Guest Column | September 5, 2022

CISA Guidelines For MSPs And Their Customers: An Explainer

By Corey Nachreiner, WatchGuard


MSPs are attractive targets to many threat actors, and it’s easy to see why: they’re a treasure trove of information, giving hackers access to tens, maybe hundreds, of businesses’ sensitive data. According to recent research, 90% of MSPs surveyed reported increased attacks since the beginning of the pandemic.

Verteks is one such MSP; its CEO and president puts it this way:

“With the amount of sensitive customer data we manage, MSPs are a one-stop-shop for threat actors. We’ve definitely seen an increase in attacks in the wake of COVID.” – Don Gulling, CEO and President

It's no wonder then that in May of this year, the Cybersecurity and Infrastructure Security Agency (CISA) and its Five Eyes partner agencies released a joint advisory (AA22-131A) on the surge in cyber threats targeting MSPs and their customers. The advisory warns that malicious actors, including state-sponsored advanced persistent threat (APT) groups, are expected to step up their targeting of MSPs as a way of reaching the many customers downstream of them.

With attacks against MSPs and their customers growing in both volume and sophistication, many MSPs are asking how to restructure their security responsibilities, and their customer contracts, as threats against service providers escalate. CISA's advisory gives practical guidance to both sides; what follows is a walk-through of its recommendations.

Avoid Potential Breaches

Prevention is key. By following sound cybersecurity practices, users keep threats at bay before they become incidents. Watching for phishing and defending against brute-force and password-spraying attacks (lockouts, rate limiting and MFA on every externally reachable login) are concrete steps MSPs and customers can take against attackers lying in wait. Avoiding breaches requires a complete cybersecurity strategy: policy, risk-based security controls and procedures. Adopting an established framework, such as the NIST Cybersecurity Framework, is a good start.

Enable Or Boost Monitoring And Logging

In the worst case, discovering a security incident can take months, so organizations must retain their most important logs for at least six months, and preferably a year. MSPs must log the delivery infrastructure they use to service their customers, and must log internal and external customer network activity to the extent the contract requires. Customers should implement monitoring and logging of their own as well.

Customers must require reliable system monitoring and logging in their contracts. The agreement should also cover event management and visibility, and spell out how and when the MSP will notify the customer of a breach or attempted attack.

Most importantly, if customers and MSPs want to detect anything with these logs, the logs must be aggregated and normalized in one place: a failed login on a Linux bastion host and one on a Windows domain controller should end up as the same kind of event on the same timeline. This is often the missing piece in smaller organizations' security strategy, which is probably why CISA puts so much weight on what customers should require of their MSPs: many SMBs cannot do this on their own.

Make Multi-Factor Authentication (MFA) Non-Negotiable

In March 2022, CISA reported that, as early as May 2021, Russian state-sponsored APT actors had exploited organizations' default MFA configuration: a dormant account with a guessable password was enrolled in a new MFA device by the attackers, which gave them a way in. Once inside, they exploited the Windows Print Spooler vulnerability known as "PrintNightmare" to run arbitrary code with SYSTEM privileges, redirected the organization's MFA calls to a dead end so that a fail-open default let them bypass MFA entirely, and from there reached the victims' cloud and email accounts.

MSPs should urge customers to adopt MFA on every account and product, and customers should check that their MSP contract requires MFA on each offering or solution they receive. Equally important, MSPs must use MFA themselves and require it on every privileged system, above all anything remotely accessible: more than one past MSP breach started with an administrative interface the MSP had left without MFA.

Implement Zero Trust

Both MSPs and their customers should apply zero-trust principles. Too many networks are flat: every trusted employee has the same network access to everything, so one compromised workstation can reach every server. MSPs should encourage customers to redesign their networks and policies so that each employee's access is limited to what their job requires and is verified per request rather than granted once at the perimeter. This takes the MSP working with the customer to understand the business, what each role needs to reach, and how to design an architecture and policy set that supports the zero-trust paradigm.

Say Goodbye To Unnecessary Accounts And Obsolete Infrastructure

When an employee leaves, IT teams should act fast: disable the account in Active Directory and in every cloud identity provider and SaaS tool, revoke its sessions, tokens and API keys, and then remove it. Customers should likewise remove any MSP accounts once a contract ends. The same applies to infrastructure: decommission systems that are no longer needed, because an unpatched, unmonitored legacy host is an easy foothold.

Don’t Forget To Update And Backup

Patching is vital, above all for software with known vulnerabilities. CISA recommends prioritizing the vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog over those that merely carry a high CVSS score: a high score says how bad exploitation would be, not whether anyone is exploiting it, and many high-CVSS flaws are never exploited in the wild. MSPs should update internal systems as soon as possible, and customers should be completely clear on their MSP's software update policy and ask for ongoing updates to be written into their contract.
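As an added example (not code from the column, from CISA or from WatchGuard), here is the ranking rule above in Python: KEV entries first, ordered by their remediation due date, then everything else by CVSS. The catalog and scan findings are constructed sample data; the catalog reuses the field names of CISA's KEV JSON feed (cveID, dateAdded, dueDate) but with fictional CVE-2099-* identifiers, so no real vulnerability is implied. The host names and scores are likewise made up.

```python
"""Rank a vulnerability scan by CISA KEV membership first, CVSS second.

Added example for this column; not code from CISA or WatchGuard. The
catalog and findings are constructed: the catalog mirrors the
"vulnerabilities" array of CISA's KEV JSON feed (cveID, dateAdded and
dueDate are the feed's field names) but uses fictional CVE-2099-* IDs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the KEV feed: fictional CVE IDs, real field names.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "dateAdded": "2022-05-04", "dueDate": "2022-06-01"},
        {"cveID": "CVE-2099-0002", "dateAdded": "2022-04-29", "dueDate": "2022-05-20"},
    ]
}


@dataclass(frozen=True)
class Finding:
    """One scanner result: a CVE observed on a host, with its CVSS base score."""
    host: str
    cve: str
    cvss: float


# Constructed scan output; note that the highest CVSS score is NOT in the KEV list.
FINDINGS = [
    Finding("file01", "CVE-2099-0003", 9.8),
    Finding("dc01", "CVE-2099-0001", 8.8),
    Finding("web01", "CVE-2099-0004", 5.3),
    Finding("web01", "CVE-2099-0002", 7.2),
]


def load_kev(catalog: dict) -> dict[str, date]:
    """Map each KEV CVE ID to its remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}


def prioritize(findings: list[Finding], kev: dict[str, date], today: date) -> list[dict]:
    """Order findings: KEV entries first (earliest due date first), then by CVSS descending."""
    def sort_key(f: Finding):
        due = kev.get(f.cve)
        return (0 if due else 1, due or date.max, -f.cvss, f.host)

    ranked = []
    for f in sorted(findings, key=sort_key):
        due = kev.get(f.cve)
        ranked.append({
            "host": f.host,
            "cve": f.cve,
            "cvss": f.cvss,
            "tier": "kev" if due else "cvss-only",
            "due": due.isoformat() if due else None,
            "overdue": bool(due and due < today),  # past CISA's remediation date
        })
    return ranked


def rank_sample(today_iso: str = "2022-05-25") -> list[dict]:
    """Run the constructed sample through the ranking as of a fixed date."""
    return prioritize(FINDINGS, load_kev(KEV_CATALOG), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in rank_sample():
        flag = " OVERDUE" if row["overdue"] else ""
        print(f'{row["tier"]:9} {row["cve"]} cvss={row["cvss"]} host={row["host"]} due={row["due"]}{flag}')
```

Run as-is it ranks the CVSS 7.2 and 8.8 KEV findings above the CVSS 9.8 one that nobody is known to exploit. To use it for real, replace KEV_CATALOG with the JSON downloaded from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and feed in your scanner's export; the due-date ordering then mirrors CISA's own remediation deadlines.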

We all know the importance of backups in the event of a breach or emergency, but MSPs should also confirm through regular restore tests that the backup systems actually work. At least one copy should be kept offline or otherwise isolated from the production network, because a backup that a ransomware operator can reach is not a backup. MSPs should also perform regular data audits so they and their customers know what data they hold, what it is worth and where it lives. Then, if disaster strikes, recovery is a matter of executing a tested procedure rather than discovering whether the backups work.

Create An Incident Response And Recovery Plan

This one’s simple: MSPs should make sure they have a plan so that when the inevitable occurs, they can respond and get the lights back on quickly. Customers should also ensure their contract includes Business Continuity and Disaster Recovery services.

Get A Handle On Supply Chain Risks

MSPs and customers must understand and manage their supply chain risks. Customers should set clear expectations for the provider's network security and understand that an MSP with access to their data and networks is part of their own attack surface. MSPs, in turn, can assess vendor risk on behalf of their customers.

Push For Transparency

MSPs and their customers should be on the same page regarding service offerings, i.e., what they’re contractually obligated to provide vs. what they’re not. Customers should also make sure their contract notes how and when the MSP will inform customers of an incident potentially affecting their environment.

Implement Account Authentication And Authorization Best Practices

Every organization should give employees guidance on password and permission management and regularly review logs for unexpected login attempts. CISA states that “failed authentication attempts directly following an account password change could indicate that the account has been compromised” and that “network defenders can proactively search for such ‘intrusion canaries’ by reviewing logs after performing password changes.” The logic is simple: whoever held the old password (a credential-stuffing bot, a malware implant, a departed contractor's script) keeps trying it and now fails, so a burst of failures for an account right after its password was changed is an early warning sign, like the canary in the coal mine.
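The pipeline below is an added example (not code from the column, from CISA or from WatchGuard) that does two things the bulletin asks for: it normalizes authentication events from a Linux syslog source and a Windows Security event source into one schema, as the monitoring and logging section above recommends, and then runs CISA's intrusion-canary check over the merged stream. Every input is constructed: the hosts and users are fictional and the addresses are RFC 5737 documentation ranges. The Windows records use the Security event field names (EventID, TimeCreated, TargetUserName, IpAddress), with 4723/4724 as password change/reset attempts and 4625 as a failed logon; the syslog lines follow the sshd and pam_unix message formats. The 24-hour window and the failure threshold are tuning assumptions, not CISA values.

```python
"""Normalise auth logs from two sources, then hunt for CISA's "intrusion
canary": failed logins that follow a password change.

Added example for this column; not code from CISA or WatchGuard. All
inputs are constructed (fictional hosts and users, RFC 5737 addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed syslog lines (no year in the timestamp, as in real syslog).
SYSLOG_LINES = [
    "May  9 08:00:00 bastion sshd[1900]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "May 10 09:00:00 bastion passwd[2101]: pam_unix(passwd:chauthtok): password changed for alice",
    "May 10 09:15:22 bastion sshd[2200]: Failed password for alice from 198.51.100.7 port 50122 ssh2",
    "May 10 09:15:40 bastion sshd[2201]: Failed password for alice from 198.51.100.7 port 50131 ssh2",
    "May 10 10:02:05 bastion sshd[2310]: Failed password for alice from 203.0.113.40 port 41000 ssh2",
    "May 10 11:00:00 bastion sshd[2400]: Accepted password for carol from 192.0.2.9 port 42000 ssh2",
]

# Constructed Windows Security events, as a log forwarder would deliver them.
WINDOWS_EVENTS = [
    {"EventID": 4724, "TimeCreated": "2022-05-10T13:00:00Z", "Computer": "dc01", "TargetUserName": "bob"},
    {"EventID": 4625, "TimeCreated": "2022-05-10T13:30:00Z", "Computer": "dc01", "TargetUserName": "BOB", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "TimeCreated": "2022-05-12T13:30:00Z", "Computer": "dc01", "TargetUserName": "bob", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "TimeCreated": "2022-05-10T14:00:00Z", "Computer": "dc01", "TargetUserName": "dave", "IpAddress": "10.0.0.5"},
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
CHANGED_RE = re.compile(r"password changed for (?P<user>\S+)")
WIN_ACTIONS = {4723: "password_changed", 4724: "password_changed", 4625: "auth_failed"}


def normalize_syslog(lines, year):
    """Turn sshd/pam_unix lines into common events; syslog omits the year, so it is supplied."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: the collector runs in UTC
        if (f := FAILED_RE.search(m["msg"])):
            events.append({"ts": ts, "user": f["user"].lower(), "action": "auth_failed",
                           "src_ip": f["ip"], "source": m["host"]})
        elif (c := CHANGED_RE.search(m["msg"])):
            events.append({"ts": ts, "user": c["user"].lower(), "action": "password_changed",
                           "src_ip": None, "source": m["host"]})
    return events


def normalize_windows(records):
    """Map Security event IDs onto the same action vocabulary as the syslog events."""
    events = []
    for r in records:
        action = WIN_ACTIONS.get(r.get("EventID"))
        if action is None:
            continue
        ts = datetime.fromisoformat(r["TimeCreated"].replace("Z", "+00:00"))
        events.append({"ts": ts, "user": r["TargetUserName"].lower(), "action": action,
                       "src_ip": r.get("IpAddress"), "source": r.get("Computer", "windows")})
    return events


def find_intrusion_canaries(events, window=timedelta(hours=24), threshold=2):
    """Flag accounts with >= threshold failed logins inside `window` after a password change."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        for change in (e for e in evs if e["action"] == "password_changed"):
            hits = [e for e in evs
                    if e["action"] == "auth_failed" and change["ts"] <= e["ts"] <= change["ts"] + window]
            if len(hits) >= threshold:
                alerts.append({"user": user, "changed_at": change["ts"].isoformat(), "failures": len(hits),
                               "source_ips": sorted({h["src_ip"] for h in hits if h["src_ip"]})})
    return alerts


def run(year=2022, threshold=2):
    """Aggregate both sources, then hunt over the merged, normalized stream."""
    events = normalize_syslog(SYSLOG_LINES, year) + normalize_windows(WINDOWS_EVENTS)
    return find_intrusion_canaries(events, threshold=threshold)


if __name__ == "__main__":
    for alert in run():
        print(f'{alert["user"]}: {alert["failures"]} failures after change at '
              f'{alert["changed_at"]} from {", ".join(alert["source_ips"])}')
```

With the sample data, alice is flagged (three failures from two addresses within the window after her change) while bob's single post-reset failure stays below the threshold, and his failure two days later falls outside the window. The point of normalizing first is that the same rule runs over both sources unchanged; adding a third source (a VPN concentrator, a SaaS audit log) means writing one more normalizer, not another detector.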

Providers should confirm that their accounts on customer systems are restricted to the systems the MSP actually manages. Customers should confirm that no MSP account carries internal administrator rights beyond that scope, and should limit MSP accounts to specific, MSP-managed systems only.

Keep these practices in mind when building or revising your security strategy. They take work, and if that work is not done, your organization could join the growing list of cybersecurity victims making the headlines.

About The Author

Corey Nachreiner is the CSO of WatchGuard Technologies. A front-line cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news, and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys "modding" any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.