Kaseya, an IT solutions provider for managed service providers (MSPs) and small to medium-sized businesses (SMBs), became the victim of an extensive cyber attack over the American Independence Day weekend in 2021. As the smoke cleared, Russian-linked ransomware gang REvil claimed responsibility for the attack on a dark web forum, offering a decryption key for $70 million in cryptocurrency.

The best way to protect your organization from future data breaches and third-party risk is to develop comprehensive vendor security questionnaires that accurately assess the security posture of new and existing vendors. Regarding the Kaseya cyber attack, it is essential to understand if your vendors were affected and if they have taken precautions to fortify their data systems from future attacks.

Keep reading to learn what questions you should be asking your vendors regarding the Kaseya attack.


How Did Hackers Exploit Kaseya’s Systems?

The 2021 Kaseya cyber attack exploited a previously unknown (zero-day) vulnerability in on-premises installations of the company’s VSA remote monitoring and management (RMM) software. Because MSPs use VSA to administer their customers’ endpoints, the REvil ransomware was pushed downstream through those MSPs: professionals estimate that at least 800 customers were affected, with some reports putting the figure as high as 2,000. Many cybersecurity professionals have compared the Kaseya attack to the 2020 SolarWinds breach, concluding that long, interconnected software supply chains let a single compromised vendor reach thousands of organizations at once, which makes such attacks both more likely and harder to contain.


Questions To Ask Vendors Regarding Kaseya & IT Service Management

Here are several questions your organization can use to build out its own Kaseya security questionnaire and assess the status of your vendors.

1. Was your organization impacted by the recent Kaseya VSA ransomware attack?

  • Yes
  • No
  • [Open text field for vendor comments]

2. Has your organization ever run an affected version of a Kaseya Product?

  • Yes, we are currently
  • Yes, we have in the past
  • No, we have never
  • [Open text field for vendor comments]

3. Have you updated the affected Kaseya products to unaffected versions?

  • Yes
  • No
  • Not applicable
  • [Open text field for vendor comments]

4. Are you aware of any suspicious activity or compromised data related to a Kaseya incident?

  • Yes
  • No
  • Not applicable
  • [Open text field for vendor comments]

5. Do you partner with any third parties affected by the Kaseya breach?

  • Yes
  • No
  • Unsure
  • [Open text field for vendor comments]

6. If yes, please list the vendors below

  • Vendor Name:
  • Vendor Name:
  • Vendor Name:
  • [Open text field for vendor comments]

7. If you do partner with any vendors who were affected by the breach, what level of data is shared with them?

  • Sensitive data
  • Personal data
  • No data is shared
  • Not applicable
  • [Open text field for vendor comments]

8. What onboarding procedures does your organization implement to assess its third-party vendors?

  • Our organization follows extensive vendor risk workflows that include security questionnaires, risk assessments, and other vendor due diligence procedures.
  • Our organization loosely utilizes security questionnaires, risk assessments, and other vendor due diligence procedures.
  • Our organization is in the process of refining its vendor due diligence procedures.
  • Our organization needs to improve its due diligence procedures.
  • [Open text field for vendor comments]

9. How significantly did the Kaseya attack impact your organization?

  • Significant impact: the attack disrupted our network, IT infrastructure, and/or security programs, interrupted operations and business continuity, and sensitive data was lost or exposed.
  • Moderate impact: the attack affected our network, IT infrastructure, and/or security programs and caused a limited disruption to operations and business continuity; some data confidentiality was lost.
  • Slight impact: the attack affected our network, IT infrastructure, and/or security programs, but business operations were not disrupted and no data was lost, exposed, or corrupted.
  • No impact: the attack did not affect our network, IT infrastructure, and/or security programs.
  • [Open text field for vendor comments]

10. Did the Kaseya attack disrupt critical services your organization delivers to clients and partners?

  • Yes
  • No
  • [Open text field for vendor comments]

11. Does your organization’s cybersecurity program possess a developed security incident response plan?

  • Yes, our organization does have an incident response plan in place that includes steps for identification, mitigation, reporting, future prevention, and client communication.
  • Yes, our organization does have an incident response plan in place. Still, the program is either outdated and needs to be updated or does not include procedures for one or more of the following: identification, mitigation, reporting, future prevention, or client communication.
  • No, we develop incident response procedures case-by-case after an incident investigation.
  • No, our organization does not have any developed procedures for incident response.
  • [Open text field for vendor comments]

12. Does your organization’s cybersecurity program possess a developed disaster recovery plan?

  • Yes, our organization does have a disaster recovery plan in place that includes steps for risk assessment, evaluating critical needs, testing, recovery, remediation, and future prevention.
  • Yes, our organization does have a disaster recovery plan in place. Still, the program is either outdated and needs to be updated or does not include procedures for one or more of the following: risk assessment, evaluating critical needs, testing, recovery, remediation, and future prevention.
  • No, we develop disaster recovery procedures case-by-case after an incident investigation.
  • No, our organization does not have any developed procedures for disaster recovery.
  • [Open text field for vendor comments]

13. Does your organization utilize Multi-Factor Authentication (MFA)?

  • Yes
  • No
  • [Open text field for vendor comments]

14. How often does your organization evaluate its security systems using penetration testing, firewall audits, etc.?

  • Every six months
  • Every year
  • Whenever needed
  • [Open text field for vendor comments]

15. Does your organization have a dedicated security team?

  • Yes
  • No
  • [Open text field for vendor comments]

16. Does your organization have a dedicated security operations center (SOC)?

  • Yes
  • No
  • [Open text field for vendor comments]

17. Who is your organization’s point of contact for additional security queries?

  • Name:
  • Title:
  • Email Address:
  • Phone Number:
  • [Open text field for vendor comments]

18. Has your organization implemented new protections, installed new security controls, or updated existing infrastructure to resolve the Kaseya attack's impact on the business?

  • New controls and protections have been identified and installed for future prevention
  • New controls and protections have been identified and are currently being installed for future prevention
  • New controls and protections have been identified, but installation has not yet begun
  • New controls and protections have not been identified or installed
  • [Open text field for vendor comments]

19. If your organization has yet to install new security controls, has it implemented workaround methods or compensating controls to avoid similar attacks in the future?

  • Compensating controls and/or workaround methods have been implemented to mitigate and/or prevent future cyber attacks
  • Compensating controls and/or workaround methods have been identified to mitigate and/or prevent future cyber attacks, but they have not yet been implemented
  • Compensating controls and/or workaround methods have yet to be identified or implemented
  • [Open text field for vendor comments]
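Answers to a questionnaire like the one above are only useful once someone decides which ones need a call-back. The following is an added example, not UpGuard’s code and not part of the original questionnaire, of how a reviewer might triage completed responses automatically. The answer keys (`impacted`, `ran_affected`, `updated`, and so on) are this example’s own short labels for the questions in the article, the answer values are assumed normalised choices, the severity weights are assumptions a reviewer would tune to their own risk appetite, and the sample response is constructed rather than taken from any real vendor. The point it adds beyond the questionnaire itself is that findings come from combinations of answers (exposure plus remediation, affected partner plus data shared) and from contradictions between answers, not from any single field.

```python
"""Triage one vendor's answers to the Kaseya questionnaire above.

Added example, not UpGuard's code. The answer keys are this example's own
labels for the article's questions; severity weights are assumptions.
"""
from dataclasses import dataclass

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    topic: str      # which question(s) triggered the finding
    severity: str   # key of SEVERITY
    detail: str


def triage(answers: dict) -> list:
    """Return follow-up findings for a completed questionnaire.

    Rules look at combinations of answers (exposure + remediation, partner +
    data shared) and flag contradictions that need a human call-back.
    Unanswered questions are reported, never silently treated as a pass.
    """
    findings = []

    def ask(key):
        value = answers.get(key)
        if value is None:
            findings.append(Finding(key, "low", "question not answered"))
        return value

    impacted = ask("impacted")               # Q1: yes / no
    ran_affected = ask("ran_affected")       # Q2: yes_currently / yes_past / no
    updated = ask("updated")                 # Q3: yes / no / na

    # Exposure: still on an affected VSA build with no confirmed update.
    if ran_affected == "yes_currently" and updated != "yes":
        findings.append(Finding("Q2/Q3", "critical", "affected Kaseya version in use and not updated"))
    elif ran_affected == "yes_past" and updated == "no":
        findings.append(Finding("Q2/Q3", "high", "ran an affected version; update not confirmed"))

    if ask("suspicious_activity") == "yes":  # Q4
        findings.append(Finding("Q4", "high", "vendor reports suspicious activity or compromised data"))

    # Fourth-party exposure: an affected partner plus sensitive/personal data shared.
    partner = ask("affected_partner")            # Q5: yes / no / unsure
    partners = answers.get("partner_names", [])  # Q6: list of names
    data_shared = ask("data_shared")             # Q7: sensitive / personal / none / na
    if partner in ("yes", "unsure") and data_shared in ("sensitive", "personal"):
        findings.append(Finding("Q5/Q7", "high", f"{data_shared} data shared with a Kaseya-affected third party"))
    elif partner == "unsure":
        findings.append(Finding("Q5", "medium", "vendor cannot confirm fourth-party exposure"))

    # Contradictions: answers that cannot both be true get a call-back.
    if partner == "no" and partners:
        findings.append(Finding("Q5/Q6", "medium", "names affected partners but answered 'No' to Q5"))
    impact_level = ask("impact_level")       # Q9: significant / moderate / slight / none
    if impacted == "no" and impact_level in ("significant", "moderate", "slight"):
        findings.append(Finding("Q1/Q9", "medium", "Q1 says not impacted but Q9 reports an impact"))

    # Program maturity: no standing IR/DR plan, no MFA.
    if ask("ir_plan") in ("case_by_case", "none"):       # full / outdated / case_by_case / none
        findings.append(Finding("IR", "high", "no standing incident response plan"))
    if ask("dr_plan") in ("case_by_case", "none"):       # same scale as ir_plan
        findings.append(Finding("DR", "high", "no standing disaster recovery plan"))
    if ask("mfa") == "no":
        findings.append(Finding("MFA", "high", "multi-factor authentication not in use"))

    # Remediation: nothing installed and nothing compensating either is the worst case.
    controls = ask("new_controls")           # installed / in_progress / identified / none
    compensating = ask("compensating")       # implemented / identified / none
    if controls == "none" and compensating != "implemented":
        findings.append(Finding("Controls", "critical", "no remediation and no compensating controls"))
    elif controls in ("in_progress", "identified") and compensating != "implemented":
        findings.append(Finding("Controls", "high", "remediation incomplete and no compensating controls live"))

    return findings


def overall_rating(findings) -> str:
    """Worst severity across findings; 'info' when there is nothing to chase."""
    if not findings:
        return "info"
    return max(findings, key=lambda f: SEVERITY[f.severity]).severity


# Constructed sample response (not a real vendor): claims no impact in Q1, yet
# still runs an affected build, shares personal data with an affected partner,
# reports a slight impact in Q9, and has not finished remediation.
SAMPLE = {
    "impacted": "no", "ran_affected": "yes_currently", "updated": "no",
    "suspicious_activity": "no", "affected_partner": "yes",
    "partner_names": ["Example MSP"], "data_shared": "personal",
    "impact_level": "slight", "ir_plan": "full", "dr_plan": "full",
    "mfa": "yes", "new_controls": "in_progress", "compensating": "identified",
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:8}] {f.topic}: {f.detail}")
    print("overall:", overall_rating(triage(SAMPLE)))
```

Run against the constructed sample, the script raises four findings (a critical for the unpatched affected version, highs for the personal data shared with an affected partner and for the unfinished remediation, and a medium for the Q1/Q9 contradiction) and rates the vendor critical overall; a vendor who answers every question cleanly produces no findings at all. Treating missing answers as low-severity findings rather than passes is deliberate: a blank on an exposure question is a gap in the assessment, not evidence of safety.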

Streamline Kaseya Vendor Questionnaires With UpGuard

UpGuard’s questionnaire library includes a comprehensive Kaseya vendor questionnaire and other security questionnaires that meet industry-accepted data protection standards. Organizations looking to improve their vendor due diligence protocols and develop robust Third-Party Risk Management programs can use UpGuard’s library of questionnaires to identify and mitigate information security risks throughout the vendor lifecycle.

In addition to its comprehensive library of security questionnaires, UpGuard Vendor Risk also provides organizations access to several other powerful Cyber Vendor Risk Management tools.

Notable features and use cases of UpGuard Vendor Risk include:
