Chris Swagler | January 13th, 2022

MSP Security

Why is Cyber Security Important to MSPs?

During this ongoing and unrelenting cyberattack epidemic, cyber security is vitally important to MSPs because they are at the forefront of protecting clients. MSP clients, particularly those in the small and medium-sized business (SMB) community, rely on their MSP for all technical or computer-related issues. Regardless of how the services contract is written, they will contact the MSP if there is a breach. Additionally, if an MSP doesn’t provide cyber security services to its clients, another company will.

What is MSP Security?

When anyone in today’s technology world mentions “security,” it inevitably refers to cyber security. The phrase “MSP Security” refers to the cyber security of the MSP itself, that of the MSP’s clients, or both. The protection of data throughout an MSP’s client network is typically the responsibility of the MSP. However, the security of the MSP’s infrastructure may be more critical because a compromise of an MSP’s network could lead to unauthorized access to the MSP’s clients’ data. Cybercriminals can compromise one entity and potentially access others. Therefore, MSP security combines both protection of its infrastructure and the protection of the MSP’s client base.

The Key Elements of MSP Security

It’s easy for people to assume that an MSP’s key security elements are the same as those of other businesses; however, that isn’t the case. Many MSPs help small businesses, including medical practices, accounting firms, small law firms, and title companies, that can’t afford cyber security solutions designed for larger companies with large budgets and teams of cyber security analysts. As a result, MSP security must be extremely prudent, selecting cyber security products that match the threats posed to the SMB community while remaining aware of the cost associated with the security products, the complexity and ease of installation, and maintenance requirements. Cyber security solutions are designed for a specific market; therefore, those designed for large companies and reconfigured for the SMB community can present mounting challenges for an average MSP customer, or even smaller MSPs themselves.

How is MSP Security Different from Enterprise Security?

Given enough time and dedication, an experienced burglar can undoubtedly breach a home security system. However, most thieves would rather rob a house without a security system than expend significant effort to rob a house with an alarm system. Given enough time and resources, experienced penetration testers can breach almost any network; however, even those with little experience can utilize freely available tools to penetrate poorly protected enterprises.

Over the years, we have learned that cybercriminals see the world through an opportunistic lens, especially when it comes to attacking the SMB community. Professional cyber attackers from Russia’s GRU, China’s PLA Unit, or North Korea’s Bureau 121 are looking to compromise any enterprise network and are unlikely to be stopped indefinitely. If enterprises spending hundreds of millions of dollars are still vulnerable, then local roofing supply companies, regional trucking providers, and law firms have no chance.

Numerous cybercriminal entrepreneurs view the SMB as a potential cash cow, unprotected and easy to target with broad, commoditized automated attacks that wouldn’t work against larger companies. If cybercriminals can use the same server to target thousands of businesses and have a 10% success rate, they can profit tremendously without any effort; the logic is disturbing for the SMB community, but solid for the threat actors. Returning to the alarm system analogy, this means that houses without an alarm system are easy targets and will be exploited.

What Does an Attack on an MSP’s Client Look Like?

A cyberattack involving a nation-state threat actor targeting a large business or government organization can take months to plan and require multiple, highly skilled cyber operators. If you haven’t read the MITRE ATT&CK Framework, you should; it details attack methodologies used by cyber threat actors over time. The same processes exist in cyberattacks on the SMB, which makes success easier to achieve in that community, as evidenced by numerous incidents seen every day.

SMB systems and networks are easy targets because they’re never defended the same way as enterprise networks. It comes down to the basic economics of time, money, and people. Building a sophisticated security program that considers all stages of the attack lifecycle is a difficult task. Because of these economic challenges, cybercriminals can be highly successful by leveraging available tools to identify targets with obvious vulnerabilities; in the largely unprotected SMB world, the bad guys have no shortage of options. Consider Masscan, a free port scanning tool available on GitHub that can “scan the entire Internet in 5 minutes.” Cybercriminals can utilize tools like this to identify open ports on any network, essentially unlocked gates that can serve as the foundation of successful attacks.

What are MSP Security Vulnerabilities?

No software contains flawless coding. Security flaws or gaps are unavoidable as applications become integrated with other complex software systems. The flaws are known as Common Vulnerabilities and Exposures (CVEs), and the United States government’s National Institute of Standards and Technology (NIST) tracks them. They are widespread and growing, with over 18,000 reported in 2021, or about 50 per day. When “exploits” for CVEs (small executable software programs that exploit vulnerabilities) are created and sold, often on the dark web, they can serve as the starting point for cyberattacks.

Port scanners like Masscan are essential tools in a threat actor’s toolkit because many CVE exploits require exposed ports to be executed. Threat operators identify a vulnerability, often one recently discovered and unlikely to have been patched by the targeted victim, scan for the port or ports running the vulnerable software, and attack the companies that meet the criteria. The process is nearly 100% automated.

When you learn that ransomware breached a local lumberyard chain, it’s not because threat operators surveilled the lumberyard’s network or researched its employees to exploit a guessable password. The lumberyard was simply one of several entities that had deployed the vulnerable software version, and its network configuration provided the port scanning characteristics that allowed the chosen exploit to be effective.

SMBs, and the MSPs that serve them, must deal with some harsh realities. With thousands of vulnerabilities in today’s deployed software and 50 new CVEs introduced every day, it’s impossible to close all the gaps. If companies are connected to the Internet, they’re probably being scanned and probed for open ports and the vulnerabilities lurking behind them more frequently than expected.
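Since every gap cannot be closed, an MSP can at least rank which advisories expose the most clients on internet-facing ports, the same criteria an automated sweep would match on. The following is an added example, not SpearTip's code or part of the original article; the client names, product names, versions and advisory IDs are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: internet-facing services per client, as recorded by the
# MSP's own asset inventory or an authorized external scan of its clients.
INVENTORY = [
    {"client": "lumberyard", "port": 443, "product": "examplevpn", "version": "9.1.2"},
    {"client": "lawfirm", "port": 443, "product": "examplevpn", "version": "9.3.0"},
    {"client": "clinic", "port": 8443, "product": "examplevpn", "version": "9.0.7"},
    {"client": "clinic", "port": 25, "product": "examplemail", "version": "4.2"},
    {"client": "titleco", "port": 3389, "product": "exampleremote", "version": "2.10.1"},
]
# Constructed advisories; the IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "product": "examplevpn", "fixed_in": "9.2.0"},
    {"id": "CVE-PLACEHOLDER-0002", "product": "exampleremote", "fixed_in": "2.9"},
]

def parse_version(text):
    """Turn '9.1.2' into (9, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def is_affected(installed, fixed_in):
    """Affected means the installed version is older than the first fixed release."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))  # pad so '2.9' compares as '2.9.0'
    b = b + (0,) * (width - len(b))
    return a < b

def exposure_by_advisory(inventory, advisories):
    """Map advisory ID -> sorted (client, port) pairs exposing an affected version."""
    hits = defaultdict(list)
    for svc in inventory:
        for adv in advisories:
            if adv["product"] == svc["product"] and is_affected(svc["version"], adv["fixed_in"]):
                hits[adv["id"]].append((svc["client"], svc["port"]))
    return {adv_id: sorted(pairs) for adv_id, pairs in hits.items()}

def patch_queue(inventory, advisories):
    """Advisories ordered by how many exposed client services they affect."""
    exposure = exposure_by_advisory(inventory, advisories)
    return sorted(exposure.items(), key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for adv_id, pairs in patch_queue(INVENTORY, ADVISORIES):
        print(adv_id, pairs)
```

Note that `exampleremote` 2.10.1 is correctly treated as newer than 2.9; a plain string comparison would flag it as affected.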

The SpearTip Difference

With ransomware increasingly targeting MSPs with exposed security vulnerabilities, it’s critical for companies to stay current with the latest threat landscape and keep their patches up to date to prevent potential threats. At SpearTip, our certified engineers assist MSPs in protecting themselves and their clients from cyberattacks and other threats. We work closely with our partner companies’ internal teams, ensuring their clients are defended against potential attacks. ShadowSpear, our endpoint detection and response platform, is a flexible resource that integrates with existing IT technology investments and continuously monitors across their client base, significantly reducing response times, regardless of what infrastructure is in place.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.