Global Cybersecurity Authorities Warn of Cyber Threats Against Managed Service Providers
On May 11, 2022, the United States’ Cybersecurity & Infrastructure Security Agency (CISA) issued a joint statement with the cybersecurity authorities from the United Kingdom, Australia, Canada, and New Zealand warning of an increase in threatening cyber activity against managed service providers (MSPs). The joint Cybersecurity Advisory (CSA) advises that MSPs, who provide an assortment of services from IT infrastructure services to business support functions, are prime targets for cyber-attacks, a trend likely to continue for the foreseeable future, as threat actors aim to exploit the innate trust in MSP-customer relationships.
The joint statement notes that threat actors can use susceptible MSPs as an initial access vector to compromise not just the MSP itself, but its entire customer base. Compromising an MSP can lead to a domino effect across customers, including the spread of ransomware and cyber espionage.
CSA recommendations for MSP customers
The CSA urges MSPs and customers to actively reduce their attack surface and secure their data. MSPs and customers should address their unique cyber risks in accordance with their organizational needs, regulatory requirements, and contractual agreements between the two parties.
In the advisory, the CSA breaks down their recommendations to implement baseline security measures with specific action items. The following is a summary of their Information and Communications Technology (ICT) best practices for MSP customers (specific guidance for MSPs can be found in the advisory).
Prevent initial compromise
The CSA emphasizes the importance of defending against compromise techniques.
- Improve device security
- Protect internet-facing services
- Prevent brute force attacks and password spraying
- Protect against phishing attempts
Enable/Enhance monitoring and logging processes
The CSA recommends storing important logs for at least six months, employing/maintaining segregated logging regimes, and implementing endpoint detection and network defense monitoring.
- Enable logging of systems
- Contractually oblige MSPs to implement comprehensive security event management, provide visibility around logging activities, and notify of suspected or confirmed security incidents
Implement Multifactor Authentication (MFA)
Organizations should enforce MFA where feasible, though they should remain vigilant as recently Russian state-sponsored threat actors have exploited MFA to gain unauthorized access to accounts.
- Contractually oblige MSPs to mandate MFA on all services, products, and MSP accounts with access customer environments.
Manage internal environment risks and segregate internal networks
The CSA advises to isolate critical business systems and apply network security controls to diminish the impact of compromise throughout an organization.
- Review and validate all connections between internal and MSP systems, as well as other networks
- Use a VPN or similar tactic to access MSP infrastructure
- Limit traffic to and from MSP
- Contractually oblige MSPs to not reuse admin credentials
Employ principle of least privilege
Accounts should only receive access privileges when and where truly necessary. The CSA recommends implementing time-based privileges and identifying high-risk devices to reduce the possibility of unauthorized access.
- Ensure MSP applies this principle internally and in customer environments
- Consider contractually obliging MSPs to only have access to their managed services and resources
Disable obsolete accounts and infrastructure
Customers should disable obsolete user accounts and infrastructure to reduce attack surface.
- Disable MSP accounts no longer managing services and resources
- Do not overlook disabling accounts when an MSP relationship terminates
Update software consistently
Both MSPs and customers should update software (e.g., operating systems, apps, and firmware) regularly, prioritizing updates that patch known/exploited vulnerabilities.
- Understand the contractual requirements with your MSP regarding software updates
- Request that updates are delivered as a service exhaustively and judiciously
Regularly backup systems and data
Backup systems in case they need rebuilt, and frequently test these backups to ensure they work. Backups should be stored in multiple places separate from network connections.
- Contractually oblige MSPs to arrange automatic and continual backup services that are stored in an easily reachable location
Develop Incident Response and Recovery Plans (IRP)
All organizations should identify roles and responsibilities for stakeholders during incident recovery. Keep hard copies of updated plans in case the network becomes inaccessible.
- Ensure that contractual arrangements include IRPs that meet resilience requirements
- Test IRPs regularly
Manage supply chain risk
The CSA encourages the use of risk assessments across security, legal, and procurement groups to proactively manage ICT supply chain risk.
- Identify third-party vendors or subcontractors associate with their MSPs
- Set network security expectations with MSPs
- Understand the level of access and MSP has to data and networks they house
- Contractually oblige MSPs to meet defined security requirements
- Contractually delegate ownership of responsibilities between customer and MSP
Roles and responsibilities across the MSP-customer relationship need to be defined.
- Understand the contracted services provided by your MSP to address and security requirements that fall outside scope
Oversee account authentication
The CSA advises all organizations to follow password and permission best practices and review logs for unexplained failed authentication attempts. Click the following links to be redirect to our guidance on password strength and password resets.
- Ensure MSP accounts cannot access internal administrator groups
- Grant access and permissions on an as-needed basis
- Audit MSP accounts to confirm they are only used for appropriate activities and purposes
- Disable inactive MSP accounts
Recommended additional resources
The CSA recommends reading their advisory alongside the following supplemental guidance:
- CISA guidance on their Shields Up and Shields Up Technical Guidance webpages
- The United Kingdom National Cyber Security Centre’s “Actions to Take When the Cyber Threat is Heightened”
- The Canadian Centre for Cyber Security’s “Cyber Security Considerations for Consumers of Managed Services”
How we help
We understand the criticality of an MSP in an organization’s day-to-day operations. We offer comprehensive solutions to maximize the benefits of an MSP relationship:
- Aponix Protect™ to assess an organization’s risk, identify program gaps, draft a mitigation roadmap, and partner with MSPs to oversee associated remediation activities.
- Vendor due diligence to evaluate an MSPs internal cyber program, as well as ascertain how they house, protect, and use customer data.
- Operational resilience and governance services such as business continuity planning, incident response, and tabletop testing to draft, enhance, and routinely test an organization’s ability to respond to critical business disruptions alongside their MSPs.
Learn more about our additional solutions here.
For questions about this alert, or to find out how we can help you meet your regulatory cybersecurity obligations, please reach out to your trusted cyber advisor or contact us.