Protecting Against Cyber Threats to Managed Service Providers and their Customers
An interesting report was released today (12 May 2022) by the cyber security authorities of Australia, New Zealand, the United States, the United Kingdom and Canada (together known as the Five Eyes) about the “heightened risks to Managed Service Providers (MSPs) who look after the IT needs of clients”. You can find the full report on the Australian Government’s Australian Cyber Security Centre website - here.
To paraphrase, the main risk they are highlighting is this: if your IT Managed Service Provider (MSP) is compromised by hackers, the hackers can use the MSP’s own systems, network connections and credentials (the remote-access tools and administrator accounts the MSP uses to do its job) to reach its clients’ networks, systems and data. One successful compromise of an MSP can therefore become a compromise of many of its customers at once.
“… whilst all risks cannot be eliminated entirely, the level of that risk can be significantly reduced… “
The report recommended that MSPs and their customers both implement the “baseline security measures and operational controls” listed below, while customers should ensure their contractual arrangements specify that their MSP implements these measures and controls. We have added some additional text to each point to explain each a little further (in non-techie language!):
Prevent initial compromise – by improving the security of vulnerable devices (e.g. PCs which have not had security patches installed for a while), protecting internet-facing services (anything reachable from the internet, such as websites, remote desktop, VPN gateways and the remote-management tools an MSP uses), defending against brute-force and password spraying attacks (brute force is many password guesses against one account; password spraying is a few common or default passwords tried against many accounts, so a logon screen that never locks out or slows down repeated attempts is an easy target), and defending against phishing (not just relying on your users to spot a phishing attempt, but adopting multi-layered technical systems of defence).
Enable/improve monitoring and logging processes – monitoring and logging access to critical systems and/or unusual access in general (e.g., was it really you trying to access your work server from North Korea at 3am on Sunday?) - helping to provide early detection and alerting of a possible compromise.
Enforce multifactor authentication (MFA) – requiring two or more different proofs of identity to grant access (e.g. a Windows Hello for Business sign-in combines a key held on your registered device [something you have] with facial recognition or a fingerprint [something you are] or a PIN [something you know]) - especially for remote access applications used by the MSP, and for all administrator accounts.
Manage internal architecture risks and segregate internal networks – this helps to limit an attacker jumping from one part of your network to others, perhaps where more critical systems (like finance and banking access) are operating.
Apply the principle of least privilege – administration accounts are clear targets and need additional protections (use separate accounts for administration and for day-to-day work, and use additional controls such as Privileged Identity Management and just-in-time elevation, so that admin rights are only held for the time they are actually needed), give users only the access and privileges required to do their jobs (and consider getting an independent audit done).
Disable/Remove obsolete accounts and infrastructure – do this periodically and especially after a change in personnel (consider setting up automated actions so when a staff departure date occurs there is already a scheduled IT service request and related automated task which disables their account - all as part of your digitally transformed HR processes), or a change in service providers.
Apply updates – to operating systems (Windows, Mac, iOS, Android), applications, and device firmware (PCs, routers, firewalls, network equipment etc.). Prioritise security updates, as hackers will target unpatched known vulnerabilities first (easy pickings). Use Endpoint Management solutions like Microsoft Endpoint Manager/Intune to monitor and automate patching of devices and report exceptions, and use controls like conditional access to automatically block access to your systems, services and/or data from devices that have not applied the minimum required updates (or from accounts that should no longer be in use).
Back up systems and data – system backups will allow you to quickly rebuild compromised systems back to a known clean/working state (how quickly you need to be running again is your Recovery Time Objective or RTO), set your data backup frequency based on the amount of data you can afford to lose if compromised (the maximum acceptable gap between the last good backup and the incident is your Recovery Point Objective or RPO), and have multiple offline and offsite backups going back over a period of time (this helps if the hacker has been undetected on your system for a while and has been slowly corrupting or encrypting your data, for example, so that the most recent backups are already tainted).
Develop and exercise incident response and recovery plans – documented plans will help you to pre-determine who makes the key decisions in the event of a compromise (according also to the level of severity), and should there be a compromise, a plan will clearly define the various roles/actors and responsibilities for carrying out the plan, processes and highly specific procedures to be followed (i.e. unambiguous steps your teams will execute exactly when all hell is breaking loose). Regular restoration testing provides confidence in your backups, systems and procedures, and gives you important knowledge of the likely time to restore things back to ‘normal business operations’ in the event of a serious compromise.
Understand and proactively manage supply chain risk – manage ICT supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritise the allocation of (likely scarce) resources. Your MSP will use software provided by their key vendors/suppliers, who also present a risk to downstream customers of the MSP (i.e. your business). Note - an example of this exact risk becoming a horrible reality can be viewed here (see - Kaseya ransomware attack).
Promote transparency – MSP contracts need to have clearly defined responsibilities and arrangements around when and how the MSP must notify their customers of a breach. Gaps where services are outside the scope of the MSP’s contract should also be identified and risks mitigated.
Manage account authentication and authorisation – adhere to best practices for password and permission management. Regular reviews of logs are essential to expose exceptions, and because the volume of routine log entries is huge, automation that filters out the noise and surfaces the real security signals (repeated failures, logins from unexpected places, new privileged access) is just as important as collecting the logs in the first place.
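The “defend against brute-force and password spraying”, “monitoring and logging” and “filter out the noise for real security signals” points above all come down to the same thing in practice: looking at authentication logs for patterns rather than individual entries. The script below is an added example (ours, not part of the Five Eyes report) of that detection logic. It assumes a constructed, simplified log format of one login event per line (timestamp, SUCCESS or FAIL, username, source IP, source country), that timestamps are already in the business’s local time zone, and that AU and NZ are the only countries staff normally log in from; real deployments would read the same kind of data from a SIEM or from Windows/Azure AD sign-in logs instead.

```python
"""Added example: spotting brute force, password spraying and unusual access
in authentication logs. Assumptions (not from the advisory): one event per
line, fields <timestamp> <SUCCESS|FAIL> <username> <source IP> <country>,
timestamps already in local time, and AU/NZ as the expected countries."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    success: bool
    user: str
    ip: str
    country: str


# Constructed sample input: a brute-force run against "admin", a password
# spray from an unexpected country that ends in a success at 03:02 on a
# Sunday, and ordinary Monday-morning traffic including one mistyped password.
SAMPLE_LOG = """\
2022-05-08T02:50:01 FAIL admin 198.51.100.9 AU
2022-05-08T02:50:09 FAIL admin 198.51.100.9 AU
2022-05-08T02:50:17 FAIL admin 198.51.100.9 AU
2022-05-08T02:50:25 FAIL admin 198.51.100.9 AU
2022-05-08T02:50:33 FAIL admin 198.51.100.9 AU
2022-05-08T02:50:41 FAIL admin 198.51.100.9 AU
2022-05-08T02:58:00 FAIL bob 203.0.113.7 KP
2022-05-08T02:58:30 FAIL carol 203.0.113.7 KP
2022-05-08T02:59:00 FAIL dave 203.0.113.7 KP
2022-05-08T02:59:30 FAIL frank 203.0.113.7 KP
2022-05-08T03:02:00 SUCCESS erin 203.0.113.7 KP
2022-05-09T09:15:00 SUCCESS alice 192.0.2.10 AU
2022-05-09T09:20:00 FAIL bob 192.0.2.11 AU
2022-05-09T09:20:20 SUCCESS bob 192.0.2.11 AU
"""


def parse_log(text: str) -> list[Event]:
    """Turn the simplified log lines into Event records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, ip, country = line.split()
        events.append(Event(datetime.fromisoformat(ts), outcome == "SUCCESS", user, ip, country))
    return events


def detect_brute_force(events: list[Event], threshold: int = 5) -> dict[tuple[str, str], int]:
    """Brute force: many failures against ONE account from one source.
    Returns {(user, ip): failure_count} for pairs at or above the threshold."""
    fails = Counter((e.user, e.ip) for e in events if not e.success)
    return {pair: n for pair, n in fails.items() if n >= threshold}


def detect_password_spray(events: list[Event], min_users: int = 4) -> dict[str, list[str]]:
    """Password spraying: one source failing against MANY distinct accounts,
    typically only once or twice each, so per-account lockouts never trigger.
    Returns {ip: [users targeted]} for sources hitting at least min_users."""
    targeted = defaultdict(set)
    for e in events:
        if not e.success:
            targeted[e.ip].add(e.user)
    return {ip: sorted(users) for ip, users in targeted.items() if len(users) >= min_users}


def detect_unusual_access(events: list[Event], allowed=frozenset({"AU", "NZ"}),
                          business_hours: tuple[int, int] = (7, 19)) -> list[tuple[str, str, list[str]]]:
    """Successful logins from an unexpected country or outside business hours
    (weekends, or before/after the business_hours window). Returns
    [(user, ip, [reasons])]; failures are ignored here, successes matter."""
    findings = []
    for e in events:
        if not e.success:
            continue
        reasons = []
        if e.country not in allowed:
            reasons.append(f"country {e.country}")
        if e.ts.weekday() >= 5 or not business_hours[0] <= e.ts.hour < business_hours[1]:
            reasons.append(f"outside business hours ({e.ts:%a %H:%M})")
        if reasons:
            findings.append((e.user, e.ip, reasons))
    return findings


def detect_spray_then_success(events: list[Event], min_users: int = 4) -> list[tuple[str, str]]:
    """Highest-fidelity signal: a source that sprayed many accounts and then
    logged in successfully. That account's password almost certainly worked."""
    sprayers = detect_password_spray(events, min_users)
    return sorted({(e.user, e.ip) for e in events if e.success and e.ip in sprayers})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evts))
    print("password spray:", detect_password_spray(evts))
    print("unusual access:", detect_unusual_access(evts))
    print("spray followed by success:", detect_spray_then_success(evts))
```

On the constructed sample the single mistyped password on Monday morning is not reported at all, the six failures against `admin` are reported as brute force, the source in KP is reported as a spray across four accounts, and the same source’s later success as `erin` is reported three times over (unexpected country, 3am on a Sunday, and a login following a spray). That last combination is the kind of high-confidence signal worth paging someone about, which is the point of filtering rather than reading raw logs.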
Ok, so what are YOUR next steps?
We hope the above has provided a heads-up about a very real risk for Australian businesses. A conversation should be held between your business and every managed service provider you have engaged to ensure the above has been considered and forms a part of your service provider contracts.
Interested in our Virtual CxO offering? The above is a sample of the type of regular advisory notices we provide clients who have engaged Explore Digital as a ‘virtual’ business-technology advisor or ‘Virtual CxO’ (with the ‘x’ in the CxO title varying depending on the scope of our clients’ brief and requirements - e.g. Chief Information Officer, Chief Technology Officer, Chief Digital Officer, Chief Operating Officer, etc.). If you are in need of independent, executive-level oversight of your Business-Technology function, then please feel free to reach out to us HERE for an obligation-free chat.