Top 10 Security Recommendations
What we can learn from the MOVEit attack
Ofcom, the BBC, British Airways, and Boots discovered on June 5th that they were suffering data breaches caused by their service provider Zellis, which was impacted by the MOVEit attack. Later that month, other companies such as Siemens Energy, Schneider Electric, the Union Bank and other organizations were found to have been affected by the attack. The date of the attack is still unknown, but it is believed to have happened between late winter and early spring 2023. By the 18th of June, 3 patches had been released to cover the vulnerabilities found in the MOVEit system.
The MOVEit attack shows us the huge impact a supply chain attack can have, and it highlights the importance of securing third party and MSP access.
“A third party is a third attack surface” – states Andrew A in his article Using MSPs to administer your cloud service
Third Parties & MSPs: The Security Compromise
The MOVEit attack serves as a wake-up call for organizations to remain vigilant when involving third parties and MSPs. Outsourcing is an efficient way to delegate business operations when a company doesn’t have the resources internally. However, it comes with a compromise: Security.
What are the risks of a compromised third party?
> Cybersecurity risks:
Hackers may use your third party as an entry point to acquire your critical data. In the MOVEit attack, hackers were able to steal data from hundreds of businesses and threatened to publish their identities on a data leak website.
> Operational risks:
An attack can have a damaging impact on companies and can cause significant disruption. This was the case when SolarWinds (vendor of IT management solutions) suffered a cyberattack back in 2021. 18k organizations were affected, including government agencies, creating disruption and chaos.
> Compliance risks:
Regulations set security criteria for organizations and their third parties. Your organization can be fined for working with non-compliant partners.
How to secure third party access?
Andrew A, in his article Using MSPs to administer your cloud service, proposes 5 things to check sooner rather than later when you work with an MSP. These rules should be applied whether the MSP manages cloud services (IaaS, PaaS, SaaS) or on-premises software.
> Apply the principle of least privilege:
Only give access to what is needed when it is needed. Avoid giving your MSPs and their administrators privileges that are not required to get their job done.
> Have full visibility of MSP actions on your SOC:
Ensure that each administrator uses a different account, and they are not sharing one general account. This will allow you to have detailed traceability of their actions.
> Make sure that your MSP follows secure administration practices:
Given that MSPs are prime targets for hackers, they should have security standards that go beyond what you have in place. Their administrators should use a separate privileged access workstation when performing administration actions. They should also authenticate using a Multi-Factor Authentication solution.
> Check if your MSP is outsourcing the administration of your services:
If your MSP is outsourcing the services, you need to make sure that the security of its third party is covered in your contract with your MSP.
> Verify that the contract requires your MSP to inform you of any data breach:
It should include any data breach on the MSPs supply chain.
> Make sure your MSP never exposes your IT assets to “the world”. Hackers use online scanning tools to identify any open port and use it to gain unauthorized access to assets. Therefore, your MSP should never open a port to your IT resources.
> Keep in mind that MSPs manage your infra and other clients’ infra: you need to guarantee absolute segmentation and isolation among all the MSP’s customers.
> Your MSPs can impose their remote access tool, or you can impose yours on your MSPs: in either case, make sure you use a Zero Trust remote access tool.
> Have full control over your MSP’s staff access to your critical assets and leave no privilege or connection open: use least privilege connections, JIT connections, zero standing connections, etc.
> If the MSP needs to deploy a component in your infrastructure, make sure its footprint is minimal, and investigate the supply chain of the component.
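As an added illustration of the visibility and zero-standing-access recommendations above (this is example code written for this page, not from the original article or the cited MSP guidance), the following Python script runs over a constructed privileged-access audit-log sample and flags two things a SOC would want to see: one MSP account used from two workstations at the same time, and sessions that hold access without, or beyond, a just-in-time approval. Account names, device names and timestamps are made up.

```python
from datetime import datetime

# Constructed sample export from a privileged-access gateway's audit log,
# one record per MSP administrator session (all values are made up).
# "device" is the workstation the engineer connected from and "jit_until"
# is the expiry of the just-in-time approval (None = no approval recorded).
SESSIONS = [
    {"account": "msp-admin-01", "device": "PAW-A", "start": "2023-06-05T08:00", "end": "2023-06-05T09:00", "jit_until": "2023-06-05T10:00"},
    {"account": "msp-admin-01", "device": "PAW-B", "start": "2023-06-05T08:30", "end": "2023-06-05T09:30", "jit_until": "2023-06-05T10:00"},
    {"account": "msp-admin-02", "device": "PAW-C", "start": "2023-06-05T08:00", "end": "2023-06-05T09:00", "jit_until": "2023-06-05T10:00"},
    {"account": "msp-admin-02", "device": "PAW-D", "start": "2023-06-05T09:30", "end": "2023-06-05T10:00", "jit_until": "2023-06-05T10:00"},
    {"account": "msp-ops", "device": "PAW-E", "start": "2023-06-05T11:00", "end": "2023-06-05T13:00", "jit_until": "2023-06-05T12:00"},
    {"account": "msp-admin-03", "device": "PAW-F", "start": "2023-06-05T14:00", "end": "2023-06-05T14:30", "jit_until": None},
]

def ts(value):
    return datetime.fromisoformat(value)

def overlaps(a, b):
    # Two sessions overlap when each starts before the other ends.
    return ts(a["start"]) < ts(b["end"]) and ts(b["start"]) < ts(a["end"])

def shared_account_alerts(sessions):
    """Accounts used concurrently from two different devices: a sign that
    several MSP engineers share one generic account, which destroys the
    per-person traceability the SOC needs."""
    flagged = set()
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a["account"] == b["account"] and a["device"] != b["device"] and overlaps(a, b):
                flagged.add(a["account"])
    return sorted(flagged)

def standing_access_alerts(sessions):
    """Sessions with no JIT approval, or that ran past their approval window:
    standing privileges an MSP should never hold."""
    return [(s["account"], s["start"]) for s in sessions
            if s["jit_until"] is None or ts(s["end"]) > ts(s["jit_until"])]

if __name__ == "__main__":
    print("shared accounts:", shared_account_alerts(SESSIONS))
    print("standing access:", standing_access_alerts(SESSIONS))
```

Sequential use of one account from different devices (msp-admin-02) is deliberately not flagged, so the check stays quiet for a single engineer who moves between workstations.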
In the MOVEit attack, hackers managed to access the MOVEit servers only, and yet the impact on companies all over the world was huge. Had the hackers managed to access the IT systems of MOVEit clients, the consequences would have been even more devastating.
With the rise of software supply chain dependencies, it is crucial to have full control over your IT/OT systems. We should go beyond securing access by implementing privileged access management solutions that allow real-time analysis and automatically block suspicious actions.