Service Provider Cyber Security Mistakes Can Cost SMBs Millions

Posted by C Jones on Wed, Feb 6th, 2019

Managed service providers are given implicit trust over small business infrastructure to design, maintain and secure it. It’s no surprise that just one mistake on an MSP’s client network can mean millions in damages from a data breach. Knowing that MSPs take care to configure a client’s network with security in mind, attackers have changed focus to MSPs directly. By phishing for credentials or compromising an MSP’s network directly, an attacker has access to a treasure trove of information that can be used to compromise SMBs.

MSPs are the Latest Target for Attackers

It’s not uncommon for MSPs to spend hours on security configurations and appliances that protect their customer environments, but then they become lax on their own security standards. Attackers also know that some employees aren’t familiar with common phishing attacks and could be a good target for an attack.

The rise in MSP attacks has even received attention from the US Computer Emergency Readiness Team. A new alert provided a warning for MSPs that attackers have persistently targeted them in recent months. The attacks target any managed provider across several IT sectors including MSPs, cloud service providers, and security providers. If you store a large stash of client credentials, chances are that attackers could create a phishing campaign to gain access to your local network or your client’s.

What MSPs Can Do

Being lax on cybersecurity standards is never an option, but it happens in some environments where MSP’s manage several clients and cut corners during busy months. Since phishing is one of the most common attacks, it’s important that MSPs are aware of the ongoing campaigns targeting their organizations and take precautions.

Phishing is one of the most difficult attacks to defend against because it just takes one busy employee that doesn’t notice the red flags and access an attacker-controlled web server. Other attacks can also leave the MSP vulnerable such as XSS or SQL injection. Any online forms submitted publicly to internal employees that read content using a web-based interface should be tested for vulnerabilities. By using SQL injection or XSS (or a combination of both), an attacker could trick a targeted user into divulging sensitive information.

Any public applications should be tested for vulnerabilities, and users should be educated in the many ways that attackers send phishing emails and build clone websites that trick users into entering sensitive data. Penetration testing applications should always be done regardless of just how harmless it seems to be. Attackers can use vulnerabilities on a public application to then gain more data from the internal MSP network. The issue with phishing, however, is that attackers send multiple emails and only need one person to fall victim to an email. In many successful attacks, the targeted user was too busy to notice the red flags.

What are the phishing red flags to look out for:

• Email has an attachment you weren’t expecting
• The email includes links to unfamiliar sites (hover over to check)
• The sender address isn’t correct. A universal tactic among scammers is the use of spoofed email or web addresses. Check if this address matches the name of the sender and whether the domain of the company is correct.
• The sender doesn’t address you by your correct name.
• The email requests personal information e.g. Passwords, Bank Information etc.
• Poor spelling and grammar

With phishing attacks becoming so prevalent, MSPs should be vigilant with their cyber security methods that protect users. One way to protect users is to use content filtering. Content filtering blocks certain sites and stops users from accessing websites that are known attack sites.

DNS-based content filtering stops phishing emails that pass through email service filters. A user who receives a phishing email could click a link, but with DNS-based content filtering, they will not be able to reach the website. Since these sites are included in a blacklist set up by the MSP’s network administrator, no user is able to reach the site. This type of content filtering protects the network from downloaded malware, content that could be used to trick users, and websites that look like legitimate sites but are really attacker-controlled applications. 

Some phishing attacks combine social engineering to target specific users on a network. For instance, an attacker might research finance department employees and find ones that could have higher privileges. They can use information found on social media such as LinkedIn or Facebook and use this information to trick an employee within the organization. Attackers sometimes spend weeks researching target users for their phishing campaigns.

MSPs can educate their users, but education alone is not enough to protect the internal network from a data breach due to phishing. DNS-based content filtering can stop successful attacks because users can no longer access these attack sites. This type of content filtering also stops users from browsing these sites should they find them on the Internet. The cyber security overhead for an MSP is difficult already, but DNS-based content filtering can protect from phishing attacks hardening your infrastructure and defenses.