Significant breaches and large companies are what grab headlines. If a Colonial Pipeline or a college campus gets hit, that’s what people hear about. Often, behind the scenes are the managed service providers doing the day in and day out unglamorous grunt work of protecting networks and company reputations. This, however, has not escaped hackers’ attention and MSPs must beware of the dangers of this reality.
“In many ways, MSPs have become victims of their own success. As MSPs have grown and become more vital in the ecosystem, they themselves are now sometimes seen as high-value targets by hackers,” says David Collins, a cybersecurity consultant in Memphis. “MSPs offer a `one-stop shop’ for hackers,” Collins says.
Imagine if you are a criminal trying to steal diamonds, you’ll target a diamond broker. But if you are a criminal going after all sorts of gems, you’ll target a jewelry store. “That is what MSPs are seen as, a repository of riches of all kinds for hackers. With a successful breach of an MSP, even a small player, a hacker can find themselves in the networks of many different lucrative verticals, from healthcare to hospitality to finance,” Collins emphasizes.
MSPs that are potential targets for hackers have put them on the radar of the FBI, who issued an advisory this past week warning MSPs to watch their own vulnerabilities.
MSPs hit the big leagues
“When the FBI begins talking about MSPs, you know MSPs have hit the `big leagues’,” Collins points out. Of course, defining an MSP can sometimes be challenging, but the FBI lays out a specific set of criteria:
This advisory defines MSPs as entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement. In addition to offering their own services, an MSP may offer services in conjunction with those of other providers. Offerings may include platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services. MSPs typically manage these services and functions in their customer’s network environment—either on the customer’s premises or hosted in the MSP’s data center.
In short, the threat that the FBI sees is: Whether the customer’s network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects.
“A successful attack on an MSP can have huge consequences, depending on what kind of clients they have,” Collins warns. Specific tips that the FBI is offering MSPs include:
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
- Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs; and/or,
- Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
“These are all actions MSPs should be taking anyway, whether the FBI recommends them,” Collins advises.
Protecting themselves and their customers
Collins warns that the damage from hackers is two-fold. There is damage to the customer, but a successful breach can also spell the end of an MSP. “Recently, there was a small MSP in Illinois that was successfully breached. Most of their clients were local businesses – dry cleaners and dentists – so the fall-out was minimal, but the MSP’s reputation around town was so compromised that a few months after the attack, they shut their doors for good,” Collins says.
Collins advises that MSPs develop a crisis plan for those “just in case” instances. “MSPs do this all the time for their customers, but few have a plan in place if they are breached,” Collins explains.
“MSPs need to have a plan on the shelf ready to execute if the unthinkable happens and their own networks get compromised. Hopefully, the plan will never be used, but at least you’ll have it,” Collins adds.
What is exacerbating the vulnerability of MSPs right now is the conflict in Ukraine. “War makes everything more unstable, including the internet. State actors are probing everywhere for weak spots, and MSPs make sense for them to probe,” Collins says.
He advises that MSPs apply their own stringent security measures to themselves. “I have seen MSPs have Fort-Knox level security for a client and then protect their own systems with flimsy passwords and unpatched software.”
None of this is a winning formula, but the FBI is concerned, hence the warning this past week, so MSPs should take heed.
Photo: Jirsak / Shutterstock
Good article reminding MSPs about their own internal security plans.
Not a good look if the MSP isn’t following their own recommendations.
Very insightful and excellent advice!
MSP are a prime target, they have a easy access to a lot of client’s endpoints. IE Kasaya
Great article. Thank you for sharing these insights from an MSP perspective.
If anything MSP’s should always regard themselves as a higher value targets. We are tasked with securing our clients data on a day to day basis and we should absolutely be following our own recommendations internally and reviewing regularly.