Why is Cyber Security Important to MSPs?
Aside from the obvious - we are in the midst of an epidemic of cyber attacks - cyber security is important to MSPs because, whether they want to be or not, MSPs are the tip of the spear when it comes to protecting their clients. Especially in the small and medium sized business (SMB) community, MSP clients look to their MSP for all things technical or computer related. And if they suffer a breach, irrespective of how the service contract reads, they'll be calling the MSP. Moreover, if you're an MSP and you're not providing cyber security services to your clients, another organization will.
What is MSP Security?
In today's environment, when anyone in the technology world uses the word "security," it inevitably means cyber security. Thus, the phrase "MSP Security" refers to the cyber security of the MSP's own organization, of the MSP's clients, or both. Certainly, protecting the data on the networks of an MSP's clients is often either explicitly or implicitly the responsibility of the MSP. But the security of the MSP's own infrastructure may be even more important, because the MSP holds administrative credentials and remote-management access into every client it serves: a compromise of the MSP's network can easily become illicit access to the data of all of its clients. Cyber criminals can breach one entity and potentially access many. MSP security, therefore, is the combination of protecting the MSP business's own infrastructure and protecting that of the MSP's client base.
What are the key Elements of MSP Security?
It's easy to say that the key elements of MSP security are the same as for any other business, but that's not necessarily the case. Many MSPs serve small businesses - medical practices, accounting firms, small law firms, title companies, for example - who can't afford cyber security solutions built for large enterprises with generous budgets and teams of cyber security analysts. Thus, MSP security has to be exceptionally selective: choose cyber security products that match the threat actually posed to the SMB community, and stay constantly aware not only of the cost of a security product, but also of its complexity, ease of installation, and maintenance requirements. To reiterate, cyber security solutions are all designed for a target market, so those originally conceived for the large enterprise and "dumbed down" for the SMB community can introduce a mountain of challenges for the typical MSP customer, or even for the smaller MSPs themselves.
How is MSP Security Different than Enterprise Security?
An experienced burglar can undoubtedly penetrate a home security system given enough time and commitment. But rather than expend substantial effort to rob the house with the alarm system, most thieves would likely choose to rob the house next door, the one without any defenses.
Seasoned pen testers can compromise just about any network given enough time and resources, but even those with little experience can penetrate poorly protected enterprises using freely available tools.
We've learned over the past few years that cyber criminals view the world through this kind of opportunistic lens, particularly when it comes to attacking the SMB (Small and Medium Sized Business) community. If professional cyber attackers from the Russian GRU, a Chinese PLA cyber unit, or North Korea's Bureau 121 want to compromise just about any enterprise network, it's very unlikely they can be stopped indefinitely. If an enterprise spending hundreds of millions of dollars is still at risk from sophisticated attackers, then the local roofing supply company, regional trucking provider, or 5-attorney law firm wouldn't have a chance.
Fortunately, state-sponsored attackers have much more ambitious objectives than the police department in a 10,000-person town in the midwest. Unfortunately, this does not spare the SMB community from the threat of cyber crime. In fact, there are countless cyber criminal entrepreneurs who see the SMB as a potential cash cow, largely unprotected and easy to target with broad, commoditized, automated attacks that would be much less likely to work against a larger company. The logic is disturbing for the SMB community, but solid for the attackers: when they can use the same server to target thousands of businesses and get a success rate of, say, 10%, cyber criminals can profit handsomely with little to no effort. Returning to our alarm system analogy, this means the houses without an alarm system are an easy mark, and will eventually be exploited.
What Does an Attack on an MSP’s Client Look Like?
When a nation-state actor targets a large private or government organization, the attack can take months to plan, involve weeks of probing, reconnaissance and extensive research, target specific individuals, leverage obscure vulnerabilities or spear phishing, and require multiple, highly-skilled cyber attackers. If you've never reviewed the MITRE ATT&CK Framework - you really should - it is a fascinating piece of work (see: https://attack.mitre.org/) that catalogs the tactics and techniques adversaries have been observed using in real intrusions.
While the same processes exist in attacks on the SMB, it is much, much easier to achieve success in that community, as evidenced by the countless number of hacks and ransomware incidents we see hitting the SMB every day.
It is easier because SMB systems and networks will never be defended the way an enterprise network can be. This comes down to the simple economics of time, money, and people. Building a sophisticated security program that accounts for every stage of the attack lifecycle is no easy effort. Because of this, cyber criminals can be highly successful using widely available tools to identify targets with glaring vulnerabilities, and in the largely unprotected SMB world there is no shortage of options for the bad guys. Take, for example, a port scanning tool called masscan, available free of charge on GitHub, that can "scan the entire Internet in 5 minutes." Cyber criminals use tools like this to find open ports on networks anywhere. An open port is not itself a vulnerability, but it is an unlocked gate: the service listening behind it is what gets attacked, and finding those gates at Internet scale is the foundation of many successful attacks.
What are MSP Security Vulnerabilities?
No software is perfectly coded. As applications grow in sophistication and are integrated with other complex software systems, flaws or gaps in security are inevitable. These flaws are called vulnerabilities, and publicly disclosed ones are assigned Common Vulnerabilities and Exposures (CVE) identifiers through the CVE program run by MITRE; the US government's National Institute of Standards and Technology (NIST) catalogs and scores them in its National Vulnerability Database. CVEs are ubiquitous, and growing, totaling over 18,000 reported in 2020, or about 50 per day. CVEs become the genesis of cyber attacks when "exploits" for them (code or a procedure that triggers the flaw to gain access, run commands, or crash a system) are created and sold, often on the dark web.
Exploits for many CVEs require a network-exposed service to be reachable, which is why port scanners like masscan are essential tools in the attacker's toolkit. Thus, attackers pick a vulnerability - often one recently disclosed and unlikely to have been patched yet by the targeted victims - scan the Internet for the port or ports on which the vulnerable software listens, fingerprint the banners or responses to confirm the software and version, and attack the organizations satisfying those criteria...a process that's nearly 100% automated.
So, when you learn that a local chain of lumber yards was the victim of a ransomware attack, it wasn't because the attackers meticulously surveilled the lumber yard's network, or laboriously researched its employees to exploit a social media tidbit tied to an obviously-guessable password. No. The lumber yard was simply one of many entities that happened to have deployed the vulnerable software version, and its network configuration presented the port scan characteristics that let the chosen exploit work.
As they say in the mob movies: “it’s not personal, it’s just business.”
As an SMB or an MSP that serves SMBs, there are some stark realities to contend with in this discussion. First, with tens of thousands of vulnerabilities in deployed software today and 50 new CVEs being introduced daily, it's impossible to plug all the holes; what you can do is know which of your services are reachable from the Internet and patch those first, because that is exactly the list the attackers are working from. Second, if your business is connected to the Internet - and which one isn't in 2021? - you're being scanned and probed for open ports and the vulnerabilities that lie behind them, probably much more often than you might expect.
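That scanning is visible in your own firewall's deny logs if you look for it, and because it is automated it has a recognizable shape. The following Python script is an added example, not code from the original article or its author: it reads firewall deny events in an assumed, constructed log format (one line per denied connection; adapt the regex to whatever your firewall actually emits) and flags two patterns, a "vertical" sweep (one source walking many ports on one of your hosts) and the masscan-style "horizontal" sweep (one source hitting the same port across many of your hosts). The sample log lines it builds are constructed, not real traffic, and use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall deny-log format (constructed for this example; real products differ):
#   2021-03-04T10:15:01Z DENY 198.51.100.7:51021 -> 203.0.113.10:22 TCP
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(lines):
    """Yield (timestamp, src, dst, dport) for each DENY line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # ALLOW lines, other products' messages, blank lines
        yield datetime.strptime(m["ts"], TS_FMT), m["src"], m["dst"], int(m["dport"])


def detect_scanners(lines, window=timedelta(seconds=60), min_ports=15, min_hosts=10):
    """Return {src_ip: [finding, ...]} for sources whose denied traffic looks automated.

    Two shapes are flagged, both judged over the source's first-to-last event span
    (a production detector would use a sliding window so slow scans are not missed):
      vertical   - one target, many distinct ports   (classic port sweep)
      horizontal - one port, many distinct targets   (masscan-style single-port sweep)
    """
    span = {}                                                   # src -> [first_ts, last_ts]
    ports_by_target = defaultdict(lambda: defaultdict(set))    # src -> dst   -> {dport}
    targets_by_port = defaultdict(lambda: defaultdict(set))    # src -> dport -> {dst}

    for ts, src, dst, dport in parse_events(lines):
        first_last = span.setdefault(src, [ts, ts])
        first_last[0] = min(first_last[0], ts)
        first_last[1] = max(first_last[1], ts)
        ports_by_target[src][dst].add(dport)
        targets_by_port[src][dport].add(dst)

    findings = defaultdict(list)
    for src, (first, last) in span.items():
        duration = (last - first).total_seconds()
        if duration > window.total_seconds():
            continue  # activity too spread out for this simple burst detector
        for dst, ports in ports_by_target[src].items():
            if len(ports) >= min_ports:
                findings[src].append({"kind": "vertical", "target": dst,
                                      "distinct_ports": len(ports), "duration_s": duration})
        for dport, hosts in targets_by_port[src].items():
            if len(hosts) >= min_hosts:
                findings[src].append({"kind": "horizontal", "port": dport,
                                      "distinct_hosts": len(hosts), "duration_s": duration})
    return dict(findings)


def build_sample_log():
    """Constructed deny log (not real traffic) with two scanners and one benign source."""
    base = datetime(2021, 3, 4, 10, 15, 0)
    fmt = "{ts} DENY {src}:{sport} -> {dst}:{dport} TCP"
    stamp = lambda delta: (base + delta).strftime(TS_FMT)
    lines = []
    # 1) vertical sweep: one outside host walks 25 ports on a single server in ~12 s
    for i in range(25):
        lines.append(fmt.format(ts=stamp(timedelta(seconds=i // 2)), src="198.51.100.7",
                                sport=51000 + i, dst="203.0.113.10", dport=20 + i))
    # 2) horizontal (masscan-style) sweep: port 445 across 12 of our hosts in ~3 s
    for i in range(12):
        lines.append(fmt.format(ts=stamp(timedelta(seconds=i // 4)), src="192.0.2.99",
                                sport=40000, dst=f"203.0.113.{i + 1}", dport=445))
    # 3) benign: a partner host retried one closed port three times over ten minutes
    for i in range(3):
        lines.append(fmt.format(ts=stamp(timedelta(minutes=5 * i)), src="198.51.100.200",
                                sport=50100 + i, dst="203.0.113.10", dport=8443))
    # an unrelated ALLOW line that the parser must ignore rather than choke on
    lines.append("2021-03-04T10:15:07Z ALLOW 203.0.113.10:443 -> 198.51.100.200:50123 TCP")
    return lines


if __name__ == "__main__":
    for src, hits in detect_scanners(build_sample_log()).items():
        for h in hits:
            print(src, h)
```

Tune `min_ports`, `min_hosts` and `window` to your own address space and traffic; the point is that a human retrying a closed port looks nothing like a script touching 25 ports in twelve seconds, which is why the last section's claim that automated attacks are easier to catch holds up in practice.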
Are MSPs and their Clients Likely to be Targeted by Sophisticated Threat Actors?
The good news is that, as an SMB, it's highly unlikely you're being specifically targeted by sophisticated bad actors; the attacks to which you're most vulnerable are automated and impersonal. And automated attacks are easier to stop - or to catch quickly - than those launched by sophisticated threat actors, because they are noisy and repetitive: the same port, the same exploit, fired at many targets, which produces patterns that even modest monitoring can recognize.
Author: Eric Clay