The US Secret Service has warned organizations about a rise in hacks of MSPs and offers advice on how to beef up security.
Many organizations increasingly rely on managed service providers (MSPs) to remotely manage IT infrastructure and other resources. By outsourcing the care and feeding of their network, applications, or security, an organization can save time and money, especially if it lacks the necessary internal staffing and capabilities.
SEE: Security Awareness and Training policy (TechRepublic Premium)
But as MSPs have become more popular, they’ve also become more of an open target for cybercriminals. Since each MSP typically has access to vital resources for multiple clients, a single data breach can unlock the door to a treasure trove of sensitive data.
The level of risk can be even higher if the MSP is home to a server and other physical hardware for a customer. A recent alert from the US Secret Service warns of a rise in hacks of MSPs and offers advice on what providers and customers should do to beef up their security.
Noting the increase in cyberattacks against MSPs, the Secret Service’s June alert explains that since an MSP can service a large number of customers, hackers are targeting them as a way of attacking multiple companies through the same vector. Further, MSPs use various open-source and enterprise applications to remotely manage the environments of their clients. As such, cybercriminals are exploiting these applications to conduct ransomware attacks, Business Email Compromise (BEC) campaigns, and point-of-sale intrusions.
As described in a Monday story from ZDNet, threat intelligence firm Armor said in October that it identified at least 13 MSPs that were hacked in 2019, triggering the deployment of ransomware on the networks of their customers. Further, in a phone call with ZDNet, Kyle Hanslovan, CEO at Huntress Labs, said that his company provided support in at least 63 incidents of MSP hacks in 2019 that led to ransomware attacks on customer networks. However, Hanslovan believes that the total number of such incidents could have been more than 100 last year.
The alert from the Secret Service is far from the first such notice in recent years. In October 2018, The National Cybersecurity and Communications Integration Center (NCCIC) warned of ongoing attempts from state-sponsored hacking groups to breach MSPs, especially targeting cloud-based service providers.
“Attackers concentrate their malicious efforts on MSPs because they are now a low-hanging fruit,” Ilia Kolochenko, founder & CEO of web security company ImmuniWeb, told TechRepublic. “Worse, most of the successful intrusions are never detected or reported given that the attackers have strong incentives to conceal the breach that may otherwise trigger an investigation that may depreciate the value of stolen data or even bring a SWAT team to their homes.”
In its advisory, the Secret Service offered advice for both MSPs and their customers to grapple with the rise in hacks and breaches.
Best practices for MSPs
- Have a well-defined service level agreement.
- Ensure remote administration tools are patched and up to date.
- Enforce least privilege for access to resources.
- Have well-defined security controls that comply with the regulatory compliance of end users.
- Perform annual data audits.
- Take into consideration local, state, and federal data compliance standards.
- Proactively conduct cyber training and education programs for employee.
Best practices for MSP customers
- Audit Service Level Agreements.
- Audit remote administration tools being utilized in your environment.
- Enforce two-factor authentication for all remote logins.
- Restrict administrative access during remote logins.
- Enforce least privilege for access to resources.
- Utilize a secure network and system infrastructure capable of meeting current security requirements.
- Proactively conduct cyber training and education programs for employees.
Risk management is another area that MSP customers need to reevaluate, according to Kolochenko.
“Their third-party risk management process is, however, mostly based on obsolete one-size-fits-all questionnaires,” Kolochenko said. “This bureaucratic approach can be unreasonably burdensome and complex for some small vendors; for others, they are inadequate and otherwise flawed. Organizations should rethink their third-party risk management strategies, making them adjustable and proportional to the risk on a case-per-case basis.”
Lane Roush, vice president of presales engineering at security provider Arctic Wolf, has three recommendations for MSPs.
Enable multifactor authentication. Showing two pieces of evidence to prove who you are is always better than one. MSPs should be enabling multifactor authentication for all of their tools. Doing so would cut down drastically on the probability of experiencing a breach.
Conduct periodic user access reviews. MSPs should regularly conduct manual user access reviews of their systems to track, control, and prevent access to critical assets and systems and ensure their credentials are not available on the Dark Web. It’s important to ensure that only authorized people, computers, and applications can access the information they need. This need for access control is especially true for organizations that may have recently furloughed employees due to COVID-19 and may not have revoked access to all of the systems to which they were previously provisioned.
Maintain or establish aggressive vulnerability management. MSP teams are likely to be swamped managing their customers dealing with remote workers from COVID-19 but they can’t neglect the work of benchmarking and patching. Unpatched vulnerabilities and system misconfigurations are a prime target for attackers.