By Ian Trump
Guest post by Ian Trump. Ian Trump, CD, CEH, CPM, BA is an ITIL certified IT professional with 20 years of experience in IT security and information technology. Please find his full bio below in the author section.
MSPs and IT providers have a problem, and it’s about to get a whole lot worse. By the time you land your third customer, you need to get a grip on three important things:
- Regular Daily Backup
- Invoicing and Time Tracking
- Password Management
Invoicing and Time Tracking make sense – you’ve got to have those to run your business and get paid. But security is the real, long-term problem. And it’s a problem that continues to grow.
As an MSP or IT provider, your attack surface is drastically bigger than any other company’s. Your own network is a risk, plus your customers’ networks could be attacked. And if you are providing managed services, your customers are holding you responsible for keeping them safe.
This means daily backups are critical. A mistake by a too-tired or fast-moving employee could have catastrophic consequences, and you need to be able to restore quickly.
But the most important of all three steps is managing passwords properly.
Matt Weeks (@scriptjunkie, blog) emphasizes this best. Matt is one of those rare security researchers who get to the essence of a security problem, and he was one of the first guys to indicate that IT has a big problem. That problem is stolen or poorly protected credentials, and it’s the root cause of small, medium, and mega-hacks.
It turns out passwords and password reuse attacks continue to cause a great deal of havoc:
- Compromise of DNS led to a complete hijack of a Brazilian Bank
- The largest breach ever recorded – Yahoo – was because an employee’s password was compromised
And many others.
Stolen credentials were also responsible for a major portion of confirmed data breaches in 2016. There were 1,429 incidents of credential theft in 2016, where attackers made off with credentials via hacking and malware. In 2016, the combination of poor password security and the use of default credentials led to some of the most devastating attacks ever recorded.
MSPs and IT providers are struggling with password management. With the arrival of hosted services, IoT devices, users, and system passwords, MSPs and IT providers are drowning in passwords. For an MSP, keeping track of all these passwords is a security issue, and it’s also a productivity issue. The average small business could have 30 or more devices with unique passwords. That’s a lot of passwords for your MSP team to remember, and if any of them are compromised, the bad guys can gain access.
It’s the Yahoo breach which really deserves some consideration. Cyber criminals want administrator accounts or “Root” access more than any other credential. And obviously, if all devices on a network use the same administrative credentials, that gives the attacker full access to the entire network. When the administrator account is compromised, it’s game over for the customer – and if that customer is yours, well, you are now in the hot seat.
Perhaps the biggest problem with passwords from the MSP and IT provider perspective is managing them at scale. If each customer has between 15 and 20 passwords for systems, devices and services, what happens when you grow your business to 25 or 30 customers? That could be 600 passwords to manage – we are not even talking about users’ passwords – that’s just the myriad of network devices which the business relies on.
Now given all those passwords you have to manage, what happens to customer security if the MSP or IT provider must terminate an employee? If the circumstances of termination are acrimonious, all the customer’s passwords could have gone with the disgruntled and potentially dangerous ex-employee. Perhaps the employee had an inkling termination was coming, and created backdoor users on the customer’s systems. This could spell disaster if you don’t have a way to automatically change privileged passwords immediately, and can’t easily find backdoor accounts.
Sadly, many MSPs don’t have a password audit tool, a password complexity testing tool, or a secure way of managing privileged accounts. I think this is because it’s not particularly exciting and many MSPs are using their PSA or a “passwords.xls” spreadsheet to manage passwords, just like Sony did.
Credential and password management is an area in which MSPs and IT providers need a tool to manage access, secure and regularly change credentials, and audit access. As more devices – all of which will have passwords – get connected, managing their passwords and access proactively will allow your business to prosper. After all, your job is to secure your customers so they want to keep you around.
Secret Server enables you to store, distribute, change, and audit enterprise passwords in a secure environment.
Secure privileged account credentials in a centralized vault, where you can adjust permissions and audit all access.
Discovery and Automation
Discover privileged accounts that you didn’t know exist today. Automatically change their passwords on a schedule or when manually requested.
Proxy, record, and monitor active sessions to your critical infrastructure.
Add access approval workflows to your most sensitive accounts.
Alert your security team to unusual behavior on your privileged accounts.
Tools to help you efficiently operate under least privilege.
Allow users to install and update approved software only.
End user Active Directory password reset and group self-management.