Written by Benjamin Freed
Organizations that rely on managed service providers for their IT needs were shaken up on Wednesday when cybersecurity authorities from the US, UK, Canada, Australia and New Zealand released a joint warning of increased aggression by malicious actors targeting these providers.
Local governments in the US rely on MSPs for a range of functions, but in recent years many places have become familiar with ransomware attacks in which a criminal actor targets a service provider, eventually compromising that company’s government customers.
Wednesday’s alert from the Five Eyes allies warned not only of criminal threats to MSPs, but also of increased activity by advanced persistent threat groups backed by foreign governments.
“Regardless of whether the customer’s network environment is on-premises or hosted externally, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” the alert reads. It also reminded companies to question whether their MSPs are using several key cyber hygiene tools, including multi-factor authentication, event logging, and principles of least privilege.
“It wasn’t obvious”
For local security observers, the warning couldn’t come soon enough.
“It’s almost like stating the obvious, but it wasn’t obvious,” said Alan Shark, executive director of CompTIA’s Public Technology Institute. “It’s a wake-up call to action. I think it should be taken seriously.”
Shark is an outspoken advocate for local governments, particularly those with fewer financial resources and minimal in-house capabilities, outsourcing their IT services, especially as technologies and threats become more advanced.
“More and more local governments will need to turn to MSPs for better expertise that they cannot possibly manage themselves,” he said.
But the managed service provider industry hasn’t necessarily kept pace with the changing threat landscape, Shark said. Many companies in this space offer mainline IT services — like data storage or application hosting — but no cybersecurity.
“They see themselves primarily as cloud providers,” Shark said. “They rely on local governments to maintain cyber hygiene as a shared responsibility. There are very few [MSPs] that put safety first.”
Curtis Dukes, executive vice president and general manager of best practices at the Center for Internet Security — the New York state nonprofit group that operates the Multi-State Information Sharing and Analysis Center — agreed with Shark’s assessment.
“First and foremost, you’re talking about small and medium-sized businesses in the public and private sectors,” he told StateScoop. “There is a general lack of awareness of what to ask about. You need IT services to provide services. They don’t have the skills, so they outsource.”
But security, Dukes said, isn’t typically a standard menu item in an industry built on offering essential IT products at competitive prices.
“Their key performance indicators are availability and delivery of essential IT services at the lowest price,” he said. “Security isn’t usually part of that discussion.”
A few cybersecurity events involving MSPs have shifted the conversation in recent years, notably an August 2019 ransomware attack via a service provider that trickled down to 23 communities across Texas. Similar events occurred in other states such as Louisiana, where these incidents prompted Secretary of State Kyle Ardoin to lash out at service providers.
“They don’t protect local governments,” Ardoin told StateScoop in January 2020. “When entire cities are attacked if I have to [communicate] by fax and phone because a local government cannot function, that is a problem.”
Later that year, Ardoin pushed for a law requiring MSPs serving public sector entities to register with the state and disclose cyber incidents and ransomware payments.
The conversation about MSP security became even more urgent this past July, when the IT services company Kaseya reported that a remote monitoring platform it sells to thousands of service providers was compromised by the REvil ransomware. This attack reached up to 50 MSPs, which in turn affected more than 1,500 organizations worldwide, including schools, retail stores, and several cities in Maryland.
“In a way, I saw this coming,” Shark said. “Since Kaseya, there’s been a growing concern.”
He said some MSPs were up to the task, including the company that serves Leonardtown, Maryland, one of the communities hit by the Kaseya breach. That provider, a local company called JustTech, quickly pounced on the ransomware infection and told Leonardtown employees to shut down their computers, Shark said.
“I do not think [municipal] employees could have done what this MSP did,” he said.
But that’s the exception rather than the rule in a cost-driven industry: “People think a lot of MSPs haven’t taken cyber as seriously as they should.”
Apply some pressure
Wednesday’s warning could push the MSP industry as a whole to focus more on cybersecurity — or at least that’s how it’s designed, Shark and Dukes told StateScoop.
“As an MSP or customer, I would like to know whether or not there are targeted threats to my sector,” Dukes said. “The one really important part is tactically operating around the roles and responsibilities between MSPs and their clients. I don’t think that’s always clearly defined.”
According to Shark, the alert can serve as a “checklist” for MSP clients to ensure they are following key cyber hygiene protocols such as MFA and documented incident response plans. He also said there could be additional pressure from the cyber insurance industry asking for evidence that these steps are taken before a policy is issued.
“I would advise any local government to ask their MSPs to look into this,” Shark said. “A lot of MSPs didn’t do all of those things. That will put pressure on them to do more.”