Many or possibly most small businesses don’t have an internal IT department. They rely on a third party to help them manage their IT assets. These third parties are called Managed Service Providers (MSPs) or sometimes Managed Security Service Providers (MSSPs). This is not inherently bad. But many of these MSPs are not much larger than the companies they are managing. Many have 25 or fewer employees.
MSPs have to be trusted by their customers and have to have god-like permissions on their customers’ networks and systems. There is no way around that if you want them to manage things for you.
One example of an attack on an MSP right here in Colorado was an attack against Complete Technology Solutions. The attack on CTS compromised over a hundred dental practices who were CTS’s customers.
Another was the attack against Kaseya. Kaseya provides software to MSPs. Compromise Kaseya and you compromise a thousand MSPs, each of which has hundreds (or more) customers, each of which has many users.
There are lots more examples – SolarWinds, Microsoft Exchange and others.
It is not surprising that hackers want to compromise a company that can allow them to leverage their resources and maximize the damage they can do.
But now we have a joint advisory from the cybersecurity agencies of a group of nations (the Five Eyes) telling people to beware. The alert provides recommendations for both MSPs and their customers.
For the customers, you are the ones that are responsible for your network. It doesn’t matter that you outsourced the work to someone else. If your network is attacked, you are in trouble. That means that you have to take action to make sure that your MSP is following best practices.
If you need help, contact us.
Credit: The Register and CISA