Don’t judge a book by its cover. Not all that glitters is gold. If it sounds too good to be true, then it probably is.
These are critical phrases to keep in mind when hearing pitches from Managed Service Providers (MSPs), since many of them will make claims to get your business but then deliver the minimal amount of support and security possible.
With the upsurge in the general public’s awareness of cybersecurity, the number of blatantly unethical claims about service providers’ ability to protect your environment has surged as well. Phrases like “#1 cybersecurity firm in <insert city name here>”, “Secure your systems with our advanced compliance package”, and “Go beyond regular support and talk to us about our Security and Compliance offerings!” are prominently plastered on the home pages of thousands of managed IT providers. This dangerous, but legal, misrepresentation of ability and skill sets hurts not only the clients of the MSP but all of us.
There is a distinct difference between IT support and security services. IT support is focused on making sure everything works from the user’s perspective. Security services are focused on configuring systems so that illicit activity is difficult to carry out. IT support innately bolsters functionality at the cost of security.
This difference in focus can lead to catastrophic incidents. As we’ve seen in recent weeks, an MSP missed a critical part of cybersecurity by failing to patch a vulnerability that was over a year old. The result was that 2,000 systems belonging to their customers were encrypted by ransomware and all the data was lost. A different set of MSPs have fallen victim to an active exploit of a plugin used with their endpoint agent. Another MSP was recently hacked, resulting in the loss of close to two decades’ worth of customer data. These examples are just from 2019.
You don’t have to take our word for it. Here are a few quotes from the subreddit r/msp:
“Just had a former customer call us yesterday, their SQL data files got encrypted over the weekend. Their trunk-slammer pizza tech left RDP open to the world and looks like they got into the server around early December and just hung out for a while. They had NordVPN installed and everything, and had disabled the backups. Didn't even have to rely on a drive-by download to infect, they encrypted just the files they wanted and waited for Monday morning.” - e2346437 (Reddit)
“This is a common problem with many MSP tools, Kaseya in particular, but Connectwise is guilty of it. They are mostly what I call "Blender software" where they buy a bunch of different fruit (software tools), blend it in their special blender (slap a web interface on it) and sell it to clients acting like they are the ones who grew the fruit. Problem is when fruit goes bad, the vendor is either clueless it happened or doesn't know how to fix it because they are not the original fruit vendor. Add on MSPs' general disregard of security best practices, the margins they operate under, and I'm not shocked this doesn't happen more.” -rabbit994 (Reddit)
“I don't think I've met a sales engineer that would say anything other than "oh our product would totally save you in that scenario".” - disclosure5 (Reddit)
“MSPs don't need to be secure to conduct business. Security gets in the way of productivity and with AYCE productivity = profit. Just like a car salesman doesn't have to know how to fix cars to sell them. People just want their car to get from A to B and don't care if you can open the door with a coat hanger. That's what insurance is for.” - striker1211 (Reddit)
As pentesters, we go up against MSP “security” controls on a regular basis. About 3% of the time the client will get a notification that suspicious activity has been seen. Those notifications are related to roughly 1% of the malicious activity conducted.
Just to reiterate: 97% of the time the MSP catches nothing and the other 3% they miss 99% of malicious activity.
Are those stats really acceptable to your risk appetite?
In addition to not securing the environment to the level they promise, MSPs will often connect their clients back to the MSP’s office with VPNs for management convenience. Combined with poor security practices, this leaves a bridge between the networks of the MSP’s clients, meaning that when Company A gets infected with malware, Company B gets infected as well.
Additionally, the reuse of administrative credentials across multiple customers on a shared VPN also introduces the ability for data from Company A to be exfiltrated through the network of Company B. This introduces potential competitive disadvantages and loss of intellectual property.
This does not mean you shouldn’t use MSP services. It means you shouldn’t exclusively rely on them to protect your environment or data. You wouldn’t trust a plumber to repair your circuit breaker and you wouldn’t consult an electrician about a septic tank issue. They’re both critical to the maintenance of the building, but they have completely different focuses and areas of expertise.
This does mean you should communicate with your MSP to determine what they are and what they aren’t doing. Request compliance reports such as: PCI DSS, NIST, ISO 27001, ITIL, SOC. Request to see their latest penetration test report. Confirm what, if any, security certifications the engineers and technicians hold.
An MSP should be more than an outside vendor to the organization. They will effectively become employees and custodians of your organization's most valuable assets. They should be proactive in planning and executing clear strategies that provide greater ROI and reduce the TCO by providing sufficient defensive capabilities, implementing proper access control, and avoiding common errors, such as lack of patching and leaving default credentials in place.
If you feel as though, or know for a fact that:
- Your MSP preached security during the sales process but has not reported on or discussed actions taken for the sake of security since,
- Your MSP only communicates regarding financial matters,
- Your MSP doesn’t have any security certifications,
- Your MSP only provides remote support after on-boarding,
- Your MSP has left default credentials on devices,
- Your MSP tells you they’ve never suffered a breach or incident,
- Your MSP cannot provide you with copies of their Information Security Policies, or
- Your MSP is not constantly monitoring your company’s growth and direction to mirror their support strategy to your needs,
Feel free to reach out to us and we will help you uncover the reality of your network’s exposure to malicious activity.