Who watches the watchers? You expect a managed service provider to protect your security, but it has to protect its own as well. MSPs are targets because they’re a gateway to many clients’ systems. At Kraft Technology Group, we take the strongest precautions to protect both our own systems and yours.
Attacks with strong backing
The attempts to penetrate MSPs are sometimes high-powered and international in scope. The Department of Justice recently unsealed an indictment against members of the APT10 Hacking Group, a China-based gang with connections to the government. This group has been active since 2006, breaking into computers in at least 12 countries. Its alleged crimes include stealing sensitive personal data on over 100,000 personnel in the U.S. Navy.
In 2014, APT10 launched what the DoJ calls the MSP Theft Campaign. It targeted MSPs in order to get access to their clients’ systems. The victims included businesses in telecommunications, electronics, manufacturing, healthcare, and other areas. One unnamed victim was “a global financial institution.” The Wall Street Journal reported that computer services operations of IBM and HP Enterprise were among those breached.
The MSP Theft Campaign used a three-step approach:
- APT10 got access to computers belonging to MSPs and installed hard-to-detect malware. It used the malware to steal administrative credentials.
- The group used the credentials to gain access to other machines on the MSP’s network and on clients’ networks. It then installed malware on these machines.
- Using the malware, it identified valuable data and packaged it in an encrypted archive. To better cover its tracks, it moved these archives between machines it had compromised before downloading them.
According to the DoJ report, the members of APT10 worked for a company called Huaying Haitai Science and Technology Development Company, in association with the Tianjin State Security Bureau. They gave stolen business information to China’s intelligence service. This level of support let the attackers use intrusion methods and computing power that are very difficult to defend against.
Why MSPs are targets
Managed services have grown in popularity in recent years. Businesses look for greater expertise than their own for their increasingly complex networks. This is a sensible approach. However, it makes the service providers attractive targets, and it creates new ways to go after the clients’ systems. MSPs need to take great care not to open their clients’ networks to new risks.
An alert by US-CERT notes that “MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure.” It further warns that “a compromise in one part of an MSP’s network can spread globally.” If its network has weak security, criminals can use it to gain access to many clients with one attack. Criminals, like everyone else, favor economy of effort.
This doesn’t mean that managed services are inherently unsafe. It means that the MSP’s systems are part of a client’s attack surface and need to be as thoroughly defended as the client’s own computers. The service provider needs to configure its access in a way that minimizes the damage hijacked accounts can do.
Communication between the MSP and its clients can leak information if done carelessly. Interception or spoofing of email could give valuable information to criminals, making it easier for them to break into systems.
The currently favored approach is advanced persistent threats, or APTs. These are malware programs which stay on the victim’s computer for weeks or months, quietly collecting information and sending it to gangs such as APT10. The aim is espionage rather than quick one-time income. Trade secrets bring money on the black market. Large sets of personally identifiable information, such as credit card and bank account numbers, likewise bring in substantial profits.
Choosing your MSP wisely
While these risks exist, choosing a good managed service provider increases a business’s security. Only the largest businesses can afford specialized IT and security staffs to hold off the many threats that their networks face. Working with a business whose specialty is system management and security is better than winging it internally.
What’s important is to make the right choice. Anyone can offer managed services. Not everyone does the job right. A good MSP has the right PPT: People, Processes, and Technology.
From the top management down, everyone at a high-quality MSP takes their responsibilities seriously. They’re well trained, and they have passed background checks. When signs of a problem arise, they respond quickly. They’re always looking for ways to improve, and they communicate clearly with clients.
When evaluating a service provider, you want people who can talk intelligently about technical issues. You want a plain statement of how they will manage your systems. If all that you get is a sales pitch, keep looking.
Quality service requires not just good people but a consistent set of processes that they follow.
Accounts need to be strongly protected. Each account should have access only to the systems it manages. Wild-card accounts let intruders penetrate many systems if they get access. Administrative accounts, the ones that create new accounts and grant access, should reside only on the most protected parts of the network. Agents installed on client systems, such as ones for network monitoring, should run as service accounts that can’t use interactive logins.
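The account rules above can be checked mechanically against an account inventory. The following is an added example, not Kraft Technology Group's own tooling; the inventory format, field names, account names, and the `mgmt-enclave` segment are all assumptions made for illustration.

```python
"""Audit an MSP account inventory against the account rules described above."""

# Assumption: the segment the MSP treats as the most protected part of its network.
PROTECTED_SEGMENTS = {"mgmt-enclave"}

# Constructed sample inventory; every name and field here is hypothetical.
ACCOUNTS = [
    {"name": "tech-alice", "kind": "technician", "segment": "helpdesk",
     "grants": ["clientA-web01", "clientA-db01"],
     "manages": ["clientA-web01", "clientA-db01"], "interactive": True},
    {"name": "tech-shared", "kind": "technician", "segment": "helpdesk",
     "grants": ["*"], "manages": ["clientB-fs01"], "interactive": True},
    {"name": "tech-bob", "kind": "technician", "segment": "helpdesk",
     "grants": ["clientB-fs01", "clientC-app01"],
     "manages": ["clientB-fs01"], "interactive": True},
    {"name": "adm-provision", "kind": "admin", "segment": "helpdesk",
     "grants": ["idp"], "manages": ["idp"], "interactive": True},
    {"name": "svc-monitor", "kind": "agent", "segment": "clientA",
     "grants": ["clientA-web01"], "manages": ["clientA-web01"], "interactive": True},
]

def audit_account(acct):
    """Return the list of rule violations for one account record."""
    findings = []
    for grant in acct["grants"]:
        # Rule 1: no wild-card access, and no access beyond managed systems.
        if any(ch in grant for ch in "*?"):
            findings.append(f"wildcard grant {grant!r}")
        elif grant not in acct["manages"]:
            findings.append(f"grant {grant!r} outside managed systems")
    # Rule 2: administrative accounts live only on the protected segment.
    if acct["kind"] == "admin" and acct["segment"] not in PROTECTED_SEGMENTS:
        findings.append(f"admin account on unprotected segment {acct['segment']!r}")
    # Rule 3: agents run as service accounts without interactive login.
    if acct["kind"] == "agent" and acct["interactive"]:
        findings.append("agent account allows interactive login")
    return findings

def audit(accounts):
    """Map account name to findings, omitting accounts that pass every rule."""
    return {a["name"]: f for a in accounts if (f := audit_account(a))}

if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```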
Logging is important for detecting and diagnosing intrusion attempts. The service provider should retain its logs for at least 30 days and have a review procedure.
The provider should use the latest, strongest technology for protecting its clients’ systems, as well as its own.
All connections between the MSP and the client systems must be encrypted. A VPN is one of the best ways to ensure a secure connection.
The service provider should be diligent in keeping both its own software and its clients’ software updated with all security patches. Known vulnerabilities in old operating systems and applications are a favorite avenue of attack.
The provider should use host-level firewalls to keep each client’s systems isolated from each other. These firewalls also protect the clients from inappropriate access from the provider’s own systems.
We take our commitments seriously
Kraft Technology Group treats your security and our own with equal vigilance. We meet all applicable compliance standards and will spell out exactly how we guard your systems. To make sure we live up to our own standards, we submit to an annual audit of our practices.
When you work with Kraft Technology Group, you have constant protection for your network and data. Talk with us, and we’ll answer all your questions about our services.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.