Can You Get Hacked Through Your MSP?

What do the US Secret Service (USSS), the Federal Bureau of Investigation (FBI), the Cybersecurity & Infrastructure Security Agency (CISA), and the National Security Agency (NSA) all have in common?

Yes, of course these are all Federal agencies. But more to the point of this article, all these security organizations have recently issued warnings that foreign hackers are targeting Managed Services Providers (MSPs).

In 2020, the US Secret Service sent out a security alert to the US private sector and government organizations warning about an increase in hacks of MSPs. Since that time, other Federal security agencies have echoed this concern.

Earlier this month, CISA, NSA, FBI and four similar international organizations issued a Joint Cybersecurity Advisory to protect MSPs and their customers. This alert specifically addresses the steps that MSPs and their clients need to take to defend against cyber criminals.

What prompted these global security agencies to issue this cyber security advisory?

There is no specific threat information in the advisory, nor is there any reference to any precipitating events. However, the following is in the first paragraph of the summary:

“The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue. This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion.”

The expectation that this attack trend will continue refers to a white paper entitled “State of the Market: The New Threat Landscape”. This document was produced by N-able, a leading supplier of remote management and monitoring (RMM) software for the MSP market. While the details in the white paper are beyond the scope of this article, it is interesting to note that the very first footnote in the very first paragraph of the advisory references a white paper from a company that produces the very tool that could be exploited by hackers.

This advisory describes cybersecurity best practices for IT services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. The advisory provides a comprehensive list of recommendations for MSPs and their clients.

Why are MSPs a target for cyber-attacks?

There are several reasons that cyber criminals attack MSPs. But the primary reason is that if a hacker can break into an MSP, they may have unfettered access to all the systems serviced by the MSP. Why try to hack into companies individually when you can hack just one and hit the jackpot?

MSPs use RMM software systems for accessing all the computers and networks that they support across their client base. This software allows the technical support teams to monitor, update, and connect to the computers and equipment of the companies they service. By exploiting these systems, the hackers have the same access to customer networks as the MSP personnel.

Cracking the management software is not the only way to exploit the MSP customer base. MSPs can store critical client information (usernames, passwords, and technical documents) in files that are not protected or encrypted. Often these MSPs store this information in typical Office files like Word and Excel. Once the criminals get this information, they can hack the customer directly. Even if the MSP eventually catches and fixes their own breach, the bad guys still win.
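One way an MSP or its client could audit a documentation share for the problem described above, as an added example that is not part of the original article. It flags Word and Excel files that are stored unencrypted and mention credentials, relying on the fact that password-protected Office files are wrapped in an OLE container with an EncryptedPackage stream while unprotected ones are plain ZIP archives. The keyword list, file names, and sample share are constructed assumptions, and the "encrypted" sample is a stub that only mimics the header and stream name.

```python
import re
import tempfile
import zipfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE2 compound-file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in protected OOXML
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm"}
HINTS = re.compile(r"\b(password|passwd|username|login|api[ _-]?key)\b", re.I)
MAX_PART = 5 * 1024 * 1024                           # read cap per XML part (zip-bomb guard)

def classify(path):
    """'plaintext' = ordinary ZIP-based file, 'encrypted' = OLE wrapper (heuristic)."""
    data = Path(path).read_bytes()
    if data.startswith(b"PK\x03\x04") and zipfile.is_zipfile(path):
        return "plaintext"
    return "encrypted" if data.startswith(OLE_MAGIC) and ENC_STREAM in data else "unknown"

def credential_hints(path):
    """Return the sorted credential keywords found in a plaintext OOXML file."""
    found = set()
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.endswith(".xml"):
                with zf.open(name) as part:
                    text = part.read(MAX_PART).decode("utf-8", "replace")
                text = re.sub(r"<[^>]+>", " ", text)   # drop XML tags, keep visible text
                found.update(m.lower() for m in HINTS.findall(text))
    return sorted(found)

def audit(root):
    """List (file name, keywords) for every unencrypted Office file mentioning credentials."""
    files = (p for p in sorted(Path(root).rglob("*"))
             if p.suffix.lower() in OOXML_EXT and classify(p) == "plaintext")
    return [(p.name, hits) for p in files if (hits := credential_hints(p))]

def build_sample_share():
    """Constructed sample data: two minimal OOXML-like files and one encrypted stub."""
    root = Path(tempfile.mkdtemp())
    docs = {"client-runbook.docx": "<w:t>Firewall username: admin</w:t><w:t>Password: EXAMPLE-ONLY</w:t>",
            "meeting-notes.docx": "<w:t>Quarterly review agenda</w:t>"}
    for name, xml in docs.items():
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("word/document.xml", xml)
    (root / "vault-export.xlsx").write_bytes(OLE_MAGIC + b"\0" * 504 + ENC_STREAM)
    return root

if __name__ == "__main__":
    print(audit(build_sample_share()))
```

Files the audit reports belong in a password manager or an encrypted documentation platform rather than on a file share.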

Another reason that MSPs are targeted is that they may focus more on their client systems than their own. To truly be secure, your MSP must practice what they preach to you. All the best practices, the technology investments, and the security policies that they advise for your company should be in place in their own business.

The last point I would like to make on this topic is that MSPs often focus on vertical markets like financial, healthcare, government, or education. By targeting the MSP, the hackers can strike a vein of companies in a market in which they have had previous success in holding hostages for money.

What attacks have happened so far?

Most of the information on the web about breaches involving MSPs concerns exploits of the RMM software providers. ConnectWise, Kaseya, and SolarWinds have had compromises that have been widely reported in the media. To put these attacks in scale, with the Kaseya attack in 2021, it is being reported that 60 or so MSPs were attacked, and an estimated 1,500 customers fell victim.

There are numerous other reports to be found in a search for more isolated incidents.

What are the immediate steps I can take with my current MSP?

Because the business relationship between you and your MSP exists in your Master Service Agreement (MSA), this is the best place to start. Imagine criminals breach your company through a gap in your MSP's systems. What options do you have? Who covers the cost? Do they have cyber insurance that covers your company? Are these breach issues covered in your MSA?

Ask your MSP if they have hired an independent company to audit their security procedures and processes. MSPs can engage cyber security companies that specialize in the MSP industry to verify the practices of MSPs and certify that they follow the highest standards for information security.

If your MSP answers yes to this question, request a summary of the findings from the auditing company. If they answer no…consider switching to a more qualified MSP.

What questions should I ask when evaluating an MSP?

When interviewing companies to be your new MSP, add these questions to your list:

  • Do you have a trained security officer?
  • Do your staff have security certifications and which specific security certifications do they have?
  • Do you have a third party that audits and certifies your security practices?
  • Do you use a 24/7 Security Operations Center (SOC) monitoring service to ensure traffic coming and going is trusted and valid?
  • Is multi-factor authentication (MFA) used for your critical systems and what solution do you use?
  • Are regular phishing tests performed within your company?
  • Do you have cyber liability insurance?
  • How do you guarantee that our company information will not be compromised?

What are the conclusions to be taken away?

The primary conclusion is that you should immediately set up a meeting with your MSP to begin an ongoing conversation about your business risk. Armed with the information above and a quick read of the Joint Cybersecurity Advisory, you and your team have the ability to ask all of the right questions.

And when you ask the questions of your MSP, don’t take “Don’t worry, we got this!” as an acceptable answer.

Published On: June 2, 2022 | Categories: Cybersecurity