MSPs and customers recommended to adopt a shared commitment to security and implement baseline measures and controls
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the United Kingdom’s National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an advisory today with cybersecurity best practices for information and communications technology (ICT), focusing on enabling transparent discussions between managed service providers (MSPs) and their customers on securing sensitive data. CISA, NCSC-UK, ACSC, CCCS, NZ-NCSC, NSA, and FBI expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks.
The advisory provides several actions that organizations can take to reduce their risk of becoming a victim to malicious cyber activity. Additionally, MSP customers should ensure their contractual arrangements specify that their MSP implements the measures and controls in this advisory, such as:
- Prevent initial compromise by implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force and password spraying, and phishing.
- Enable monitoring and logging, including storage of most important logs for at least six months, and implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting.
- Secure remote access applications and enforce multifactor authentication (MFA) where possible to harden the infrastructure that enables access to networks and systems.
- Develop and exercise incident response and recovery plans, which should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
- Understand and proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.
“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly. “Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”
“We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that,” said NCSC CEO Lindy Cameron. “Our joint advisory with CISA is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk. I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally.”
“Managed Service Providers are vital to many businesses and as a result, a major target for malicious cyber actors,” said Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre. “These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods. Effective steps can be taken to harden their own networks and to protect their client information. We encourage all MSP’s to review their cyber security practices and implement the mitigation strategies outlined in this Advisory.”
“We’ve seen the damage and impact cyber compromises can have on supply chains, managed service providers, and their customers,” said Sami Khoury, Head, Canadian Centre for Cyber Security. “These compromises can result in costly mitigation activities and lengthy downtime for clients. We strongly encourage organizations to read this advisory and implement these guidelines as appropriate.”
“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today,” said Lisa Fong, Director of New Zealand’s National Cyber Security Centre. “As organisations strengthen their own cyber security, their exposure to cyber threats in their supply chain increasingly becomes their weakest point. Organisations need to ensure they are implementing effective controls to mitigate the risk of cyber security vulnerabilities being introduced to their systems via technology suppliers such as managed service providers. They also need to be prepared to effectively respond to when issues arise.”
"This joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data," said Rob Joyce, NSA Cybersecurity Director. "Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorization."
“Through this joint advisory, the FBI, together with our federal and international partners, aims to encourage action by MSPs and their customers, as malicious cyber actors continue to target this vector for entry to threaten networks, businesses, and organizations globally,” said FBI's Cyber Division Assistant Director Bryan Vorndran. “These measures and controls should be implemented to ensure hardening of security and minimize potential harm to victims.”
All organizations are encouraged to review the advisory for complete list of recommended security measures and operational controls. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations.
Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities. When cyber incidents are reported quickly, it can contribute to stopping further attacks. In the U.S., organizations should inform CISA’s 24/7 Operations Center at firstname.lastname@example.org or (888) 282-0870.
As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day. Visit CISA.gov for more information or visit www.CISA.gov/shields-up for information on how to protect your networks.
Visit CISA on Twitter, Facebook, LinkedIn, Instagram