Managed service providers (MSPs) are popular with SMBs/SMEs for good reason. They can often maintain an organization’s network, applications and/or security posture better than many in-house IT departments can, and at a lower cost. They benefit from economies of scale and full-time specialists.
Unfortunately, as MSPs have grown so has their attractiveness as a target to malicious parties. It’s a matter of leverage: a single hack can yield access to dozens or hundreds of an MSP’s clients.
Breaches Affecting MSPs
Recently I wrote about the Wipro breach, which has garnered a lot of press. There have been a number of similar breaches that have received less press but have been equally damaging:
- A February 2019 ransomware attack against a Managed Service Provider resulted in approximately 2,000 systems belonging to the MSP’s clients getting crypto locked.
- A September 2018 ransomware attack against an MSP hosting Electronic Health Records (EHR) resulted in a security breach impacting 16,000 patients’ protected health information.
- Operation Cloud Hopper involved a global series of sustained attacks by the APT10 hacking group against managed service providers and, subsequently, their clients. These attacks aimed to gain access to sensitive intellectual property and customer data. US-CERT noted that a defining characteristic of Operation Cloud Hopper was that upon gaining access to a cloud service provider (CSP) the attackers used the cloud infrastructure to hop from one target to another, gaining access to sensitive data in a wide range of government and industrial entities in healthcare, manufacturing, finance, and biotech in at least a dozen countries.
Reducing the Cybersecurity Risks Posed by a Managed Service Provider
How do you minimize the chance that you will end up on the wrong end of an attack because your MSP was breached? Your best bet is to put them through an appropriate level of due diligence; i.e., Vendor Risk Management (VRM). You can build your own VRM process based on a set of good practices like the CIS Top 20, ISO 27002, the AITEC-AIMA DDQ, or the Shared Assessments program.
At a minimum, be sure to assess:
- User Account Management Reviews (e.g., procedures for granting employees access and taking it away when their roles change, or they leave the company)
- Two-Factor Authentication (e.g., all systems need to be protected by strong passwords and multi-factor authentication)
- Security Awareness Training for employees (e.g., education on security risks and on their own, their clients’, and your security programs)
- Mobile Device Management (e.g., BYOD or company issued devices need to be managed)
- VPN (e.g., all remote access needs to be through a VPN or equivalent)
- Email Spam Software (e.g., as phishing is still the number one attack vector, scanning at the mail server level as well as at endpoints)
- Patch and Configuration Management (e.g., regular patching and configuration assessments)
- Password Vaulting (e.g., accounts need to be shared at an MSP—how is this done in a way that ensures your security?)
- Logging (e.g., all remote access is logged and audited)
- Disaster Recovery (e.g., is data stored offsite in a manner that minimizes ransomware risk?)
When issuing a security questionnaire, be sure to request as much evidence as possible. Organizations that can provide an ISO 27001 certificate or a SOC2 Type 2 Service Auditor’s report are demonstrating their commitment to being secure, and the reports provide independent and objective verification of their security posture.