It’s been in the news everywhere. Managed Service Providers are now a favorite target of hackers and their ransomware attacks. The bad guys know that MSPs hold a lot of sensitive information and keys to many kingdoms. They also know that the cobbler’s child has no shoes. So, they’ve decided to make bank on the reality that MSPs aren’t protecting their own data nor their access to client data very well. I’ve seen many MSPs looking to the developer of the software tools that they use to come up with a solution for them. Sure, those software packages need to get better but that isn’t where the solution should end. What should be happening instead is that MSPs should conduct an internal security audit, determine their weaknesses, then make sure that the solutions to those weaknesses happen. If you just jumped from Vendor X who needs to fix their software because that’s how data breach Y happened to someone else, then you’ve missed the point. If that breach didn’t happen to you this time, consider it just a shot across the bow. Everyone should now be woke and perform an internal security audit.
First, let’s note that I’m just an MSP owner and not an auditor. But any good IT professional knows a few things about where they store data and how they access their clients’ infrastructure. In addition, any good IT provider also knows that you can’t rely on policy alone (otherwise we wouldn’t have people still using simple passwords or the same password for different logins) to secure information and remote access. We have to have hard blocks and good practices together and ways to verify that it is working.
My MSP has eight people. It’s a pretty typical size for a mature firm. We called an all-staff meeting. I laid out the information from the news about what had happened to those high-profile MSPs and what the response from the software vendors had been. Then we reviewed our practice.
I could have done this all myself, but it was important that everyone was on board and that we used everyone’s brain to recall where absolutely everything with any sensitivity was stored. Of course, we knew where it was supposed to be stored but we needed to expose the anomalies too. Once we got the ball rolling everyone then felt comfortable verbalizing where we’re doing things right and where we needed to be better.
The kinds of data that MSPs are housing that if in the wrong hands could be very bad include at a minimum the following categories of items.
What will the bad guys do with this information? Well, obviously deploy ransomware but they will also gather data to perform future spear-phishing attacks and deploy malware that could sit there for a very long time (six months is now the average) before making itself known. Can you imagine the damage that would do to your business reputation? Are we or the tools we depend upon using insecure methods for authentication or access? These include things like the following:
There are several ways that you can expose this information. Your knowledge is the first one. Most people know if they are using RDP or not. But the others might not be obvious depending upon the tool. The first task then is to ask the vendor from whom you purchased the tool. What is the protocol in use? What authentication method are they using? Other ways to discover this information include sniffing tools like Wireshark or authentication logging. If these things are being used, turn off that option, or if that isn’t possible, stop using that tool and get a new one. There are plenty of good tools that don’t violate today’s security standards. You may have to leave an old standby, but so be it.
Multifactor authentication should be turned on for everything. Everything means everything – it includes the documentation store, local accounts, password storage tools, remote access tools, and more. Any access to anything should require MFA. It’s a pain, no one loves MFA. What do you do about shared accounts? Many MFA tools support connecting multiple devices.
It has been standard practice to tell users to change their password often, use complexity, and make them unique to all others. MSPs have been caught not following their own advice in these continued hacks. Ask yourself these questions:
Local admin accounts being enabled and all having the same password across the network were the No. 1 cause of lateral access in ransomware events. Those must have unique passwords. Microsoft makes a tool called LAPS that should be part of your standard toolkit. LAPS will make sure that unique passwords are in place. Optionally there are third-party tools that will change the password with every use.
This can harken back to the above-mentioned use of the same password, but it can also be a failure of keeping everything in one place. When you enter your credentials do you get access to remote access, passwords, and documentation all at once for a single client? When you enter your credentials do you get access to those things for multiple clients? One is obviously worse than the other, but both are bad and should throw up red flags in your audit.
Now that you’ve identified where the problems are, they need to be corrected. Those corrections are going to happen in several different ways.
Set a task for each of your team members to make the changes necessary to bring more security into your practice and secure yourself and your clients against becoming the next victim of contracting with an MSP. Hold regular report-in meetings so that everyone can see everyone else’s progress. I found that peer-pressure helps keep that sense of urgency going.
In the end, we want businesses to feel secure that when they use an MSP, they are doing the right thing for their business and not exposing it to another threat. It’s one thing to know that we as MSPs want to operate efficiently with as little productivity friction as possible and another thing to put our clients at risk. This isn’t something that we can balance. It is something that simply can’t happen. We must do better as an industry.
Featured image: Shutterstock
As cloud computing grows, the sheer number of options can be a problem. But there…
If you are building a new Exchange 2019 environment from scratch, you will have to…
Microsoft 365 users have access to an app called Microsoft Bookings. Before you dismiss it…
As cyberthreats rise in number and complexity, biometrics authentication technology has seen rapid adoption and…
Remote work is likely to remain permanent — and so will the vulnerabilities it brings…