Skip to main content
Passportal Insights

Is Your MSP Vulnerable to This Simple, Yet Fatal Flaw?

By Brian F. Cerny

Whoa! Did he just say MSP and “Fatal Flaw” in the same sentence? Unfortunately, yes and I am “dead” serious. There is an well-known practice every MSP must do, but is often left seldomly remediated, and it's not pretty.

Has your MSP taken a honest self-assessment on:

If you are an MSP owner, the odds are you just got a sick feeling in your stomach. This question has been brought up in the past, but there simply has never been “enough time” to address it. The phrase, “the cobbler’s kid always wears the worst shoes” chimes in your heart and helps you sleep at night. However, it's time to ditch this mindset and get with the program. Now is the time to boost your operational maturity and protect your MSP from going down like a lead zeppelin (Lead (Pb[82]), not Led).

MSP to IT Services

Having worked in the MSP realm for years and then leaping across the IT matrix to the security services world, I have a unique insight to this problem. Through roles that ranged from Business Development to Executive Leadership, I walked into Infogressive, and on my first day I thought to myself, "this looks and feels just like an MSP.” Then suddenly, someone spoke. I realized that I was in an entirely different world. A world that most MSP people wouldn’t think or believe existed. A world where your networking-guy is not the security-guy, and likely, wouldn’t make the intern seat. I hate to say that, but it's true.

MSPs are great at managing networks and their users, where in my new world, Master MSSPs, such as Infogressive, employ legitimate hackers to ensure safety. I am talking about the type of hackers municipalities call when they get breached; not the technician that does hacking measely on the side.

Don't let this happen to your MSP

We approached a mature MSP and asked if we could take a crack at breaking into their network. Long story short, the paperwork and legal documents were signed, and the green light was given. We were allotted 20 man-hours.

Our guys spent some time on social media, Google, LinkedIn, and other public facing channels to decide on how to approach it. Just like any other hacker, they connected some dots, used some social engineering, and deployed their strategy. Only the CEO knew we were doing this, but didn't know when exactly. The CEO ranked their MSP’s security posture a 9 out of 10.

This rating didn't stand a chance. When the CEO’s teenager grabbed the company laptop at home on a Sunday morning and fired it up, a pink unicorn was the new background with a little note saying, “Infogressive was here!”

In less than 20-man hours

The Infogressive team was able to gain full control over their entire network and move around at will. The absolute "death-blow" for this MSP (as we had been the bad guys) was that we had full access to the Domain Admin credentials to all of their clients. Full on “God Rights” to their entire revenue base. This happened in less time than spent binge watching three seasons of your favorite show on a Saturday afternoon. We could have put this MSP out of business, forever. Period.

How to protect your MSP

The simple step of getting a holistic password management solution would have stopped us from getting the real treasure trove. Password security should be taken seriously by every MSP owner on the planet. The cybersecurity world is not James Bond and spy gadgets all the time. Sometimes we just lean over the fence and pluck a password out of your environment and it's game over.

Password management solutions also allow your end users to reset their own passwords without having to call in to your desk. You can cross off this necessity and reduce demand on your service desk at the same time. If you don’t have a solution in place, hurry and pick up the phone to tell your engineering team to set this as priority. You have been warned. Now, you have heard it from the horse’s mouth and “not enough time” is no longer going to cut it.

Finally, in case you were thinking that the odds of this happening to you are so low that you don’t need to worry about it - you are wrong. It can happen to anyone at any time. Do your due diligence and take care of the problem today. 

Look up “APT10” and tell Operation CloudHopper I said, "hello" when they stop by...

Your call.


Written by:


Brian F Cerny, Channel Account Manager at Infogressive Inc.

Twitter | Facebook | LinkedIn

Welcome to the Passportal Blog

Into cybersecurity? Read up on current trends in IT Services and ensure you’re up to speed on best practices on how to grow your business.

Want to stay up to date?

Get the latest N-able tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a subscription.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site

Automated password protection with documentation management integrated with the MSP tools you already use

Manage passwords with ease