CISA Issues New MSP Supply Chain Security Guidance

Credit: CISA

The Cybersecurity and Infrastructure Security Agency (CISA), working with partners worldwide, has issued a new Cybersecurity Advisory (CSA) that's designed to help MSPs protect themselves and customers from supply chain cyberattacks and other digital threats.

The advisory, paraphrased below, describes 12 steps that MSPs can take to safeguard their businesses and end-customer systems. The advisory was developed by UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities, the CISA indicated.

Here are the 12 tips for MSPs to follow.

1. Prevent initial compromise, including these steps to mitigate brute force and phishing attacks.

2.  Enable/improve monitoring and logging processes by:

  • Storing the most important logs for at least six months.
  • Implementing and maintain a segregated logging regime to detect threats to networks, whether through a security information and event management (SIEM) solution or discrete logging tools.
  • Leveraging this NCSC-UK guidance on the appropriate data to collect for security purposes and when to use it.
  • MSPs should log the delivery infrastructure activities used to provide services to the customer. MSPs should also log both internal and customer network activity, as appropriate and contractually agreed upon.
  • Customers should enable effective monitoring and logging of their systems.
  • Customers that leverage MSPs for logging should:
    • Implement comprehensive security event management that enables appropriate monitoring and logging of provider-managed customer systems;
    • Provide visibility—as specified in the contractual arrangement—to customers of logging activities, including provider's presence, activities, and connections to the customer networks (Note: customers should ensure that MSP accounts are properly monitored and audited); and
    • Notify customer of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks, and send these to a security operations center (SOC) for analysis and triage.

3. Enforce multifactor authentication (MFA). Plus, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.

  • MSPs should recommend the adoption of MFA across all customer services and products. Note: MSPs should also implement MFA on all accounts that have access to customer environments and should treat those accounts as privileged.
  • Customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive. Contracts should also require MFA to be enforced on all MSP accounts used to access customer environments.

4. Manage internal architecture risks and segregate internal networks. 

  • Organizations should understand their environment and segregate their networks. Identify, group, and isolate critical business systems and apply appropriate network security controls to them to reduce the impact of a compromise across the organization.
  • MSPs should review and verify all connections between internal systems, customer systems, and other networks. Segregate customer data sets (and services, where applicable) from each other—as well as from internal company networks—to limit the impact of a single vector of attack. Do not reuse admin credentials across multiple customers.
  • Customers should review and verify all connections between internal systems, MSP systems, and other networks. Ensure management of identity providers and trusts between the different environments. Use a dedicated virtual private network (VPN) or alternative secure access method, to connect to MSP infrastructure and limit all network traffic to and from the MSP to that dedicated secure connection. Verify that the networks used for trust relationships with MSPs are suitably segregated from the rest of their networks. Ensure contractual agreements specify that MSPs will not reuse admin credentials across multiple customers.

5. Apply the principle of least privilege.

  • MSPs should apply this principle to both internal and customer environments, avoiding default administrative privileges.
  • Customers should ensure that their MSP applies this principle to both provider and customer network environments.

6. Deprecate Obsolete Accounts and infrastructure.

  • Both MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.
  • Customers should be sure to disable MSP accounts that are no longer managing infrastructure.

7. Apply Updates

  • Organizations should update software, including operating systems, applications, and firmware. Prioritize applying security updates to software containing known exploited vulnerabilities.
  • MSPs should implement updates on internal networks as quickly as possible.
  • Customers should ensure that they understand their MSP's policy on software updates and request that comprehensive and timely updates are delivered as an ongoing service.

8. Backup systems and data.

  • Organizations should regularly update and test backups—including “gold images” of critical systems in the event these need to be rebuilt.
  • MSPs should regularly backup internal data as well as customer data (where contractually appropriate) and maintain offline backups encrypted with separate, offline encryption keys.
  • Providers should encourage customers to create secure, offsite backups and exercise recovery capabilities.=
  • Customers should ensure that their contractual arrangements include backup services that meet their resilience and disaster recovery requirements.
  • Specifically, customers should require their MSP to implement a backup solution that automatically and continuously backs up critical data and system configurations and store backups in an easily retrievable location, e.g., a cloud-based solution or a location that is air-gapped from the organizational network.

9. Develop and exercise incident response and recovery plans.

  • Incident response and recovery plans should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
  • Organizations should maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible.
  • MSPs should develop and regularly exercise internal incident response and recovery plans and encourage customers to do the same.
  • Customers should ensure that their contractual arrangements include incident response and recovery plans that meet their resilience and disaster recovery requirements. Customers should ensure these plans are tested at regular intervals.

10. Understand and proactively manage supply chain risk.

  • All organizations should proactively manage ICT supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.
  • MSPs should understand their own supply chain risk and manage the cascading risks it poses to customers.
  • Customers should understand the supply chain risk associated with their MSP, including risk associated with third-party vendors or subcontractors. Customers should also set clear network security expectations with their MSPs and understand the access their MSP has to their network and the data it houses. Each customer should ensure their contractual arrangements meet their specific security requirements and that their contract specifies whether the MSP or the customer owns specific responsibilities, such as hardening, detection, and incident response.

11. Promote transparency.

  • Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities.
  • MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery.
  • Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract.
  • Contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment.

12. Manage account authentication and authorization.

  • All organizations should adhere to best practices for password and permission management.
  • Organizations should review logs for unexplained failed authentication attempts—failed authentication attempts directly following an account password change could indicate that the account had been compromised.
  • MSPs should verify that the customer restricts MSP account access to systems managed by the MSP.
  • Customers should ensure MSP accounts are not assigned to internal administrator groups; instead, restrict MSP accounts to systems managed by the MSP. Grant access and administrative permissions on a need-to-know basis, using the principle of least privilege. Verify, via audits, that MSP accounts are being used for appropriate purposes and activities, and that these accounts are disabled when not actively being used.
Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.