MSP Cloud Presence Concerns


With the recent barrage of cyber attacks against managed service providers (MSPs) / managed security service providers (MSSPs), it’s only a matter of time until their Cloud presence puts other customers at risk, too. Cybercriminals are realizing that they can have a bigger impact if they can compromise service providers and in turn infect their supported clientele. We’ve seen this time and time again with the Sodinokibi attack in the first half of 2019 and more recently in a string of dental offices being compromised through their service provider.

Emil Hozan, Security Analyst, WatchGuard Technologies.
Author: Emil Hozan, security analyst, WatchGuard Technologies.

It’s not uncommon for these service providers to have shared virtual private servers (VSPs) in Cloudland with other tenants sharing the same physical server. With all the recent CPU vulnerabilities being released, such as Foreshadow, Meltdown, and Spectre, attackers may very well be plotting ways on how to exploit these vulnerabilities and affect the other tenants sharing those servers. More concerning is that unless there is constant network log monitoring, it’s not always apparent that they’ve been hacked. If that’s not enough, there could be dormant remote access tunnels that cybercriminals are selling on the dark web to the highest bidder.

There have been several research reports detailing threats in this realm. One such research paper was released by Jacobo Ros back in 2012. Another research paper was released by Abdul Ali in April 2013. The threat is real and the financially motivating incentives of threat actors are unknown. Further, in whose hands does security fall? Is it the responsibility of Cloud service providers (CSPs) or does security fall into the hands of the tenants renting space on the physical hosts?

As you’re building or growing your managed security offering, make sure you’re working with vendors that have security at the top of their minds. Furthermore, you’ll want to make sure that you’ve taken the steps to protect your business and your customer with strong security solutions. It is believed that the threat actors in the previously mentioned attacks leveraged already compromised credentials. Using multi-factor authentication (MFA) as an additional security step would have prevented the login request despite the reuse of the credentials. The MSP/MSSP administrators would have received a notification, raising alarm and suspicion, and then allowed for further investigation. WatchGuard’s AuthPoint MFA solution sends push notifications directly to users’ cell phones, thus expediting the awareness of someone trying to log into a protected system.

Further, tying in network log monitoring, WatchGuard Cloud is a leading and trusted platform used for the delivery of managed security services. It eliminates the cost and complexity typically required to manage, log, and report on all security services by consolidating them all into one Cloud platform. There's no need for any physical or virtual infrastructure, no maintenance costs, no downtime, and no jumping back and forth between security service platforms. It's a simple solution to advance your business, help you more effectivity deliver security services to customers, and free up time for you to focus on the work that matters most.

Emil Hozan is a security analyst at WatchGuard Technologies. Emil’s responsibilities include quantifying threat data for WatchGuard’s quarterly Internet Security Report, contributing to WatchGuard’s security blog Secplicity, analyzing trends in network and malware attacks, sandboxing and testing new products and exploits, and reverse engineering malware samples.