Business + Partners

Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now...

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have? Substitute your digital...

Oh no! A client failed a pen test. Now what?

In a previous post, we talked a bit about what pen testing is and how to use the organizations that provide them to your benefit. But, what about when one of them hands a client a failing grade?

Consider this, you’re an MSP and you get a letter or email from one of your customers that reads:

“Dear ACME MSP,

We regret to inform you that you’ve had a Penetration Test Failure produced by: “FreindlyHacker-Pentesting Inc” and we’d like to discuss the details further to determine if you have what it takes to continue to handle our security needs.

Regards,

Largest MSP Customer.”

A customer may not pass along this exact wording, but the implications are clear. The results can be embarrassing or at worst devastating. When a customer reaches out after failing penetration testing, it can put an MSP on its heels and create unnecessary angst. Should the MSP have been more involved in the testing? Did my tools cause the failure Has the MSP soured its relationship with its client? Will the business be lost?

So, how should an MSP respond when a customer fails a pen test?

Some MSPs turn to self-doubt and start wondering if the layers of protection they’ve put in place are worth the costs. Others will immediately start pointing fingers at the tools that were identified in the pen test report. When a report comes through with a failure, it’s usually unexpected and can take time away from more important activities.

To save time and effort if this should happen to you, here are a few key elements of a good response to a pen test failure.

Immediately start asking questions.

  • What kind of penetration testing was involved?
  • Who performed the testing and what are their credentials?
  • How was the penetration testing organization positioned to start taking action?
  • Where the testers acting as “Red Team” or “Blue Team” actors?
  • When did the testing take place?
  • May I examine the data and reporting?

Review your tools configurations.

Rather than immediately assume bad tech, it’s best to step back and evaluate each tool identified in the pen test report and the associated configurations, policies and control points. Often, a security tool is designed to identify, evaluate and/or stop bad actors along the threat chain. If it failed, it could be that a setting was disabled or miss-configured. Review all tools’ “best practice” guides, documents and suggestions before making assumptions.

Ask for partnership with the customer during their next review.

If the customer did not provide a heads up or pretesting communication, request that you be more involved during their next review. If pen testing is important enough for them to do once, it’s probably that they’ll do it bi-annually or annually, depending on the industry and regulatory concerns. It’s always good to be involved in advanced than after the fact.

Blue Teams vs. Red Teams: Which type of test was conducted?

The difference between a Blue Team and Red Team is how much previous access they have to a target’s networks and devices. This can make a huge difference in how the results of a pen test are interpreted. When a Blue Team—with some previous knowledge of an organization and its IT systems—is able to breach a business, it may not be representative of real-world circumstance. It could be an internal IT admin who was able to find a vulnerability after poking around in a system she previously had access to.

When a Red Team compromises a client, on the other hand, it’s time to examine the reporting closely. Starting with zero knowledge of an organization’s systems, this type of breach could point to serious flaws in the defenses an MSP has set up for a client. Likely there are real holes here which need to be patched.

Evaluate the pen testing organizations

While there are many levels of testing capability, keep in mind that pen testers come from many IT walks of life. Former sysadmins, hackers and network administrators make the most common tester. They come with their own experiences, specialties and biases.

One question to always ask is, what are the testing organizations credentials? What is their background and how did they come to the business? How long have they been testing?

The goal is to guage whether the individuals who’ve conducted the test are knowledgeable enough to make judgments about your organization’s defenses? Did they actually breach the defenses or are they simply reporting on a “potential” for a breach?

Not all testers are alike, not all testing organizations are alike.  Each has to successfully make the case of its own expertise in coming to the conclusion that it has.

As I say, trust but verify. And be prepared to ask LOTS of questions if a client ever fails a pen test.

An Inside Look at Cybercrime-as-a-Service

You’ve likely heard of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and numerous other “as-a-service” platforms that help support the modern business world. What you may not know is that cybercriminals often use the same business concepts and service models in their own organizations as regular, non-criminal enterprises; i.e., the same practices the majority of their intended victims use.

As senior threat research analyst Kelvin Murray explains to Joe Panettieri, editor of Channel E2E and MSSP alert, in our most recent Hacker Files podcast, cybercrime-as-a-service “essentially follows the same path as most as-a-service things in business.” He goes on to explain, “If you were a small company in 2002 and needed to set up email, you’d set up a mail server, a mail relay, mail clients, and you might hire an email admin. And then you might have to set up things like spam filters yourself. People like Microsoft figured out that they could just provide all of [these services] from a web page and rent it out to companies and take all the hassle out of companies’ hands.” That’s the as-a-service model in a nutshell.

According to Kelvin, a very similar thing happened in the cybercriminal space. Effectively, talented criminals who’ve written successful malicious code have begun renting access to their own cybercrime “solutions” to lower-level criminals who either don’t have the resources or know-how to design, write, and execute cyberattacks on their own.

Of course, the people providing the so-called service don’t do so out of any goodness in their hearts; they do it for a cut (sometimes a significant one) of any profits made in an attack that uses their code.

Hear more about the evolution of cybercrime-as-a-service in the full podcast. Be sure to check out other discussions and recordings in our Cybersecurity Sound Studio.

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic. For MSPs, that makes up a good portion of their clientele.

Remote workers were abruptly pulled out from behind the corporate firewall, immediately becoming more susceptible to the targeted attacks of cybercriminals. Acceptable use policies could no longer be easily enforced, home devices became work devices, and employees distracted by life around them became more likely to click carelessly.

What’s worse, because the pandemic was affecting more or less all of us at the same time, cybercriminals had a virtually limitless pool of targets on which to test out new scams. Phishing scams imitating eBay skyrocketed during the first months of product shortages brought on by COVID-19. Scam emails claiming to be from Netflix rose by more than 600% in 2020.

We were fish in cybercriminals’ collective barrel. Now, even with vaccinations rising in the U.S., many companies are rethinking the way they work. It’s up to MSPs to have a strategy for security remote workers, because they’ll likely need to serve more than ever before.

Find out how to ensure your clients’ remote workers are resilient against attacks across networks in this informative conversation between ChannelE2E and MSSP Alert editor Joe Panettieri and his guest Jonathan Barnett. In addition to being a network security expert and senior product manager for Webroot’s DNS solution, Barnett brings 20 years of experience as the head of his own MSP business to the podcast.

Here’s what he has to say about ensuring a cyber resilient remote workforce.

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous term; everyone wants it to be better, but what exactly does that mean? And how do you properly measure it? After all, if a security product is effective, then that means few or no cyberattacks should be getting through the lines of defense to the actual infrastructure. Yet, faced with modern cyber threats, that seems like a pretty impossible goal, particularly as many attacks are designed to operate under the radar, evading detection for weeks or months at a time.

As a result, many businesses and managed service providers may try to account for their efficacy needs in the tools that they choose, vetting the solutions with the highest reviews and the best third party testing scores. But the tools aren’t everything. What else can you do?

Here are our top 5 tips for getting the best possible efficacy out of your IT security stack.

  1. Partner with solution vendors who can guide you to the right setup.
    Most small to medium-sized businesses and many MSPs just don’t have the resources to keep dedicated security experts on staff. That’s not a problem, per se, but it does mean you might have to do some extra legwork when selecting your vendor partners. For example, it’s important to take a hard look at the true value of a solution; if it requires costly or time-consuming training to attain a skill level high enough to get maximum value from the product, then the cost-benefit ratio is much different than it initially appears. Be sure to choose vendors who provide the type of guidance, support, and enablement resources you need; who can and will advise you on how best to configure your cybersecurity and backup and disaster recovery systems; and who are invested in helping you ensure maximum return on the investment you and your customers are making in these solutions.

  2. Trust your tools, but make sure you’re using them wisely.
    According to George Anderson, director of product marketing for Carbonite + Webroot, OpenText companies, many of the tools IT admins already use are extremely effective, “as long as they’re being used properly,” he cautions. “For example, Webroot® Business Endpoint Protection includes powerful shielding capabilities, like the Foreign Code Shield and the Evasion Shield, but these are off by default, so they don’t accidentally block a legitimate custom script an admin has written. You have to turn these shields on and configure them for your environment to see the benefits; many people may not realize that. But that’d be one simple way admins could majorly improve efficacy; just check out all your tools and make sure you’re using them to their fullest capacity.”
  • Consider whether EDR/MDR/ADR is right for you.
    If you’re not already using one of the solutions these acronyms stand for, you’ve likely heard of them. Endpoint detection and response has a lot of hype around it, but that’s no reason to discount it out of hand as just another industry buzzword. It’s just important to demystify it a little so you can decide what kind of solution is right for your needs. Read more about the key differences here. Keep in mind, there’s often a high level of involvement required to get the most out of the additional information EDR provides. “It’s really more of a stepping stone to MDR for most MSPs,” per George Anderson. “Webroot Business Endpoint Protection actually provides all the EDR telemetry data an MDR solution needs, so I don’t recommend EDR alone; it should be used with an MDR or SIM/SIEM solution.”
  • Lock down common security gaps.
    Some of the easiest ways to infiltrate an organization’s network are also the easiest security gaps to close. Disable remote desktop protocol (RDP.) If you really need these kinds of capabilities, change the necessary credentials regularly and/or use a broker for remote desktop or terminal services. Use hardened internal and external DNS servers by applying Domain Name System Security Extensions (DNSSEC), along with registry locking domains; looking at certificate validation; and implementing email authentication like DMARC, SPF and DKIM. Be sure to disable macros and local admin privileges, as well as any applications that are not in use. And, of course, run regular patches and updates so malicious actors can’t just saunter into your network through an old plugin. These are all basic items that are often overlooked, but by taking these steps, you can drastically reduce your attack surfaces.

  • Train your end users to avoid security risks.
    Phishing and business email compromise are still top security concerns, but they’re surprisingly preventable at the end user level. According to the 2021 Webroot BrightCloud® Threat Report, regular phishing simulations and security awareness training can reduce phishing click-through by as much as 72%. Such a significant reduction will absolutely improve the overall efficacy of your security program, and it doesn’t impose much in the way of administrative burden. The secret to successful cyber-awareness training for end users is consistency; using relevant, high-quality micro-learning courses (max of 10 minutes) and regular phishing simulations can help you improve your security posture, as well as measure and report the results of your efforts. 

All in all, these tips are simple, but they can make all the difference, especially if you have big efficacy goals to meet on a lean budget.

For more industry tips and tricks and product-related news, follow @webroot and @carbonite on Twitter and LinkedIn.

How MSPs can use Webroot Cyber Resilience Solutions to Get their Time Back

Although they didn’t always call themselves a managed service provider, that’s exactly what T-Consulting has been since its inception. According to Vera Tucci, founder and CEO of the Italy-based MSP, it was her mission to give her clients more than a basic hardware/software bundle with a few hours of IT consultation. She knew her clients needed a greater level of service, especially those whose businesses had grown from small family operations into larger companies, and that’s what she built her own business to provide.  

When one of her oldest clients began having issues with the previous security program T-Consulting offered — issues that prevented the client from being able to access business critical systems and required hours upon hours of her team’s time to diagnose and resolve — Tucci immediately started working to identify a better solution. As far as she was concerned, the tools her team used should solve problems, not cause them. That’s when she came across the Webroot® portfolio of cyber resilience products for endpoint protection, DNS protection, and end user training.


“I actually remember the change in mood within my company. Within days of making the decision [to switch to Webroot], my employees were happy again. They weren’t waking up worried about what would go wrong. […] We saw immediate results in terms of the time our team suddenly had on its hands. We were not wasting time trying to solve problems we shouldn’t have had in the first place.” – Vera Tucci, Founder and CEO, T-Consulting

Hear how T-Consulting integrated Webroot® Business Endpoint Protection, DNS Protection, and Security Awareness into its RMM, enabling its team members to take back their time and refocus their efforts on business priorities and revenue-generating tasks in CEO Vera Tucci’s video testimonial.

Watch the video on YouTube.

Building a Successful Customer Advocacy Program (Hint: It’s Not How You Think)

What’s better for getting your business’ name out there and boosting sales than having a killer business marketing plan with well-placed ads, zippy copy, and a slick design?

The answer is: having a group of dedicated real-world customers who use their own platforms to advocate for your business and its offerings.

Thanks to social media, reviewing platforms, and the steady rise of online presence, your customers have numerous avenues in today’s internet to help make (or break) your brand. Discerning prospective customers don’t trust faceless brands with no reviews. In increasingly saturated markets, one of the best ways to build your brand is not to advertise to your customers, but to turn them into advocates for your brand and services.

What’s the difference between advocacy and community?

Although they may go hand in hand, an advocacy program isn’t the same as a user community. User communities are more about connecting all of your end customers with one another, your teams, and the resources they need to be successful with your products; and about giving them an active forum to find support, both from their peers and your teams. But an advocacy program should be more selective about its members. Sure, at first, you may be happy just to get people involved so you can get your program off the ground; but the ideal customer for your advocacy program isn’t just an average user with little investment in the product. Instead, it’s someone whom you can recognize as a power user; someone who is invested in the success of your product as being integral to their own success, and will, therefore, be more likely to help evangelize your wins and also bring enhancement requests, unanticipated requirements, bugs, and other worthwhile concerns to your attention.

But how do you find these people? How do you keep them engaged once you do find them? And what does it look like to build an advocacy program that actually works for you and that your customers genuinely want to be a part of? We checked in with Emma Furtado, customer advocacy manager at Carbonite + Webroot, OpenText companies, for her take on the best tips to turn your savviest customers into your loyal advocacy partners who can’t wait to spread the word about your amazing products and efforts.

Top 4 Tips for Building a Successful Customer Advocacy Program

Tip #1: Take your time.

According to Emma, step one is recognizing that doing anything right takes time. “You can’t build a successful advocacy program overnight,” she clarifies, “you’ll need to have at least one employee, maybe even a team, depending on the size of your business and program goals, dedicated to research and relationship-building. You should also think about coordinating across teams. Very few customers want to be cold-called to take part in an advocacy program. Take advantage of the relationships your sales reps and engineers have already built; start working with them to identify power users and have them make an introduction so that you don’t have to start building the relationship entirely from scratch.”

Tip #2: Figure out your goals.

Sometimes in business, we end up with the desire to do something without fully understanding why it’s necessary or what it can do for us. “The point of an advocacy program isn’t to just being able to say you have one,” Emma explains. “It needs to be doing something for you and for your advocates. So, start with the basics around your own needs. Are you trying to build brand awareness, get stronger product feedback, or something else? Ask yourself how this program could boost efforts that your team is already working towards. After you fully outline why you’re doing it, you can start determining realistic goals, deliverables, and KPIs to measure the progress of your program. And once you have those pieces in place, you can start working to determine how best to engage with your customers to develop the kind of program that can achieve those goals.”

Tip #3: Hand-pick your members

As mentioned previously, when your program is in its infancy, you might choose to have a sort of volunteer enrollment phase just to get people in the proverbial door. But Emma warns that, to actually meet your objectives, you need to make sure you’re bringing in customers who will work with you and make good brand advocates. “Not every customer meets that criteria, and that’s okay. Each customer will want to engage with us differently. Your job here is to identify the people who would make good advocates and be willing to be active for your brand in one way or another. A good place to start is by looking for folks who are already engaged in customer-facing programs, such as product betas; who have already provided a Net Promoter Score (NPS); who recently responded to a survey; and/or people who are already active in your industry through blogs or social media.”

Tip #4: Give customers incentives, not bribes.

It sounds rational to entice advocates to your program with exclusive swag or even free software. That’s not the worst thing you could do; but quality brand advocates are the ones who do it to get the word out, help their fellow IT pro, and improve the products we all use, regardless of whether they have a sweet, company-branded vacuum-insulated stainless steel tumbler for their morning coffee. “A good advocacy program isn’t about getting any old kind of engagement with your wider audience,” Emma says, “it’s about creating a mutually beneficial situation between your business and a select group of highly-invested power users. Those users aren’t doing it for the swag. They’re doing it because they believe in your mission; or because they love your products and want to help guild your roadmap; or because they feel they represent unique concerns and feel an obligation to share that voice; or because they want chances to increase their own expertise or presence in the space. There are so many reasons that have nothing to do with free stuff.”

Summary

While customer advocacy can’t entirely replace your normal marketing spend line items, creating an advocate program can make all the traditional line items significantly more effective. It is an exciting and important opportunity to level up your marketing efforts by identifying and leaning on your brand evangelists, who effectively share the marketing burden with you.

“Figure out where your advocates are and go there. Talk to them about their businesses and goals. Show them you’re invested in their success, with or without your products. You’ll have an advocate for life.”

– Emma Furtado, customer advocacy manager, Carbonite + Webroot, OpenText companies

Keep in mind: an advocate program cannot succeed as a siloed effort. Customer advocacy works best when it supports your marketing efforts and product development. You can use the real-world customer input to inform your understanding of how customers want to be interacted with, improving the success of marketing programs and return on spend. Additionally, you can use the same feedback forum to guide how you use marketing and product development resources and pivot quickly on a leaner budget. By tailoring the overall customer journey to best serve their unique preferences and needs at each stage, you demonstrate to your base how highly you value their input. Ultimately, these actions serve to build a better experience for the customer overall, i.e., better reputation, brand recognition, and market posture for you.

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually corresponding shifts in crypto-based crime, such as ransomware, though it’s not necessarily the kind of change you might predict.


According to Tyler Moffitt, senior threat researcher and resident crypto expert, “whatever Bitcoin does, the altcoins are going to follow. When [Bitcoin] crashes, the rest crash.” But that doesn’t necessarily mean you’ll see big spikes in ransomware or cryptojacking. In fact, Moffitt states, because Bitcoin is known for being fairly volatile, it can undermine any direct effect on, say, the amount demanded in a ransomware scheme. It’s very possible for a Bitcoin ransom to lose value over time due to market flux, making it less profitable than it might otherwise appear.

So, what’s the real story? As we see cryptocurrency values rise and fall, how should we interpret shifts in the threats we can expect to see? Is it safe for ordinary folks to try to get into the crypto market, or does that just give malicious actors another method to scam and steal from you?

Get answers to these questions and more in this informative Hacker Files podcast with Joe Panettieri, in which he and Tyler Moffitt discuss the ins and outs of crypto, what the market looks like, how it actually affects cybercrime, and what everyone from crypto novices and to bigtime enthusiasts need to know.

Ransomware, BEC and Phishing Still Top Concerns, per 2021 Threat Report

Although cybercriminal activity throughout 2020 was as innovative as ever, some of the most noteworthy threat activity we saw came from the old familiar players, namely ransomware, business email compromise (BEC) and phishing. According to the 2021 Webroot BrightCloud® Threat Report, each of these threat types saw significant fluctuations as people all over the world shifted to working, studying, and doing everything else online. Here are some of the findings from the report.

Ransomware

One of the newer trends we saw in ransomware was that of data extortion. Believed to have been started by the Maze ransomware group, the data extortion trend involves not just encrypting business’ data and holding it for ransom, but in fact threatening to expose the compromised data if the victims refuses to pay. This new ransomware business model specifically targets sensitive data to increase the likelihood of payment.

Unfortunately, there’s little a targeted business can do in these situations. If they don’t pay up, their data might be disclosed publicly or otherwise misused. And, depending on what kind of data has been compromised, the consequences of exposure could include costly fines for violating privacy regulations like GDPR and California’s Consumer Privacy Act (CCPA). These fines can really add up, starting at $100 per customer per record lost and going up to flat percentages of revenue.

As if the ransom cost and regulatory fines aren’t enough, there’s also the cost of other ransomware fallout, such as downtime and time to recover. Universal Healthcare Services reportedly suffered three weeks of downtime after its September 2020 ransomware incident, resulting in a $67 million loss of revenue. Finally, there’s the question of the brand’s reputation and customer trust, which could be so irreparably damaged that the business might not survive.

Read more about the hidden costs of ransomware in our eBook.

As the data extortion trend took off, we also saw massive payouts to ransomware actors.

  • The attackers who hit Foxconn demanded ~1804 Bitcoin ($34 million at the time) to prevent the data they’d stolen from being publicly exposed.
  • Malicious actors infected Garmin’s systems with ransomware and required (and reportedly received) $10 million to destroy the stolen data.
  • By September 2020, the average ransom payment peaked at $233,817.

“In most cases, ransomware isn’t the beginning of a compromise. It’s actually the end state, where the criminals cash in after an extended period. By the time you realize you’ve got ransomware on your network, the criminals may have been in there, watching, listening, and tampering with things for weeks or months without your knowledge. They might’ve even checked out your financials, so they know what kind of ransom to demand.”
– Kelvin Murray, Sr. Threat Research Analyst

Business email compromise (BEC)

BEC typically targets commercial, government, and nonprofit organizations by impersonating a senior colleague, IT team member, vendor, or trusted customer. In most scenarios, the malicious actor contacts the victim via email under the pretense of requesting money (especially via wire transfer or pre-paid gift card), provide credentials, or release sensitive data.

BEC relies pretty heavily on the inherent trust of employees in their management teams, fellow colleagues, and customers. But with so many invoices and payment requests that occur as part of the daily operations in any businesses, it can be quite easy for attackers to sneak a fake one in.

From the example above, you might not think much of the consequences of this type of attack. It’s important to keep in mind that it’s not always a matter of a few $50 or $100 gift cards; it could just as easily be a legitimate-looking vendor invoice for tens of thousands of dollars. BEC remains a very lucrative business; the Internet Crime Complaint Center (IC3) got 19,369 BEC complaints in 2020, resulting in adjusted losses of $1.8 billion!

“Like phishing prevention, successfully preventing BEC involves a combination of robust training for end users and appropriately designed and publicized business policies around how to handle financial or technical requests.” – Grayson Milbourne, Security Intelligence Director

Phishing

Phishing is still one of the most popular ways (if not the most popular) to get ransomware and other types of malware into a business’ network. Getting a victim to fall for a phishing attack is often the first step, which gives attackers a jumping off point to perform reconnaissance on the network, acquire any necessary credentials, interfere with protection measures and backup schedules, deploy malware payloads, and more — and then they get to decide what to do with any data they steal at their leisure.

COVID-19 definitely affected phishing in very visible ways. For example, the majority of phishing lures we spotted throughout the year pretended to offer information on the pandemic, COVID-19 tracking, protection measures and PPE, and more, often purporting to be from reputable sources like the CDC or WHO. There were also numerous malicious spam (malspam) emails claiming to provide details on stimulus checks and vaccines.

The rates of phishing attacks throughout 2020 largely coincided with the early months of the pandemic. Attacks increased 510% from January to February, with eBay and Apple the brands most often targeted (we believe these numbers were due to buyers increasingly looking online as product shortages and technology needs arose). Attack volume continued to grow into March, then dropped off as we moved into the summer months. A more modest spike occurred in the months leading up to the U.S. election, up 34% from September to October, and another 36% from October to November.


Here are a few of the other phishing stats that stand out.

  • From March to July, during the initial lockdown phase in the U.S., phishing URLs targeting Netflix jumped 646%. Other popular streaming services saw similar spikes at corresponding times.
  • By the end of 2020, 54% of phishing sites used HTTPS, indicating that checking for the lock icon in your browser’s address bar is no longer an adequate way to gauge if a website is legitimate or not.

Summary

Cybercriminals certainly didn’t sit 2020 out, but it’s not all gloom and doom. In fact, there were numerous cybersecurity achievements throughout the year that work to the benefit of businesses and individuals everywhere. Security researchers and analysts have been working hard to identify and neutralize new threats the moment they’re encountered. More businesses are adopting robust backup and disaster recovery plans to remain resilient in the face of downtime, planned or unplanned. Operating systems and web browsers are improving their built-in security to stop threats sooner in the attack cycle. Phishing simulations and security awareness training for employees continue to improve business security postures by major percentages (up to 72%, per the report). Nations and companies are working together to break down cybercriminal infrastructure. Even malware (for the moment) is trending gently downward. It’s clear from our findings that, with the right backup, training, and security layers working together to form a united defense against cyber threats, businesses and individuals can achieve true resilience, no matter what threatens.

Get the full story on these details and more in the 2021 Webroot BrightCloud® Threat Report.

Human-centered Design in the New Webroot Management Console

At Webroot, we could go on and on about user experience (UX) design. The study of the way we interact with the tools we use has spawned entire industries, university programs and professions. A Google Scholar search of the term returns over 300 thousand results. Feng Shui, Leonardo Davinci and Walt Disney are all described as important precedents for modern UX.

Just to say: it’s something software companies spend a fair amount of time thinking about, even cybersecurity companies.

April 27 marks the release of the re-designed Webroot business console, and our team of UX designers had plenty to think about in terms of inspiration for our first major business management console re-design in more than 10 years. Ultimately, it was decided that console’s facelift would be guided by the principal of “human-centered design,” or HCD.

The International Standards Organization describes HCD as “an approach to interactive systems development that aims to make systems usable and useful by focusing on the users, their needs and requirements, and by applying human factors/ergonomics, and usability knowledge and techniques.”

Ultimately, human-centered design entails giving people the tools they need to accomplish what they set out to. It can refer to designing products to help individuals overcome their disabilities or making sure a driver feels like he’s behind the wheel of an Indy Car every time the engine turns over. As CIO puts it, “human-centered design focuses on the human first.”

HCD and the new Webroot management console

The humans we put first are our users. More specifically, in terms of our business products, managed service providers (MSPs) and small to medium-sized businesses (SMBs). These groups have varying pain points they need addressed by our software. MSPs tend to need multi-site, multi-tenant capabilities for managing many clients, whereas SMBs typically require a simplified console that’s easy to use. So, in accordance with HCD, we’ll be releasing a separate console for each.

That’s not the only way we considered the user in refreshing our console though. Our UX and product management teams directly discussed desired improvements with more than 50 top users and incorporated feedback from hundreds of users through the Community, wire frames, usability tests and conversations. Enhancements were made based on this customer research.

All this led to a cleaner, more intuitively designed management console that we hope puts the needs of the user first. It’s our hope that HCD will make the lives of our business customers easier, removing some of the barriers they encounter with the software they use to make their clients and businesses more secure.

For more release details, specific improvements made and screenshots of the new console, download the full product bulletin here.

What is Pen Testing and Should You Have a Company that Performs them on Retainer?

Pen testing is the art of attempting to breach an organization’s network, computers and systems to identify possible means of bypassing their defenses. It’s an “art” because there is no one-size-fits-all method or process. Testers need a variety of skills, knowledge and tools to make the attempt.

Most testers are hackers trying to use their skills legitimately, technical administrators, network administrators or just computer enthusiasts who enjoy trying to undermine IT security stacks. Many testers are jacks-of-all trades (and masters of them all). Their primary goal is to succeed in getting past defenses and report on their findings. An MSPs intention is to NOT allow this to happen by putting up the right security posture through layered defenses.

So it’s easy to see how the relationship can quickly become adversarial. But there are ways pen testing organizations can help MSPs. Before we get to that, more details on types of pen tests.

Types of testing

An issue with pen testing is a lack of standard operating procedures. No one company performs the tests the same way. Testers are fallible actors with certain skills they apply to circumvent defenses. While testers and testing organizations are usually highly skilled, they are not all knowing. Trust, but verify.

So, what types of testing methods are there? While standardization is scarce and pen testing is pretty much a Wild West environment, there are some common methods and approaches. These can be broken down into two categories: Blue Teams and Red Teams.

(Tools are varied and not important until the tester discovers or knows what type, brand or systems are present. In other words, tools are specific to the environment.)

Blue Teams

With Blue Teams, “tester” has some information about the network, computers and organization that they’re pitted against. They know how things are set up and are there as more of an audit/report type tester rather than a malicious hacker.

Blue Teams can be anyone inside or outside the organization. However, in the MSP community, the Blue Teams are usually the technicians responsible for establishing the layered security defenses and then verifying their effectiveness. They’re the internal folks that are standing up various tools to block bad actors from encroaching or breaching their network, computers and systems.

Here’s where it can get murky and why you should always insist on more information about ay client’s pen test. Pen testing can be an outside organization performing a Blue Team activity and their report can be communicated as a Pen Test Failure. Trust, but verify.

Red Teams

Red Team testers have no idea about the organization they’re testing against and must figure out the technology, network, computers and systems before doing anything. These are true hackers starting from nothing. They may use social engineering to conduct reconnaissance, they may google employees, use LinkedIn or any other publicly available information to gain a foothold with the organization before they write one line of code.

This is real penetration testing, as they make the attempt to access networks, computes and systems of the identified organization they’re testing against. When a Red Team reports its findings on why and how they were able to breach a client, it’s time to pay attention.

Should you put a Penetration Testing company on retainer?

So, now that we’ve established some high-level perimeters, how should MSPs engage with pen testers?

First, it’s important to learn everything you can about your tools. The mantra of a strong security posture is ‘know your tools inside and out.’

But don’t stop there. Rather than stand up the layers of the latest cool tools and cross your fingers no pen tester hits a client with a failing report, be proactive. Learn about the penetration testing market, find a good pen testing company with strong credentials and engage with them. With security concerns exploding over the past few years, pen testing should be considered an essential tool for validating your effort and spend on the security stack. So get to know the good ones.

Again, many MSP view third-party pen testing organizations as the enemy. Instead, engage with pen testing organizations to test your own defenses before issues affect your customers.

Here are a few tips for improving your business’s relationships with pen testers:

  • Pen test your own network, computers and systems. If you want to know how good your “Blue Team” is, put their feet to the fire and have a solid, reputable third-party pen testing organization attempt to breach your own defenses. Learn all you can about their methods and findings, then review and adjust.
  • Work with the pen test organization as a potential revenue opportunity. Work out an agreement that lets you as the MSP provide work and opportunity through your own customer network. You act as the lead generator and offer their services as an adjunct to your own.
  • When customers come along with a report that you were not involved, ask questions about how the test was conducted and then offer your own services to proactively verify their report.

Now that you know the basics of pen testing and how they can be used constructively, here’s a question: what happens when a customer fails a pen test? We’ll answer that question in an upcoming post.

What Real Security and Compliance Look like when Managing 5000+ Endpoints

In the United States, there are approximately 350,000 companies contracting for the Department of Defense. Each of these companies have to meet varying degrees of compliance and are now subject to the Cybersecurity Maturity Model Certification (CMMC). Effectively, CMMC means that before a DoD contractor can execute on their contract, they have to receive an independent, third-party verification certifying whether they meet the correct security and compliance criteria. The process is expensive and it’s pass/fail.

F1 Solutions, an MSP based in Huntsville, Alabama, has been working to align their security stack to the CMMC guidelines to help ensure that all of their customers, whether DoD contractors or otherwise, benefit from the comprehensive level of security the regulation requires. DNS protection, in particular, is a must-have under these rules. With over 5,000 endpoints under management, F1 has set itself quite a task. But with cyber resilience solutions from Webroot in their security stack, they’re up to the challenge.

“Of all our clients on our full stack (about 140), we’ve never had a client fall victim to cryptojacking or any significant virus, for that matter, unless the system was not using part or all of our stack or being managed by us. That’s pushing 5,000 endpoints, including all servers, terminal servers, Macs and PCs.” – James VanderWier, CEO, F1 Solutions

Hear how F1’s overall security and compliance offering changed for the better since they made the switch to Webroot endpoint security solutions in F1 CEO James VanderWier’s video testimonial.

Watch the video: https://vimeo.com/487018201

We Finally Got Businesses to Talk About Their Run-ins With Ransomware. Here’s What They Said.

“It is a nightmare. Do all you can to prevent ransomware.”
 
– A survey respondent

Many businesses are hesitant to talk about their experiences with ransomware. It can be uncomfortable to cop being hit. Whether it’s shame at not doing more to prevent it, the risk of additional bad publicity from discussing it or some other reason, companies tend to be tight-lipped about these types of breaches.

By offering anonymity in exchange for invaluable quantitative and qualitative data, Webroot and professional researchers surveyed hundreds of business leaders and IT professionals about their experiences with ransomware attacks.

Perhaps the most surprising finding from our survey, and certainly one that presents broader implications for those involved, is that the ransom demanded by attackers is only a small part of the loss that accompanies these crimes. There are also lost hours of productivity, reputational suffering, neutralized customer loyalty, data that remains unrecoverable with or without paying a ransom and the general sense of unfairness that comes with being the victim of a crime.

Our ransomware report seeks to quantify these knock-on effects of ransomware to the extent possible. We looked at the value of a brand and how likely customers are to remain loyal to one after their data is compromised in a breach. We studied the relationship between the time to detection of the incident and its cost. We added up the labor cost spent during remediation.

But we were also interested in real people’s stories concerning their run-ins with ransomware. What advice would they give to those who may find themselves in their same position? Respondents talked about the inevitability of attack, the relief when frequent backups mitigate the worst effects of ransomware, the importance of a plan, and advised against the payment of ransoms.

Finally, we provide advice for defending against or at least reducing the disruptive impact of ransomware attacks. As a security company, it won’t be surprising that we recommend things like endpoint and network security. But it goes deeper than that. We stress the importance of empowering users with the knowledge of what they’re up against and implementing multiple layers of defense.

Most importantly – no matter how comprehensive or scattershot a business’s protection is – is that that it’s are in place before it’s needed. During the fight is not the time to be building battlements. If your organization has avoided the scourge of ransomware so far, that’s excellent. But IT administrators and other decision-makers shouldn’t count on their luck holding out forever.

Here are a few of the report’s most enticing findings, but be sure the download the full eBook to access all of the insights it delivers.

KEY FINDINGS

  • 50% of ransomware demands were more than $50k
  • 40% of ransomware attacks consumed 8 or more man-hours of work
  • 46% of businesses said their clients were also impacted by the attack
  • 38% of businesses said the attack harmed their brand or reputation
  • 45% were ransomware victims in both their business and personal lives
  • 50% of victims were deceived by a malicious website email link or attachment
  • 45% of victims were unaware of the infection for more than 24 hours
  • 17% of victims were unable to recover their data, even after paying the ransom