The UK and its international partners have jointly issued advice to IT service providers and their customers as part of wider efforts to protect organisations in the wake of Russia’s invasion of Ukraine.
The joint advisory from the National Cyber Security Centre (NCSC) and its partners sets out a series of practical steps for managed service providers (MSPs) and their customers.
The advisory has been issued alongside the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC) and, also in the United States, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
MSPs provide IT support to their customers in various ways, for example through software or cyber security services. In order to do so, they are granted privileged access to a customer’s network. This can create opportunities for attackers, who may be able to gain access to an organisation’s network by compromising its MSP.
One of the most significant examples of these supply chain attacks was that carried out in 2020 against US software company SolarWinds, which impacted customers throughout the world.
Organisations are being encouraged to consider the advisory, published under the heading ‘Shields Up Guidance for Managed Service Providers and Their Customers’, in conjunction with guidance from the NCSC and others in relation to the heightened tensions as a result of events in Ukraine.
NCSC CEO Lindy Cameron noted: “We are committed to further strengthening the UK’s resilience. Our work with international partners is a vital part of that commitment. Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.”
CISA director Jen Easterly commented: “I strongly encourage MSPs and their customers to follow this and our wider guidance. Ultimately, doing so will help to protect not only themselves, but also organisations globally.”
Easterly continued: “As this advisory makes clear, malicious cyber actors continue to target MSPs. It’s critical that MSPs and their customers take recommended actions to protect their networks. We know that MSPs being vulnerable to exploitation significantly increases downstream risks to the businesses and organisations whom they support. Securing MSPs is critical to our collective cyber defence.”
Abigail Bradshaw, head of the ACSC, stated: “MSPs are vital to many businesses and, as a result, they can be a major target for malicious cyber actors. These actors use them as launchpads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business e-mail compromises and other malicious methods. Effective steps can be taken to harden their own networks and to protect their client information. We encourage all MSPs to review their cyber security practices and implement the mitigation strategies outlined in this advisory.”
Damage of cyber compromise
Sami Khoury, head of the CCCS, observed: “We’ve seen the damage and impact cyber compromises can have on supply chains, MSPs and their customers. These compromises can result in costly mitigation activities and lengthy downtime for clients. We strongly encourage organisations to read this advisory and implement the guidelines as appropriate.”
Lisa Fong, director of the NZ NCSC, added: “Supply chain vulnerabilities are among the most significant cyber threats facing today’s organisations. As they strengthen their own cyber security, organisations’ exposure to cyber threats in their own supply chain increasingly becomes their weakest point. Organisations need to ensure they are implementing effective controls to mitigate the risk of cyber security vulnerabilities being introduced to their systems via technology suppliers such as MSPs. They also need to be prepared to effectively respond when issues do arise.”
Rob Joyce, director at the NSA, explained: “This joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data. Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorisation.”
Bryan Vorndran, assistant director of the Cyber Division for the FBI, said: “Through this joint advisory, the FBI, together with its federal and international partners, aims to encourage action by MSPs and their customers at a point in time when malicious cyber actors continue to target this vector for entry to threaten networks, businesses and organisations globally. These measures and controls should be implemented to ensure the hardening of security and minimise potential harm to victims.”
Range of steps
Many steps are set out for MSPs and their customers in the latest advisory, including the following:
* Organisations should store their most important logs for at least six months, given that incidents can take months to detect
* MSPs should recommend the adoption of multi-factor authentication (MFA) across all customer services and products, while customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive
* Organisations should update software, including operating systems, applications and firmware, while at the same time prioritising the patching of known exploited vulnerabilities
The advisory also makes it clear that organisations should implement these guidelines as appropriate to their unique environment, in accordance with their specific security needs and in compliance with applicable regulations.