This article by Ryan Heidorn originally appeared in CISO Mag.
As if 2020 isn’t challenging enough for businesses, reports warn that Managed Service Providers (MSPs), often contracted to provide outsourced IT and cybersecurity services, can represent a significant security risk to the companies they protect. The U.S. Government and cybersecurity firms are sounding the alarm that MSPs represent a significant threat vector for enabling breaches or spreading ransomware to their customers.
Ironically, many businesses hire MSPs to address their cybersecurity challenges (a 2019 SANS Institute survey found that one-third of small business respondents were outsourcing cybersecurity). But the MSP cybermaturity problem is real – and well documented. In a security alert released in June 2020, the U.S. Secret Service warned that their global investigations team continues to see an increase in incidents of hackers specifically targeting MSPs as a springboard into their customers’ internal networks.
Because MSPs often use centralized platforms to manage remote access into their customers’ environments, they are an attractive target for cybercriminals seeking to exploit this one-to-many relationship. CrowdStrike’s 2020 Global Threat Report states, “An alarming trend in targeted ransomware operations is the compromise of MSPs. Subsequent use of remote management software can enable the spread of ransomware to many companies from a single point of entry.”
Perch Security details real-world examples of this threat in their 2020 MSP Threat Report. One of the most prominent examples is APT10, a nation-state hacker group, attributed to China, also known as STONE PANDA. In 2019, the FBI reported that APT10 had hacked into the eight largest MSPs, with the end goal of pivoting into the MSPs’ customers’ networks.
If your business uses a third-party vendor like an MSP or MSSP to manage your IT or security operations, for better or worse, you inherit many elements of the vendor’s own internal cybersecurity maturity (or immaturity). Because of the direct relationship between your MSP’s security practices and your organization’s security posture, there is significant upside for your organization if your MSP has developed a mature security practice and substantial risk if they have not.
The “maturity check” below includes 21 questions you should ask to vet a potential MSP or MSSP partner to understand their security posture, along with some suggested actions based on the answers you may receive.
Security starts with governance.
1. Is the MSP’s security program based on a publicly vetted framework, such as the NIST Cybersecurity Framework or CIS Controls? It should be. When it comes to building cybersecurity maturity, a standards-based approach is always better than trying to piece together ad hoc security.
2. Has the MSP designated an internal Information Security Officer or similar role? Ask about this person’s experience and qualifications, if he or she exists, as well as finding out how many other internal staff are in security-relevant roles.
3. Request a copy of the MSP’s information security plan and related policies. You’ll likely need to be under NDA for the vendor to consider sharing these documents. If they are reticent to provide this information, ask if you can see the table of contents – this may give you an idea of how robust their security program is (or is not).
4. How does the MSP support their clients’ compliance requirements? (For companies subject to DFARS or CMMC, see our article on additional compliance considerations for working with an MSP.)
Get to know the people you’ll be working with.
5. Will the MSP subcontract any work in conjunction with delivering services to your business? If so, you should find out if these contractors are contractually bound by the MSP’s security policies, and/or if relevant compliance requirements flow down contractually from you, the client, to relevant subcontractors.
6. What kind of background checks does the MSP conduct on its employees and contractors? Make sure these checks are, at the very least, on par with what your company requires for its own employees.
7. If you need to comply with export control requirements like EAR or ITAR, are the MSP’s staff all US Persons? They likely need to be if they will have access to your network.
8. Does the MSP employ individuals with cybersecurity credentials such as CISSP or CISM? Certifications aren’t everything, but they are an indicator that the MSP has invested in hiring the necessary skillsets to secure their own systems and manage yours.
Your MSP should practice what they preach.
9. What security technologies are employed on the MSP’s internal systems and infrastructure? Make sure the MSP is meeting best practices in basic cybersecurity hygiene categories like network security, access control, and multi-factor authentication.
10. How does the MSP assess and manage risk? Determine the frequency with which the MSP conducts risk assessments and ask for details (who, what, when, where, how) on their internal risk management program.
11. Where does the MSP store client data – including network diagrams, configurations, and knowledge base articles – and what access controls, authentications methods, or other security practices are in place to ensure that client security and compliance requirements are being met?
12. Does the MSP conduct regular vulnerability scanning of its environment? If so, are scans conducted internally, externally, or both? You should be aware of your MSP’s process and timeline for detecting and remediating vulnerabilities.
13. How does the MSP manage configuration changes to their internal systems? Determine if the MSP has a formal change management process in place to control the security configuration of critical systems.
Access to your network should be authorized and controlled.
14. How does the MSP manage access to your environment? Many MSPs rely on software products designed to manage multiple clients simultaneously, including remote monitoring and management (RMM) platforms, which are frequently the target of attacks such as those mentioned in this article. While RMM platforms help MSPs deliver services at scale, vulnerabilities in these systems are leveraged by attackers to gain access or simultaneously spread malware to all the MSP’s clients.
- Ask about the infrastructure used by the MSP to deliver services to clients. Where are these systems hosted – on-premises or in the cloud? Who is responsible for managing vulnerabilities on these systems – the MSP or another vendor?
- What access controls, authentications methods, or other security practices are in place to secure these systems?
- How does the MSP protect its systems to prevent attackers from moving laterally from one point of entry to gaining access to all the MSP’s clients? Similarly, how does the MSP segment data, documentation, and management capabilities for different clients?
15. What are the MSP’s practices for managing privileged account credentials, private keys, and other secrets? Make sure that a breach of the MSP’s RMM platform would not expose this information to attackers.
16. Does the MSP retain access logs of remote connections to their clients’ networks? If so, this information should be regularly reviewed for unauthorized activity.
17. Does the MSP operate a security operations center (SOC) or subscribe to a third-party service? There should be continuous monitoring systems in place to identify suspicious, anomalous, or unauthorized activity across the MSP’s systems and network.
The best MSPs prepare for the worst.
18. What are the MSP’s backup and recovery strategies for systems that contain client data or are used to deliver services to clients?
19. Does the MSP undergo periodic testing of their security controls (e.g., penetration testing, red teaming, security controls validation)? If so, request the results of the most recent test – like security documentation, you will likely need to be under NDA to receive this information.
20. How prepared is the MSP to respond to security incidents? Request details of the MSP’s incident response plan and dig into their Service Level Agreement (SLA) for reporting incidents to clients. If it is not already part of your standard contract terms, consider contractually requiring the MSP to report relevant security incidents to you.
21. Does the MSP retain any third-party services for responding to a breach of its own systems or client systems? Determine the MSP’s insurance coverage amounts (cyber liability and professional liability) and assume the MSP will get breached – do they have the resources to respond rapidly and appropriately?
There’s no such thing as perfect security, and if your MSP doesn’t have good answers for each of these questions, it doesn’t necessarily mean they are putting your company at risk. But the strongest indicator of an MSP’s ability to secure their clients’ information may be the nature of their own internal security practices. Like the story of the cobbler’s children who go without shoes, some MSPs operate at low cybersecurity maturity even as they sell security solutions to their clients. The best way to determine if your MSP is the right fit for your business and not a potential source of cybersecurity headaches is to have a candid conversation about their security practices. Getting the answers to these 21 questions is a great place to start.