Targeted Attacks on MSPs Create Opportunities with SMBs
MSPs are used to having hard conversations with their customers about implementing better security practices, but recently MSPs have found themselves being the ones advised to take more serious precautions.
In early October, the U.S. Department of Homeland Security (DHS) issued a warning to managed services providers and cloud services providers (CSPs) that they were being targeted by cyber criminals looking for a way into their customers’ networks. You can read more detail here.
The DHS said that for the past two years it has been tracking hackers who use advanced persistent threats (APT) to break into MSP and CSP networks to reach their customers.
The National Cybersecurity & Communications Integration Center (NCCIC) states: “By servicing a large number of customers, IT service providers can achieve significant economies of scale. However, a compromise in one part of an IT service provider’s network can have globally cascading effects, impacting other customers and introducing significant risk.”
In short, an MSP breach can have more far-reaching consequences than an incident at a single company. MSPs that haven’t been following their own advice when it comes to security best practices should be prepared to eat some crow if their customers demand a look behind the curtain–or worse, if there’s already been a breach.
The Security Conversation
The upside of the DHS alert is that it presents an opportunity for MSPs to sit down with their customers and have a conversation about how both entities can work together to strengthen their networks against these attacks.
It’s a talk that needs to happen soon. The APT attacks described by DHS are conducted using legitimate credentials as well as trusted off-the-shelf apps and pre-installed system tools like command line scripts to discover accounts and transfer data from MSP client networks. Because they are using legitimate scripts, it can be difficult to tell that there’s even been a breach.
The alert (TA18-276B) also includes connectivity and network configuration recommendations that can help MSPs and their clients protect themselves against these APT attacks. Those recommendations provide a good list of talking points for productive customer conversations. Among them:
- Use a VPN for the MSP connection. In addition, the VPN should terminate within a demilitarized zone (DMZ) isolated from the internal network; VPN traffic should be restricted; and authentication certificates should be updated annually (preferably every six months).
- Restrict access to unauthorized public file share sites.
- Establish a baseline for system/network behaviors. If you know what network traffic is supposed to look like, it’s easier to spot anomalies in the logs. This activity also can help both the MSP and client better understand which types of security and data recovery tools they need.
- Do a better job of managing MSP accounts. MSP accounts should not be assigned to administrator groups and should be restricted to only the systems they manage.
- Companies should establish robust password policies and apply them both internally and to MSP accounts.
- Use service accounts for MSP agents and services, and restrict those MSP accounts by time and dates that follow contract expirations. If the MSP is providing services only during business hours, then there should be time restrictions on the accounts, as well.
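The account-management items above can be checked mechanically. The following sketch is an added example, not taken from the DHS alert or written by the article's author. It audits an inventory of MSP accounts and a set of logon events against those items. The account names, hosts, field names and dates are constructed sample data.

```python
from datetime import datetime, time

# Constructed inventory of MSP accounts in a client directory (sample data).
ACCOUNTS = [
    {"name": "msp-backup-svc", "groups": ["Backup Operators"], "expires": "2019-06-30",
     "hours": (time(8), time(18)), "systems": {"bk01", "bk02"}},
    {"name": "msp-jsmith", "groups": ["Domain Admins"], "expires": None,
     "hours": None, "systems": {"*"}},
]
# Constructed logon events: (account, host, ISO timestamp).
LOGONS = [
    ("msp-backup-svc", "bk01", "2018-10-15T09:12:00"),
    ("msp-backup-svc", "fs07", "2018-10-16T02:41:00"),
    ("msp-jsmith", "dc01", "2018-10-16T03:05:00"),
]
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def audit_accounts(accounts):
    """Return {account: [findings]} for the account-management recommendations."""
    findings = {}
    for a in accounts:
        issues = []
        if ADMIN_GROUPS & set(a["groups"]):
            issues.append("member of administrator group")
        if "*" in a["systems"]:
            issues.append("not scoped to managed systems")
        if a["expires"] is None:
            issues.append("no expiry tied to contract end")
        if a["hours"] is None:
            issues.append("no logon-hour restriction")
        if issues:
            findings[a["name"]] = issues
    return findings

def audit_logons(accounts, logons):
    """Flag logons to unmanaged hosts, outside permitted hours, or after expiry."""
    by_name = {a["name"]: a for a in accounts}
    alerts = []
    for name, host, ts in logons:
        a, when = by_name[name], datetime.fromisoformat(ts)
        if "*" not in a["systems"] and host not in a["systems"]:
            alerts.append((name, host, ts, "host outside managed scope"))
        if a["hours"] and not (a["hours"][0] <= when.time() < a["hours"][1]):
            alerts.append((name, host, ts, "outside permitted hours"))
        if a["expires"] and when.date() > datetime.fromisoformat(a["expires"]).date():
            alerts.append((name, host, ts, "logon after account expiry"))
    return alerts

if __name__ == "__main__":
    print(audit_accounts(ACCOUNTS))
    print(audit_logons(ACCOUNTS, LOGONS))
```

The logon checks double as a simple form of the baseline item: once the expected hosts and hours for each MSP account are written down, anything outside them stands out in the logs.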
With DHS ringing the alarm bells, MSPs should evaluate their own networks and reach out to customers to provide assurances about security. But don’t stop there: Use this as an opportunity to further strengthen your client relationships by working together to guard against these emerging threat vectors.
Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.
This guest blog is part of a Channel Futures sponsorship.