Cyber attackers have increasingly gone after managed service providers (MSPs), which remotely manage customer IT and end-user systems. MSPs are used mostly by small and mid-sized businesses for IT, data storage, and various process support.
MSPs let customers scale and support their network environments at a lower cost than managing them on their own, but because an MSP holds remote, often privileged, access into each of its customers' networks, it becomes a more attractive target for cyberattacks than any single customer.
When attackers breach one of these providers, the impact can be global: the MSP's customers face follow-on risks of ransomware and cyber espionage.
The Cybersecurity and Infrastructure Security Agency (CISA) posted mitigation and hardening guidance for MSPs on its website. CISA recommends that MSPs make sure log information is preserved, aggregated, and correlated to maximize detection capabilities, and that they apply the principle of least privilege to customer environments.
The principle of least privilege is the idea that users, programs, and processes should have only the minimum privileges necessary for them to function.
CISA also recommends implementing robust network- and host-based monitoring solutions and working with customers to make sure hosted infrastructure is monitored and maintained. MSPs should also manage customer data backups according to business value and operational needs, test recovery plans, and review data backup logs.
CISA also provided similar recommendations for small and mid-sized businesses, including managing supply chain risk by setting network security expectations for the MSP and involving legal and procurement groups.
CISA strongly suggests implementing strong operational controls: creating a baseline of system and network behavior so that future anomalies can be detected, feeding system log files into the customer's intrusion detection and security monitoring systems, and requiring multi-factor authentication (MFA).
Small and mid-sized businesses should also manage architecture risk by reviewing and verifying all connections between their systems and the MSP's, and by using a virtual private network (VPN) to connect to MSP infrastructure.
They should also manage authentication, authorization, and accounting risks by following the safest practices for password and permission management, making sure MSP accounts are not assigned to administrator groups, and verifying that service provider accounts are used only for their intended purposes.
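The three customer-side controls above (a behavioral baseline, log aggregation across environments, and keeping MSP accounts out of administrator groups) can be checked from the same aggregated data. The following script is an added example written for this page, not code from CISA or from any MSP tool. It assumes an MSP account naming convention (the `msp-` prefix), a simple exported group-membership list, a flat logon record schema, and a hand-written per-account host baseline; all of these, and the sample records, are constructed for illustration.

```python
"""Audit MSP / service-provider accounts across aggregated customer logs.

Added example for this page, not CISA's or any vendor's code. The account
naming convention, log schema, group names and baseline are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: MSP-owned accounts are named with this prefix in every tenant.
MSP_PREFIX = "msp-"
# Assumption: groups that should never contain an MSP account.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed group-membership export: (customer, group, member).
GROUP_MEMBERS = [
    ("acme", "Administrators", "msp-svc-backup"),
    ("acme", "Backup Operators", "msp-svc-backup"),
    ("acme", "Domain Admins", "jdoe"),
    ("globex", "Administrators", "msp-rmm-agent"),
    ("globex", "Remote Desktop Users", "msp-helpdesk"),
]

# Constructed aggregated logon records from two customers:
# (timestamp, customer, account, host, logon_type).
LOGONS = [
    ("2024-03-01T02:00:00", "acme", "msp-svc-backup", "acme-bkp01", "service"),
    ("2024-03-01T02:05:00", "globex", "msp-rmm-agent", "globex-ws07", "network"),
    ("2024-03-01T14:12:00", "acme", "msp-helpdesk", "acme-ws12", "interactive"),
    ("2024-03-01T14:13:30", "acme", "msp-helpdesk", "acme-dc01", "interactive"),
    ("2024-03-01T14:14:10", "globex", "msp-helpdesk", "globex-dc01", "interactive"),
]

# Constructed baseline: hosts each MSP account normally touches, per customer.
BASELINE = {
    ("acme", "msp-svc-backup"): {"acme-bkp01"},
    ("globex", "msp-rmm-agent"): {"globex-ws07", "globex-ws08"},
    ("acme", "msp-helpdesk"): {"acme-ws12"},
}


def is_msp_account(name):
    return name.lower().startswith(MSP_PREFIX)


def privileged_msp_accounts(members):
    """Return (customer, group, account) for MSP accounts sitting in a
    privileged group, which the guidance says should not happen."""
    return sorted((c, g, m) for c, g, m in members
                  if is_msp_account(m) and g in PRIVILEGED_GROUPS)


def baseline_deviations(logons, baseline):
    """Return MSP logons to hosts outside that account's baseline for that
    customer. An account with no baseline entry is treated as unexpected."""
    out = []
    for ts, cust, acct, host, _ in logons:
        if not is_msp_account(acct):
            continue
        if host not in baseline.get((cust, acct), set()):
            out.append((ts, cust, acct, host))
    return out


def cross_customer_bursts(logons, window=timedelta(minutes=10)):
    """Return (account, customers) for MSP accounts that reach more than one
    customer within `window`. Only visible once logs from several customers
    are aggregated; a single tenant cannot see it."""
    by_acct = defaultdict(list)
    for ts, cust, acct, _, _ in logons:
        if is_msp_account(acct):
            by_acct[acct].append((datetime.fromisoformat(ts), cust))
    findings = []
    for acct, events in by_acct.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            custs = {c for t, c in events[i:] if t - t0 <= window}
            if len(custs) > 1:
                findings.append((acct, tuple(sorted(custs))))
                break
    return findings


if __name__ == "__main__":
    for f in privileged_msp_accounts(GROUP_MEMBERS):
        print("MSP account in privileged group:", f)
    for f in baseline_deviations(LOGONS, BASELINE):
        print("Logon outside baseline:", f)
    for f in cross_customer_bursts(LOGONS):
        print("Cross-customer activity:", f)
```

On the constructed data the script flags two MSP accounts placed in local `Administrators`, an interactive helpdesk logon to a domain controller that is not in that account's baseline, and one MSP account touching two customers within ten minutes. The last check is the one that only works because the logs were aggregated across customers, which is the point of CISA's aggregation and correlation advice; the ten-minute window is an assumed threshold and would be tuned per environment.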
In the post, CISA also pointed to its Cyber Essentials to help organizations reduce the risk of cyberattacks.