Advice for IT providers

by Mark Rowe

A joint advisory from the National Cyber Security Centre (NCSC) – a part of the UK’s intelligence agency GCHQ – and equivalents abroad sets out what managed service providers (MSPs) and their customers can do to protect IT services.

NCSC CEO Lindy Cameron said: “We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that. Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.”

MSPs are advised:

Organisations should store their most important logs for at least six months, given incidents can take months to detect.

MSPs should recommend the adoption of multi-factor authentication (MFA) across all customer services and products, while customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive.

Organisations should update software, including operating systems, applications, and firmware, and prioritise patching of known exploited vulnerabilities.

Identify and disable accounts that are no longer in use.

See that contracts between the MSP and the customer transparently identify ownership of IT security roles.

As for what the threat can be, the document points out that whether the customer’s network is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks … with globally cascading effects. MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel leave.

You can view the advisory at the NCSC website.

The release comes on day two of the NCSC’s CYBERUK conference in south Wales, and was issued alongside the United States’ federal Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC) and, in the US, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). More from CYBERUK at the NCSC website – https://www.ncsc.gov.uk/section/keep-up-to-date/cyberuk.

Comments

Jasson Casey, CTO at the authentication product company Beyond Identity, says: “Suggesting that MSPs should rely on MFA as a security step is reckless, because not all MFA is created equal. The industry needs to recognise that some MFAs are extremely weak and fundamentally flawed – most password or legacy 2FA systems can be bypassed using off-the-shelf phishing and MITM exploits so this additional ‘security’ layer isn’t that effective at all. Also, these solutions don’t allow for any device posture information, so there’s no risk policy or continuous authentication happening.

“What the industry needs is stronger, more robust alternatives to legacy MFA solutions, which we have now. The technology exists today to move beyond legacy MFA solutions as an authentication technique and this is in the form of invisible, unphishable MFA solutions.”

And Rick Jones, CEO of cyber firm DigitalXRAID says that in high profile instances, such as the attack on SolarWinds, supply chains have proven to be ‘low-hanging fruit’ for cybercriminals, who are increasingly exploiting smaller organisations to gain access to the wider network.

“The NCSC guidance includes advice for organisations to update software and prioritise the patching of known exploited vulnerabilities. With the fifth anniversary of WannaCry tomorrow (May 12), this is particularly relevant. The 2017 ransomware attack was able to cause such extensive damage to the NHS because Trusts were running Windows machines yet to receive a critical security patch released by Microsoft. Regular patching is therefore a critical part of a strong cybersecurity and supply chain strategy.

“In addition to ensuring that software is up-to-date, businesses that form part of a supply chain can also look to a number of other cybersecurity measures to help protect their organisations and their partners. This includes contractually agreeing liability in the case of a breach, as well as regular cybersecurity training and a Zero Trust architecture to help mitigate against insider threats. However, working with a trusted cybersecurity partner and implementing an outsourced Security Operations Centre (SOC) can provide 24/7/365 threat monitoring and is the best option for supply chain businesses that may not have the resource for in-house teams.”


© 2024 Professional Security Magazine. All rights reserved.
