Because of the benefits they offer, many organizations are outsourcing at least a portion of their IT operations to managed service providers (MSPs). Depending on the MSP’s areas of specialization, security risks for client organizations may be reduced. But allowing external service providers to remotely access critical IT infrastructure can also have the opposite effect, as illustrated by the massive ransomware attack involving Kaseya software that made news in July of 2021. Up to 1,500 companies in 17 countries were directly impacted by the attack. Tens of thousands of other organizations were indirectly impacted, being forced to take down their systems in order to avoid infection until a patch became available.
Valuable lessons can be learned from events like this one. A July 2021 article posted at WeLiveSecurity.com describes how Kaseya was used by cybercriminals to perpetrate the attack and includes recommendations for organizations to follow prior to entering into an MSP service contract.
In brief, Kaseya software products automate patch installations and provide other services including remote monitoring capabilities that allow organizations to better manage IT infrastructure. Many MSPs use Kaseya software to remotely manage their clients’ systems. Services provided by Kaseya applications require system access via privileged administrator accounts.
Per the WeLiveSecurity.com article, Kaseya personnel were aware of zero-day vulnerabilities in one of their applications and were working on patches to resolve them when the attack occurred. Cybercriminals exploited those same vulnerabilities in the Kaseya product by targeting 50 to 60 MSPs using the application. Once the application was compromised, attackers used it to send ransomware disguised as legitimate software updates to MSP clients’ systems. Because each MSP provided service to multiple clients, there was a domino effect that resulted in an estimated 150,000 organizations being infected with the ransomware.
MSP clients are allowing external service providers to remotely connect to critical systems on their internal networks. MSPs that use applications and provide services requiring highly privileged administrator accounts must take precautions to protect their clients from these types of attacks.
Finding the right MSP
The article cites a “recent report” indicating that 73% of MSPs surveyed experienced security-related incidents within the previous year and that 60% of those incidents involved ransomware. If you intend to provide an MSP with high-level remote access to sensitive data and critical infrastructure, asking the right questions and doing some research is critically important.
Take time to thoroughly review the MSP’s proposal. Include stakeholders and IT staffers in the review process. Make a list of questions and don’t accept unclear or incomplete answers from MSP representatives.
Your MSP evaluation process should include the following:
• Determine whether the MSP partners with other service or application providers (e.g. Kaseya). If so, find out who they are and do some research into their histories, including reviewing any security-related incidents.
• Determine whether the MSP uses applications that require high-level administrative access privileges and, if so, look into any security-related incidents that involved those specific applications.
• Ask detailed questions about how the MSP manages security within its own environment. What malware protection do they use? How do they handle patch management for their systems? Ask about network, endpoint, and email security controls as well.
• Find out about their internal access policies. Do they practice the principle of least privilege? Is their network segmented in accordance with industry best practices?
• Ask about the MSP’s threat detection and response capabilities and find out whether they have an incident response plan in place. Do they regularly test and update the plan?
• Determine whether the MSP adheres to any particular industry standards and whether the company and/or its personnel hold any certifications. If the MSP is subject to regulatory oversight, you may have some additional remedies available should an incident occur. You may also have the ability to check with the regulatory body regarding previous complaints filed against the MSP.
• Inquire about employee training programs and whether the MSP is being regularly audited to evaluate its security plan and controls.
The WeLiveSecurity.com article also recommends asking MSP representatives whether they use application whitelisting, whether their employees are required to use multi-factor authentication, and how often they back up their data. Based on the type of services the MSP will provide, you may come up with additional questions to ask.
Regardless of how much research you do or how many questions you ask, there is no way to guarantee that your organization will be immune to cyber attack resulting from your MSP being compromised. You can, however, minimize the threat by taking the time needed to thoroughly investigate prospective MSPs and the security precautions they take to protect their clients.
With the ongoing shortage of qualified IT specialists and the potential for cost savings associated with outsourcing, partnering with an MSP is generally a good idea. Just do your due diligence before you sign a contract.