The Perilous State of the MSP
2020 will likely be a very perilous year for most managed service providers. MSPs will be under the most intense economic and operational pressure ever. The industry has been through a long period of consolidation, and many MSPs have completely outsourced their help desks and project engineering teams to reduce cost. Worse yet, MSPs have now become a prime target of cybercriminals. It stands to reason: cybercriminals pay attention to industries that come under economic pressure, because they know those companies will try desperately to control their expense lines to stay profitable, which often translates into cutting corners on cybersecurity.
Keys to the Kingdom
MSPs also present a particularly attractive target for cybercriminals because they manage infrastructure for other companies. If an attacker can break into the MSP’s systems, they can often use those systems to penetrate all of the MSP’s customers’ systems. Although you may not have heard about that exact scenario, it has already happened. Last year, Chinese hackers broke into the networks of eight major MSPs and technology service providers in an effort to steal commercial secrets from the MSPs’ customers.
According to Reuters, the “Cloud Hopper” attacks penetrated the systems of:
- Computer Sciences Corporation (now DXC)
- Dimension Data
- DXC Technology
- HP Enterprise
- NTT Data
- Tata Consultancy Services
Ironically, most of those companies also have cybersecurity divisions and rank high on lists of top managed security service providers (MSSPs). Although these are all very large MSPs, the FBI and the US Department of Homeland Security have repeatedly warned that small and medium-sized MSPs and their technology platform providers are under the same types of attacks.
Need to Know
So the big question here is what should every organization that is utilizing an MSP to manage their technology infrastructure be doing to validate that they have made the right choice?
The answer is to start asking some very good questions.
Every MSP uses a set of tools to provide its IT management services. An RMM (Remote Monitoring and Management) tool provides remote access to the customer systems. A PSA (Professional Services Automation) tool handles service tickets and workflow. A documentation tool keeps the entire store of system, network, and application configurations, as well as the authentication credentials and passwords used to access customer systems.
The FIRST question you should be asking your MSP is whether MFA (multi-factor authentication) is required for access to their tools. If not, that is a very bad sign and a big security hole that should be filled immediately. With one set of compromised credentials at the MSP, a hacker has access to all of the contacts and email addresses at the customer, the service records, the documentation, and possibly remote access to the customer’s systems. This is the Holy Grail for an attacker.
Security Operations Center
The SECOND question you should be asking is whether the MSP has invested in a SIEM (Security Information and Event Management) system and whether their systems are monitored by a 24×7 Security Operations Center (SOC). There are vendors now offering these specific services to MSPs on an affordable monthly subscription model, so there really isn’t any excuse for not putting this type of service in place. You can be sure that if an MSP is breached, it won’t be at 2:00pm on a weekday afternoon. Cybercriminals are smart enough to know that without a dedicated 24×7 SOC, no one will be watching at 2:00am on a Sunday morning. The huge value of this type of service is that hackers will normally spend days or weeks inside breached systems working out how best to monetize their attack. A 24×7 SOC has the best chance of detecting that a bad actor is inside the environment, giving the MSP a fighting chance to identify and close the breach before the hackers have damaged anything.
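As an added illustration of the kind of rules a SIEM fed by the MSP’s RMM logs could run, here is example code written for this article, not any vendor’s product. The log format, field names, business-hours window, and time window are constructed assumptions; the rules flag successful RMM logins without MFA, logins at hours when no one is watching, and one account hopping between several customers’ environments within minutes.

```python
from datetime import datetime, timedelta, timezone

# Constructed RMM authentication log lines (not real vendor output);
# format: ISO-8601 UTC timestamp followed by space-separated key=value fields.
SAMPLE_LOG = """\
2020-02-04T14:02:11Z event=rmm_login user=jdoe customer=acme result=success mfa=yes src=198.51.100.4
2020-02-04T14:05:40Z event=rmm_login user=asmith customer=acme result=success mfa=no src=198.51.100.4
2020-02-09T02:14:51Z event=rmm_login user=jdoe customer=globex result=success mfa=yes src=203.0.113.7
2020-02-09T02:15:03Z event=rmm_login user=jdoe customer=initech result=success mfa=yes src=203.0.113.7
2020-02-09T02:15:19Z event=rmm_login user=jdoe customer=acme result=failure mfa=yes src=203.0.113.7
"""

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC, Monday to Friday
WINDOW = timedelta(minutes=5)  # assumed window for "same user, several customers"


def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return record


def off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def analyse(log_text):
    """Return (rule, user, customer) alerts for successful RMM logins, in log order."""
    alerts = []
    recent = {}  # user -> [(ts, customer), ...] of earlier successful logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") != "rmm_login" or rec.get("result") != "success":
            continue  # failed attempts belong to a separate brute-force rule
        user, cust, ts = rec["user"], rec["customer"], rec["ts"]
        if rec.get("mfa") != "yes":  # FIRST question: MFA on the MSP's tools
            alerts.append(("no_mfa", user, cust))
        if off_hours(ts):  # nobody is watching at 2:00am on a Sunday without a SOC
            alerts.append(("off_hours", user, cust))
        # one account reaching several customers' environments within WINDOW
        if any(ts - t <= WINDOW and c != cust for t, c in recent.get(user, [])):
            alerts.append(("multi_customer", user, cust))
        recent.setdefault(user, []).append((ts, cust))
    return alerts
```

Run against the constructed log, `analyse(SAMPLE_LOG)` flags asmith’s login without MFA, both of jdoe’s Sunday 2:00am logins, and the second of those as a multi-customer hop.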
Disaster Recovery Plan
The THIRD question is how the MSP plans to access and secure the customer environment in the event the MSP’s own systems become disabled. This is critically important for two reasons. First, if a disaster occurs at the MSP, will the MSP be able to continue providing service and managing the customer’s environment? Second, if the MSP’s systems become disabled because of a breach, will the MSP be able to rapidly secure the customer’s systems? Any plan provided by the MSP would probably need to include staff that operate from a different geographical location (a hurricane, for example, would require this) and a separate remote access tool for reaching customer systems that is NOT part of the RMM tool, which would likely be disabled. Ask for the written plan, and see whether the MSP can provide one to you.
The FOURTH question is whether the MSP has ever had a penetration test (pen test). A pen test is a service in which a third party is paid to try to penetrate the MSP’s systems without being detected. Any organization that is really serious about cybersecurity schedules a pen test at least annually. You don’t need to worry about the results of the test, just that the MSP is getting one done.
Get to Know your MSP
Your MSP’s answers to these four questions will tell you a lot about their cybersecurity maturity level. If your MSP has made these investments in time, money, and technology to lower their cybersecurity risk, you can sleep at night knowing that if the unthinkable occurs, you have the right team on your side.