Another joint advisory on cyber security – this time, the risks presented by managed service providers
This time the advisory covers the risks relating to managed services providers (MSPs), or similar organisations, whose “trusted connection” could be used as a vector to attack one or more other businesses. It also contemplates them being used as a key part of the defensive strategy for an organisation looking to outsource elements of their IT services and IT security defences. The guidance, initially, looks holistically at how to prevent a cyber attack:
Prevent initial compromise
The advice here is familiar, and common to the anti-cyber-attack and anti-ransomware mitigation steps recommended by many experts in the space. Preventing direct access to systems, as well as preventing access being obtained by subversive users, requires focus on:
- Improving the security of vulnerable devices.
- Protecting internet-facing services.
- Defending against brute force and password spraying.
- Defending against phishing.
Two sides of the problem
Beyond these initial defences, it’s important to recognise that the remaining controls and recommendations involve cooperation and joint responsibility: things the MSP should do and things the Customer should do.
The individual steps aren’t repeated here, but the advisory warns both customers and MSPs (see here) of the specific tactical actions each must take in managing the risk of attack.
For example, concerning patching and applying updates, there is clearly a need for MSPs to apply patches to their own systems and to any that they manage for their Customers. Customers also have a responsibility to patch their own environments and to assure themselves that their MSPs are doing likewise, both on the systems they are paying them to manage and on any supporting infrastructure. Having visibility of this is vital, at both ends.
The advisory then expands to include a number of other mitigation strategies that we, at Huntsman Security, have talked about in depth before:
- Enable/improve monitoring and logging processes.
- Enforce multifactor authentication (MFA).
- Manage internal architecture risks and segregate internal networks.
- Apply the principle of least privilege.
- Deprecate obsolete accounts and infrastructure.
- Apply updates.
- Backup systems and data.
- Develop and exercise incident response and recovery plans.
- Understand and proactively manage supply chain risk.
- Promote transparency.
- Manage account authentication and authorization.
This advisory carefully addresses the risks faced by MSPs and their Customers when malicious cyber actors target those MSPs in an effort to exploit their trusted provider-customer relationships. It adds to a body of advice which is now largely consistent across multiple jurisdictions. It includes aspects of previous advisories from the same group of agencies and reiterates the important steps and controls that MSPs and their Customers should take to protect themselves and their customers.
For more information on how to protect against this risk vector and manage the effectiveness of your security controls, see our resource here, or here for managed services provider security. Alternatively, the advisory itself is linked here [Alert (AA22-131A)]; it contains specific references to the individual security agencies.