Some two and a half years after the Department of Homeland Security first issued a warning about the phenomenon, MSPs remain high-profile targets for cybercriminals hungry for the rich, conveniently centralized end user data stored in RMM solutions and other MSP business systems.
Indeed, 73% of MSPs surveyed by ConnectWise unit Perch Security in its 2021 MSP Threat Report say they’ve suffered at least one security incident in the last 12 months. They won’t be the last such victims either, according to Tom Greco, who became chief information security officer at ConnectWise in January.
“It’s not going away,” he says of threat activity against MSPs. “It’s getting worse in the sense that actors are definitely emboldened by the successes they’ve had.”
They’re likely to have more successes, predicts Greco, who spoke with ChannelPro at ConnectWise’s IT Nation Secure event in Orlando this week. Software makers and users are both responsible for preventing MSP breaches, he notes, but appreciation of that fact and awareness of the grave dangers MSPs face are far from universal among them at present.
“There’s three camps,” Greco says. “There’s people who are aware. There’s people who maybe think they’re aware, but they’re not doing enough. And then there’s those who really aren’t very aware at all.”
If becoming aware is step one, adopting cybersecurity best practices is an essential follow-up. ConnectWise has long been urging MSPs to use security frameworks like the one it published last year to protect customers. Greco urges MSPs to do the same internally.
“If you look at something like the NIST cybersecurity framework, identify and protect are the first two tenets,” he says. “That really means being aware of what your threats are and how susceptible you are to them, and then understanding what controls do you have to have in place.”
While all of that is easier said than done, Greco acknowledges, it’s often simpler things that trip MSPs up. “A lot of times it comes down to basics,” he says, citing user permissions as an example. “Are you thinking about minimizing the access you provide and making sure that the access you do provide has the least amount of privilege needed?”
Making proper use of the role-based permissions functionality in most IT management tools is often another missed opportunity, according to Greco. “If you create roles that are very broad, then you’re using the control technically but you’re not using it as effectively as you could,” he says.
Requiring use of multifactor authentication when logging into RMM and PSA applications is one of the most basic basics of all, Greco notes, yet while most MSPs do it at present, some still don’t. ConnectWise, for its part, has made MFA mandatory for its Automate and Command RMM solutions as well as its Control remote access system, and is evaluating an extension of that policy to the rest of its products by the end of the year.
Steps like that are among many ConnectWise has taken in response to mounting threat activity against MSPs and media reports in 2019 about vulnerabilities in its software. Other measures include implementing a “shift left” strategy aimed at building security controls deeper into the company’s product development process through enhanced threat modeling and vulnerability testing, training in secure development practices, and automated tools that call attention to potentially insecure code as it’s written.
Late last year, meanwhile, ConnectWise rolled out a bug bounty program in partnership with security services provider HackerOne that rewards “white hat” hackers for identifying flaws in ConnectWise products. Focused initially on Automate, Command, and Control, with the ConnectWise Manage PSA solution just now joining the list as well, that effort quickly exposed a large volume of issues that would have taken ConnectWise far longer to root out on its own.
“In the beginning you see a spike,” says Greco of the bug bounty process. “Maybe you don’t want it, but you hope for it because you want to know if there’s things lurking in there.” At this point, he continues, what’s left are a far smaller number of better hidden and therefore potentially more serious weaknesses. “The low-hanging fruit, I’d say, has gone.”
ConnectWise has further product security measures on its roadmap. Those include completing a SOC 3 audit, making broader use of Perch’s security operations center for internal incident response purposes, and rolling out expanded identity and access management functionality. “We’re advancing our zero-trust strategy down to the endpoint to make sure that we can authorize access to any asset every time,” Greco explains.
Coming up as well is a revised edition of the ConnectWise Trust Site, which displays alerts and vulnerability information about the company’s solutions. The new version will let users search and filter content by product, timeframe, severity, and other variables.
The Cyber Research Unit ConnectWise launched at IT Nation Secure this week is an additional element in ConnectWise’s campaign to help MSPs protect themselves and their clients more effectively.