A reflection on the attack on Kaseya
Essential controls and capabilities to get out of a cyber attack
We recently had the opportunity to attend a webinar entitled "The Kaseya Attack - What We Know and What We Must Learn", organized by a company that offers digital rating services, whose motto is that these ratings make it easy to understand and act on risk.
It was interesting to learn the history of the incident, which began on April 6 with the notification to Kaseya from the DIVD (Dutch Institute for Vulnerability Disclosure) that it had detected 7 vulnerabilities in Kaseya's VSA remote monitoring and management software. On May 8, Kaseya released patches for 4 of them, and on June 26 it finalized those for the remaining 3, updating its SaaS version and scheduling the update of the on-premise versions for July 7.
But the attack came on July 2.
Kaseya certainly handled communications well: within just 4 days, 98% of VSA installations had been taken down until the company rolled out the appropriate patches.
The most significant thing about the webinar, apart from the interesting narrative of the course of the incident, is the summary they provide of the essential controls and capabilities that must be implemented to achieve a better cybersecurity posture in the organization:
Of all these conditions, digital rating services such as those provided by the webinar's organizer can only evaluate whether the company is using versions of software or applications that appear on public vulnerability lists (this was not the case with Kaseya's VSA, since until the incident the DIVD had notified only the manufacturer). Therefore, this digital rating cannot offer a realistic assessment of the capabilities available to the evaluated organizations.
This makes us even more aware that the only rating that provides real and reliable information is our cybersecurity rating, which takes into account all those essential controls and capabilities, and many others that are no less important, such as awareness programs for staff, who are often the ones who open the door by clicking on improper links.
The characteristics of this incident mean it can be considered a zero-day, so any organization that used the on-premise version of VSA would have been affected. However, here you can see how the rating offers a very different view, since one of our controls requires, necessarily and from the lowest level, that "All backups have at least one copy destination that is not addressable continuously through calls to the operating system", thus ensuring that ransomware does not hijack the backup information as well.
The digital rating is a good complement; we are not going to deny its benefits. But it is surprising that it tries to position itself as the definitive tool for supplier risk management. It does allow a more continuous and automated observation of the perimeter the organization has exposed to attacks from outside, but in no way can it reveal the organization's preparedness and recovery capacity in case of incidents. As such, we use it to monitor our clients who have qualified services, the two together providing the optimal combination for the only truly reliable cybersecurity rating on the market.
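As an added illustration of the backup control quoted above (example code written for this post, not LEET Security's own tooling), the following evaluator classifies each copy destination in a hypothetical backup plan by whether ransomware with file access on the host could reach it, and passes the plan only if at least one copy is out of reach. The destination kinds, the `attached`/`immutable` flags and the sample plans are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed schema: targets reachable from a compromised host through
# ordinary filesystem calls (open/write/unlink on a mounted or UNC path).
ALWAYS_ADDRESSABLE = {"local_disk", "smb_share", "nfs_share"}
# Removable media: reachable only while physically attached.
REMOVABLE = {"usb_disk", "tape"}
# API-only targets: counted as isolated only when object lock / WORM
# retention stops the copy from being overwritten or deleted.
API_ONLY = {"object_storage"}


@dataclass
class Destination:
    name: str
    kind: str
    attached: bool = True     # removable media currently connected?
    immutable: bool = False   # object lock / WORM retention enforced?


def os_addressable(d: Destination) -> bool:
    """True if malware running on the backed-up host could alter this copy."""
    if d.kind in ALWAYS_ADDRESSABLE:
        return True
    if d.kind in REMOVABLE:
        return d.attached
    if d.kind in API_ONLY:
        return not d.immutable
    raise ValueError(f"unknown destination kind: {d.kind}")


def evaluate(plan: list[Destination]) -> dict:
    """Apply the control: at least one copy must not be continuously addressable."""
    isolated = [d.name for d in plan if not os_addressable(d)]
    exposed = [d.name for d in plan if os_addressable(d)]
    return {"passes": bool(isolated), "isolated_copies": isolated,
            "exposed_copies": exposed}


# Constructed sample plans. The first looks redundant (three copies) but
# every copy is reachable from the host, so ransomware could take them all.
PLAN_EXPOSED = [Destination("nightly", "local_disk"),
                Destination("nas-mirror", "smb_share"),
                Destination("cloud", "object_storage")]
# Adding one detached tape copy is enough to satisfy the control.
PLAN_OK = PLAN_EXPOSED[:2] + [Destination("weekly-tape", "tape", attached=False)]

if __name__ == "__main__":
    for label, plan in (("exposed", PLAN_EXPOSED), ("isolated", PLAN_OK)):
        print(label, evaluate(plan))
```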
LEET Security – The ultimate cybersecurity rating