Customers of Managed Service Providers (MSPs) need to start demanding more of their MSP partners when it comes to security, a joint advisory from the cybersecurity agencies of Australia, Canada, New Zealand, the UK and the US urges -- in the latest Five Eyes warning that MSPs are in the crosshairs of attackers.
The new May 2022 advisory suggests that customers should demand eight clear things in their contracts when it comes to MSP cybersecurity, from backups to logging, MFA to network segmentation.
The agencies have issued no shortage of warnings that attacks on MSPs are rising and when successful, give hackers devastating access to thousands of their downstream customers. (The July 2021 attack on Kaseya is a recent example: REvil hackers used a vulnerability in Kaseya's software to hack approximately 50+ MSPs that used its products; riding that access downstream to hit 1,500 MSP customers with ransomware.)
Senior penetration testers have regularly told The Stack that MSP cybersecurity can be appalling and customers none-the wiser. As one recently told us: "I’ve worked for clients who had five different brands around the country and each of those brands had a different MSP – all with remote admin access into their environment... you’re seeing some MSPs who have done security testing, and some who are basically one guy doing it as a side-gig."
"We find a lot of unpatched boxes. Or organisations where they’ve patched the operating system but left third-party applications on there which haven’t been updated for years with critical vulnerabilities. Password qualities being terrible and it being very easy to brute-force user accounts. Domain admins who consider themselves pretty savvy using the name of their dog for their password and using it across all high-level accounts. We still see people putting RDP straight onto the internet; by default Windows has a lot of noisy and vulnerable protocols turned on and people don’t know how to turn them off; LLMNR; not using authentication for SMB..."
MSP cybersecurity requirements: Check these 8 things
MSP cybersecurity demands should include the following, the agencies said:
MFA: MSP customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive, the new advisory notes, emphasising that "contracts should also require MFA to be enforced on all MSP accounts used to access customer environments."
Logging & reporting: MSPs should implement comprehensive security event management that "enables appropriate monitoring and logging"; they should also provide visibility -- as specified in the contractual arrangement -- to customers of logging activities, including their presence, activities, and connections to the customer networks. (Yes, proper monitoring and auditing of MSP accounts is on the customer: do that too); and "notify customer of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks, and send these to a SOC for analysis and triage. "
Segregation: "Customers should review and verify all connections between internal systems, MSP systems, and other networks. Ensure management of identity providers and trusts between the different environments. Use a dedicated virtual private network (VPN) or alternative secure access method, to connect to MSP infrastructure and limit all network traffic to and from the MSP to that dedicated secure connection. Verify that the networks used for trust relationships with MSPs are suitably segregated from the rest of their networks. Ensure contractual agreements specify that MSPs will not reuse admin credentials across multiple customers."
Least privilege: "Customers should ensure that their MSP applies the principle of least privilege to both provider and customer network environments."Customers with admin of MSP accounts within their environment should ensure that the MSP accounts only have access to the services/resources managed by the MSP...
Updates: Customers should "ensure that they understand their MSP's policy on software updates and request that comprehensive and timely updates are delivered as an ongoing service" the advisory notes.
Backups: Ensure that contracts with MSPs include backup services that meet customer resilience and disaster recovery requirements: "Specifically, customers should require their MSP to implement a backup solution that automatically and continuously backs up critical data and system configurations and store backups in an easily retrievable location, e.g., a cloud-based solution or a location that is air-gapped from the organizational network."
Supply chain risk: "Customers should also set clear network security expectations with their MSPs and understand the access their MSP has to their network and the data it houses. Each customer should ensure their contractual arrangements meet their specific security requirements and that their contract specifies whether the MSP or the customer owns specific responsibilities, such as hardening, detection, and incident response.
Authentication: Customers should ensure MSP accounts are not assigned to internal administrator groups; instead, restrict MSP accounts to systems managed by the MSP. Grant access and administrative permissions on a need-to-know basis, using the principle of least privilege. Verify, via audits, that MSP accounts are being used for appropriate purposes and activities, and that these accounts are disabled when not actively being used.