On October 3, 2018, the U.S. Department of Homeland Security (DHS) issued a major warning to IT service providers, IT managed services providers (MSPs), and cloud services providers (CSPs) and their customers. The warning came from the National Cybersecurity and Communications Integration Center (NCCIC), which is part of the Office of Cybersecurity & Communications within the U.S. Department of Homeland Security. The warning addressed advanced persistent threat (APT) hackers that exploit information technology (IT) service provider networks.
Businesses should be aware of this warning and take necessary actions to protect their IT environment, including those that have internal IT staff and/or external IT support. This specific warning uniquely includes benefits, risks, and other details regarding the utilization of external IT services providers. Impacts of unauthorized network intrusions can include thing such as:
- Loss of sensitive or proprietary information
- Disruption of regular operations
- Financial losses due to business impact and/or remediation actions
- Harm to the organization’s reputation
Abdul Hammad – Chief Information Security Officer, powersolution.com
Following the release of the advanced persistent threat (APT) warnings, Mr. Abdul Hammad of powersolution.com stated
“It is imperative that businesses utilizing external IT service providers verify that enterprise-level security standards and protocols are being followed — such as from the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). These standards and controls are necessary to maintain a “defense-in-depth strategy” and minimize the risks associated with nefarious advanced persistent threat (APT) activity.”
Abdul Hammad is the Chief Information Security Officer (CISO) at powersolution.com, a leading New Jersey-based IT managed services provider. Armed with B.S. and M.S. degrees in network and security engineering, cybercrime, and computer forensics from the New Jersey Institute of Technology, he is also a member of the United States Secret Service Electronic Crimes Task Force (USS-NYECTF). The USS-NYECTF prioritizes on the top six infrastructure targets for electronic crime or cyber terrorism — financial institutions, telecommunications, the energy industry, transportation, the environment, and emergency services.
U.S. DHS Cites Financial Benefits and Network Security Associated with IT managed services (MSPs) and Cloud services providers (CSPs)
According to the U.S. Department of Homeland Security, the number of organizations using IT service providers (including MSPs an CSPs) has increased in recent years partly because IT service providers enable customers to support network environments at a lower cost than utilizing in-house personnel. Much of this cost advantage is due to the IT service provider supporting a large number of customers, which creates economies of scale. However, IT service providers have access to their customers’ network and may have customer data stored on their own infrastructure. If the IT service provider does not have adequate network security and controls, a compromise associated with one customer could create significant risk and potentially impact other customers utilizing the IT service provider’s network infrastructure. Cybercriminal activity has increased partially due to more customers utilizing IT service providers to support their networks.
Who is the National Cybersecurity and Communications Integration Center (NCCIC)?
The National Cybersecurity and Communications Integration Center’s (NCCIC) is part of the Office of Cybersecurity & Communications, within the U.S. Department of Homeland Security. It coordinates various aspects of the U.S. federal government’s cybersecurity and cyberattack mitigation efforts. This includes coordinating national response to significant cyber incidents in accordance with the National Cyber Incident Response Plan (NCIRP). For over two years, the NCCIC) has been tracking hackers that are using advanced persistent threat (APT) tools to break into networks of MSPs and CSPs and the infrastructure of their customers.
Actions Recommended by National Cybersecurity and Communications Integration Center (NCCIC)
NCCIC recommends that customers of MSPs and CSPs implement a “defense-in-depth strategy” designed to protect their infrastructure assets while increasing the probability of disrupting advanced persistent threat (APT) activity. On October 3, 2018, the NCCIC issued a warning to MSPs and CSPS that cybercriminals are working to exploit their customers’ networks. Consequently, MSPs and CSPs are encouraged to lock down their systems and data. Information was provided to assist MSP customer network and system administrators in detecting and mitigating malicious activity on their networks and systems.
A few of the NCCIC recommendations include:
- Establishing and periodically updating an incident response plan.
- Establishing written guidelines that prioritize incidents based on mission impact.
- Secure endpoint and network infrastructure.
- Refer to NCCIC publications such as weekly vulnerability bulletins, activity alerts.
- Completing NCCIC secure web forms to report cyber-related incidents and indicators including phishing, malicious software, and other activity.
- MSP accounts should not be assigned to enterprise administrator or domain administrator groups.
- MSP accounts should be restricted to only the systems they manage.
- Password policies should be applied to MSP accounts, including complexity, life, lockout, and logging.
- If an MSP installs an agent or other local service, service accounts should be created for this purpose.
- MSP accounts should be restricted by time and date, disabling them when work is completed.
- Utilize a network architecture that provides for account tiering so that higher privileged accounts will not have access or be found on lower privileged layers of the network.
- Customers should work with their MSPs to determine what they can expect in terms of security. This includes items such as terms of service, architecture, security controls, and risks associated with cloud computing and data protection.
- Restrict access to networks and systems to contain APT cybercriminal movement across the network and infrastructure.
- Conduct periodic audits of network and infrastructure access restrictions.
- Use a dedicated Virtual Private Network (VPN) for MSP connection. VPN authentication certificates should be updated annually, with connections logged and centrally managed.
- Internet-facing networks should reside on separate physical systems.
- Firewalls should be used to protect servers and high-risk networks.
- Restrict access to unauthorized public file shares that are not used by the organization – such as Dropbox, Google Drive, and OneDrive.
- Implement appropriate policies for account authentication and authorization.
- Regularly update software and operating systems.
In summary, businesses must be aware of the threats and protective measures highlighted on October 3, 2018 by the U.S. Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC). Using external IT service providers can be a cost-effective way to ensure appropriate IT security protocols and controls are implemented by qualified IT personnel. However, businesses must review with their IT services providers, including MSPs and CSPs, that recommendations cited by the NCCIC are being implemented properly and reviewed on a regular basis.