
Managed Services Providers Need Managed Security Providers

As an MSP You Are A Target

Three recent events highlight the targeting of MSPs (Managed Service Providers). Ransomware encrypts all the important data and holds it for a price. Hackers are increasingly going after MSPs because they open the door to a whole host of companies over which the MSP has administrator rights.

One was an MSP that took care of several nursing homes. The payroll is crippled. The nursing homes want their data back. Sadly, the MSP can’t provide it to them as it’s encrypted. It doesn’t appear backups are available either.

https://healthitsecurity.com/news/ransomware-attack-on-it-vendor-disrupts-care-at-110-nursing-homes

In another, more recent event, ransomware attacks were pointed at a company that handles dentists’ offices. The dentists’ data is being held hostage, and the MSP is recommending they get with their insurance and see about paying the demands. There’s cybersecurity insurance for this kind of situation that others have used. Whether the insurance companies end up helping is still not fully determined.

https://krebsonsecurity.com/2019/12/ransomware-at-colorado-it-provider-affects-100-dental-offices/

An attack on municipalities in Texas went through an MSP. A large number of them ended up with all their data encrypted at the same time.

https://www.npr.org/2019/08/20/752695554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault

Selecting an MSP

As a customer, how do you help avoid this? Build a selection process that prioritizes security during evaluation. Waiting until afterward to check will be too late. Contracts and cost will prevent your MSP from taking any meaningful action during your contract, and you’ll be stuck either waiting it out or paying a considerable fee to escape and pick a new provider that meets your cybersecurity needs.

MSPs need to elevate their security rapidly. Get a cybersecurity audit, make a budget for it, and plan time to invest in remediation of the findings. Plug this into your budget each year. Consider finding a company to help manage your security.

If you’re an MSP, you are like a bank that holds everyone’s money in the vault. You have the master key to the apartment complex. The payoff is much larger if the attacker can get into your systems. MSPs make wonderful targets if successfully exploited. Here are some ways MSPs can limit their attack surface.

Two Factor Authentication

Cloud providers give the ability to enable two-factor authentication. A security-conscious MSP that manages customers’ cloud systems (e.g. AWS, Google Cloud, Azure) will have this turned on.

When it comes to VPN access to your clients’ systems, two-factor is a must. Management systems for remote control of those client systems should offer this as well. If the software lacks these security controls, an MSP with a security mindset will find something better to use.

Shared accounts

Two-factor authentication helps limit this problem yet won’t eliminate it. Why is this a problem? Sharing accounts is not a good security practice. For one, you can’t prove who did what. And two, turning off access becomes troublesome. The shared password can’t be left as is in situations like a person leaving the company. This can lead to poor password practices like writing passwords down, emailing them around, and all sorts of other behaviors which ultimately lead to a more vulnerable environment.

Stale Active Accounts

Put a process in place to regularly check for stale accounts on the network. Stale accounts have been used to break in remotely several times. One scenario had attackers accessing a VPN that had two-factor authentication, except… can you guess? Except the stale account. It didn’t have two-factor enabled.
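One way to run the stale-account check described above, as an added example that is not from the original article. The export format, its column names, the sample accounts, and the 90-day threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a real product's format.
SAMPLE_EXPORT = """username,enabled,last_login,mfa_enrolled,vpn_access
alice,true,2024-05-28T09:14:00,true,true
bob,true,2023-11-02T16:40:00,false,true
svc-backup,true,,false,false
carol,false,2023-01-15T08:00:00,false,true
dave,true,2024-05-30T11:05:00,false,true
"""

def audit_accounts(export_text, now, stale_after_days=90):
    """Return findings for enabled accounts that are stale and/or lack 2FA."""
    cutoff = now - timedelta(days=stale_after_days)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].lower() != "true":
            continue  # disabled accounts cannot log in; nothing to report
        last = row["last_login"].strip()
        # An enabled account that has never logged in is treated as stale.
        stale = (not last) or datetime.fromisoformat(last) < cutoff
        no_mfa = row["mfa_enrolled"].lower() != "true"
        vpn = row["vpn_access"].lower() == "true"
        if not (stale or no_mfa):
            continue
        # The case from the text: stale, remote access, no second factor.
        if stale and no_mfa and vpn:
            severity = "critical"
        elif stale or (no_mfa and vpn):
            severity = "high"
        else:
            severity = "medium"
        findings.append({"username": row["username"], "stale": stale,
                         "no_mfa": no_mfa, "vpn": vpn, "severity": severity})
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["username"]))

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_EXPORT, now=datetime(2024, 6, 1)):
        print(f"{f['severity']:8} {f['username']:12} stale={f['stale']} "
              f"no_mfa={f['no_mfa']} vpn={f['vpn']}")
```

Run on a schedule against the real directory or VPN export, the critical rows are the accounts to disable first.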

Lack of Account Monitoring

Going along with stale accounts is account monitoring. Who’s logging in from where? Did they log in at midnight? Is that normal? A process should be in place to watch these logins and see if anything suspicious is taking place. Logging systems like Splunk, LogRhythm, and Sumo Logic help pull that all together as log aggregators. AWS and Google are coming into the marketplace here as well.
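The questions above (who logged in, from where, and at what hour) can be turned into a simple review rule. This is an added example, not from the original article; the log format, the sample lines, the 07:00 to 19:00 working window, and the use of IPv4 /24 networks as "location" are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed VPN log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-06-03T08:55:12 vpn login ok user=alice src=203.0.113.10
2024-06-03T09:02:40 vpn login ok user=dave src=198.51.100.7
2024-06-04T09:10:03 vpn login ok user=alice src=203.0.113.44
2024-06-05T00:07:31 vpn login ok user=dave src=192.0.2.200
2024-06-05T13:20:00 vpn login ok user=alice src=203.0.113.10
2024-06-05T23:58:09 vpn login ok user=alice src=203.0.113.12
"""
LINE = re.compile(r"^(\S+) vpn login ok user=(\S+) src=(\S+)$")

def review_logins(log_text, work_start=7, work_end=19):
    """Flag logins outside working hours or from a network new to that user."""
    seen = {}      # user -> set of /24 networks already observed
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines this parser does not understand
        when = datetime.fromisoformat(m.group(1))
        user = m.group(2)
        net = ipaddress.ip_network(m.group(3) + "/24", strict=False)
        reasons = []
        if not work_start <= when.hour < work_end:
            reasons.append("off-hours")
        known = seen.setdefault(user, set())
        # The first login per user only seeds the baseline.
        if known and net not in known:
            reasons.append("new-network")
        known.add(net)
        if reasons:
            alerts.append((m.group(1), user, m.group(3), reasons))
    return alerts

if __name__ == "__main__":
    for ts, user, src, reasons in review_logins(SAMPLE_LOG):
        print(ts, user, src, ",".join(reasons))
```

In a log aggregator the same two conditions become a saved search; the per-user baseline is what keeps a travelling admin from alerting on every login.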

Separation of duties

If you have the staff to do this, keep roles separate. A network admin doesn’t access Active Directory as an admin. The Active Directory admin doesn’t have enable rights on the router. Alternatively, stack rights like a pyramid: many have lower-level access, yet few have high-level access to various systems.

Audits

For the very high-end MSP managing regulated industry systems, get audits done regularly. A SOC 2 or ISO 27001 audit may be the place to start. A HIPAA or HITRUST assessment is helpful for those in healthcare.

Set Up Separate Machines

Other secure institutions have used this method. Create a separate network to browse the internet. With places like AWS offering virtual desktops, this may not require a big upfront investment. You still need Google for research purposes, but you can offload the risky internet uses to a different network from your MSP management network, making you and your staff much less susceptible to phishing attacks and malicious websites. Filter the internet heavily on the MSP management network and loosen the reins on the external browsing network.

Training

One day the CEO and CFO were talking. The CFO asks, “What if we train people and they leave for a better job?” The CEO replies, “What if we don’t train them and they stay?”

Making sure at least some of the staff are trained on security is an excellent way to increase awareness, which changes behavior. Look into introductory certification (Security+), conferences (SANS, ISC, RSA), or online training (Cybrary, ITProTV).

Summary

An MSP has a lot to care for. The larger the client base the bigger the risk. Security must be built into the daily activities. The management has to buy into this shift in behavior. Not giving attention to security is similar to not buying insurance for a house or car. There’s a cost for ignoring security which eventually impacts the MSP’s business.