It seems like everything is getting hacked these days. Cybercrime is on the rise, which causes a lot of sleepless nights, especially for MSPs. How can you ensure that a hacker won’t have easy access to everything you manage?
Well, there are a few answers to that.
One of the things that is clear from recent events is that you really can’t put all your eggs in one basket. No one single solution is a silver bullet in the constant battle of securing your customers.
For example, if we look at authentication, we still have passwords, for better or worse, and then we have MFA. If you think MFA on its own makes your privileged AD or O365 accounts 100% bulletproof, consider the following attacks, just as a start:
- Man-in-the-endpoint attacks
- SIM swapping attacks
- SMS-based MFA attacks
- Duplicate Code Generator Attacks
- Hijacking Shared Auth & APIs
Thus, MFA alone is not a silver bullet and MSPs and IT departments should consider it as one layer in a layered security strategy.
If you keep your privileged account passwords static, you have one less layer of protection. Leaving the passwords for privileged accounts static and configuring them to never expire is convenient and ensures that any system that depends on these accounts will continue to run without any intervention. For MSPs, doing this can leave your company and your customers at risk from credential theft. On the flip side, if you rotate passwords but don't have MFA/2FA, then you have no other mechanism to protect yourself if your password gets hacked.
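One way to find the static privileged passwords described above is to audit the raw AD attributes `adminCount`, `userAccountControl` and `pwdLastSet`. The following is an added example, not code from the original article or from CyberQP; the sample records are constructed and the 90-day age threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone
# userAccountControl bit flags as defined by Active Directory
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """pwdLastSet is a FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def audit(accounts, now, max_age_days=90):
    """Flag enabled privileged accounts whose passwords are effectively static."""
    findings = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        # adminCount=1 marks current or former members of protected groups,
        # so it over-approximates; confirm group membership before acting.
        if uac & UAC_ACCOUNTDISABLE or int(acct.get("adminCount", 0)) != 1:
            continue
        reasons = []
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            reasons.append("password never expires")
        last_set = int(acct["pwdLastSet"])
        if last_set:  # 0 means "must change at next logon", so no age
            age = (now - filetime_to_dt(last_set)).days
            if age > max_age_days:  # threshold is an assumed policy value
                reasons.append(f"password is {age} days old")
        if reasons:
            findings.append((acct["sAMAccountName"], reasons))
    return findings

# Constructed sample records, shaped like an LDAP export of user objects.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
def _rec(name, admin, uac, days):
    return {"sAMAccountName": name, "adminCount": admin, "userAccountControl": uac,
            "pwdLastSet": dt_to_filetime(NOW - timedelta(days=days))}
SAMPLE = [
    _rec("svc-backup", 1, 0x10200, 900),  # enabled, never expires, stale
    _rec("da-alice", 1, 0x200, 30),       # enabled, rotated recently
    _rec("da-bob", 1, 0x200, 200),        # enabled, expiry allowed but stale
    _rec("old-admin", 1, 0x10202, 1500),  # disabled, skipped
    _rec("jsmith", 0, 0x10200, 400),      # not privileged, skipped
]
if __name__ == "__main__":
    for name, reasons in audit(SAMPLE, NOW):
        print(f"{name}: {'; '.join(reasons)}")
```

Service accounts usually dominate the findings, since they are the ones set to never expire so that dependent systems keep running.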
Then we have local admin accounts on workstations. Most MSPs, including myself, had a set backdoor account with the same or similar password formula on all customer workstations in case Active Directory trust relationships went south. If a hacker got your set username and password, it’s game over.
The same goes for backups. Using a domain-joined Windows server as a backup server is a good invitation to being unable to recover from a ransomware attack. Compare that with a backup and disaster recovery solution that runs a different operating system and is not joined to your production Active Directory or identity management system.
Now, what’s the next step?
Obviously, you’ll always want to keep your MSP as safe as possible, but what should you be implementing as additional layers of security to ensure this safety? The quickest approach is to implement solutions in three often-overlooked areas:
- Privileged Account Password Rotations
- Local Account Password Solution (LAPS)
- End-User Identity Verification
We go into much more detail in an article I just put together in light of these recent, high-profile attacks in the industry. Each of these solutions will add additional and extremely important security layers to your MSP so you can feel confident with your MSP’s safety.
Our company, CyberQP, was created to mitigate attacks by securing overlooked vulnerabilities, substantially increasing your organization's security posture and protecting your customers. If you haven’t already, I encourage you to take a look at our toolbox.