Supply Chain Threats, Buffalo Jumps And The Simple Things That Count For MSPs

Andy Harris

MSPs and MSSPs are a vital part of the cybersecurity ecosystem
Recently I was asked by a magazine to comment on Supply Chain Threat and Buffalo Jumps. As is common, I was given 230 words to express my views. In this article, I can take a little more time to explore the issues.
According to this report from insurance specialists Beazley, ransomware attacks arrived via vendors or MSPs in 24% of cases.
At Osirium, we work with some outstanding MSPs and MSSPs (Managed Service Providers and Managed Security Service Providers). From these contacts, I found it hard to believe the assertion that 24% of ransomware attacks arrive via vendors and MSPs.
So, off to Google to do the research, and what I found was quite shocking.
A new report from Perch Security is relevant and introduces the issue of "Buffalo Jumps": if an MSP falls victim to malware, it can quickly propagate to all of its clients.
Digging behind the reports, I found that US figures for 2019 show 1543 reportable breaches, of which 19 were at MSPs. I thought I'd work out whether MSPs were more or less likely to have breaches than other organisations. To get a feel for this I looked at American figures, where there are around 20,000 MSPs versus 10.75 million companies (7.6 million with employees and recorded turnover). Against the 7.6 million figure, MSPs are about 0.26% of organisations, so if they had the same breach rate as everyone else we should see about 0.26% of incidents, roughly 1 in 380, happening at MSPs.
However, 19/1543 is 1.2%, roughly 4.7 times the expected 0.26%. On these figures an MSP is over four times as likely to appear in a breach report as the average organisation. Nineteen is a small count, so treat the multiplier as a rough estimate, but the gap is far too large to be chance (with a little over four MSP incidents expected, seeing 19 is vanishingly unlikely), and using the 10.75 million denominator would only make it bigger.
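To make the arithmetic above checkable, and to see whether 19 MSP incidents out of 1543 could simply be noise, here is a short Python script. It is an added example and not part of the original article; the figures are the ones quoted above, and the Poisson model (incidents independent, each landing on an MSP with the expected share) is my assumption for the significance check, not something the article states.

```python
import math

# Figures quoted in the article (US, 2019). The denominators are the
# article's choices; the script does not verify them independently.
REPORTABLE_BREACHES = 1543
MSP_BREACHES = 19
MSP_COUNT = 20_000
COMPANIES_WITH_EMPLOYEES = 7_600_000
ALL_COMPANIES = 10_750_000


def expected_share(msp_count=MSP_COUNT, companies=COMPANIES_WITH_EMPLOYEES):
    """Share of incidents expected at MSPs if every organisation were breached at the same rate."""
    return msp_count / companies


def observed_share(msp_breaches=MSP_BREACHES, breaches=REPORTABLE_BREACHES):
    """Share of reported incidents that actually involved an MSP."""
    return msp_breaches / breaches


def poisson_upper_tail(observed, mean):
    """P(X >= observed) for X ~ Poisson(mean).

    Assumption (mine, not the article's): incidents are independent and each
    lands on an MSP with probability expected_share, so the MSP count is
    approximately Poisson with mean breaches * expected_share. Terms are
    computed in log space via lgamma so large counts do not overflow.
    """
    if observed <= 0:
        return 1.0
    log_mean = math.log(mean)
    lower = sum(math.exp(-mean + k * log_mean - math.lgamma(k + 1)) for k in range(observed))
    return max(0.0, 1.0 - lower)


def msp_overrepresentation(companies=COMPANIES_WITH_EMPLOYEES):
    """Expected vs observed MSP share, the multiplier, and how surprising the gap is."""
    exp_share = expected_share(companies=companies)
    obs_share = observed_share()
    expected_count = REPORTABLE_BREACHES * exp_share
    return {
        "expected_share": exp_share,       # ~0.0026, i.e. about 1 in 380
        "observed_share": obs_share,       # ~0.0123
        "ratio": obs_share / exp_share,    # ~4.7 with the 7.6M denominator
        "expected_count": expected_count,  # ~4 MSP incidents expected
        "p_value": poisson_upper_tail(MSP_BREACHES, expected_count),
    }


if __name__ == "__main__":
    for label, denominator in (("7.6M employers", COMPANIES_WITH_EMPLOYEES),
                               ("10.75M companies", ALL_COMPANIES)):
        r = msp_overrepresentation(denominator)
        print(f"{label}: expected {r['expected_count']:.1f} MSP incidents, saw {MSP_BREACHES}; "
              f"ratio {r['ratio']:.1f}x, P(>= {MSP_BREACHES} by chance) = {r['p_value']:.1e}")
```

Two caveats worth keeping in mind when quoting the result: the multiplier measures how often MSPs appear in breach reports, not a per-organisation breach rate, and an MSP breach is more likely to be reportable precisely because it touches many clients, so some of the excess may be reporting bias rather than weaker security. The 7.6 million denominator is the conservative choice; the 10.75 million figure pushes the ratio to about 6.6.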
Why is this? Are MSPs inherently bad?
There are many factors that contribute to the statistics:
- MSPs handle proportionately far more IT processes and systems than general organisations, so they have a much larger attack surface.
- MSPs are very cost conscious, and procedures that take more steps cost money. Therefore procedures are simplified as much as possible. This is a key issue which will be discussed later.
- Top-level monitoring is expensive, both for the software and for the staff needed to analyse its output.
- MSPs deal with a wide variety of systems but at the same time seek to standardise their methods across as many systems as possible. This can mean a loss of flexibility from the customer's point of view.
- Some MSPs outsource as much work as they can offshore.
It's the Simple Things that Count
On an average day, I find myself discussing all sorts of prospect requirements and the various differences between us and competitors. Most often these are completely insignificant risks and time windows. This morning's reading from the ICO and US breach reports has made it absolutely clear: It’s the Simple Things that Count.
Looking through the security breaches, the pattern is remarkably common: administrator credentials are stolen, used to compromise systems, and then used to lock the MSP out. Of much more concern is the common practice of all customer systems having the SAME credentials, so break in once and the attacker has access to all of them.
I'm staggered that administrator credential theft is never reported as the root cause of an attack!
If you’re interested, here's my google search: https://www.google.com/search?q=admin+credential+stolen&oq=admin+credential+stolen
Each report I read goes through all the bat fish complex routes that the attackers used before they obtained the credentials. It is these complex routes that are attributed as the root cause - FFS let’s get real here!
- It is impossible to keep every server and workstation patched to the latest level. Patches can break running systems, so they need to be tested first, and legacy systems often cannot be patched at all.
- There are now 1 BILLION variants of malware for Windows. You can't stop them all, especially when you offshore to people using older hardware. Modern anti-malware will reduce Pentium-class machines to less than a crawl, and when you are paying per incident ticket this stuff will get switched off.
- Someone will get fooled by a phishing attack no matter how well they are trained. Don't let admin credentials anywhere near people: they cannot reveal what they don't know. Make people prove their own identity and have PAM deal with the privileged logins.
- When you are paying per ticket, people will work out the fastest way of doing things, and this will NOT be the most secure way. This is how we end up with all customer servers having the same simple credentials, so operators don't waste time looking them up.
- Security is not guaranteed by contracts and service agreements. These are only invoked when things have already gone wrong.
It doesn't have to be this way.
We are well aware that the best MSPs use Privileged Access Management. This means that the MSP's administrators never see the operational administrator credentials: the PAM system authenticates the person, opens the privileged session on their behalf, and records what they do. This takes the credential out of reach of an external attacker and is much better at tracking internal malpractice. Simple password vaults are not enough in these environments, because a vault still hands the password to a person.
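The three points made above and in the list before it (admin credentials never reaching people, one credential per customer rather than the same one everywhere, and an audit trail of who did what) can be shown together in a small broker. The following Python is an added illustration of the pattern and is not Osirium's product or code. SimulatedHost, the customer and operator names and the passwords are all constructed for the example; the "host" is a stand-in for the RDP, SSH or API target that a real PAM system would connect to.

```python
import hashlib
import hmac
import secrets


class CredentialReuseError(ValueError):
    """The same privileged secret would serve more than one customer."""


class SimulatedHost:
    """Stand-in for a customer server (constructed for this example): accepts a
    command, or a password change, only with its current admin password."""

    def __init__(self, password):
        self._password = password

    def execute(self, password, command):
        if not hmac.compare_digest(password, self._password):
            return "AUTH FAILED"
        return f"OK: {command}"

    def set_password(self, old, new):
        if not hmac.compare_digest(old, self._password):
            return False
        self._password = new
        return True


class PrivilegedAccessBroker:
    """Minimal PAM-style broker: the operator authenticates as themselves and gets
    an opaque session id; the broker, not the person, presents the credential."""

    def __init__(self, audit_key):
        self._audit_key = audit_key
        self._vault = {}         # customer -> current admin password
        self._hosts = {}         # customer -> SimulatedHost
        self._entitlements = {}  # operator -> set of customers allowed
        self._sessions = {}      # session id -> (operator, customer)
        self.audit = []          # (operator, customer, action, session id)

    def _fingerprint(self, password):
        # Keyed hash: reuse across customers is detectable without logging plaintext.
        return hmac.new(self._audit_key, password.encode(), hashlib.sha256).hexdigest()

    def onboard(self, customer, host, password):
        fp = self._fingerprint(password)
        for other, stored in self._vault.items():
            if hmac.compare_digest(self._fingerprint(stored), fp):
                raise CredentialReuseError(f"{customer} would share a credential with {other}")
        self._vault[customer] = password
        self._hosts[customer] = host

    def entitle(self, operator, customer):
        self._entitlements.setdefault(operator, set()).add(customer)

    def checkout(self, operator, customer):
        if customer not in self._entitlements.get(operator, set()):
            self.audit.append((operator, customer, "checkout-denied", ""))
            raise PermissionError(f"{operator} is not entitled to {customer}")
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = (operator, customer)
        self.audit.append((operator, customer, "checkout", session_id))
        return session_id

    def run(self, session_id, command):
        operator, customer = self._sessions[session_id]
        self.audit.append((operator, customer, f"run:{command}", session_id))
        return self._hosts[customer].execute(self._vault[customer], command)

    def checkin(self, session_id):
        # Rotate on check-in, so a password that leaked mid-session is now useless.
        operator, customer = self._sessions.pop(session_id)
        new_password = secrets.token_urlsafe(24)
        if not self._hosts[customer].set_password(self._vault[customer], new_password):
            raise RuntimeError(f"rotation failed for {customer}; credential unchanged")
        self._vault[customer] = new_password
        self.audit.append((operator, customer, "checkin+rotate", session_id))


def demo():
    """Onboards a customer, refuses a second that reuses its password, then walks
    one operator through a brokered session. Names and passwords are made up."""
    broker = PrivilegedAccessBroker(audit_key=secrets.token_bytes(32))
    acme_host = SimulatedHost("Acme-Adm1n!")
    broker.onboard("acme", acme_host, "Acme-Adm1n!")
    try:
        broker.onboard("initech", SimulatedHost("Acme-Adm1n!"), "Acme-Adm1n!")
        reuse_rejected = False
    except CredentialReuseError:
        reuse_rejected = True
    broker.entitle("alice", "acme")
    sid = broker.checkout("alice", "acme")   # alice gets a session id, never the password
    result = broker.run(sid, "Restart-Service spooler")
    broker.checkin(sid)
    return {
        "reuse_rejected": reuse_rejected,
        "result": result,
        "old_password_works": acme_host.execute("Acme-Adm1n!", "whoami") != "AUTH FAILED",
        "actions": [action for _, _, action, _ in broker.audit],
    }
```

The design choice that matters is in checkout and run: the operator only ever holds a session id, so a phished or disgruntled operator has nothing reusable to hand over, and every privileged action is tied to a named person rather than to a shared "administrator" login. Rotation on check-in is what separates this from a plain vault, and the fingerprint check at onboarding is the cheap test for the "same credentials on every customer" habit described above.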
Gartner have made it very clear in their assessment of critical capabilities for MSPs that planning and security posture are key.
We are also very aware of a common assumption: CISOs often believe that MSPs know more about security than their own IT departments. The problem with this is that you still need to understand cybersecurity well enough to question your MSP. You could start by asking the simple question: "Do you use playbooks, a vault or PAM?"
Buffalo Jumps
This is the concept that if an MSP is compromised, all of its customers are compromised at the same time. The attacker can then demand a ransom from the MSP and all of its customers at once.
It's based on the Native American technique of driving buffalo towards a cliff to kill many animals with minimal effort.
As far as I can see, this is just a concept at the moment. It is painfully apparent that crypto-currency has given attackers a clean method of monetising their work. However, I cannot imagine that cyber criminals will want to go through all the effort of administering multiple organisations each paying part of a ransom. For the US, it's probably a matter for insurance, but it will also be an issue across Europe.
The fastest way can be the most secure way
It's clear to everyone in Osirium that secure automation is the fastest and most secure way of getting recurring and repetitive IT processes done. Up front you need good insight into the processes and some effort to define them, but after that it is fast and easy all the way. See Osirium Automation for how this is possible.
If you'd like to discuss how MSPs can and should be protecting their systems with PAM and Automation, please get in touch.