Is Your MSP Vulnerable to This Simple, Yet Fatal Flaw?
Whoa! Did he just say MSP and “Fatal Flaw” in the same sentence? Unfortunately, yes, and I am “dead” serious. There is a well-known practice every MSP must do, but it is seldom remediated, and it's not pretty.
Has your MSP taken an honest self-assessment on:
- How and where are you storing your passwords?
- How and where are you storing your clients’ passwords?
If you are an MSP owner, the odds are you just got a sick feeling in your stomach. This question has been brought up in the past, but there simply has never been “enough time” to address it. The phrase, “the cobbler’s kid always wears the worst shoes” chimes in your heart and helps you sleep at night. However, it's time to ditch this mindset and get with the program. Now is the time to boost your operational maturity and protect your MSP from going down like a lead zeppelin (Lead (Pb), not Led).
MSP to IT Services
Having worked in the MSP realm for years and then leaping across the IT matrix to the security services world, I have a unique insight into this problem. Through roles that ranged from Business Development to Executive Leadership, I walked into Infogressive, and on my first day I thought to myself, “this looks and feels just like an MSP.” Then suddenly, someone spoke. I realized that I was in an entirely different world. A world that most MSP people wouldn’t think or believe existed. A world where your networking-guy is not the security-guy, and likely, wouldn’t make the intern seat. I hate to say that, but it's true.
MSPs are great at managing networks and their users, whereas in my new world, Master MSSPs, such as Infogressive, employ legitimate hackers to ensure safety. I am talking about the type of hackers municipalities call when they get breached; not the technician who merely does hacking on the side.
Don't let this happen to your MSP
We approached a mature MSP and asked if we could take a crack at breaking into their network. Long story short, the paperwork and legal documents were signed, and the green light was given. We were allotted 20 man-hours.
Our guys spent some time on social media, Google, LinkedIn, and other public-facing channels to decide how to approach it. Just like any other hacker, they connected some dots, used some social engineering, and deployed their strategy. Only the CEO knew we were doing this, but didn't know exactly when. The CEO ranked their MSP’s security posture a 9 out of 10.
This rating didn't stand a chance. When the CEO’s teenager grabbed the company laptop at home on a Sunday morning and fired it up, a pink unicorn was the new background with a little note saying, “Infogressive was here!”
In less than 20 man-hours
The Infogressive team was able to gain full control over their entire network and move around at will. The absolute "death-blow" for this MSP (had we been the bad guys) was that we had full access to the Domain Admin credentials for all of their clients. Full-on “God Rights” to their entire revenue base. This happened in less time than is spent binge-watching three seasons of your favorite show on a Saturday afternoon. We could have put this MSP out of business, forever. Period.
How to protect your MSP
The simple step of getting a holistic password management solution would have stopped us from getting the real treasure trove. Password security should be taken seriously by every MSP owner on the planet. The cybersecurity world is not James Bond and spy gadgets all the time. Sometimes we just lean over the fence and pluck a password out of your environment and it's game over.
Password management solutions also allow your end users to reset their own passwords without having to call in to your desk. You can cross off this necessity and reduce demand on your service desk at the same time. If you don’t have a solution in place, hurry and pick up the phone to tell your engineering team to set this as a priority. You have been warned. Now, you have heard it from the horse’s mouth and “not enough time” is no longer going to cut it.
Finally, in case you were thinking that the odds of this happening to you are so low that you don’t need to worry about it - you are wrong. It can happen to anyone at any time. Do your due diligence and take care of the problem today.
Look up “APT10” and tell Operation CloudHopper I said, "hello" when they stop by...