New cyber alerts to IT providers and their customers

Small and medium businesses should take steps to ensure their IT systems are secure after the Australian Cyber Security Centre (ACSC) and international partners warned IT service providers of attacks targeting them and their customer networks.


Cyber actors are accessing the data of a single managed service provider (MSP) to gain access to its whole database of customers, with malicious activity expected to increase, according to the ACSC.

Its Cybersecurity Advisory outlines strategies and preventative measures that MSPs can implement to protect themselves against cyberattacks.

What is a managed service provider?

MSPs are third-party companies that remotely manage IT services for customers. They provide services that usually require trusted network connectivity and privileged access to their customers' systems.

Most businesses use MSPs to manage ICT systems, store data, or support sensitive processes. They often provide services in conjunction with other providers such as platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services.

These providers hold login details for hundreds of small and medium business customers, so the compromise of one victim can lead to access to many others.

“Managed Service Providers are vital to many businesses and as a result, a major target for malicious cyber actors,” said Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre.

“These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods.

“Effective steps can be taken to harden their own networks and to protect their client information. We encourage all MSPs to review their cyber security practices and implement the mitigation strategies outlined in this Advisory.”

Advisory information

The joint advisory outlines cybersecurity best practices, enabling transparent discussions between MSPs and their customers on securing sensitive data. The advisory provides actions that organisations can take to reduce the risk of falling victim to malicious cyber activity.

MSP customers can ensure contractual arrangements specify that their MSP acts on measures and controls in the advisory, such as:

  • Prevent initial compromise by implementing mitigation resources that protect against initial compromise attack methods involving vulnerable devices, internet-facing services, brute force and password spraying, and phishing.
  • Enable monitoring and logging, including storage of the most important logs for at least six months, and implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting.
  • Secure remote access applications and enforce multifactor authentication (MFA) where possible to harden the infrastructure that enables access to networks and systems.
  • Develop and exercise incident response and recovery plans, which should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
  • Understand and proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritise the allocation of resources.

Organisations should review their contractual arrangements with their provider to ensure they include cybersecurity measures in line with their particular security requirements.

You can access the advisory here.
