MSPs are accustomed to safeguarding systems from breaches and attacks. But in a recent brief, the Department of Homeland Security’s Computer Emergency Readiness Team (CERT) warned that MSPs themselves have been targeted and will continue to be targeted by bad actors. So, in addition to watching out for your clients’ security and safety, you have to make sure your own is beefed up and fortified.
SmarterMSP reached out to the Department of Homeland Security’s CERT division and was told by an official that the attempted hacking of MSPs is “persistent but we have not attributed it to anyone at this time.” The DHS’s official Oct. 3 briefing on the matter contradicted the previous statement, as it attributed the breaches to advanced persistent threats (APTs) from unknown nation-states or “sophisticated adversaries.”
According to the DHS, businesses targeted by these APTs seem to be most prevalent in the following sectors: IT, energy, healthcare, communications, and critical manufacturing.
Victims of their own success
“Given the increasingly important role that managed services providers play in supporting business processes and operations in today’s business environment, a threat affecting one entity can have cascading effects across many sectors,” shared Christopher Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Charles Weaver, co-founder and CEO of the MSPAlliance, was not surprised by the government alert. In fact, ironically, it shows that MSPs are victims of their own success.
“I think it is an illustration of how prevalent MSPs have become, that they are now on the radar of cyber bad actors,” Weaver tells SmarterMSP.
Weaver says MSPs need to practice the same level of diligence they apply to their managed services customers.
“There is nothing really unique or special that MSPs need to employ other than constant monitoring of their networks and systems, staying current with patching, and having disciplined policies and procedures related to interaction with both internal and customer-owned systems,” Weaver suggests.
A deeper dive
Dr. Mehrdad Sharbaf is an information systems professor and author at California State University Northridge. Sharbaf, a past president of the Los Angeles chapter of the Institute of Electrical and Electronics Engineers, and an expert in systems management, gave SmarterMSP his thoughts about the DHS warning.
“The warning to managed service providers and cloud service providers indicates the need for a deep dive into risk management not just for customers, but for the MSP,” advises Sharbaf.
Think about a sophisticated security camera trained on a store’s inventory. In this analogy, the MSP is the security camera. The security camera does a superb job at deterring breaches into the store. But is the camera itself safe from criminals? That’s the question MSPs need to ask about their own ecosystems. Your defenses for others are first-rate, but what about your own? Once inside your system, a criminal organization can access your customers’ networks a number of ways.
Sharbaf said that for an MSP, risk management isn’t just a one-day systems check.
“In my opinion, the foundation of information security is based on risk management (which is a continuous process) and developing of policy based on that. And it needs to be reevaluated on an annual cycle,” Sharbaf said.
Also, Sharbaf says, the people in an organization play a role in preventing intrusions that is as important as the technology, if not more so.
“People are the first layer of defense in cybersecurity, and also people are the weak link in cybersecurity,” Sharbaf says.
He recommends the following guidelines for MSPs:
First, establish a strategy to support in-depth defense in different layers, such as firewalls, intrusion detection and prevention, and antivirus, plus training for the employees, along with internal phishing simulations. Next, establish a strategy to monitor log files and activities and to restrict user access to networks and systems. Make sure to use a dedicated Virtual Private Network (VPN) for MSP connections and use host-based firewalls. Lastly, implement best practices for password (multifactor authentication) and permission management, and incorporate operational controls. In other words, what you do for your clients, make sure you are doing for your own systems.
Tips to safeguard your MSP business
The DHS outlines many more specific steps MSPs should take to safeguard their own systems. Among the most important is securing the network architecture. By restricting user access to networks and systems, an APT actor’s movement is constricted. If you periodically audit the network environment’s physical and logical architecture, you can limit their visibility and access if the system is compromised.
Gaining account credentials is the most common way MSPs are getting compromised, the DHS brief explains. When SMBs create accounts for MSPs, the provider is typically granted elevated access, so they can provide customers the support they require. However, this tremendously increases the risk of an account credential compromise.
Maintaining your access to your customers is key, but you should compartmentalize it so that a breach of your systems doesn’t equate to a breach of theirs. In many ways, the DHS has given MSPs a new client: themselves.
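One way to check the compartmentalization, multifactor and dedicated-VPN points above against your own records is the audit below. It is an added example, not code from the DHS brief or from SmarterMSP; the inventory, its field names and the role names are constructed assumptions rather than any real tool's export format.

```python
from collections import defaultdict

# Constructed sample inventory of accounts an MSP holds in customer environments.
# Field names are assumptions for this example, not a real product's schema.
ACCOUNTS = [
    {"customer": "acme", "account": "msp-admin", "role": "admin",
     "mfa": True, "source": "vpn", "credential_id": "cred-01"},
    {"customer": "globex", "account": "msp-admin", "role": "admin",
     "mfa": False, "source": "vpn", "credential_id": "cred-01"},
    {"customer": "initech", "account": "msp-helpdesk", "role": "read-only",
     "mfa": True, "source": "any", "credential_id": "cred-02"},
    {"customer": "umbrella", "account": "msp-ops", "role": "admin",
     "mfa": True, "source": "vpn", "credential_id": "cred-03"},
]

ELEVATED_ROLES = {"admin", "domain-admin", "root"}  # assumed role names


def audit(accounts):
    """Return a sorted list of (customer, account, finding) tuples."""
    # Map each credential to every customer it unlocks.
    customers_by_cred = defaultdict(set)
    for a in accounts:
        customers_by_cred[a["credential_id"]].add(a["customer"])

    findings = []
    for a in accounts:
        who = (a["customer"], a["account"])
        # Compartmentalization: one credential must not open several customers.
        shared = customers_by_cred[a["credential_id"]] - {a["customer"]}
        if shared:
            findings.append(who + ("credential shared with " + ",".join(sorted(shared)),))
        # Elevated MSP access should always sit behind multifactor authentication.
        if a["role"] in ELEVATED_ROLES and not a["mfa"]:
            findings.append(who + ("elevated access without MFA",))
        # MSP connections should arrive only over the dedicated VPN.
        if a["source"] != "vpn":
            findings.append(who + ("not restricted to dedicated VPN",))
    return sorted(findings)


def blast_radius(accounts, credential_id):
    """Customers exposed if this single credential is compromised."""
    return sorted({a["customer"] for a in accounts
                   if a["credential_id"] == credential_id})


if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(" | ".join(finding))
```

Running `blast_radius` for each credential shows how many customers a single stolen credential would expose; with full compartmentalization every result has exactly one entry.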