Managed service provider security may not be quite as good as owners would like to believe, if the experience of one penetration testing organization is any indication.
Infogressive Inc., a managed security services provider (MSSP) based in Lincoln, Neb., asked one of its largest managed service provider (MSP) customers if it could conduct a pen test. The companies agreed to a challenge: Infogressive would set a 20-hour time limit to gain a foothold in the MSP's network, gain domain admin access and let the MSP know pen testers were there.
The MSSP's pen testers conducted reconnaissance using BuiltWith, a website profiling tool, to gather information on the technologies used to build the MSP's site; InSpy, a LinkedIn enumeration tool to discover employees by title, role or department; and Recon-ng to uncover sub-domains to help reveal the attack surface. The pen testers used a phishing attack to obtain credentials and used them to get into the MSP's corporate email and onto its VPN, creating a foothold.
Next, the Infogressive testers, while on the VPN, used the Nmap network scanning tool to search for available hosts and were able to find the MSP's remote monitoring and management (RMM) tool. The testers used the same credentials and a company ID code, which they obtained from one of the RMM vendor's support staffers via social engineering, to access the RMM system. With access to the RMM tool, Infogressive had access to all of the MSP's customer and domain admin credentials -- all readable in clear text. The testers created an Infogressive domain admin account as a sign of their presence.
The entire process took less than 10 hours and didn't require any techniques, such as buffer overflow attacks, that would call for significant security training, according to Infogressive's CEO Justin Kallhoff, who discussed the pen testing scenario at last month's MSPWorld conference. What's more, the targeted MSP was not a tiny company, but a service provider with more than 100 employees and $60 million in revenue.
MSPs increasingly targeted
Easily exploited vulnerabilities are particularly troubling as more hackers target MSPs.
"MSPs are just beginning to be really targeted," Kallhoff said, noting the increased frequency of activity over the last 12 to 24 months.
An October 2018 alert from US-CERT, the U.S. Department of Homeland Security's Computer Emergency Readiness Team, put MSPs on notice regarding advanced persistent threat activity. Attackers are "using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks," according to the alert. An alert from the Australian government's cybersecurity center also cited MSP security, stating service providers "have been targeted in a global cyber campaign since at least mid-2016."
MSPs' remote management of numerous clients makes the industry "a big target," said Robin Chow, founder and president of Xbase Technologies, a Toronto-based MSP. A cybercriminal can "hack one [MSP] and get access to hundreds of different clients all at once," he said.
MSPs are also being targeted by specific types of cyberattacks, such as ransomware. An MSP has a greater capacity to pay ransom than an individual small business client, a fact that is not lost on attackers, said Chow, who also spoke at the MSPWorld conference.
Improving managed service provider security
Infogressive's Kallhoff offered the following suggestions for MSPs:
- Make sure you are doing all the things you tell your best customers to do regarding security.
- Don't provide corporate email addresses on LinkedIn or other social networking sites.
- Don't store credentials in an RMM tool -- it's not a password vault.
- Use multifactor authentication everywhere.
- Select technology tools based on security efficacy, not on their ability to integrate with RMM tools.
- Start learning about endpoint detection and response technology.
Some industry executives suggested MSPs should pursue tighter vendor management to protect themselves from security lapses. Customers expect MSPs to protect the tools they use to provide managed services, host applications and offer cloud services, said Robert Scott, managing partner at Scott & Scott LLP, a law firm in Southlake, Texas, that specializes in the MSP market.
"You have to be thinking in terms of vendor management," he said. MSPs should perform due diligence when selecting tool vendors, examining their security policies and determining who pays if something goes amiss, Scott said.
"You have to be prepared to switch tools sometimes," said John Burgess, co-founder and president of Mainstream Technologies, a managed services, software development and infrastructure provider in Little Rock, Ark.
Kallhoff, however, questioned the viability of vendor management for MSPs, noting the difficulty of forcing RMM vendors to perform a full code review for application vulnerabilities.
More security pressure
While MSPs face their own security challenges, they must also deal with the risks their customers face. Scott said one of the biggest changes in the MSP market in recent years has been customer expectations regarding security.
Years ago, MSPs offered no warranties or indemnities. Today, in contrast, customers expect MSPs to ensure their data is safe, take financial responsibility should anything go wrong, and abide by all the applicable laws and regulations, Scott said.
"I have seen a complete sea change," he said, noting that MSPs must now anticipate some degree of risk transfer from the customer to the service provider.