Cybersecurity Best Practices for Today’s Providers: Resourceful Ways to Protect the Attack Surface

Not too long ago, I gave a talk about the importance of creating a red team and a blue team to help prepare for cyberthreats. I told a few stories about pen testers who acted as red team “attackers,” and the blue team security analysts who listen for the attacks and defend the company.

Afterward, a CEO of a Managed Service Provider (MSP) approached me with a determined look on her face. So did an IT leader from another provider. We all discussed the dynamic of how a “red team” pen tester helps make the “blue team” security analysts more successful and precise. Then, the CEO stated, “You know, this is all fascinating, but I just don’t know how I’m going to afford all of this.” The IT leader echoed her point, saying that the skill sets I was talking about were far out of reach for the typical managed service provider.

A Question of Resources—and Resourcefulness

They both had excellent points. After all, how many businesses can afford entire teams of security workers? I’ve led a small business myself, and I recognize that a major component of success in a business is watching margins. I also know quite a few CISOs of large organizations around the world, including banks, mega-retailers, and manufacturing companies. They employ teams of testers and their security analyst counterparts. Few businesses can afford to do that. Fewer still can create a formal, high-tech security operations center (SOC), complete with expensive monitoring software and highly trained people. Many small businesses just don’t have the resources, and that makes them a target.

Yet, it’s possible to get resourceful. Some IT leaders for smaller companies and providers rent essential security services on a per-service basis. It’s also possible to obtain capable and powerful free software from the open source community. Tools such as Wireshark, Suricata, Metasploit, Zeek and Kibana stand ready to help. Of course, you’ll need workers who can use those tools properly—more about that in a second. But first, a few words about why constantly updating your cybersecurity is so important.

Why it’s Necessary: the Morphing Attack Surface of Today’s Businesses

Security issues continue to evolve, and with that evolution, a new phrase has emerged: attack surface. It describes the myriad ways organizations present a target to attackers. Sometimes, these attackers are external third parties. In other instances, attacks come from inside the organization.

Today’s attack surface includes employees who fall victim to social-engineering attacks as well as devices that aren’t properly patched, monitored and secured. Usually, the result is a form of ransomware or malware that gets unleashed on the network. Businesses of all types have experienced an increase in ransomware attacks over the past several months, as reported by CompTIA’s IT Industry Outlook 2020 report. Additionally, social engineering is becoming far more advanced. Attackers go beyond deep fakes and now employ artificial intelligence (AI) to help discover the best attack strategies for their targets. AI can help identify the attack surface of any organization, including a managed service provider, a manufacturer or a bank.

But in many ways, security isn’t just about managing or stopping the hacker. We’re now living in an age in which privacy laws require businesses to conform to standards. We’re only seeing the beginning of privacy and governance regulations, which currently include the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). That list will grow larger; in the United States alone, models such as the Cybersecurity Maturity Model Certification (CMMC) and the NIST Cybersecurity Framework (CSF) represent compliance standards for businesses of all types. Organizations need to either hire or rent the talented people who can help them demonstrate compliance and prepare them to respond effectively to attacks.

Steps You Can Take

The first focus for service providers should be upskilling existing workers; it’s all about competencies. End-users require frequent, engaging training concerning how to avoid social engineering in all of its forms, including phishing. IT workers will also need specialized training. As a service provider, if you can provide increasingly nuanced and proactive services in this area, you’ll be seen as a go-to resource that is well worth the customer’s investment.

When it comes to workers in the managed service provider space, there’s a pressing issue. Many companies frankly don’t know where to start when it comes to training their workers. Some of the training is quite valid, but very costly. Other training has questionable benefits. Thus, some companies tend to avoid investing in their people. It also causes some providers to get overly choosy when it comes to hiring people.

As a result, some organizations decide not to invest in their workers. Instead, they expect talented workers to come to them. This is why we’ve created the CompTIA Career Pathway. Organizations of any size can use this as a guide for providing workers with strong IT infrastructure and cybersecurity skills. This provides confidence that their IT employees can work closely with cybersecurity professionals to create business resiliency solutions (e.g., cloud backup), incident response plans and monitoring solutions.

Additional Nuances: Changing Your Business Culture

Ensuring cybersecurity is, in many ways, a business culture issue. Let me draw an analogy: over the past few months, I’ve been restoring an old 1975 Toyota Land Cruiser. I’ve learned the hard way that it’s a bad idea to simply paint over existing rust without first completely eradicating it through grinding it out. It’s a lengthy, labor-intensive process. Why do I mention this? Because many businesses tend to approach security as if it were paint that you slather over an existing problem.

I know of a managed service provider that invested in some expensive security monitoring software to help stop ransomware. But the solution kept failing and ransomware kept hitting the company. The security worker started investigating the root cause of the attacks. It turned out that this particular provider allowed a partner to use their network every few days without first conducting a check on that partner’s notebook computer. This notebook computer was the “vector” that caused the ransomware problem.

The solution? The company established a simple policy that all computers needed to be inspected and vetted before connecting to the network. Any computer—even that of the CEO and her most-trusted partner—had to be checked. The company hasn’t had a ransomware problem since. Applying and enforcing a business policy made all of the difference.

In short, it’s vital for a company to get its business policy ducks in a row first. You can’t secure something that is fundamentally broken, or simply slather paint over the problem and hope for the best. In this case, it took a bit of work for the company to grind out the policy and get everyone to follow it. But the process was worth it. The provider even found more uses for the monitoring solution. After the policy change, the provider was in a position to provide additional cost-effective monitoring solutions to its customers. Why? Because they saw through their own experience that technology, mapped to sound security policies, allowed them to sell an inexpensive but useful service that helped others identify root causes of various security problems.

Fostering Intelligence in the Workplace

At CompTIA, we’ve noticed that it’s easy for providers and businesses of all types to “lose the forest for the trees.” In other words, it’s sometimes hard to identify essential steps and best practices. That’s why we’ve created an Information Sharing and Analysis Organization (ISAO). The CompTIA ISAO is designed to help organizations obtain the latest cybersecurity threat information and create a clear, concise and coherent narrative concerning threats they’re facing. This includes MSPs as well as value-added reseller organizations.

An ISAO is designed to obtain timely information about today’s threats, then share that info with its members. The promise of using cybersecurity threat intelligence (CTI) is that it helps organizations make better decisions concerning how they secure the software and services they purchase, and adapt that security as threats dictate new actions. It’s also hoped that using threat intelligence will help organizations make more-accurate choices concerning their purchases and efforts, so they can avoid “boiling the ocean.” But that’s not all.

Increasing diversity in the workplace is another way to ensure that increased intelligence enters your organization. At CompTIA, we’ve found that the best way to ensure true resourcefulness and creativity is to foster an environment that includes varied backgrounds. Organizations that bring in workers of varied histories and backgrounds are the ones that have been able to better respond to today’s asynchronous threats.

Upskilling: the Best Practice

Today’s cybersecurity workforce is increasingly diverse and needs constant upskilling. To learn more about today’s tech and cyber workforce, check out the Cyberstates website, the definitive guide to the tech workforce in the United States. If you’re interested in learning more about the cybersecurity employment space, visit our CyberSeek site, created in conjunction with Burning Glass and the U.S. National Institute of Standards and Technology (NIST).

Finally, CompTIA recently published its “2020 Emerging Technology Top 10 List,” which can help you identify essential technologies companies are using today. One of the more surprising developments is that AI became the top technology adopted over the past year. Even though this isn’t a dedicated cybersecurity list, it nevertheless will help you understand the typical attack surface of today’s providers.

Dr. James Stanger
About the Author
Dr. James Stanger is a respected authority in cybersecurity, Linux and open source, and emerging technologies. He has helped create certifications and curricula in topics as diverse as security analytics, threat intelligence, online education, English Romantic literature, Linux system administration, kayaking, and Web development. Organizations he has worked with over the past 20 years include IBM, General Dynamics IT, Tesco, the British Army, Dell, the United States Department of State, the Japan Ground Self-Defense Force, the Open University (UK), Western Governors University, Microsoft, Symantec, the University of California, SoftBank, and Northrop Grumman. An award-winning author, blogger and educator, James currently works as Chief Technology Evangelist at CompTIA. He lives and plays near Puget Sound in Washington state.