RMM Vulnerabilities Potentially Devastating for MSPs: The 4 Security Pillars No Longer Enough
There are major gaps in security for MSPs using RMM tools and a concerning lack of urgency to remedy the issue.
February 13, 2020
Remote monitoring and management (RMM) platforms are the norm with the majority of managed service providers (MSPs), helping them to remotely monitor client endpoints, networks and computers.
However, MSPs that use remote monitoring and management (RMM) tools without key security precautions run the huge risk of exposing themselves — and their clients — to a disaster of epic proportions.
In a super fun twist in the threat landscape, cybercriminals have turned their greedy gaze upon an extremely lucrative new target: MSPs. MSPs are responsible for keeping business computers patched and users connected to the business applications that millions of businesses use every day. MSPs rely on RMM tools like ConnectWise Automate and Continuum’s Command in order to effectively service a dizzying network of computers and users.
RMM has had a huge and significant impact on MSP services and profitability for the last few years, and the trend for MSPs to adopt more and more RMM features is set to rise dramatically. But, if you don’t have the proper security controls in place? Sayonara, suckers.
Ingalls Information Security’s Jason Ingalls
Despite all of the warnings out there and the uptick in MSP targeting, Jason Ingalls, founder and CEO of Ingalls Information Security, says that there is an extreme lack of urgency with regard to handling security issues among MSPs. Ingalls, who has worked in Fortune 50 company breach response for over a decade and small-to-midsize business breaches (including MSP breaches) for the last five years, stresses the serious nature of these vulnerabilities, and the potential havoc they can wreak on businesses.
According to Ingalls, MSPs, in general, think about four things when it comes to cybersecurity: patch management, antivirus, firewalls and backups. Often referred to as the four pillars of MSP information security controls, they are necessary in managing information security risk.
“The problem is, cybercriminals will blow right through those,” warns Ingalls. “They don’t care about what patch level you’re using, or which firewalls or antivirus tools you have in place. They will melt through them, no problem. Now of course, those elements are necessary — they are called pillars for a reason. But MSPs must develop the level of cybersecurity risk management that prevents attacks from succeeding and minimizes the impact of a successful intrusion.”
One of the biggest gaps, explains Ingalls, is a lack of multifactor authentication (MFA). At this point, only some of the RMM tools out there require MFA to function. Datto, for example, makes it mandatory, and Ryan Weeks, CISO at Datto, makes it a point to educate MSPs in this regard. Others are still behind the curve: in many cases, RMM providers offer MFA as an option that is not enabled by default. According to Ingalls, the majority of MSPs have not enabled MFA and are not enforcing its use, which means that anyone who steals RMM login credentials can log in from anywhere at any time. Ingalls says this has already led to dozens of MSP and MSP-client breaches.
But fear not, friends — all is not lost.
“There are partners and MSSPs that have channel partner opportunities to offload this kind of risk,” says Ingalls. “You also need next-generation behavioral-based antivirus. This means log collection, storage and the ability to search for things that don’t look right, so if something weird happens, you can figure out when it started, what else happened as a result of it, or what happened prior. But you need a security information event manager (SIEM) to be able to put a picture together. Having these tools and procedures in place is what will differentiate MSP shops moving forward.”
Ingalls recommends that MSPs take the following steps immediately to protect themselves and their clients, controlling the risk created by RMM tool capabilities and by attackers’ use of RMM to deploy ransomware:
1. Enable and enforce Multi-Factor Authentication on any and all RMM management accounts used for MSP service delivery.
2. Prevent PowerShell execution on ALL hosts where it is possible, or limit PowerShell usage to only specific, unique directories that are specified based on bare minimum requirements.
3. Change passwords on RMM tools and rotate them regularly, ESPECIALLY if the MSP has not enabled MFA (for example, if the MSP can’t comply with recommendation #1).
4. Deploy next-generation endpoint protection that does NOT rely on signature-based detection of malware, and partner with a Managed Security Services Provider (MSSP) to collect and monitor logs and other data to identify attacks prior to payload deployment.
5. Reduce RMM user accounts to the bare minimum and audit them regularly.
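The log-collection point above (search for "things that don’t look right" in RMM authentication data) and the MFA gap can be made concrete with a small detection routine. The following is an added example, not code from the article or from any RMM vendor: the log format (timestamp, user, source IP, MFA flag, result) and the sample events are constructed for illustration, and the three rules it applies (login without MFA, login from a source IP the account has never used, success immediately after repeated failures) are the kind of checks an MSSP’s SIEM would run over exported RMM console logins.

```python
"""Flag suspicious RMM console logins from constructed sample log lines.

Added example (not from the original article). The log schema below is
constructed for this demonstration and does not correspond to any RMM
vendor's real export format. Each line is:
    <ISO-8601 timestamp> <user> <source_ip> <mfa: yes|no> <result: success|failure>
"""
from collections import defaultdict

# Constructed sample events; RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
2020-02-10T09:01:12Z alice 203.0.113.10 yes success
2020-02-10T09:15:40Z bob 198.51.100.7 no success
2020-02-11T09:03:02Z alice 203.0.113.10 yes success
2020-02-11T22:47:19Z alice 192.0.2.55 no failure
2020-02-11T22:47:31Z alice 192.0.2.55 no failure
2020-02-11T22:48:05Z alice 192.0.2.55 no success
2020-02-12T08:59:50Z bob 198.51.100.7 yes success
"""


def parse_events(text):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, mfa, result = line.split()
        events.append({
            "ts": ts,
            "user": user,
            "ip": ip,
            "mfa": mfa == "yes",
            "success": result == "success",
        })
    return events


def find_suspicious_logins(events, fail_threshold=2):
    """Return a list of findings, one per successful login that trips a rule.

    Rules (all defender-side indicators of credential misuse):
      * the login completed without MFA;
      * the source IP has never been used by this account on an earlier
        successful login (the account's first login establishes the baseline);
      * the login succeeded right after `fail_threshold` or more consecutive
        failures from the same user/IP pair (password guessing indicator).
    """
    known_ips = defaultdict(set)   # user -> IPs seen on earlier successful logins
    failures = defaultdict(int)    # (user, ip) -> consecutive failed attempts
    findings = []

    # ISO-8601 timestamps in the same zone sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if not ev["success"]:
            failures[key] += 1
            continue

        reasons = []
        if not ev["mfa"]:
            reasons.append("login without MFA")
        seen = known_ips[ev["user"]]
        if seen and ev["ip"] not in seen:
            reasons.append("new source IP for this account")
        if failures[key] >= fail_threshold:
            reasons.append(f"success after {failures[key]} failed attempts")

        # A success resets the failure counter and extends the IP baseline.
        failures[key] = 0
        seen.add(ev["ip"])

        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "ip": ev["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']} from {f['ip']}: {'; '.join(f['reasons'])}")
```

On the sample data this reports bob’s first login (no MFA) and alice’s late-night login from an unseen address that succeeded after two failures and without MFA; the same login from alice’s usual address with MFA raises nothing. In practice the baseline of known IPs would be built from a longer history than a single export, and the thresholds tuned per account.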
Want to learn more? Ingalls will moderate a panel at the upcoming Channel Partners Conference and Expo in Las Vegas entitled “RMM Vulnerabilities That Are Devastating Service Providers.”