ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah

    IT Discussion
    msp ransomware security breach
    21
    111
    12.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • dafyreD
      dafyre @PhlipElder
      last edited by

      @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

      Privileged Access Workstation is the only way to go today. There needs to be an air-gap between systems being used to manage clients/customers and the MSP's day to day production systems.

      Agreed. The MSP doesn't need to be connected to their customer 24x7.

      1 Reply Last reply Reply Quote 1
      • dafyreD
        dafyre
        last edited by dafyre

        For the couple of sites I manage some stuff for, I have separate VMs (on my end) for each of them. Each VM has only the VPN client for the client I am connecting to.

        Edit: Passwords are different for each VM, as well as each VPN connection as well.

        PhlipElderP 1 Reply Last reply Reply Quote 0
        • PhlipElderP
          PhlipElder @dafyre
          last edited by

          @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

          For the couple of sites I manage some stuff for, I have separate VMs (on my end) for each of them. Each VM has only the VPN client for the client I am connecting to.

          Edit: Passwords are different for each VM, as well as each VPN connection as well.

          Catch is, the VMs need to be accessed from a system that has nothing to do with day-to-day operations. None.

          dafyreD 1 Reply Last reply Reply Quote 0
          • dafyreD
            dafyre @PhlipElder
            last edited by

            @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

            @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

            For the couple of sites I manage some stuff for, I have separate VMs (on my end) for each of them. Each VM has only the VPN client for the client I am connecting to.

            Edit: Passwords are different for each VM, as well as each VPN connection as well.

            Catch is, the VMs need to be accessed from a system that has nothing to do with day-to-day operations. None.

            I think I get your thinking... but for clarity's sake: Why?

            PhlipElderP 1 Reply Last reply Reply Quote 0
            • PhlipElderP
              PhlipElder @dafyre
              last edited by PhlipElder

              @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

              @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

              @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

              For the couple of sites I manage some stuff for, I have separate VMs (on my end) for each of them. Each VM has only the VPN client for the client I am connecting to.

              Edit: Passwords are different for each VM, as well as each VPN connection as well.

              Catch is, the VMs need to be accessed from a system that has nothing to do with day-to-day operations. None.

              I think I get your thinking... but for clarity's sake: Why?

              The whole point of a Privileged Access Workstation setup is to keep things separate.

              As soon as I manage client systems from this system I'm sitting at there is no guarantee of protection.

              The idea is to keep an air-gap in there.

              I remember a story of a small MSP that not too long ago got compromised. As it turns out, the perps that got in on their system managed to get in to the balance of the MSP's clients. Why? They had saved the passwords in the RDP files for their client's servers. Duh.

              All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

              dafyreD 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender
                last edited by

                Basically you're saying that every admin at an MSP should have two machines - one for managing clients, and one for MSP related email/web surfing, etc.

                PhlipElderP 1 Reply Last reply Reply Quote 0
                • PhlipElderP
                  PhlipElder @Dashrender
                  last edited by

                  @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                  Basically you're saying that every admin at an MSP should have two machines - one for managing clients, and one for MSP related email/web surfing, etc.

                  https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/

                  1 Reply Last reply Reply Quote 0
                  • dafyreD
                    dafyre @PhlipElder
                    last edited by

                    @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                    All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                    There's always going to be that risk or one absentminded click.

                    Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                    However if your admin machine is owned, you have bigger issues to start with.

                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @dafyre
                      last edited by

                      @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                      @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                      All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                      There's always going to be that risk or one absentminded click.

                      Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                      However if your admin machine is owned, you have bigger issues to start with.

                      Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                      scottalanmillerS PhlipElderP 2 Replies Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                        @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                        @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                        All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                        There's always going to be that risk or one absentminded click.

                        Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                        However if your admin machine is owned, you have bigger issues to start with.

                        Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                        It will be, because a human always has to use it at the end of the day. A used system is an at risk system. Less risk, certainly. There is good design and bad design. Good useage and bad useage. But any useful machine is at risk by nature of being useful.

                        1 Reply Last reply Reply Quote 0
                        • PhlipElderP
                          PhlipElder @Dashrender
                          last edited by

                          @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                          @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                          @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                          All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                          There's always going to be that risk or one absentminded click.

                          Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                          However if your admin machine is owned, you have bigger issues to start with.

                          Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                          There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

                          We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

                          scottalanmillerS 1 3 Replies Last reply Reply Quote 1
                          • scottalanmillerS
                            scottalanmiller @PhlipElder
                            last edited by

                            @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                            There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

                            We do this for certain tasks, it is air gapped in that nothing can move between the main desktop and the VM. But the human is still there, of course.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @PhlipElder
                              last edited by

                              @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                              We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

                              This can be a great use case for small, limited machines like Raspberry Pi. Or super high power desktops that can run a lot of desktop VMs for you locally. And a place where, if you can, using Linux makes it work so much better. No limitations on count, don't need a GUI in all cases. Can run on ARM if you want.

                              PhlipElderP 1 Reply Last reply Reply Quote 0
                              • PhlipElderP
                                PhlipElder @scottalanmiller
                                last edited by

                                @scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

                                This can be a great use case for small, limited machines like Raspberry Pi. Or super high power desktops that can run a lot of desktop VMs for you locally. And a place where, if you can, using Linux makes it work so much better. No limitations on count, don't need a GUI in all cases. Can run on ARM if you want.

                                We're getting there but not yet. The idea that's coming down the pipe is a boutique build we have designed that has everything mounted on small aluminium plate and is essentially wireless except power. It's a fun side project. 🙂

                                1 Reply Last reply Reply Quote 0
                                • 1
                                  1337 @PhlipElder
                                  last edited by

                                  @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                  @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                  @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                  @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                  All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                  There's always going to be that risk or one absentminded click.

                                  Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                                  However if your admin machine is owned, you have bigger issues to start with.

                                  Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                                  There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

                                  We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

                                  There is security leakage between VMs on a client machine for instance over clipboard.

                                  Have a look at Qubes. https://www.qubes-os.org/

                                  It's probably the best implementation of security separation to date.

                                  scottalanmillerS PhlipElderP 2 Replies Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @1337
                                    last edited by

                                    @Pete-S said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                    @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                    @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                    @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                    @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                    All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                    There's always going to be that risk or one absentminded click.

                                    Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                                    However if your admin machine is owned, you have bigger issues to start with.

                                    Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                                    There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

                                    We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

                                    There is security leakage between VMs on a client machine for instance over clipboard.

                                    Have a look at Qubes. https://www.qubes-os.org/

                                    It's probably the best implementation of security separation to date.

                                    not all have clipboards, that would be a big leak if they had that on.

                                    dafyreD 1 Reply Last reply Reply Quote 0
                                    • dafyreD
                                      dafyre @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                      @Pete-S said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                      @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                      @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                      @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                      @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                      All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                      There's always going to be that risk or one absentminded click.

                                      Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                                      However if your admin machine is owned, you have bigger issues to start with.

                                      Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                                      There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

                                      We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

                                      There is security leakage between VMs on a client machine for instance over clipboard.

                                      Have a look at Qubes. https://www.qubes-os.org/

                                      It's probably the best implementation of security separation to date.

                                      not all have clipboards, that would be a big leak if they had that on.

                                      Even if they do have clipboards, it is an easy enough option to disable.

                                      1 Reply Last reply Reply Quote 0
                                      • PhlipElderP
                                        PhlipElder @1337
                                        last edited by

                                        @Pete-S said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                        @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                        @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                        @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                        @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                        All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                        There's always going to be that risk or one absentminded click.

                                        Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                                        However if your admin machine is owned, you have bigger issues to start with.

                                        Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                                        There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

                                        We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

                                        There is security leakage between VMs on a client machine for instance over clipboard.

                                        Have a look at Qubes. https://www.qubes-os.org/

                                        It's probably the best implementation of security separation to date.

                                        Using the Hyper-V VM Console without RDS pass-through eliminates any access to the VM beyond console.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @PhlipElder
                                          last edited by

                                          @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                          @Pete-S said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                          @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                          @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                          @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                          @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                          All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                          There's always going to be that risk or one absentminded click.

                                          Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                                          However if your admin machine is owned, you have bigger issues to start with.

                                          Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                                          There are several ways to implement with the simplest being the main machine having two VMs installed on it. One for day-to-day and one for client/systems management. Nothing is done on the machine itself with all designated tasks being done in their respective VM.

                                          We have a number of laptops that came back from client refreshes. So, we're using them as our dedicated management machines. Asus makes a great external USB3 DisplayLink and DisplayPort external monitor that allows for two screens. That makes the work easier.

                                          There is security leakage between VMs on a client machine for instance over clipboard.

                                          Have a look at Qubes. https://www.qubes-os.org/

                                          It's probably the best implementation of security separation to date.

                                          Using the Hyper-V VM Console without RDS pass-through eliminates any access to the VM beyond console.

                                          Same with KVM or whatever.

                                          1 Reply Last reply Reply Quote 0
                                          • 1
                                          • 2
                                          • 3
                                          • 4
                                          • 5
                                          • 6
                                          • 6 / 6
                                          • First post
                                            Last post