Kaseya Ransomware Attack: Free Questionnaire to Assess Third-Party Risk

Assess your company’s exposure to the Kaseya supply chain attack with these 8 essential questions for your MSPs and other third parties.
By:
Alastair Parr
,
Senior Vice President, Global Products & Services
July 06, 2021
Share:
Blog 322 kaseya ransomware attack 0721

On July 2, Kaseya announced that attackers had taken advantage of a vulnerability in the company's VSA software to level a ransomware attack against the company's customers. Kaseya VSA is a remote monitoring and management tool for networks and endpoints, and the software is widely used by managed service providers (MSPs).

The Kaseya supply chain attack has potential implications for not only MSPs using the VSA solution, but also for their customers. While the full scale of the attack is still coming to light, Kaseya today released an update stating that approximately 50 of its MSP customers are known to be directly affected. However, the press release goes on to state that about 800 to 1,500 customers of the affected MSPs have been operationally impacted thus far.

Like the SolarWinds Orion breach and other recent third-party cyber security incidents, this is another example of the potential exponential impact of supply chain attacks on downstream customers.

8 Critical Questions to Assess Third-Party Exposure to the Kaseya Ransomware Attack

With over 35,000 companies using Kaseya software, it is possible that some of your third parties are too. Therefore, it is essential that you assess the potential impact to your third parties so you can mitigate the possible exposure of your company’s data. Prevalent has curated a 8-question assessment that can be leveraged to rapidly identify any potential impacts to your business by determining which of your third parties was affected and what actions they are taking.

Questions Potential Responses

1) Has the organization been impacted by the recent Kaseya VSA Supply-Chain Ransomware Attack?

(Please select one.)

Help text: This relates to the recent ransomware attack on the Kaseya VSA RMM Tool.

a) Yes, we have been impacted as a result of the recent Kaseya VSA Supply-Chain Ransomware Attack.

b) No, we have not been impacted as a result of the recent Kaseya VSA Supply-Chain Ransomware Attack.

2) As a result of this ransomware attack, has the organization identified and shut down any on-premise VSA servers?

(Please select one.)

a) Yes, the organization has shut down potentially affected on-premise VSA servers.

b) No, the organization has not currently shut down any potentially affected on-premises VSA servers.

c) The organization does not have any on-premise VSA servers.

3) Is the organization a Kaseya RMM managed service provider (MSP) or a customer of a managed service provider?

(Please select one.)

a) The organization is a managed service provider (MSP) of the Kaseya VSA RMM tool.

b) The organization is a customer of a Kaseya RMM managed service provider (MSP).

4) If the organization is a Kaseya RMM managed service provider, have the following actions been taken?

(Please select all that apply.)

Help text: The Kaseya VSA detection tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.

a) We have downloaded the Kaseya VSA Detection Tool.

b) We have enforced and enabled multi-factor authentication (MFA) on every account that is under the control of the organization.

c) We have enforced and enabled MFA for customer-facing services.

d) We have implemented allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs.

e) We have placed administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

5) If the organization is a customer of a Kaseya RMM managed service provider, have the following actions been taken?

(Please select all that apply.)

Help text: The following cybersecurity best practices are recommended, particularly where MSP customers do not currently have RMM services running due to the Kaseya attack.

a) We have ensured that backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.

b) We have implemented a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available.

c) We have implemented multi-factor authentication on key network resource admin accounts.

d) We have implemented the principle of least privilege on key network resources admin accounts.

6) Does the organization have an incident investigation and response plan in place?

(Please select all that apply.)

Help text: Procedures for monitoring, detecting, analyzing and reporting of information security events and incidents should be in place, and allow an organization to develop a clear response strategy to handling identified incidents and events.

a) The organization has a documented incident management policy.

b) The incident management policy includes rules for reporting information security events and weaknesses.

c) An incident response plan is developed as part of incident investigation and recovery.

d) Incident response planning includes escalation procedures to internal parties and communication procedures to clients.

7) Who is the point of contact who can answer additional queries?

Name:

Title:

Email:

Phone:

8) What is the level of impact to client systems and data following this attack?

(Please select one.)

Help Text:

Consideration should be given to level of impact on the availability and confidentiality to client information or systems.

Significant impact: The Kaseya VSA ransomware attack has caused client systems to stop working or become unavailable. There has been a loss of confidentiality or integrity of data.

High impact: Service availability to client systems has been periodically lost, and there is the potential for some systems to periodically stop. There has been some loss of confidentiality or integrity of data.

Low impact: No loss of confidentiality or integrity of data, and minimal or no disruption to service availability.

a) There has been no impact to client systems or data following this attack.

b) There has been a low impact to client systems or data following this attack.

c) There is a high level of impact to client systems or data following this attack.

d) There has been significant impact to client systems or data following this attack.

Free Guide: 8 Steps to a Third-Party Incident Response Plan

When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.

Read Now
White paper incident response 0421

Prevalent Can Help Accelerate Third-Party Incident Response

Prevalent recently introduced the Third-Party Incident Response Service, a solution that helps to rapidly identify and mitigate the impact of supply chain breaches like the Kaseya attack by providing a platform to centrally manage vendors, conduct targeted event-specific assessments, score identified risks, and access remediation guidance. Prevalent offers this solution as a managed service to enable your team to offload the collection of critical response data so they can focus on remediating risks instead.

Complementing the Incident Response Service is Prevalent’s continuous cyber and business breach monitoring that provides regular updates on breach disclosures, adverse news events, and cyber incidents such as malicious dark web activity about your vendors.

Together, these solutions help to automate breach impact discovery and accelerate response.

Next Steps to Address the Kaseya Supply Chain Attack

Use this questionnaire to determine the impact the Kaseya attack could have on your supplier ecosystem. And, learn more by downloading a best practices white paper or contact us for a demo!

Tags:
Share:
Leadership alastair parr
Alastair Parr
Senior Vice President, Global Products & Services

Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders, and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background; developing and driving solutions to the ever-complex risk management space. He brings over 15 years’ experience in product management, consultancy and operations deliverables.

Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo