Take these steps to help mitigate risks as MSPs become a growing security target

Managed service providers (MSPs) provide quantifiable value to organizations, making complex technical capabilities more affordable and accessible through outsourcing. What makes them so valuable also makes them a target for hackers. Weighing their risks and keeping close tabs on your MSP’s security structure and rigor is key to protecting your interests.

MSP Security Risk

CISA Issues Warning of MSP Threats

In May 2022, cybersecurity authorities in the U.S., U.K., Australia, Canada, and New Zealand issued guidance and a warning of increased malicious activity targeting managed service providers. CISA’s announcement states, “Whether the customer’s network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects.” Each country provided various recommendations on mitigating risks, ranging from technical logging to multifactor authentication (MFA) to organizational approaches like reviewing contracts. Review their guidance here.


Why are MSPs a target?

MSPs use their own cloud-based tools to deliver services, which gives them standardization, efficiency, and cost control. However, those same tools also make them a vector for threats to your organization and its customers. For example, Kaseya, which the Russian ransomware group REvil breached in April 2021, offered a virtual systems administrator (VSA) capability over the cloud. That capability represents both what makes MSPs valuable, the ability to perform system administration duties remotely, and what makes them high risk, since VSA tools touch sensitive systems. For cybercriminals and criminal organizations, the motivation is clear. Why steal one egg when you can steal the basket?


Are MSPs a Riskier Option for SMBs? It depends…

The added value that MSPs deliver can be immediate: enabling vital technologies, cost reductions, new capabilities, and more reliable outcomes without hiring more staff. While these benefits are ideal for small and medium businesses (SMBs) that may not have the resources to invest in IT and security functions, there is a downside.

No enterprise-level technical capability is as simple as plug-and-play. Large, high-risk enterprises can invest in MSPs and may be better able to absorb the disruption and cost of the added risk. Smaller MSP customers, however, can’t afford to inherit those vulnerabilities.


Steps to Protect Your Organization via MSP Oversight

Steps to protect your organization may be straightforward, requiring that you extend your current risk treatment approaches to your MSPs. As the CISA guidance highlights, taking the time to ask specific questions of an MSP can better inform your security and risk teams.

What security steps should you take with your MSP?

Considering that an MSP can effectively take on the role of an entire department, in many ways it deserves the same level of scrutiny. Chiefly, MSP customers should have service-level agreements and an emergency contact to use if a disruption occurs or a vulnerability is discovered. Likewise, for more technical services, ensure an engineering team regularly tests any data feeds, APIs, or other integrations.

More simply, MSP customers also have a right to know where their data is stored. If responses seem too generic (meeting compliance standards, or just being “in the cloud”), consider asking for alternatives. Some MSPs may offer to host their services on-premises, which, though dated, provides greater control to organizations facing more significant regulation.

Keep in mind, too, that cloud-hosted services frequently change or update their software. A good MSP will inform its customers of these changes and their impact. In other words, if you access services through a portal, expect it to look different now and then.

Review and Customize MSP Tool Settings

Most MSP tools come out of the box with what you need to get up and running. We suggest taking the time to customize your settings. For example, for the longest time Microsoft did not require multifactor authentication by default for Office 365 cloud tenants. Considering the level of access and technical control some providers could have, this represented a significant risk: unauthorized access through a single compromised account could compromise a customer’s entire tenant.
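As an added example (not the article’s or Microsoft’s code), the following Python script audits an exported list of Conditional Access policies and reports whether MFA is actually enforced tenant-wide rather than assumed. It assumes the export follows the Microsoft Graph conditionalAccessPolicy JSON shape; the sample export, including the pilot group id, is constructed.

```python
import json

# Constructed sample export (Microsoft Graph conditionalAccessPolicy shape): a
# disabled tenant-wide MFA policy plus an enabled one limited to a pilot group.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "Require MFA for all users", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA pilot group", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["pilot-group-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
])


def mfa_gap(policy):
    """Return None if the policy enforces MFA tenant-wide, else a reason string."""
    if policy.get("state") != "enabled":
        return f"policy is {policy.get('state', 'missing')}, not enabled"
    conds = policy.get("conditions", {})
    if "All" not in conds.get("users", {}).get("includeUsers", []):
        return "does not include all users"
    if "All" not in conds.get("applications", {}).get("includeApplications", []):
        return "does not cover all cloud apps"
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if "mfa" not in controls:
        return "grant controls do not require MFA"
    # With operator OR, any other listed control (e.g. compliantDevice) satisfies
    # the policy without MFA, so only a lone 'mfa' or an AND combination is strict.
    if len(controls) > 1 and grant.get("operator") != "AND":
        return "MFA is one of several OR'd controls, so it can be bypassed"
    return None


def audit_mfa_coverage(export_json):
    """Return (enforced, findings): enforced is True only if some policy requires
    MFA for all users on all apps; findings lists every gap or exclusion to review."""
    findings, enforced = [], False
    for policy in json.loads(export_json):
        name = policy.get("displayName", "<unnamed>")
        reason = mfa_gap(policy)
        if reason is None:
            enforced = True
            if policy["conditions"]["users"].get("excludeUsers"):
                findings.append(f"{name}: enforces MFA but excludes users; review exclusions")
        else:
            findings.append(f"{name}: {reason}")
    return enforced, findings
```

Run it against a real export pulled from your tenant (or ask your MSP for one) and treat an empty findings list with `enforced` True as the baseline to verify after every provider-side change.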

Vulnerabilities that Affect Others Can Affect You

Verizon’s recent 2022 Data Breach Investigations Report (DBIR) points out a troubling reality. As cloud services have made infrastructure technologies easier to access, that access is commonly set up by simply creating an account with the provider. By extension, an account and its services are managed with nothing more than username and password credentials. Accounting for 55 percent of compromises in third-party settings, credentials are the leading route to vulnerable customers.

Additional DBIR data needs some context, as SolarWinds represents a large part of its data pool. Nevertheless, credentials and network configurations associated with MSP services represent a widening attack surface. This illustrates how much more valuable credentials have become, considering that a login is all that’s needed to reach cloud storage and critical web apps such as deployment tools, development environments, and network administration. Likewise, these vulnerabilities are present not only in your slice of a provider’s capabilities but in the entire pot. Unless there are significant reconfigurations, the same vulnerabilities in one instance are likely to be present in all others.

Always Test Patches

The SolarWinds compromise provides an almost worst-case scenario of an MSP compromise.

SolarWinds itself provides cloud and database management software, and hackers had entered its systems about a year before the compromise was disclosed in December 2020. They managed to inject malware into patches SolarWinds published for users. As high-value targets within the U.S. government rely on SolarWinds, it became a lucrative and effective entry point. Even if U.S. government entities were the primary target, the delivery mechanism (published patches) meant the same malware spread to every customer who received and installed the updates. The lesson is clear: always test patches. If that isn’t feasible, delay their deployment for as long as you’re comfortable doing so.
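As an added example (not the article’s code), the following Python function encodes the staged rollout this section recommends: an update must pass a test ring, then a canary ring, with a minimum soak time in each ring and a hold on broad rollout until a vendor release has aged, and any ring failure blocks further promotion. The ring names, soak periods, hold period and the sample update record are hypothetical policy values.

```python
import copy
from datetime import date, timedelta

# Hypothetical policy values: updates move through rings in order, must pass the
# previous ring, and must soak there for a minimum number of days first.
RINGS = ("test", "canary", "production")
SOAK_DAYS = {"canary": 3, "production": 7}
PRODUCTION_HOLD_DAYS = 14  # minimum age of a vendor release before broad rollout

# Constructed sample: published 1 Dec, passed the test ring on 2 Dec.
SAMPLE_UPDATE = {"id": "vendor-update-2020.12", "published": date(2020, 12, 1),
                 "results": {"test": {"passed_on": date(2020, 12, 2), "failed": False}}}


def next_ring(update, today):
    """Return (ring, reason): the ring the update may be deployed to today, or
    None plus the reason it must wait or is blocked."""
    if any(r["failed"] for r in update["results"].values()):
        return None, "a ring reported failure: roll back and stop promotion"
    for i, ring in enumerate(RINGS):
        if ring in update["results"]:
            continue  # already deployed here; look at the next ring
        if i == 0:
            return ring, "new update: deploy to the test ring first"
        prev = RINGS[i - 1]
        soak_until = update["results"][prev]["passed_on"] + timedelta(days=SOAK_DAYS[ring])
        if today < soak_until:
            return None, f"{ring}: soaking in {prev} until {soak_until}"
        if ring == "production":
            hold_until = update["published"] + timedelta(days=PRODUCTION_HOLD_DAYS)
            if today < hold_until:
                return None, f"production: release hold until {hold_until}"
        return ring, f"{prev} passed and soak period elapsed"
    return None, "already deployed to all rings"


def walk_sample():
    """Replay the constructed sample day by day; returns [(day, ring, reason), ...]."""
    update = copy.deepcopy(SAMPLE_UPDATE)
    decisions = []
    for day in (4, 6):  # canary: still soaking in test, then allowed
        decisions.append((day,) + next_ring(update, date(2020, 12, day)))
    update["results"]["canary"] = {"passed_on": date(2020, 12, 7), "failed": False}
    for day in (12, 14, 15):  # production: soak, release hold, then allowed
        decisions.append((day,) + next_ring(update, date(2020, 12, day)))
    return decisions
```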

Assess Your MSP and Not Only Feel More Confident…Be More Secure

A breach of your MSP goes beyond merely breaching a supplier’s own perimeter. The very weaknesses a hacker needs could simply lie in misconfigurations or errors in a single client’s environment; from there, they need only replicate their attack mechanism in other customer networks, including yours. Want to discuss additional ways to mitigate MSP security risks, or what we do to provide robust security for our MSP customers? Contact us.

CyLumena - Will Defeo

Insight Contributor:

Will Defeo, Consultant

Will DeFeo is a CyLumena consultant with experience in code release governance and risk management, having previously worked for PwC in anti-money laundering and as an AmeriCorps VISTA. He is a 2015 graduate of Mercyhurst University’s Ridge College.