Managed service providers (MSPs) are coming under increased scrutiny because of a number of ransomware incidents reported on various security sites over the last 12 months. Criminals have learned that by infiltrating a single MSP, they can use the provider’s tools to infect and take hostage all of the MSP’s clients. Because the reporting of these incidents is haphazard, the number of compromised MSPs could be a handful, or it could be dozens. What is certain is that hundreds or thousands of their clients have experienced severe business disruption — or worse.
The enhanced scrutiny is justified, and as an MSP, we welcome it. We use powerful tools to manage and monitor our clients’ networks and systems. With that comes a responsibility to ensure that our own security is equal to or greater than the level that we promote to our clients.
Given that many MSPs specialize in serving a certain type of business, here are a few examples drawn from healthcare organizations over the last year:
Ultimately the criminals do their damage by gaining administrator access to the MSP’s remote monitoring and management (RMM) tool, which allows them to install and execute the ransomware infector on the clients’ systems. The following means of infiltrating and compromising administrator credentials are either explicitly known or have been implicated in one or more incidents. We also list the countermeasure; ask your MSP if these protections are in place.
| Means of gaining administrator access | Protective countermeasure |
| --- | --- |
| Known vulnerability in an unpatched RMM tool or administrative console | Regular, systematic and diligent patch management for the RMM platform and its consoles |
| Zero-day exploit in an RMM tool | Proactive monitoring of the MSP's own IT environment so that abnormal administrator activity is noticed and stopped |
| Login credentials stored in cleartext on a compromised machine | Password vaulting solution (or encryption of stored credentials) together with a best-practices password policy |
| Exploiting RDP (remote desktop protocol) exposed to the internet | Disable RDP where it is not needed; otherwise restrict RDP sessions to known IP addresses with access control lists |
| Phishing email | Email filtering solution backed by regular cybersecurity awareness training |
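The RDP row above names two options: turn RDP off, or keep it and limit which sources may reach it. The following PowerShell script is an added example written for this page, not FIT Solutions' own tooling. It assumes a Windows server managed through the MSP's RMM, that Windows Defender Firewall is the enforcement point, and that the management addresses (drawn from the RFC 5737 documentation ranges) are placeholders to be replaced with the MSP's real jump hosts.

```powershell
# Added example (not FIT Solutions' code): lock down RDP on a managed Windows server.
# Run elevated. Either disable RDP entirely (-DisableRdp) or keep it and limit
# inbound TCP 3389 to the MSP's management addresses.
param(
    [switch]$DisableRdp,
    # Assumed placeholders: one jump host and one management subnet (RFC 5737 ranges).
    [string[]]$ManagementAddresses = @('203.0.113.10', '198.51.100.0/24')
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

if ($DisableRdp) {
    # Refuse Remote Desktop connections at the OS level and close the firewall rules too,
    # so re-enabling one without the other does not silently reopen the service.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'RDP disabled.'
    return
}

# RDP stays on, but only for the listed sources. The built-in "Remote Desktop" rule group
# allows any remote address, so disable it and replace it with a scoped rule.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

$ruleName = 'RDP - management addresses only'
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $ruleName   # make the script safe to re-run
}
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementAddresses -Action Allow -Profile Any | Out-Null

# Verify: list every enabled inbound rule that opens 3389 and the remote addresses it accepts.
# Anything showing "Any" here means RDP is still reachable from the whole internet.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        Write-Output ("{0}: remote addresses = {1}" -f $_.DisplayName, $addr)
    }
```

The verification step at the end is the part worth keeping in an RMM check: a firewall rule that accepts RDP from "Any" is exactly the exposure the table warns about, and it is easy to reintroduce when a technician re-enables the default rule group during troubleshooting.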
A single countermeasure would have stopped the vast majority of these attacks: requiring two-factor (2FA) or multi-factor authentication (MFA) without fail, for each and every administrator connection and session, to each individual client's IT environment. MSPs should enforce MFA at the enterprise login and ensure it covers VPN connections, RDP sessions, RMM console and API sessions, internal management systems, and SaaS applications; a stolen password alone must never be enough to reach a tool that can push software to client systems.
The other essential countermeasure is regular backups that are air-gapped or stored offsite, out of reach of the credentials used on the production network. In far too many ransomware incidents, backups were stored online and the ransomware infector encrypted the backups as well, making them useless for restoring the client's data. In some instances the criminals first disabled the backup agents on each system, then waited for the existing backups to age out before executing the ransomware. So it is important not only to have a backup system, but to monitor that backups are actually completing and to test them regularly for recoverability.
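The paragraph above describes a failure mode that a dashboard saying "backup configured" will not catch: the agent has been disabled and no new backup has been taken for days. The following PowerShell script is an added example written for this page, not FIT Solutions' code; it is the kind of check an MSP would push through its RMM to every managed server. The backup agent service name, the repository path and the 26-hour threshold are assumptions to be adapted to the backup product in use.

```powershell
# Added example (not FIT Solutions' code): backup health check for a managed Windows server.
# Alerts when the backup agent is missing, stopped or set to Disabled, or when the newest
# backup is older than the expected schedule. Exit code 1 lets an RMM raise an alert.
param(
    [string[]]$AgentServices = @('VeeamEndpointBackupSvc'),  # assumed agent service name(s); adjust per product
    [string]$RepositoryPath  = 'D:\Backups',                 # assumed path where backup sets are written
    [int]$MaxAgeHours        = 26                            # daily job plus two hours of slack
)

$findings = @()

# 1. Is the backup agent still installed, running, and allowed to start?
#    Attackers who disable agents typically set the service StartMode to Disabled.
foreach ($name in $AgentServices) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        $findings += "Backup agent service '$name' is not installed"
        continue
    }
    if ($svc.StartMode -eq 'Disabled') {
        $findings += "Backup agent service '$name' has been set to Disabled"
    }
    if ($svc.State -ne 'Running') {
        $findings += "Backup agent service '$name' is $($svc.State)"
    }
}

# 2. Has a backup actually completed recently? Windows Server Backup reports this directly;
#    for other products fall back to the newest file written into the repository.
$lastBackup = $null
if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
    $summary    = Get-WBSummary
    $lastBackup = $summary.LastSuccessfulBackupTime
    if ($summary.LastBackupResultHR -ne 0) {
        $findings += "Last Windows Server Backup job failed (HRESULT 0x{0:X8})" -f $summary.LastBackupResultHR
    }
}
elseif (Test-Path $RepositoryPath) {
    $newest = Get-ChildItem -Path $RepositoryPath -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newest) { $lastBackup = $newest.LastWriteTime }
}

if (-not $lastBackup) {
    $findings += "No backup set found"
}
elseif ((Get-Date) - $lastBackup -gt [TimeSpan]::FromHours($MaxAgeHours)) {
    $age = [int]((Get-Date) - $lastBackup).TotalHours
    $findings += "Newest backup is $age hours old (limit $MaxAgeHours)"
}

# 3. One line per problem, non-zero exit so the RMM treats it as a failed check.
if ($findings.Count -eq 0) {
    Write-Output "OK: backup agent running, newest backup $lastBackup"
    exit 0
}
$findings | ForEach-Object { Write-Output "ALERT: $_" }
exit 1
```

A check like this covers the "monitor the backups" half of the advice; the "test for recoverability" half still requires periodically restoring a sample of files or a whole system from the offsite copy, which no agent-side script can substitute for.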
At FIT Solutions, we do all of the above and encourage you to ask your MSP if they do the same. We also have the advantage of our cybersecurity offering, SOCBOX, which provides us with the services of a Security Operations Center for 24-hour proactive monitoring—but we don’t stop there. We also contract with a separate third party to do regular penetration testing and evaluate our environment to ensure our defenses are solid.
If you’d like more information about MSP security, please give us a call at 888-339-5694.