ongoing security testing and security awareness training.
Acknowledging the self-inflicted damage that end-users can unwittingly impart on the company, Elevity believes the “human firewall” is an essential component of security for clients and its own operation. As such, Elevity trains its own staff frequently through phishing tests, online learning modules and various other industry-leading tools.
“As a managed service provider, we are acutely aware that our staff not only serves as a human firewall for our business, but are also an integral part of our clients’ human firewalls as well,” Hager said. “In addition to training, we also follow other best practices, such as two-factor authentication.”
For Kelley Connect, headquartered in Kent, Washington, delivering security to the end-user is built entirely around its risk reduction plan. Scott Anderson, senior vice president of IT, notes any plan comes with the caveat that no end-user can be guaranteed 100% secure, but the risk reduction plan enables the dealer and its clients to have ongoing conversations about the solutions and programs—which are wrapped around the NIST framework—that can be implemented to mitigate exposure to issues.
Kelley Connect has baseline standards it seeks in all new hires, requiring certifications and accreditations of various kinds and levels. Many of its security programs are built around licensed third-party resources.
“We have a very strategic relationship with Continuum, who we partner with to provide a SOC on our behalf,” Anderson noted. “That relationship brings with it a lot of certified security personnel to the table, with the ability to dial up as needed.”
Security awareness training is a major component of the risk reduction plan. Anderson points out that too often, training is a once-a-year event that buys into the “set it and forget it” mentality. It’s really incumbent upon the end-user to create a culture of security within the organization, which Kelley Connect helps facilitate.
“If somebody clicks on a phishy email, their first reaction is to slide a little lower in their cube and hope nobody else knows they clicked on a bad link,” he observed. “We really preach that if you’re the one to click on a bad link, stand up in your cube and yell about it, so the next person doesn’t click on it.”
Fake or test phishing emails coordinated by Kelley Connect are a necessary evil; Anderson pointed out that 91% of vulnerabilities come via phishing expeditions by so-called bad actors.
“We’re sending out phishing emails with the idea that if you click on one, you have just volunteered yourself for additional training,” he added.
Laying Groundwork
At the Les Olson Company, client engagement centers on the fundamentals of education, risk assessment and immediate issue resolution, according to Keith Adams, vice president of IT for the Salt Lake City-headquartered firm. It starts with a review of systems, followed by a patching process (including security patching) for known hardware/software issues to ensure systems are up to date. Antivirus products are installed and monitored for each system within the client’s environment.
Beyond the baseline, Les Olson Company determines the needs and business objectives of the customer, including applicable industry standards to which the client must adhere. “In every case, we ensure the customer is fully aware of their basic needs and the extended solutions that we can bring to enhance their environment,” Adams said. “Ensuring that all systems are monitored is of primary focus, as any system that is put into place is only as good as its ability to perform, combined with regular assessments of that performance.”
Depending on the needs and risk mitigation level sought by the client, Les Olson Company offers a full suite of next-generation products that can augment an environment’s defenses. Some examples:
- Email gateway defense, including attachment and URL sandboxing.
- Two-factor authentication for cloud or on-premise systems.
- SIEM (security information and event management) deployment with 24/7 SOC monitoring and anomaly notifications for remediation.
- SOC-monitored and -managed software covering threat detection above and beyond traditional AV. This software includes patented AI algorithms that can help the endpoint self-defend and heal, with 24/7 oversight from the SOC team to ensure detections are appropriately managed rather than left solely to the AI.
Adams notes that additional software may be deployed to monitor an oft-neglected area of security: the “undetected/new process” that may lie dormant, awaiting a trigger. “With traditional antivirus and threat detection software systems, you are left with two primary areas covered: detection of the known threat (traditional signature-based AV), and software meant to detect abnormal activities such as spontaneous encryption (threat detection),” he said. “Our additional solution looks for any new foothold in the startup, login or process execution areas of systems and, when they are present, they are analyzed and categorized. Should a system produce a finding that is considered a threat, immediate notification to our team is sent along with a specific process to mitigate the potential actions of the detected threat.”
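What Adams describes amounts to a baseline-and-diff check over the places a program can arrange to be started automatically. The Python below is an added illustration of that approach, not Les Olson Company’s software or any vendor’s product: the location names, signer strings, sample entries and triage heuristics are all constructed for the example.

```python
"""Baseline-and-diff triage of autostart ("foothold") locations.

Added example, not Les Olson Company's software. It inventories the locations
where a program can arrange to be started automatically, compares a current
snapshot with a known-good baseline, and categorizes anything new or changed
for analyst review. Names, signers and heuristics are constructed.
"""
from dataclasses import dataclass
import re

# Autostart locations inventoried by the check (constructed, Windows-style names).
WATCHED_LOCATIONS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "ScheduledTasks", "Services", "StartupFolder",
)

# Triage heuristics (constructed): an autostart that launches from a path any
# user can write to, or through a script host, is flagged for a closer look.
USER_WRITABLE = re.compile(r"\\Temp\\|\\Downloads\\|\\Users\\Public\\", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class AutostartEntry:
    location: str
    name: str
    command: str
    signer: str = ""  # empty means unsigned or signer unknown

    @property
    def key(self):
        # Identity of the foothold: where it lives and what it is called.
        return f"{self.location}|{self.name}"


def load_snapshot(records):
    """Turn {location, name, command, signer} dicts into a dict keyed by entry.key."""
    entries = {}
    for rec in records:
        if rec["location"] in WATCHED_LOCATIONS:  # ignore uninventoried locations
            e = AutostartEntry(rec["location"], rec["name"], rec["command"], rec.get("signer", ""))
            entries[e.key] = e
    return entries


def diff_snapshots(baseline, current):
    """Return (new, changed); changed holds (old, new) pairs whose command differs."""
    new = [e for k, e in current.items() if k not in baseline]
    changed = [(baseline[k], e) for k, e in current.items()
               if k in baseline and baseline[k].command != e.command]
    return new, changed


def categorize(entry, trusted_signers):
    """Triage category for a new or changed entry, plus the reasons behind it."""
    reasons = []
    if not entry.signer:
        reasons.append("unsigned")
    if USER_WRITABLE.search(entry.command):
        reasons.append("runs from a user-writable path")
    if SCRIPT_HOSTS.search(entry.command):
        reasons.append("launched through a script host")
    if reasons:
        return "suspicious", reasons
    seen = "already present in" if entry.signer in trusted_signers else "not seen in"
    return "review", [f"signer {seen} baseline"]


def analyze(baseline_records, current_records):
    """Diff two snapshots and emit one finding per new or changed entry."""
    baseline = load_snapshot(baseline_records)
    current = load_snapshot(current_records)
    trusted = {e.signer for e in baseline.values() if e.signer}
    new, changed = diff_snapshots(baseline, current)
    findings = []
    for e in new:
        cat, why = categorize(e, trusted)
        findings.append({"event": "new", "key": e.key, "command": e.command,
                         "category": cat, "reasons": why})
    for old, e in changed:
        cat, why = categorize(e, trusted)
        findings.append({"event": "changed", "key": e.key, "command": e.command,
                         "previous": old.command, "category": cat, "reasons": why})
    return findings


# Constructed sample snapshots: a known-good baseline and a later collection.
BASELINE = [
    {"location": WATCHED_LOCATIONS[0], "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe", "signer": "Microsoft Windows"},
    {"location": WATCHED_LOCATIONS[1], "name": "OneDrive",
     "command": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "signer": "Microsoft Corporation"},
    {"location": "Services", "name": "EndpointAgent",
     "command": r"C:\Program Files\ExampleAV\agent.exe", "signer": "Example AV Inc."},
]
CURRENT = BASELINE[:2] + [
    {"location": "Services", "name": "EndpointAgent",
     "command": r"C:\Program Files\ExampleAV\agent.exe --quiet", "signer": "Example AV Inc."},
    {"location": "ScheduledTasks", "name": "ExampleAV Update",
     "command": r"C:\Program Files\ExampleAV\update.exe", "signer": "Example AV Inc."},
    {"location": WATCHED_LOCATIONS[1], "name": "Updater",
     "command": r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\upd.vbs", "signer": ""},
]

if __name__ == "__main__":
    for f in analyze(BASELINE, CURRENT):
        print(f["event"].upper(), f["category"], f["key"], "-", "; ".join(f["reasons"]))
```

Run on the constructed snapshots, the unsigned script-host entry under the user’s Run key comes out as “suspicious”, the new scheduled task from a publisher already in the baseline and the changed service command both come out as “review”, and unchanged entries produce no finding. The point of the split is the one Adams makes: the tool surfaces and categorizes new footholds, and a person decides what to do about them.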
In terms of security standards for staff, Les Olson Company maintains a full repository of each customer’s security requirements, designated approvers for work, settings and changes, and ticketing for all requests. The dealer ensures standards are met on a customer-by-customer basis through regular training based around its policies, continuous reviews and updates of documentation, and supervisor review of user work (ticket work audits). Team members may only use approved tools, including systems that are encrypted and protected by unique-token two-factor authentication.
“We also require our team members to train and certify on firewall products and their complementary systems prior to being able to work on or configure systems for customers,” Adams added. “Even when someone has completed the training process, we will typically require a senior engineer with specialization in that product to review or verify the configurations.”
As part of its ongoing training platform, Les Olson Company provides security awareness training and tests clients through phishing and vishing maneuvers. Much of its training is focused on the systems and certifications from specific vendors for the products the dealer provides, and includes extensive lab work and testing. In addition to online training and curriculum systems for general industry knowledge and baseline certifications, Les Olson Company is implementing a learning management system for training content and testing of content unique to its business or customers.
When it came time for Marco to pick a security framework, the St. Cloud, Minnesota-based firm opted for NIST, which is what most of the regulatory frameworks (including banking, health care and government) are based upon. Mike Burgard, Marco’s chief information security officer (CISO), notes the dealer wanted to ensure its offering covered five different phases in NIST CSF and was fortified with the products and services that fulfilled the requirements in each phase within the framework. That translated into defensible solutions and optimal client security protection.
In dealing with various client verticals, including the aforementioned, Marco must hold the certifications and accreditations required for doing business in various regulatory environments. In fact, the dealer built its onboarding and offboarding procedures to ensure it remains compliant, which comes back to its framework alignment.
“Having strong framework alignment really does aid throughout the process in building standard processes and standards of work,” Burgard said.
End-user security awareness training for Marco is delivered via KnowBe4, which it not only resells, but consumes as a customer. Burgard believes the value of the security awareness training extends beyond work applications, as users can apply it in their personal lives. Burgard particularly values the real-time remediation training that provides red flags for users to watch and guidance on how to handle suspicious emails moving forward.
The days of obvious scams (remember the Nigerian prince hoax?) have given way to evolved tactics being used by bad actors wishing to infiltrate networks. “The training component has to continually evolve to address newer threats,” Burgard said. “Unfortunately, there’s persistence from an adversary perspective, and that calls for constant due diligence. Attackers are now using good platforms, like Microsoft or Google, so these things get through traditional email security products.”
According to the FBI, phishing was the No. 1 cybersecurity incident in 2019 and resulted in the highest dollar loss for organizations, Burgard said. “And phishing is not new, it’s been around for years. It’s not going away anytime soon.”