Managed Services Providers (MSPs) are prime targets for cyber attacks. In particular, supply chain attacks are one of the biggest concerns in today’s threat landscape as cybercriminals increasingly target MSPs to gain access to the networks of multiple organizations in one fell swoop.
The situation has become so concerning that the cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand, and the United States have released a joint Cybersecurity Advisory (CSA) to help MSPs and their customers reduce the risks of cyber intrusions.
The CSA details a series of baseline security measures and operational controls for MSPs and their customers. Here are 10 tactical actions you should implement right away:
1. Strengthen Your First-line Defense
Protect networks and infrastructures from threat actors who exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques by taking the following precautions to prevent initial compromises:
- Harden remote access VPN solutions and perform vulnerability scanning regularly.
- Protect internet-facing services and web application systems against credential stuffing attacks.
- Defend against brute force, password spraying, and phishing attempts.
2. Improve Monitoring and Logging Processes
Maintain activity logs for all delivery infrastructure (e.g., internal and customer network activity). Store them for at least six months in a security information and event management (SIEM) solution or a separate logging tool to support threat detection and analysis.
Use a comprehensive SIEM system to monitor all network activities and provide customers visibility into the logging activities, including your presence, activities, and connections to their networks. Also, implement a process to notify clients of any confirmed or suspected security incidents on your infrastructure and administrative networks.
3. Enforce Multi-factor Authentication (MFA)
Secure remote access applications by using MFA as much as possible to harden any infrastructure that enables access to networks and systems. Also, implement configuration policies to prevent threat actors from exploiting “fail open” and re-enrolment scenarios.
Educate your customers on the importance of adopting MFA across all services and products and ensure that it’s properly configured. Also, enforce MFA on all your accounts with access to customer environments and treat them as privileged.
4. Manage Internal Architecture Risks
Identify and isolate critical business systems, then apply appropriate network security controls to reduce the impact of a breach across the organization. Review and verify all connections among internal infrastructure, customer systems, and other networks. Also, segregate customer datasets and services from each other to limit the impact of a single vector of attack.
Set up a dedicated virtual private network (VPN) or alternative secure access method to connect your infrastructure with your clients’ systems and limit all network traffic to that secure connection. Additionally, ensure that your team isn’t reusing admin credentials across multiple customers.
5. Adhere to the Principle of Least Privilege
Use a tiering model for administrative accounts to avoid granting users unnecessary access or privileges. Avoid default administrative privileges, assign full access only when strictly necessary, and further control access with time-based privileges. Also, restrict access privileges of high-risk devices, services, and users.
Additionally, implement policies to update privileges immediately when administrative roles change. For example, implement an offboarding process internally and for your customers to revoke all access privileges when an employee leaves the organization.
6. Deprecate Obsolete Accounts and Infrastructure
Review the attack surface of your internal infrastructure and your customers’ networks periodically. Limit it as much as possible, for example, by disabling or adjusting the access privileges of accounts belonging to employees who have left or changed roles. Account sharing is not recommended, but if it’s required, reset passwords after personnel transitions.
Audit the network infrastructures of your internal and customers’ systems to identify and disable systems and services no longer in use. Implement port scanning tools and automated system inventories to monitor connections and disable accounts from vendors no longer servicing the customer.
7. Stay Current With Software Updates
Install updates and patches for the operating systems, applications, and firmware on your internal infrastructure and clients’ networks. In particular, prioritize security updates for software with known exploited vulnerabilities, such as those listed in CISA’s catalog of known exploited vulnerabilities (KEV).
8. Back-up Data and Systems
Back up internal and customer data (where contractually appropriate) regularly. Maintain offline backups encrypted with separate, offline encryption keys. Also, encourage your customers to create secure, offsite backups with a frequency that matches their recovery point objective.
Use a solution that automatically and continuously backs up critical data and system configurations. Store the backups such that they’re isolated from network connections that could make them susceptible to ransomware attacks. Also, keep the backups in an easily retrievable location, e.g., a secure cloud application.
9. Implement Incident Response and Recovery Plans
Develop internal incident response and recovery plans and help your customers do the same. These plans should detail the roles and responsibilities of all organizational stakeholders and meet each client’s resilience and disaster recovery requirements. Maintain up-to-date hard copies of the documentation to ensure that stakeholders can access the information if the networks become inaccessible.
10. Manage Account Authentication and Authorization
Implement best practices for password and permission management and grant access and administrative permissions on a need-to-know basis. Ensure that your customers restrict MSP account access to systems managed by your company.
Additionally, implement processes to review logs for unexplained failed authentication attempts without delay: failed authentication attempts directly following an account password change could be a sign that the account is compromised.
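As an added illustration of the log review described in this step (example code, not from the advisory or this post), the following Python routine flags accounts whose password change is followed within a short window by repeated failed authentication attempts. The log line format, the 15-minute window and the threshold of three failures are assumptions; adapt the parser to your SIEM's export format.

```python
# Added example, not from the advisory or the original post: detect accounts that
# see repeated failed logins directly after a password change. The log format,
# window and threshold below are assumptions chosen for illustration.
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, event type, account, source IP.
SAMPLE_LOGS = """\
2024-03-01T09:00:00 PASSWORD_CHANGE user=alice src=10.0.0.5
2024-03-01T09:01:10 AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T09:01:25 AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T09:02:02 AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T09:30:00 PASSWORD_CHANGE user=bob src=10.0.0.9
2024-03-01T09:31:00 AUTH_OK user=bob src=10.0.0.9
2024-03-01T11:00:00 AUTH_FAIL user=bob src=10.0.0.9
2024-03-02T08:00:00 AUTH_FAIL user=carol src=203.0.113.4
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, user, source)."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), event, fields["user"], fields.get("src")


def find_failed_auth_after_password_change(log_text, window_minutes=15, threshold=3):
    """Return alerts as (user, change_time, failure_count, sorted source IPs)."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e[0])
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ts, event, user, _ in events:
        if event != "PASSWORD_CHANGE":
            continue
        # Only failures that land inside the window after this change count.
        failures = [(t, src) for t, ev, u, src in events
                    if u == user and ev == "AUTH_FAIL" and ts < t <= ts + window]
        if len(failures) >= threshold:
            alerts.append((user, ts, len(failures), sorted({src for _, src in failures})))
    return alerts


if __name__ == "__main__":
    for user, ts, count, sources in find_failed_auth_after_password_change(SAMPLE_LOGS):
        print(f"ALERT: {count} failed logins for {user} within 15 min of password "
              f"change at {ts.isoformat()} from {sources}")
```

With the constructed sample, only alice is flagged: bob's single failure falls outside the window, and carol has no password change event at all.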
Manage Supply Chain Risks Proactively With a Comprehensive SOC Solution
It has become increasingly difficult for MSPs to cover all the bases and follow the CSA’s recommendations on their own by hiring an in-house SOC team, purchasing the latest security tools, and implementing the complex processes involved.
That’s why more savvy MSPs are using our SOC-as-a-Service solution to keep their systems and customers’ networks safe without a substantial upfront investment. Also, our sales and marketing support can help you seamlessly incorporate cybersecurity services into your offerings to increase revenue potential.
Book a Time to Talk to see how we can help you strengthen your protection and gain customers’ trust.