MSPs have transformed how small and midsized businesses operate. An estimated 88% of SMBs use or are considering using an MSP, allowing these companies to focus on delivering business solutions without having to manage their IT infrastructure in-house.
However, one of the most challenging security problems MSPs face today is the use of insecure legacy protocols. Secure versions of these protocols are available but not consistently used. There are several reasons for this, including:
- Misconfigured systems
- Legacy applications or scripts that still use older protocols
- Devices running older versions of software that have not been updated to use secure protocols
- Legacy devices that do not support newer protocols, especially IoT devices, control devices, or other closed systems
In many cases, MSPs are not even aware that outdated protocols are being used, or dramatically underestimate their usage.
Risks of Using Insecure Protocols
Insecure protocols either don’t use strong authentication or don’t encrypt the data being transmitted. This leaves systems vulnerable to:
- MITM (man-in-the-middle) or replay attacks
- Packet sniffing attacks, allowing attackers to steal data, usernames, and passwords
- Unauthorized access by hackers disguised as valid users or endpoints
Some protocols, such as LDAP, send usernames and passwords in the clear. This allows hackers to steal these credentials and use them to gain elevated privileges or access to other systems.
Lack of authentication leaves systems open to connections from hackers masquerading as valid users. Once they have access, hackers can steal data, reconfigure the system, create new user accounts allowing persistent access, or install malware.
Lessons From the Field
In recent deployments with several companies, there’s been widespread use of insecure protocols, even though IT teams claim that insecure protocols are not used.
In the case of a large financial institution, we discovered unencrypted communication with a database server. Any attacker who penetrated the corporate network could record network traffic and harvest account information. This could have resulted in a devastating data breach.
In another case, we found widespread use of LDAP instead of LDAPS, the latter of which encrypts the connection from the start. This resulted in usernames and passwords being sent in the clear.
When companies begin to measure the security of their networks, we consistently find insecure protocols being used.
Cyber Insurance Creates a False Sense of Security
Companies are increasingly turning to cyber insurance as part of their risk management strategy, which is prudent. But cyber insurance, when insecure legacy protocols are being used, provides a false sense of security to policyholders. It may also create a risk of lawsuits for MSPs.
MSPs often complete cyber insurance questionnaires for their customers. They also ensure ongoing compliance with cyber insurance mandates.
Too often, MSPs fill out the cyber insurance questionnaire based on what they believe is occurring in the network, saying that they are using strong authentication and secure protocols.
If a cyber incident occurs and a claim is filed, the insurance company will engage an incident response company to determine the cause of the breach. If the breach was the result of an insecure legacy protocol, the insurance company may deny the claim, citing failure to follow cyber insurance mandates or the provision of false information on the insurance application.
According to a report from Blackberry, the denial rate for cyber insurance claims is over 20%.
Should a claim be denied, the policyholder will hold its MSP responsible. MSPs will face the risk of lawsuits, as happened with Involta, an MSP that was sued by its customer in 2020 after a cyber incident.
The Solution
Eliminating insecure protocols requires visibility into protocols and devices in use. An automated cyber insurance compliance monitoring platform can provide detailed reports on protocol usage, as well as compliance with other mandates such as MFA usage, endpoint detection and response usage, and identity management usage.
Once an issue is found, MSPs can address it. Ongoing monitoring ensures networks are compliant. MSPs can use this platform to show history of compliance and generate reports that can be shared, reducing their risk of a lawsuit while protecting their clients.
Conclusion
Some companies will ignore security risks and hope their cyber insurance policy pays out in the event of a cyber incident. But given the devastating nature of many cyberattacks, there is a better approach for security-minded companies and MSPs.
Finding and eliminating insecure legacy protocols closes a major security gap. To achieve this, MSPs can adopt an automated cyber insurance compliance platform. By measuring compliance with cyber insurance mandates, MSPs can improve their service and ensure they won’t be found liable for denied insurance claims. Automated monitoring ensures that companies comply with cyber-insurance requirements. Without it, organizations are at risk.
Brett Helm is the co-founder and chairman of Dragonfly Cyber, a cyber insurance compliance platform provider.