The subscription model has become increasingly popular over the last few years as apps and other services move away from one-time purchase models. Once just the domain of magazines and cheese-of-the-month clubs, service providers in the IT and cybersecurity spaces have begun to adopt this model with increased frequency as software transitions away from being desktop-based and migrates to the cloud. In this article, we will discuss the benefits of subscription-based IT and cybersecurity platforms for users.
Cloud and managed IT and cybersecurity services, in particular, are an excellent fit for the subscription-based model. Under this model, users don’t purchase software (or software licenses) outright and instead pay a monthly fee per user.
Complex IT systems are incredibly expensive to set up, maintain, and operate and come with steep upfront costs, putting them out of reach for most small and medium-sized businesses. Both the OPEX and CAPEX of maintaining the hardware and software needed to support complex IT and cybersecurity systems can be unpredictable, making even those SMBs with the budget to attempt a DIY approach hesitant to take this road.
Subscription Models Allow SMBs to Offload the Hassle & Expense of Maintaining Complex Infrastructure
The hardware and software needed to manage IT and cybersecurity systems is complex enough that entire teams of dedicated professionals are required to manage and support them to ensure everything is running smoothly. Should something go wrong, the entire system may grind to a halt until the experts determine what the core problem is. This is completely unacceptable for an SMB, which would need to pull critical team members away from other valuable, revenue-generating tasks to attend to the problem and pause regular business operations until the situation is resolved.
By offloading this stress and people-power onto a SaaS (software as a service) company, SMBs can focus on running and growing their business, knowing that if an issue should occur an entire team of dedicated professionals will address it, often before the end user even realizes something was amiss. SaaS companies have one job: to maintain the hardware and software their product needs to run smoothly so that their customers can focus on their business and leave the IT and cybersecurity up to the professionals.
The User Benefits of Subscription-Based Software Platforms
Your Software is Always Up to Date
There is nothing worse than sitting down at your desk, ready to start the workday, and turning on your computer only to learn that your software requires updating. While many updates only require a few minutes, others can take much longer, leaving workers twiddling their thumbs while the clock ticks. And since desktop-based software requires users to manually trigger updates, many busy SMB IT managers are forced to continually remind their equally busy co-workers to update their software and download new security patches to ensure everyone is using the same version and that the network remains secure.
The subscription model addresses both of these problems: all new software updates are applied automatically, and if downtime is required, these updates can be timed to happen when the office is closed. This ensures everyone is always using the same version with current security patches, and it eliminates the time wasted while employees wait for software updates to finish.
Get the Latest Features & Bug Fixes Instantly
Security is everyone’s responsibility, from the summer intern to the CEO. Because subscription-model software is kept up to date automatically, businesses can rest easier knowing that every device on the network has its security patches up to date. This simple action, which the SaaS provider handles for you, has outsized results when it comes to cybersecurity.
Cybercriminals often target recently patched software, knowing that not all users will be as diligent as your business about installing security patches right away. By handing this responsibility back to the SaaS provider, your busy IT team can get this off their plate and focus on activities that build your business instead of just maintaining its infrastructure.
Everyone is Always on the Same Page
Automatic updates also ensure that every user on the network is using the same version of every program, eliminating versioning issues across your organization. By ensuring everyone is always on the same page, you can focus on building and growing your business instead of worrying about whether your co-workers will be able to access the report you wrote or if they are seeing something different than you are when they open a file.
Dramatically Reduce Up-Front Costs
Setting up and maintaining your own IT and cybersecurity infrastructure is incredibly expensive and labor-intensive; that is why entire companies are built around providing these services for other businesses.
The subscription model eliminates the need to purchase a bunch of expensive software licenses upfront (a not insignificant expense, even if your business only has a handful of employees). Offloading the stress and hassle of maintaining a server room or other IT or cybersecurity infrastructure also dramatically reduces CAPEX costs, and not needing to hire an entire team to manage and maintain this infrastructure drastically reduces personnel costs at the same time.
Hiring even a single IT or cybersecurity professional to wait around in case something goes wrong is an unnecessary expense, using up funds that could be better deployed elsewhere. With the subscription model, if something goes wrong, you can breathe easy knowing an entire team of professionals, whose entire job is to make sure things go smoothly, is already on it. These service providers also invest in layers of hardware redundancy, so if something does go wrong, user traffic can be smoothly rerouted (eliminating or at least dramatically reducing downtime) while the experts get to the root of the problem.
Shop Around Before You Commit
Software licenses can be very expensive, so you want to make sure you have chosen the right tool for the job before you hand over your business’ hard-earned funds. Because the subscription model dramatically reduces these upfront costs, it is much easier to shop around for a SaaS provider that offers a product that meets your team’s needs and plays nicely with your existing infrastructure.
Scale Your Subscription to Meet Your Current Organizational Needs
When you purchase a software license up-front, you are often locked into a contract that lasts at least a year and may not be easy to cancel. By opting for a provider that operates using a subscription model, you are never paying for more licenses than you are actually using at any point in time, and scaling up or down to meet your organization’s shifting needs is as easy and painless as a few clicks of a button.
Also, because SaaS subscription models are specifically designed to scale smoothly, you can avoid the headache and lost productivity associated with finding a new vendor should you outgrow your current software solution.
Multi-Tier Approach & Personalized Options to Suit Your Needs
Every business is unique and has unique IT and cybersecurity needs and concerns that need to be addressed. Many SaaS providers offer multiple tiers for users to choose from so client companies can select the best tier to meet their needs. For example, VirtualArmour offers two tiers: essential services and premium services.
Many of these services can also be personalized using an à la carte approach that allows users to pick and choose between multiple services so they can curate a package that suits their needs. This not only gives users more granularity over their solution but eliminates the need to pay for services a particular company doesn’t actually need or want.
Subscription Model Software Makes Budgeting a Breeze
Moving CAPEX into OPEX by opting for a subscription model makes it much easier to budget for software expenses. When a software license is purchased outright, most companies quote users a price based on the customer’s current number of users and (if relevant) the service tier they require. However, a once cost-effective solution can become a huge financial drain if the company scales more rapidly than anticipated (jumping into a higher, more expensive user-number tier), or if it needs a more personalized approach than the current provider’s one-size-fits-all offering, achieved via pricey add-on services whose additional cost the customer may not have been made aware of before committing to a one-year or multi-year contract.
Software licenses are also typically purchased on contract, meaning you pay for a full year upfront, whether you will use the full year or not. Suppose a pivot or other business change leaves you with a bunch of unnecessary software licenses. In that case, the traditional licensing approach can leave you eating the cost for the whole year, effectively paying for software you aren’t even using. The subscription model offers much more transparent pricing: You pay a set fee per user, which is communicated upfront before signing on the dotted line. If you need to add or subtract users, your price increases or decreases by the previously communicated per-user amount accordingly, and the change is reflected in your next monthly bill.
Not having to purchase, upgrade, and maintain your own supporting hardware makes it significantly easier to allocate your infrastructure budget since you don’t need to worry about suddenly replacing damaged hardware or pouring your own money into necessary upgrades to ensure your workers can continue to do their jobs effectively.
Unlike one-time purchases, the subscription model approach also helps build relationships between providers and users. In addition to providing you with a service, subscription model providers are now invested in helping ensure you and your team are comfortable using their product and pleased with the functionality it offers since an unhappy subscription customer can quickly and easily switch to a competitor.
Providers are also more likely to proactively solicit and consider user feedback to keep users happy. There is also a strong incentive for the provider to stay up to date on the latest industry developments and continually work to improve their product by adding more features and addressing user concerns promptly and effectively, all while sharing expert knowledge with their customers so users can get the most out of the provider’s product.
Unlike the one-time purchase model, the subscription model is a natural relationship-building tool, encouraging ongoing communication and feedback between the user and the provider in a way that benefits both parties: providers typically enjoy higher levels of customer loyalty, while users are often given more say in future features and updates.
Reliability You Can Depend On
You have a job to do: yours, not your IT or cybersecurity teams’. The SaaS business model is predicated on making sure all users have the tools they need to do their jobs effectively at all times. To help ensure smooth, uninterrupted service, many SaaS providers invest in multiple layers of hardware redundancy and multiple secure backups (a high but necessary expense, well out of the reach of the average SMB) and employ an entire team of experts whose only goal is to keep things running smoothly.
Redundant systems also help ensure that impacted user traffic is swiftly and smoothly rerouted until the problem is solved, a process so seamless that many end users might not even realize there was a hiccup in the first place. This allows customers to focus on their business instead of managing their own IT and cybersecurity infrastructure, hiring internal IT or cybersecurity experts using funds better spent elsewhere, or spending money on now-redundant licenses for software they may not even be using anymore.
Need an Expert? VirtualArmour is Here to Help
Not everyone is an IT or cybersecurity expert, and that’s okay. A good SaaS provider is more than just a service provider; they are a valued partner, working with you and your team to ensure you have the tools you need to do what you do best and leave the hassle and expense of managing your IT or cybersecurity infrastructure up to a trusted team of experts.
VirtualArmour offers a wide variety of IT and cybersecurity services, including:
The goal of cybersecurity is to safeguard your organization’s digital assets, including data and systems. Both EDR and MDR work to achieve this goal in different ways, and a good strategy will rely on both approaches to create a robust, more comprehensive cybersecurity strategy.
EDR: A Software-Focused Approach to Cybersecurity
EDR (endpoint detection and response) is a software-based cybersecurity approach designed to detect and respond to endpoint threats. Endpoints refer to any remote computing devices that are able to connect with your network, including computers, smartphones, tablets, servers, and IoT devices. Endpoints act like the doorways to your network, making them key points of entry for cybercriminals. As such, these portions of your network are vulnerable and require special security considerations.
Good EDR is Reactive…
EDR is designed to safeguard these endpoints by using both tools and solutions to detect and address threats to your endpoints and hosts (such as networks). Should an endpoint or host become infected with malware or otherwise compromised, the software can also quarantine the affected systems or endpoints to help slow or stop the attack. EDR is incredibly valuable because it can detect advanced threats without relying on behavioral patterns or malware signatures like anti-virus software does. EDR can also trigger an adaptive response to a threat (much like your immune system responding to an infection), allowing your system to learn from the situation and adjust its response accordingly. This approach not only helps contain the situation at hand but also helps improve your threat responses moving forward.
… But Also Proactive
In addition to learning from past incidents, good EDR also takes a proactive approach by seeking out new potential threats before they become actual threats. EDR is also able to gather data about the overall health of your network and record network activity. Should an attacker manage to slip past your defenses, this treasure trove of data gathered before, during, and after the attack will prove invaluable for identifying the root cause of the attack so that steps can be taken to improve your security moving forward.
EDR works like a security system, setting off an alarm if a window is broken or a door is forced open in an attempt to scare off the intruder and alert the business owner that something is amiss. Unfortunately, even if the security system alerts the business owner, the owner may not immediately realize something is wrong. After all, she is a busy woman with a business to run. She is also only one person: if the break-in happens while she is asleep or in a meeting, she may not see the alert on her phone until she wakes up or the meeting has ended.
On the other hand, MDR is more like hiring a security guard: You already have an expert on-site, keeping an eye out for any suspicious activity. Should a break-in occur, the security guard can respond right away. That doesn’t mean that alarm systems aren’t useful, but they are more useful if you have a security guard keeping an eye on things as well.
MDR is one piece of the SOCaaS (security operations center as a service) ecosystem, helping create a holistic, turnkey solution to continuously monitor threats across your network.
Good MDR Incorporates EDR
MDR solutions are empowered by EDR solutions, much like how a security guard is better able to perform their job because of an alarm system. MDR analysts and other cybersecurity experts are able to use the data gathered by the EDR system, as well as the abilities it provides, to more easily assess the threat and respond swiftly and appropriately. By leveraging EDR systems, your cybersecurity team can use the data the system has collected to better prioritize threats (such as identifying which users are logged in and which systems and files are being targeted) and move quickly to shut down impacted systems or institute quarantines to contain the threat and minimize or even avoid further damage.
MDR is a particularly effective approach for small and medium-sized organizations, which are less likely to have in-house cybersecurity teams to manage and respond to threats identified by their EDR systems. Many managed security services providers offer a variety of services that can be mixed and matched to suit your needs, whether you are looking to fully outsource your cybersecurity needs or simply augment your existing in-house security team.
Looking to Improve Your Security Posture for 2022? VirtualArmour is Here to Help!
Not everyone is a cybersecurity expert, and that’s okay. No matter your cybersecurity needs, VirtualArmour’s team of experts is always here to help. In addition to MDR, we also offer:
VirtualArmour also offers tailored services on an à la carte basis, allowing you to pick and choose the services your organization requires to create your own premium services package, essential services package, or tailored one-time expert consult. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring as well as industry-leading response times. We have extensive experience working with a variety of highly-specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers.
GoDaddy responded swiftly and effectively, working with law enforcement and an IT forensics firm to thoroughly investigate the incident and take appropriate steps to safeguard users.
On November 17, GoDaddy identified suspicious activity inside their Managed WordPress hosting environment, triggering an internal investigation with the help of an IT forensics firm. It was later determined that an unauthorized third party had used a compromised password to access the provisioning system for their Managed WordPress legacy codebase.
In response to this troubling discovery, GoDaddy immediately blocked the unauthorized third party from their system and began alerting affected users.
So far, the investigation reveals that the unauthorized third party had been using these compromised credentials to gain access to the system beginning on September 6, with a goal of obtaining private customer information, including:
The email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress customers were accessed, which the company said may increase the chances of phishing attacks.
The original WordPress Admin passwords set on these accounts, which were also exposed. As a preemptive measure, any account still using its original WordPress Admin password was subject to a password reset.
SFTP and database usernames and passwords of active users. Once this was discovered, GoDaddy immediately reset the passwords on these accounts.
The SSL private keys of a subset of active customers. To address this, GoDaddy immediately began issuing and installing new certificates on affected accounts.
The investigation is ongoing, and in addition to the actions outlined above, all impacted customers will be contacted directly by the GoDaddy team and provided with specific details. Customers can also contact the GoDaddy team via their online help center, which also includes country-specific phone numbers.
It Isn’t Just GoDaddy; All Hosting Providers Are Vulnerable
Common web host vulnerabilities fall into three main categories: general web hosting vulnerabilities, shared hosting vulnerabilities, and VPS and cloud hosting vulnerabilities.
General Web Hosting Vulnerabilities
One common general vulnerability is exploited when attackers use publicly available exploits to hijack your web servers and use your infrastructure as part of a botnet (connected computers instructed by a third party to perform repetitive tasks) to attack other organizations.
Less secure web hosting providers are particularly vulnerable. However, once these vulnerabilities are discovered, they are typically patched fairly quickly.
DDoS (distributed denial of service) attacks flood web servers or other online services with traffic in an attempt to crash the system. This can be done either by a large group of cybercriminals or a single criminal commanding a botnet. The goal of DDoS attacks is to overload the server and prevent legitimate users from accessing a company’s services or products.
Web Server Misconfigurations
Many basic website owners, particularly those using low-cost shared hosting, often have no idea whether or not their servers have been correctly configured. This is problematic because misconfigured servers are often left vulnerable and may be running unpatched or outdated applications.
Incorrectly configured servers may also be unable to accurately verify access rights, and merely hiding restricted functions or links behind an obscure URL is unlikely to deter attackers. This is because attackers are likely technologically savvy enough to guess the probable parameters and typical locations of this sensitive information and then simply use brute-force attacks to gain access.
Shared Hosting Vulnerabilities
If having your own server is like owning a single-family home, shared hosting environments act more like apartment buildings, where each account has its own unit within the larger structure. Unfortunately, that means a single attack can impact all of the accounts on a single server.
Organizations that opt for shared hosting accounts are particularly vulnerable because these accounts are held in large shared pools of data. Though each account is allocated its own resources, all accounts exist within a single environment, so all data, content, and other files occupy the same space and are divided only by the file structure.
Since all of this data is stored in one location, shared hosting sites are intrinsically linked. This means that if an attacker is able to access the main directory, all sites within the pool may be at risk, and a single compromised account could provide the attacker with a way into the supposedly closed system.
All types of hosting accounts can contain software vulnerabilities, but shared servers are typically more at risk. This is because the large number of accounts per server means that each server is likely to host a variety of different applications, each of which will need to be updated regularly to take advantage of security patches and other updated security measures. A single unpatched or out-of-date application may leave the entire server vulnerable.
Malware (Including Ransomware)
Malware, and particularly ransomware, is a growing problem. Though a ransomware attack may target any hosting provider, shared hosting servers are particularly ill-adapted to contain such an attack. Because multiple accounts are hosted on a single server, it is easy for a ransomware attack to spread from one company’s account and infect the rest of the accounts on the same server.
Shared IP Addresses
Shared hosting accounts also share IP addresses, with multiple sites typically being identified by a single IP address, much like all units in a single apartment building share one street address. Unfortunately, this means that if one account is compromised and begins sending out spam or otherwise behaving badly and is blacklisted by a company or service, all other sites sharing that IP address will be blacklisted as well.
This is problematic because getting an IP address removed from a blacklist is typically quite difficult, and organizations are unlikely to cooperate if one of the accounts attached to that IP address continues to behave badly or disregard the organization’s terms of service.
VPS & Cloud Hosting Vulnerabilities
Though virtual private servers (VPS) or cloud hosting options are typically more secure than shared hosting options, they are still vulnerable. Attackers often target these types of hosting accounts because of the advanced interconnected nature of these servers, presenting a lucrative payday for hackers. As such, these types of attacks are also typically carried out by more experienced attackers using advanced methods.
Cross-Site Security Forgery
Cross-site security forgery, also called cross-site request forgery (CSRF), is a flaw that generally affects websites built using unsecured or poorly secured infrastructure. For convenience, many users save their credentials on select platforms, which can be a risky decision if the corresponding website is not secure.
During a CSRF attack, the end-user is forced to execute an unwanted action, such as automatically transferring funds, on a web application in which they are currently authenticated. Using social engineering (such as sending a compromised link via chat or email), an attacker may be able to trick users of a specific web application into doing what the attacker wants without the attacker having to bother trying to determine a username or password.
This works because the attacker has already queued up the action they wish to perform (such as transferring funds). When the unsuspecting user clicks the link, their saved credentials log them in automatically, and the application goes ahead and completes the action before the user is even aware of what happened.
This can be particularly devastating on admin accounts and can compromise the entire web application.
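To make the mechanism described above concrete from the defender's side, here is an added example in Python (not code from the original article or from VirtualArmour). It models a toy funds-transfer endpoint that trusts the session cookie alone, beside the same endpoint hardened with a per-session anti-CSRF token that the application embeds in its own form and that a page on another site cannot read. The session store, user names, account names and amounts are all constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf_token": ...}.
# In a real application this would live in the server-side session backend.
SESSIONS = {}


def login(user: str) -> str:
    """Create a session and return its id, i.e. the value the browser keeps in a cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the legitimate app embeds as a hidden field in its own transfer form."""
    return SESSIONS[session_id]["csrf_token"]


def transfer_vulnerable(cookie_session_id: str, form: dict) -> tuple:
    """Accepts the transfer as soon as the cookie identifies a logged-in user.

    The browser attaches the session cookie to a cross-site form post automatically,
    so a pre-built request from an attacker-controlled page is indistinguishable from
    one the user intended.
    """
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} transferred {form['amount']} to {form['to']}"


def transfer_hardened(cookie_session_id: str, form: dict) -> tuple:
    """Same endpoint, but also requires the per-session token.

    A cross-site page can trigger the POST but cannot read the token out of the
    user's session, so the forged request is rejected before any action is taken.
    """
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so a non-ASCII submission cannot raise.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session["csrf_token"].encode("utf-8")):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} transferred {form['amount']} to {form['to']}"


def simulate() -> dict:
    """Run a legitimate and a forged request against both endpoints; return status codes."""
    sid = login("alice")
    # Legitimate submission from the app's own page: the form carries the token.
    legit_form = {"to": "bob", "amount": "50", "csrf_token": csrf_token_for(sid)}
    # Forged submission: fields were queued by another site; the cookie rides along,
    # but the token is absent.
    forged_form = {"to": "mallory", "amount": "5000"}
    return {
        "vulnerable_legit": transfer_vulnerable(sid, legit_form)[0],
        "vulnerable_forged": transfer_vulnerable(sid, forged_form)[0],
        "hardened_legit": transfer_hardened(sid, legit_form)[0],
        "hardened_forged": transfer_hardened(sid, forged_form)[0],
    }


if __name__ == "__main__":
    print(simulate())
```

The vulnerable endpoint returns 200 for both requests; the hardened one returns 403 for the forged request and 200 for the legitimate one. In production the token check is normally combined with a SameSite attribute on the session cookie, which stops most browsers from attaching the cookie to cross-site posts in the first place.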
SQL injections work by extracting data, such as customer information or financial data, from a system as the data is sent to and from your database server. If this route is not secure, attackers can insert SQL scripts into the infrastructure and scan all data queries before they even reach the server.
This attack works like a postal delivery worker opening and reading all of your mail and copying down any private information they discover before delivering your letters and parcels.
Exploiting XSS Flaws
Harmful XSS-based scripts are small programs that can be used to either access confidential information or redirect legitimate users to fraudulent websites.
Though this attack is most commonly used by attackers looking to capture usernames and passwords or trick users into entering their credit card number or other sensitive information into a fraudulent website (such as one that is designed to look almost exactly like your bank’s website), this technique can also be used by organizations to carry out fraudulent business operations.
Cryptography algorithms typically rely on random number generators, but not all random number generators are made equal, and some random number generators may produce easily guessable numbers which attackers can use to their advantage.
Virtual Machine Vulnerabilities
Multiple virtual machines can be run on top of hypervisors in physical servers. However, if there is a vulnerability in the hypervisor, attackers may be able to infiltrate the system remotely and gain access to all virtual machines hosted on a physical server. Though this type of attack is rare, it is still possible, and organizations that use virtual machines should take appropriate steps to safeguard their infrastructure.
Supply Chain Weaknesses
One of the benefits of cloud hosting is resource distribution, but unfortunately, this can also be a source of vulnerabilities. If not all organizations in the cloud supply chain are as diligent as your organization about security, they could leave the entire chain vulnerable.
APIs (application programming interfaces) are designed to help streamline cloud computing processes, but they can allow attackers to easily infiltrate your cloud infrastructure if they aren’t secured properly.
Reusable components are incredibly popular, which can make it difficult to safeguard your organization against this type of attack. In an attempt to gain unauthorized access, an attacker can simply try basic access attempts repeatedly until they find a single vulnerability that allows them into the system.
Steps You Can Take to Protect Your Organization & Your Website
In the modern era, it is an unfortunate truth that it isn’t so much if your organization will experience a cybersecurity incident, but when. Luckily, there are steps you can take to safeguard your website and your organization as a whole.
If you have a static site, you should ensure that you have an SSL certificate and keep your software up to date. You should also keep an eye on your website using uptime monitoring programs so that you are alerted any time your site undergoes an unexpected content change.
By keeping an eye on your website, you can quickly learn if an incident has occurred, allowing you to mitigate or even prevent damage if your website is defaced or otherwise compromised.
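The unexpected-content-change alert described above can be implemented with a simple fingerprint check. The following is an added example in Python (not code from the original article or from VirtualArmour): it hashes a normalized copy of each fetched page, compares it with a known-good baseline, and records an alert when the two differ. The URL and the three page snapshots are constructed stand-ins for successive fetches of the same site; a real monitor would fetch the body over HTTPS on a schedule.

```python
import hashlib
import re


def fingerprint(body: str) -> str:
    """SHA-256 of the page body after collapsing whitespace between and within tags.

    Harmless reformatting (indentation, line breaks) then yields the same fingerprint,
    while any change to the actual content, such as an injected script tag, does not.
    """
    collapsed = re.sub(r">\s+<", "><", body)
    collapsed = re.sub(r"\s+", " ", collapsed).strip()
    return hashlib.sha256(collapsed.encode("utf-8")).hexdigest()


class ContentMonitor:
    """Keeps a known-good fingerprint per URL and records an alert when a fetch differs."""

    def __init__(self):
        self.baselines = {}   # url -> fingerprint approved by a human
        self.alerts = []      # one dict per detected deviation

    def set_baseline(self, url: str, body: str) -> None:
        self.baselines[url] = fingerprint(body)

    def check(self, url: str, body: str) -> bool:
        """Return True if body matches the baseline for url; else record an alert, return False."""
        expected = self.baselines.get(url)
        if expected is None:
            raise KeyError(f"no baseline recorded for {url}")
        observed = fingerprint(body)
        if observed == expected:
            return True
        self.alerts.append({"url": url, "expected": expected, "observed": observed})
        return False

    def accept_change(self, url: str, body: str) -> None:
        """After a human has reviewed a legitimate edit, make it the new baseline."""
        self.set_baseline(url, body)


# Constructed sample pages standing in for three fetches of the same URL.
URL = "https://www.example.com/"
BASELINE_PAGE = "<html><body><h1>Example Co</h1><p>Welcome to our site.</p></body></html>"
# Same content, re-indented by a template change: must NOT alert.
REFORMATTED_PAGE = ("<html>\n  <body>\n    <h1>Example Co</h1>\n"
                    "    <p>Welcome to our site.</p>\n  </body>\n</html>\n")
# Defacement: a script tag nobody approved was appended after the paragraph: MUST alert.
DEFACED_PAGE = BASELINE_PAGE.replace(
    "</p>", "</p><script src=\"https://cdn.example.net/unexpected.js\"></script>")


def run_checks() -> tuple:
    """Baseline the site, then check the reformatted and the defaced snapshot."""
    monitor = ContentMonitor()
    monitor.set_baseline(URL, BASELINE_PAGE)
    outcomes = [monitor.check(URL, REFORMATTED_PAGE), monitor.check(URL, DEFACED_PAGE)]
    return outcomes, len(monitor.alerts)


if __name__ == "__main__":
    print(run_checks())
```

The whitespace normalization is deliberately conservative: it only ignores formatting, so a single added tag or changed word still triggers the alert, and a reviewed change is accepted explicitly rather than silently becoming the new baseline.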
For WordPress or Other Database Websites (Like Those Impacted by the GoDaddy Attack)
There are a few things you can do to better safeguard your WordPress website. This includes implementing a robust username and password policy and adding multi-factor authentication. If you need to store passwords on your website for any reason, you should ensure that all passwords are encrypted, and you may want to consider using OAuth or another third-party identity management site.
You should also consider implementing rate limiting or limiting user logins based on the number of failed login attempts. This can help safeguard your website from brute-force attacks. You should also strongly consider changing your admin username from the default “Admin” to something harder to guess.
Rate limiting can help safeguard your website from botnets involved in brute force attacks. Rate limiting allows users almost unlimited login attempts but artificially inserts a delay between each attempt. Even a seemingly insignificant delay of a second or two can slow down a brute force attack, buying your organization more time for someone to notice something is amiss and take appropriate action.
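The two controls from the last two paragraphs, a growing delay between attempts and a lockout after a number of failures, can be combined in one small component. Below is an added example in Python (not code from the original article, from VirtualArmour or from WordPress itself) of a per-client, per-username login throttle with an injectable clock so the behaviour can be exercised without sleeping. The client address 203.0.113.10 and the attempt sequence in the walkthrough are constructed for the example; the thresholds (five failures in fifteen minutes, a two-second base delay, a fifteen-minute lockout) are assumptions to tune for your own site.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Tracks failed logins per (client IP, username).

    Combines two controls:
      * rate limiting: an exponential delay (2s, 4s, 8s, ...) after each failure
      * lockout: after max_failures within window_seconds, block for lockout_seconds
    """

    def __init__(self, max_failures=5, window_seconds=900, base_delay=2.0,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.base_delay = base_delay
        self.lockout = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout ends

    @staticmethod
    def _key(ip: str, user: str) -> tuple:
        return (ip, user.lower())           # treat user names case-insensitively

    def _prune(self, key: tuple, now: float) -> None:
        """Forget failures older than the window."""
        self.failures[key] = [t for t in self.failures[key] if now - t <= self.window]

    def check(self, ip: str, user: str) -> tuple:
        """Return (allowed, wait_seconds).

        allowed is False while the pair is locked out (wait_seconds = time remaining);
        otherwise wait_seconds is how long the client must still wait before retrying.
        """
        now = self.clock()
        key = self._key(ip, user)
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                return False, until - now
            del self.locked_until[key]      # lockout expired: start from a clean slate
            self.failures[key].clear()
        self._prune(key, now)
        count = len(self.failures[key])
        if count == 0:
            return True, 0.0
        delay = self.base_delay * (2 ** (count - 1))
        elapsed = now - self.failures[key][-1]
        return True, max(0.0, delay - elapsed)

    def record_failure(self, ip: str, user: str) -> str:
        """Call after a wrong password; returns 'locked' or 'delayed'."""
        now = self.clock()
        key = self._key(ip, user)
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            return "locked"
        return "delayed"

    def record_success(self, ip: str, user: str) -> None:
        """A correct password clears the counters for that client/user pair."""
        key = self._key(ip, user)
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


class FakeClock:
    """Manually advanced clock for the walkthrough (constructed for the example)."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def walkthrough() -> list:
    """Five wrong passwords in a row from one constructed client; returns the
    (allowed, wait) answer after each failure, then after the lockout expires."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    ip, user = "203.0.113.10", "admin"     # constructed documentation-range address
    results = []
    for _ in range(5):
        throttle.record_failure(ip, user)
        results.append(throttle.check(ip, user))
    clock.advance(900)
    results.append(throttle.check(ip, user))
    return results


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The delay doubles after each failure (2, 4, 8, 16 seconds), the fifth failure locks the pair out for 900 seconds, and the lock clears itself once that time has passed. Keying on both the client address and the username means one attacker cannot lock out a legitimate user from a different address, while a single address cannot spread its attempts across many user names unnoticed.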
You should also seriously consider changing your login path from the default URL. WordPress is the most commonly used content management system on Earth, and many WordPress websites continue to use the /wp-admin/ login path. As such, attackers may use this knowledge to quickly locate and access your login page. By making the login page harder to find, you can help dissuade attackers or at least buy your team more time to respond.
Interview Your Hosting Provider & Review Your SLA Carefully
The GoDaddy security incident has demonstrated how much a website’s security depends on the security of its hosting provider. Though life, and cybersecurity, in particular, offer no guarantees, here are a few questions you should ask your hosting provider in light of this recent attack.
Ask your hosting provider how they monitor their network. Suspicious activities can’t be stopped if they aren’t detected, so you want to make sure your hosting provider is carefully monitoring their internal network by asking them how their network is monitored, who is responsible for monitoring, and what sort of red flags they are actively looking for.
Ask about their antivirus and malware scanning and removal processes. Malware continues to be a threat, so you need to know what sort of malware protection your host offers and what steps they take to secure your website. You should also ask if their support team is scanning your account and request a copy of these internal reports. You also need to be clear on what will happen if your account is infected and what steps your hosting provider will take to help you identify and remove malware on your website.
Don’t forget SSL, firewalls, and DDoS prevention. You should also ask your provider what sort of protocols they have in place to prevent cyberattacks like the one experienced by GoDaddy. You should also find out if your hosting provider offers SSL certificates or if that is something your team will need to handle. Most providers don’t handle SSL certificate implementation, but they do need to provide you with the certificate so your team can implement it.
You should be able to find at least some of this information in your SLA (service level agreement), but if the answers to any of these questions are missing, you should reach out to your contact at your hosting provider for more information.
You should also lock down your folders and subdirectories to make it more difficult for unauthorized users to access exploits or vulnerabilities associated with back-end software and upload files containing malware. You should also consider adding bot filters and maintaining an active blacklist to help you filter out bots and prevent brute-force attacks.
Create an Incident Response Plan & Invest in Cybersecurity Training for All Employees
When it comes to cybersecurity, it is always best to be proactive instead of reactive. A robust incident response plan in place will allow you to respond to attacks quickly and effectively while helping limit damage and make your recovery smoother.
In their statement, GoDaddy specified that customers whose email addresses were exposed are now more likely than ever to be targeted by phishing attacks. However, all organizations should ensure their employees know what sort of red flags to look for when it comes to phishing scams. To help improve your employee cybersecurity training and educate your team, please consider reviewing our educational article Don’t Let Phishing Scams Catch You Unaware.
Whether your organization has been directly impacted by the GoDaddy security incident or not, now is an excellent time to review your website’s cybersecurity best practices. For more information, or to start improving your cybersecurity stance, please contact our team today.
Cybersecurity is a complex and continually evolving field, so keeping up to date is critical for safeguarding both your website and your broader organization.
To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.
Cyber attacks, and ransomware attacks, in particular, are on the rise, and this troubling trend is likely to continue. Having an effective incident response plan in place is vital for protecting your organization and its digital assets, but even the best plan is only as good as the facts that inform it.
To create a solid incident response plan, you need specific, actionable information about your current cybersecurity posture. A vulnerability scan gives your cybersecurity team invaluable insight into your current cybersecurity posture’s weaknesses or deficiencies so those cracks in your armor can be addressed before cybercriminals are able to use them against you.
What is a Vulnerability Scan?
A vulnerability scan involves having trained cybersecurity experts evaluate your IT infrastructure for software and firmware vulnerabilities, as well as evaluate all devices that connect to your network for configuration issues that pose security gaps. Using this valuable information, your cybersecurity team or partner can develop strategies and solutions to address these shortcomings before cybercriminals are able to leverage them and sneak past your defenses.
Whether you opt for a one-time engagement scan or ongoing vulnerability scanning as part of a larger suite of managed services (such as managed SIEM), a vulnerability scan is a critical component of any robust cybersecurity posture.
What Should All SMBs Look for in their Vulnerability Scans?
What weaknesses your vulnerability scan will look for will vary slightly between organizations, but all comprehensive scans should assess your systems for:
Software vulnerabilities are the most common type of vulnerability discovered. This type of scan involves checking for known weaknesses in all the third-party hardware and software your system relies on. These known weaknesses are discovered by security researchers and typically only pose an issue in select versions of particular technologies.
When the software engineers at a vendor discover a vulnerability or other issue in their code, they create security patches (small corrective snippets of code) to address the issue. However, a patch only protects you once you download and install it, which is one of the many security reasons you should keep your software up to date. Cybercriminals frequently try to exploit known vulnerabilities in recently patched software in the hope that not all organizations are as diligent as yours about keeping their software up to date.
Web Application Vulnerabilities
Another common type of vulnerability cybercriminals often seek to exploit are security gaps in web applications, which can be used to gain unauthorized access to sensitive data, compromise your web server, or attack web application users.
Whether you are using third-party applications designed by other companies or proprietary in-house applications, make sure any vulnerability scan you commission includes web application vulnerability scanning.
Common Misconfigurations & Mistakes
Sometimes the issue isn’t the software or the hardware, but the people using it or configuring it. Incorrectly configured software can inadvertently leave your entire system vulnerable, and you may not even realize it.
Not following established security best practices can also leave your network vulnerable. After all, investing in a high-quality, unbreakable lock is only useful if you don’t leave the key under the mat (or your password written on a sticky note under your keyboard).
Make sure you have security best practices in place and that those practices are effectively communicated to all network users. Investing in employee cybersecurity training not only helps curtail network vulnerabilities but also helps secure your network in other ways by making it less likely employees will fall for phishing scams (or other social-engineering-based attacks). Security-minded employees are also better able to identify potentially suspicious activities (such as strange network traffic), so they can alert your security team.
Encryption Configuration Weaknesses
A good vulnerability scan will also assess the encryption configurations used to safeguard data in transit between your users and your servers.
An effective strategy for improving your cybersecurity posture is to limit your attack surface area. You should only publicly expose core services or systems if you absolutely have to, and those exposed surfaces should be continuously monitored for suspicious activities. When choosing a vulnerability scanner, make sure you select one that assesses your attack surface area for issues such as unprotected ports and services that are exposed to the wider internet. Examples of vulnerable attack surfaces include exposed databases, exposed administrative interfaces, and sensitive services such as SMB (server message block).
Information leaks involve exposing information to end users when that data should remain private.
In addition to assessing your system, the final report of your vulnerability scan should include both the weaknesses discovered (in plain, accessible language so that even non-technical team members are able to understand what was discovered) as well as concrete, actionable recommendations for remedying the situation. When it comes to cybersecurity, information is only useful if it can be easily understood and acted upon. That’s why it is vital you choose a cybersecurity partner whose goal is to educate and inform your team and help you improve your cybersecurity posture.
Not all vulnerability scans will include checks in all of the above categories, and the quality and number of checks a scan includes will vary between organizations. As such, it is critical to do your research before conducting a scan, particularly if you are opting for a paid option, to ensure the scan will meet your needs.
Free vs Paid Vulnerability Scanning
User Beware: “Free” Doesn’t Always Actually Mean Free
The term “free” can vary from scanner to scanner, with some offering a free trial, a free version for non-commercial use only, or limited functionality at the free tier. As such, make sure you are clear about what the free version does and does not include before you sign up, and do your research to ensure the free scan will actually give you the information you need in a format you can actually use to improve your security posture.
Just Because You Aren’t Paying with Money Doesn’t Mean There Isn’t a Cost
When it comes to many “free” vulnerability scans, you may not be paying with money, but there is still a cost. These tools are often limited in scope, so you likely aren’t getting the whole picture. This can lead to a false sense of security as you metaphorically check that the front door is locked while leaving the back door wide open.
As you will soon see, these tools are also frequently not very user-friendly (at least for individuals who aren’t already technology experts), which can mean either hiring a tech expert just to perform your free scan or setting time and personnel aside to learn how to use the product, pulling them away from critical tasks. Free software is typically developed on an extremely limited budget, and UX design is often an “extra” that is left out, making it difficult for even the most technically inclined to get useful information out of these tools.
Free vulnerability scans are also not carried out by teams of experts and are frequently just tools you can use to assess select aspects of your infrastructure on your own, so even the most comprehensive versions will still require your team to take the information they have gathered and turn it into actionable suggestions.
Paid options are almost always more user-friendly and typically come with ongoing support and guidance. They are more likely to offer a polished, easy-to-understand report detailing what vulnerabilities were discovered, as well as actionable advice on how to address these issues and improve your security posture.
Top 4 Free Vulnerability Scanning Tools (& What They Can Tell You)
While paid vulnerability scan options typically yield more detailed and in-depth information (and cover a wider range of checks), free scanning tools can help small organizations on a tight budget assess specific areas of their networks (such as their web applications or security patches).
However, these scanning tools tend to be limited in scope, so you may need to run several in order to piece together a full list of all vulnerabilities on your network.
Burp Suite (Owned by PortSwigger)
Burp Suite is a popular web vulnerability scanner used by a variety of organizations and offers a free version (referred to as their Community Edition). However, this free version has limited functionality and does not include automation capabilities. This version contains essential manual tools and is mostly aimed at researchers and hobbyists.
Burp Suite is Java-based and can be used to check for SQL injections, cross-site scripting (XSS), and other web vulnerabilities, as well as for security auditing and compliance purposes.
Nmap
Nmap bills itself as a pen-testing tool but works more as a port scanner. Nmap scans your network and flags ports that are vulnerable, which can aid in pen-testing. In addition to port scanning, Nmap can also look for other vulnerabilities in your systems and networks, monitor host uptime, service uptime, and map network attacks when they occur. By pointing out potential weaknesses, it has its strengths as an auditing tool, but it isn’t able to actually show users how the vulnerabilities it discovers could be penetrated.
Nmap is an open-source tool aimed at ethical hackers looking for network weaknesses. Like all open-source software, Nmap is free, but like other open-source programs, it isn’t particularly easy to use unless you are already familiar with using open-source software.
Wireshark
Wireshark is a well-known open-source network protocol analyzer designed to help with select network vulnerability scanning tasks. It relies on packet sniffing to understand your network traffic patterns, which is useful for network administrators looking to design effective countermeasures.
By detecting suspicious network traffic, Wireshark can help you discover errors and detect if an attack is underway, categorize the attack, and help you implement rules to protect your network. However, like other open-source options, it isn’t particularly easy to use for the non-technically inclined and will need to be carefully managed and configured in order to meet your organization’s needs.
OpenVAS
The Open Vulnerability Assessment System (OpenVAS) is a free, open-source platform offering a variety of vulnerability management services. Designed as an all-in-one scanner and maintained by Greenbone Networks, it performs over 50,000 vulnerability tests and is updated daily.
OpenVAS is designed to run in a Linux-based environment and is aimed at experienced open-source users looking to perform pen-tests or targeted scans. However, like the other open-source tools in this list, it isn’t particularly easy to use for the non-technically savvy, and installing and using this tool poses a significant learning curve. Because it is so difficult to install and learn to use correctly, it can take a lot of time to get up and running smoothly, which can eat up employee time and pull them away from other tasks.
What Information Does Your VirtualArmour Vulnerability Scan Contain?
VirtualArmour offers both one-time vulnerability scanning engagements (vulnerability assessment) and ongoing managed security scanning (vulnerability scanning premium).
One-Time Scan: Vulnerability Assessment
Our one-time vulnerability assessments include both an external scan and a certificate scan and can be useful for auditing purposes or to prove compliance.
Our ongoing vulnerability scanning solution (Vulnerability Scanning Premium) is designed to expose and notify you of potential security gaps in your environment before they can be exploited by cybercriminals. As part of this process, our team of experts will identify:
Software and firmware vulnerabilities
Weak security policies and configurations
Outdated software and operating systems that could be used to penetrate your endpoints and infrastructure
Our team will also scan and audit your publicly exposed resources (such as file servers and web applications) with the goal of minimizing your attack surface as much as possible.
Vulnerability Scanning Premium can also be integrated with our managed SIEM option, offering more comprehensive data and additional context for alerts.
Vulnerability Scanning Premium also includes:
Custom vulnerability severity levels
Defined processes and escalation procedures
A record of all vulnerabilities detected across your environment, both on-premises and in the cloud
Threat intelligence feeds
SIEM platform enrichment using vulnerability analytics
This premium option also offers both periodic and on-demand reports, so you always know exactly what is going on, improving your organizational agility by making it easy to respond to issues as they come to light. All asset vulnerabilities are correlated with network configuration and traffic data, allowing us to identify active attack paths across your network. This vital information is used to simulate threat vectors and predict how a theoretical attack could potentially spread across your network. This can help you adjust your incident response plan as necessary and help you take a proactive rather than reactive approach.
In addition to these security benefits, continuous vulnerability scanning can help ensure your organization is complying with relevant legislation, helping you avoid the costly fines associated with noncompliance. Our team of security engineers will continuously analyze the results of your vulnerability scans and use this information to craft concrete, actionable recommendations designed to improve your overall security posture across your organization’s infrastructure, from core to cloud.
For more information about the importance of vulnerability scanning, or to learn more about our vulnerability scanning options, please contact our team today.
Cybersecurity is a complex and continually evolving field. To help keep your knowledge up to date, please visit our articles and resources page and consider reviewing these suggested educational articles and resources.
Credential sharing, the practice of using someone else’s digital identity to gain access to a platform or product, has become commonplace, particularly when it comes to video streaming services. While credential sharing brings with it obvious user-end security issues for organizations of all sizes in all verticals, it also poses a serious problem for organizations that depend on the revenue generated from paid user accounts.
When most of us think of credential sharing, we likely think of people sharing a Netflix account with friends or family members as a favor or in order to split the cost of one account between two or more people. However, credential sharing can also take a more transactional form, such as sharing credentials in exchange for payment or sharing credentials with third-party resellers in exchange for a fee.
At its core, credential sharing is a form of theft. When two or more users share access to a paid account designed for single-user use, businesses lose out on the revenue they would have earned if each actual user paid for their own account.
Security Issues & Threats to Bottom Lines: Credential Sharing is Problematic from Both Perspectives
Credential sharing poses issues both for the companies creating the product that is being illegally shared between users and for organizations whose employees are sharing internal login credentials among themselves. In this article, we will discuss the problems credential sharing poses from both of these perspectives and discuss strategies organizations can use to discourage this problematic issue.
How Common is Credential Sharing?
Credential sharing is incredibly common, particularly when it comes to video streaming platforms. A survey found that 22% of US residents (46 million people) are using credentials borrowed, purchased, or stolen from someone outside their household to access video content without paying for it.
The Security Implications of Credential Sharing
Obviously, credential sharing is a serious problem for organizations like Netflix and Hulu, which rely on paid user accounts to generate revenue. However, credential sharing also poses a serious security risk for individuals and organizations that engage in this risky behavior. A recent survey of 1507 American adults found that 34% said they shared passwords or accounts with their coworkers, allowing us to extrapolate that as many as 30 million of the 95 million American knowledge workers may be engaged in credential sharing. Considering 81% of cyber incidents used stolen or weak passwords to gain unauthorized access to systems, this high rate of credential sharing is alarming.
Credential Sharing Leaves Your Organization Vulnerable to Credential Stuffing Attacks
Re-using passwords also makes users vulnerable to credential stuffing attacks, in which cybercriminals use username and password combinations obtained during a previous breach to attempt to log in to a targeted account. This means that if one of your accounts (say, your email) is compromised, any other account that uses that same username and password combination is now vulnerable.
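Because a credential stuffing run replays breached username/password pairs, its footprint in an authentication log differs from a brute force attack: one source address tries many different accounts in a short window rather than many passwords against one account. The following added example (not code from the original article) parses a constructed sample of authentication log lines and flags sources that attempt an unusual number of distinct accounts within a time window, also listing any accounts that source then logged into successfully. The log line format, the regular expression, the 5-minute window and the threshold of five distinct accounts are assumptions for this illustration; adapt them to your own application's logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The first source tries
# six different accounts within a few seconds and gets into one of them; the
# second source is a single user who mistypes their password twice and then
# succeeds, which is normal behaviour and must not be flagged.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z auth result=FAIL user=alice src=198.51.100.7
2024-03-05T10:00:02Z auth result=FAIL user=bob src=198.51.100.7
2024-03-05T10:00:02Z auth result=FAIL user=carol src=198.51.100.7
2024-03-05T10:00:03Z auth result=FAIL user=dave src=198.51.100.7
2024-03-05T10:00:03Z auth result=FAIL user=erin src=198.51.100.7
2024-03-05T10:00:04Z auth result=SUCCESS user=frank src=198.51.100.7
2024-03-05T10:00:05Z auth result=FAIL user=alice src=203.0.113.20
2024-03-05T10:00:09Z auth result=FAIL user=alice src=203.0.113.20
2024-03-05T10:00:15Z auth result=SUCCESS user=alice src=203.0.113.20
2024-03-05T10:30:00Z auth result=FAIL user=grace src=198.51.100.7
"""

# Assumed log format for this example: "<ISO timestamp> auth result=... user=... src=..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>SUCCESS|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_lines(text):
    """Turn raw log text into (timestamp, result, user, src) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag sources that try >= min_distinct_users distinct accounts within `window`.

    Returns {src: {"distinct_users": n, "successes": [accounts it got into]}}.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):          # chronological order per source
        by_src[ev[3]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        start, best = 0, set()
        for end in range(len(evs)):   # sliding window over this source's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {e[2] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_distinct_users:
            successes = sorted({e[2] for e in evs if e[1] == "SUCCESS"})
            flagged[src] = {"distinct_users": len(best), "successes": successes}
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_lines(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} accounts tried; logged into {info['successes']}")
```

The "successes" list is the part worth acting on: an account that a flagged source successfully entered is one whose password was almost certainly reused from an earlier breach and should be reset, with the owner notified.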
Steps Organizations Can Take to Prevent Credential Sharing
Fortunately, there are steps organizations can take to prevent credential sharing, whether they are concerned about employees sharing accounts amongst themselves or paying users sharing their credentials with unauthorized, non-paying, third parties.
Preventing Credential Sharing Amongst Employees
Credential sharing among employees poses a serious security risk and should be heavily discouraged. Employee education, consequences for credential sharing, and making credential sharing less enticing are all critical for curtailing this risky behavior.
Ensure Employees Understand the Risks
The first step to stymying credential sharing between employees is to explain why credential sharing, which many view as “harmless”, is a serious issue. When employees understand the reasoning behind rules, they are much more likely to see why those rules are necessary, improving adherence. It helps to include specific examples where credential sharing caused cybersecurity incidents and discuss the fallout of those incidents. By highlighting the serious consequences of credential sharing, you can help employees better weigh the temporary convenience of credential sharing against the serious potential cost.
The risks of credential sharing should be discussed as part of your employee onboarding process and during regular cybersecurity refresher training. Regular reminders, such as a message that reminds users about the risks of credential sharing whenever they log in, can also help ensure this message sticks.
Implement Consequences for Credential Sharing
Rules are only effective if there are consequences for breaking them. Many businesses continue to foster a culture where password sharing and other “harmless” rule-breaking earns employees a gentle reprimand at best. Credential sharing is not a victimless crime; instead, it is a serious threat to your IT security and your business.
Ensure you have a clear disciplinary procedure for dealing with employees who engage in credential sharing and ensure that this procedure is clearly communicated to all employees. You should also include consequences for employees who witness credential sharing and do not report it, as well as a clear, easy-to-navigate procedure for reporting instances of credential sharing.
Improve Your Access Processes
Most employees don’t share credentials because they want to harm your organization; they do it because it is convenient. The most effective way you can reduce credential sharing within your organization is by identifying why employees are sharing credentials, adjusting your processes to address those root causes, and making it easier for employees to follow the rules without compromising efficiency.
How you address this issue will depend on the root cause of credential sharing within your organization. This may include:
Reviewing your onboarding process: If new hires are waiting too long to be issued credentials, their managers or co-workers may be sharing credentials so that the new hire can actually perform their tasks.
Improving your approval time rates: If employees are waiting too long to be granted access to files or servers they need to do their jobs, managers may be tempted to share credentials to avoid work delays.
Rebalancing workloads: If managers are sharing passwords because they need their subordinates to tackle some of their workload, you might want to explore officially re-allocating some of the manager’s tasks to appropriate subordinates (and issuing login credentials for those subordinates) or adding new members to that team to better even out everyone’s workload.
Disable Concurrent Logins
Disabling simultaneous logins is an easy way to discourage credential sharing since it ensures any user who shares their login information cannot log in while another user is using those credentials. While this strategy alone won’t prevent credential sharing, it does make it a less practical and attractive option, potentially negating any temporary productivity benefits.
Enabling this feature without prior notice is also a great way to pinpoint which employees are currently engaging in credential sharing behavior since users are likely to complain when they discover they cannot log in or are repeatedly booted from the system.
Don’t Forget About Third-Party Users
If you use third-party organizations to supplement your team, you should also be taking steps to limit credential sharing on that front. Though you likely have less oversight over these users and how they act, you need to ensure controls are in place to ensure offsite third-party users aren’t engaged in credential sharing behaviors.
Ideally, this would include time restrictions and tracking on third-party users that alert you to any potential credential sharing behaviors. This is particularly critical from a legal and compliance perspective since you will need to show that any contractors accessing your data are following your internal procedures correctly.
Monitor Your Network for Suspicious Activities
Tracking behavior that may indicate users are engaged in credential sharing can help you determine how widespread this practice is while also hardening your systems against cyberattacks.
Many cybercriminals rely on stolen credentials to gain unauthorized access to sensitive systems. By taking steps to curtail credential sharing, such as disabling concurrent logins or sending users an alert when another user attempts to log in using their credentials, you are also taking steps to improve your cybersecurity posture as a whole. Preventing concurrent logins can help keep cybercriminals out, while alerts can let employees know if their credentials have been stolen or compromised so they can notify your IT and security teams, who can then take appropriate action.
Preventing Credential Sharing Between Paying and Non-Paying Users
When it comes to preventing credential sharing among your user base, there are many lessons to learn from streaming services such as Netflix, Hulu, and Spotify.
Make Your Accounts More Personalized & Ownable
While Netflix and Hulu have to deal with rampant credential sharing, Spotify does not. The reason so many people share Netflix accounts is that Netflix allows different users to create different profiles. While this is supposed to ensure your spouse or children aren’t inadvertently messing up your recommendations lists, it also makes it easier for users to engage in credential sharing without consequences.
On the other hand, Spotify does not allow users to create separate profiles within a single account. While different household members can get a discount by purchasing multiple accounts under one payment umbrella, sharing individual accounts messes with users’ personalized recommendations and playlists.
How you go about tailoring your product to individual users depends on the product, but some strategies you may want to consider include:
Limiting the number of files a user can save (so no one wants to give up precious save slots)
Limiting the number of times a file can be downloaded
Personalizing the user’s experience based on previous behaviors (for example, e-learning software that tailors courses based on a user’s past quiz performance, interests, or previously accessed courses).
Implement Single-Sign-On Technology
Single sign-on (SSO) technology replaces user-generated usernames and passwords with account logins from popular platforms such as Google, Microsoft, LinkedIn, or Facebook. This makes the login process more convenient for users (who have one less username and password combination to remember) and discourages credential sharing.
People don’t want their friends and co-workers poking around in their personal social media accounts, which are chock-full of sensitive personal information and, in the case of Google, credit card access in the form of Google Pay.
Insist on Two-Factor Authentication
Two-factor authentication, also called multi-factor authentication or MFA, requires users to enter two different pieces of information to verify their identity. Most systems pair a strong password with a second factor such as a text message sent to a pre-registered phone number or a hardware element. For example, if an employee tries to log in to their account on your product, they would need to enter both their username and password, as well as a one-time code sent to their phone.
Mandating two-factor authentication both improves user security and makes it incredibly inconvenient to engage in credential sharing behaviors, since the unauthorized user would either need the account owner’s phone or have the account owner send them the one-time code, most of which are only valid for thirty seconds to a minute at most.
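The properties that make a sent one-time code awkward to share are short lifetime, single use and a small number of permitted guesses. The following added example (not code from the original article or from any authentication product) shows the server side of such a code: issuing it, storing only a keyed hash of it, and verifying it with a constant-time comparison. The 6-digit length, 60-second lifetime and 3-guess limit, along with the class name, are assumptions chosen for this illustration; delivering the code to the phone (SMS or an authenticator app) is outside the snippet.

```python
import hashlib
import hmac
import secrets
import time


class FakeClock:
    """Controllable clock so the expiry behaviour can be demonstrated instantly."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class OneTimeCodeStore:
    """Issue and verify SMS-style one-time codes on the server.

    Assumed policy for this example: 6 digits, 60-second lifetime,
    at most 3 guesses, and each code can be used only once.
    """

    def __init__(self, lifetime=60, max_attempts=3, clock=time.time):
        self.lifetime = lifetime
        self.max_attempts = max_attempts
        self.clock = clock
        self._pending = {}                       # user -> (code_digest, expires_at, attempts_left)
        self._pepper = secrets.token_bytes(32)   # process-local key so stored digests are useless alone

    def _digest(self, user, code):
        # Keyed hash: the database never holds the code in the clear.
        return hmac.new(self._pepper, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Generate a fresh code for `user`; the caller delivers it out of band (e.g. SMS)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (self._digest(user, code), self.clock() + self.lifetime, self.max_attempts)
        return code

    def verify(self, user, code):
        """Return True once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._pending[user]              # expired or exhausted: must be re-issued
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]              # single use: a replay of the same code fails
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self._pending[user]              # too many wrong guesses: code is dead
        else:
            self._pending[user] = (digest, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    clock = FakeClock()
    store = OneTimeCodeStore(clock=clock)
    code = store.issue("alice")
    print("correct code accepted:", store.verify("alice", code))
    print("same code again:", store.verify("alice", code))
    code = store.issue("alice")
    clock.advance(61)
    print("code after 61 s:", store.verify("alice", code))
```

Note that the guess limit matters as much as the lifetime: a 6-digit code with unlimited guesses inside a 60-second window is guessable by a script, which is why the store discards the code after a handful of wrong attempts rather than only on expiry.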
Block Simultaneous Logins
Everything we do online is tied to our IP addresses. An IP address is a unique piece of information used to identify a device on the internet or a local network. Since people (and their devices) can’t physically be in two places at once, there is little reason for anyone to log in from two different IP addresses simultaneously.
Using IP addresses, companies can block simultaneous usage on their accounts from two different IP addresses. So if one user logs in on computer A, then computer B (which is using the same credentials) is automatically logged out so that only one device using a single set of credentials can access the product at a time. This approach makes credential sharing inconvenient and frustrating since both users are continually being logged out by one another and can’t be using the same product simultaneously.
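Both the "Disable Concurrent Logins" advice for employees above and this "computer A / computer B" behaviour for paying users come down to the same server-side rule: one live session per account, with a new login from a different address revoking the earlier one. The following added example (not code from the original article or from any of the services it names) implements that rule and also records each revocation, since repeated revocations for one account are the signal that the credentials are being shared. The class and function names and the sample addresses are assumptions for this illustration.

```python
import secrets
from collections import Counter


class SessionManager:
    """One active session per account.

    A login from a different address than the current session revokes that
    session and records an event; the event log is what the security team (or
    an alert to the account owner) would be driven from.
    """

    def __init__(self):
        self._sessions = {}   # token -> (user, ip)
        self._active = {}     # user -> current token
        self.events = []      # revocation records: {"user", "revoked_ip", "new_ip"}

    def login(self, user, ip):
        """Create a session; any existing session for `user` is replaced."""
        old_token = self._active.get(user)
        if old_token is not None:
            _old_user, old_ip = self._sessions.pop(old_token)
            if old_ip != ip:      # same address re-logging in is not a sharing signal
                self.events.append({"user": user, "revoked_ip": old_ip, "new_ip": ip})
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, ip)
        self._active[user] = token
        return token

    def is_valid(self, token, ip):
        """A session is valid only if it still exists and is presented from the address it was issued to."""
        entry = self._sessions.get(token)
        return entry is not None and entry[1] == ip

    def logout(self, token):
        entry = self._sessions.pop(token, None)
        if entry is not None and self._active.get(entry[0]) == token:
            del self._active[entry[0]]


def suspected_sharing(manager, min_events=2):
    """Accounts whose sessions were revoked by a different-address login at least `min_events` times."""
    counts = Counter(ev["user"] for ev in manager.events)
    return sorted(user for user, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    m = SessionManager()
    a = m.login("alice", "192.0.2.10")        # computer A
    b = m.login("alice", "198.51.100.5")      # computer B with the same credentials
    print("computer A still logged in:", m.is_valid(a, "192.0.2.10"))
    m.login("alice", "192.0.2.10")            # A logs back in, bouncing B
    print("accounts showing sharing pattern:", suspected_sharing(m))
```

One practical caveat: a single user's address can legitimately change (a phone moving between Wi-Fi and mobile data, or a home router renewing its lease), so in production this rule is better treated as an alerting signal and a soft revocation than as proof of sharing on its own.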
Pay Users for Referrals
While it won’t single-handedly stop credential sharing, paying users for referrals can help discourage this practice by making referrals a more attractive option. Paying for referrals re-frames credential sharing as a money-losing endeavor. Ordinary credential sharing is a net-neutral financial option for paid users: after all, it isn’t like they are paying extra to let their friend, family member, or co-worker use their credentials. When you add a referral bonus, credential sharing is re-framed as a loss.
Offering existing users a percentage of each sale, a flat rate fee, or a discount when they refer a friend incentivizes existing users to get their friends, family members, or co-workers to pay for their own accounts rather than engage in credential sharing behaviors.
Credential sharing is harmful and needs to be discouraged, whether you are concerned about paid users sharing their accounts with unauthorized, non-revenue generating users or worried about how co-workers sharing accounts impacts your organization’s security. For more information about the security, financial, and other harms credential sharing can cause, or tips on reducing or eliminating credential sharing, please contact our team today.
Cybersecurity is a complex and continually evolving field. To help your team stay up to date on the latest developments and best practices, please visit our articles and resources page and consider reviewing these suggested educational articles and resources.