12 tips for MSPs from global security agencies

Australian, Canadian, New Zealand, UK and US security agencies have issued new guidelines on how Managed Services Providers (MSPs) can protect themselves and their customers against attacks. 

The Australian Cyber Security Centre and its parallel, international partners such as the US Cybersecurity and Infrastructure Security Agency (CISA) published the advice to MSPs in their ‘Joint Cybersecurity Advisory’, which, “enables transparent discussions between MSPs and their customers on securing sensitive data.”

The advisory made 12 recommendations to MSPs, provided instructions on how to implement them and included cyber agencies’ research and manuals to better understand threats and defences. 

Click through the slides to check out the latest recommendations.

1. Prevent initial compromise

The advisory said MSPs needed to prevent the initial compromise of vulnerable devices and internet-facing services by:

Improving the security of vulnerable devices.

Protecting internet-facing services.

Defending against brute force and password spraying.

Defending against phishing.

2. Enable/improve monitoring and logging processes 

The advisory said organizations should store their most important logs for at least six months through a comprehensive security information and event management solution or discrete logging tools and maintain a segregated logging regime to detect threats to networks. 

MSPs should implement endpoint detection and network defence monitoring capabilities in addition to using application 'allowlisting' or 'denylisting'.

MSPs should log the delivery infrastructure activities used to provide services to the customer. MSPs should also log both internal and customer network activity, as appropriate and contractually agreed upon.

3. Enforce multifactor authentication 

The spy agencies said MSPs should secure remote access applications and enforce MFA where possible to harden the infrastructure that enables access to networks and systems.

They also noted that Russian state-sponsored APT actors recently demonstrated their ability to exploit default MFA protocols, and advised organizations to review configuration policies to protect against “fail open” and re-enrollment scenarios.

4. Manage internal architecture risks and segregate internal networks 

The advisory advised MSPs to identify, group, and isolate critical business systems and apply appropriate network security controls to them to reduce the impact of a compromise across the organization. 

MSPs should review and verify all connections between internal systems, customer systems, and other networks, segregate customer data sets from each other—as well as from internal company networks—to limit the impact of a single vector of attack and not reuse admin credentials across multiple customers.

5. Apply the principle of least privilege 

The advisory recommended MSPs apply the principle of least privilege throughout their network environment and immediate update privileges upon changes in administrative roles and use a tiering model for administrative accounts so that these accounts do not have any unnecessary access or privileges.

6. Deprecate obsolete accounts and infrastructure.

The guidelines said that MSPs should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.

They also said that organizations should audit their network infrastructure—paying particular attention to those on the MSP-customer boundary—to identify and disable unused systems and services. 

“Port scanning tools and automated system inventories can assist organizations in confirming the roles and responsibilities of systems.”

7. Apply updates

The spy agencies said MSPs should update software, including operating systems, applications, and firmware and prioritize applying security updates to software containing known exploited vulnerabilities. 

“Organizations should prioritize patching vulnerabilities included in CISA’s catalogue of known exploited vulnerabilities (KEV) as opposed to only those with high Common Vulnerability Scoring System (CVSS) scores that have not been exploited and may never be exploited.”

8. Backup systems and data

The advisory recommended that MSPs regularly update and test backups and store backups separately from network connections because many ransomware attacks attempt to find and encrypt/delete accessible backups.

9. Develop and exercise incident response and recovery plans

The advisory recommended that MSPs maintain incident response and recovery plans that include roles and responsibilities for all organisational stakeholders, such as executives, technical leads, and procurement officers  Plans should be hard-copy to ensure responders can access them should the network be inaccessible.

10. Understand and proactively manage supply chain risk 

The guidelines said that MSPs should proactively manage ICT supply chain risk across security, legal, and procurement groups and use risk assessments to identify and prioritize the allocation of resources.

11. Promote transparency 

“Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities,” the report stated.

12. Manage account authentication and authorisation 

The spy agencies recommended that MSPs review logs for unexplained failed authentication attempts. 

“Failed authentication attempts directly following an account password change could indicate that the account had been compromised,” the report stated. 

“Network defenders can proactively search for such ‘intrusion canaries’ by reviewing logs after performing password changes—using off-network communications to inform users of the changes—across all sensitive accounts.”