The news of today’s indictment against two Chinese nationals for a global, state-sponsored cyber campaign should send shivers down the spine of enterprises across the world.
Linked to China’s APT10 group, the two hackers are accused of engaging in a campaign of IP theft dating back to 2006. The most worrying aspect of the charges, however, is that from around 2014 the attackers set their sights on major international Managed Service Providers (MSPs).
Targeting MSPs makes a lot of sense from an efficiency standpoint. Once a foothold is gained in an MSP’s environment, attackers can easily move laterally from that system to the systems of their clients – it takes the concept of ‘killing two birds with one stone’ to a whole new level.
The reason today’s news is so troubling is that just about every large enterprise across the globe outsources some aspect of its IT to an MSP. Compounding the issue is the idea that the MSPs are the experts, and therefore the security of their systems is taken for granted.
We’ve learned today they’re just as vulnerable as everyone else.
The Australian Cyber Security Centre has released a guide on how enterprises can safely manage their relationships with an MSP. Although most organisations are getting ready to shut down for the holiday break, I highly recommend you read the guidelines, which can be found here.
Tips include ensuring security is front-and-centre during contract negotiations, enabling multi-factor authentication, and only giving MSPs the level of privilege required to effectively carry out their contract – admin rights won’t always be necessary.
Today’s news underscores the need for organisations to have visibility into their networks – if you’ve engaged an MSP to manage your ERP system, for example, you need to know if someone is using their credentials to access areas of the network they have no need to be in, and then have the ability to evict them as soon as this comes to light.
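As an added illustration (not part of the original post or the ACSC guide), the check described above can be sketched as a scope comparison over logon records. The account name, network ranges, log format and sample records are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Hypothetical scope map: each MSP account and the networks its contract covers.
MSP_SCOPE = {
    "msp-erp-admin": [ipaddress.ip_network("10.20.5.0/24")],  # ERP segment (constructed)
}

# Constructed logon records: "timestamp account destination_ip result"
SAMPLE_LOG = """\
2024-01-15T09:14:02 msp-erp-admin 10.20.5.11 success
2024-01-15T09:15:40 jsmith 10.30.1.7 success
2024-01-15T23:02:17 msp-erp-admin 10.30.1.7 success
2024-01-15T23:02:59 msp-erp-admin 10.40.9.3 failure
2024-01-15T23:05:12 msp-erp-admin 10.20.5.12 success
"""

def parse(line):
    """Split one record of the assumed four-field format into typed values."""
    ts, account, dest, result = line.split()
    return {"time": datetime.fromisoformat(ts), "account": account,
            "dest": ipaddress.ip_address(dest), "result": result}

def out_of_scope(log_text, scope=MSP_SCOPE):
    """Return MSP logon events whose destination lies outside the contracted networks."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        allowed = scope.get(ev["account"])
        if allowed is None:  # not an MSP account, so this check does not apply
            continue
        if not any(ev["dest"] in net for net in allowed):
            alerts.append(ev)  # failed attempts are kept too: they show probing
    return alerts

def accounts_to_evict(alerts):
    """Accounts with a successful out-of-scope logon: candidates for revocation."""
    return sorted({a["account"] for a in alerts if a["result"] == "success"})

if __name__ == "__main__":
    hits = out_of_scope(SAMPLE_LOG)
    for a in hits:
        print(f'{a["time"].isoformat()} {a["account"]} -> {a["dest"]} ({a["result"]})')
    print("revoke sessions for:", accounts_to_evict(hits))
```
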
Once IP is gone, it is gone forever. While MSP relationships are built on trust, MSPs can fall victim to advanced attacks just as easily as anyone else. They might be the experts you turn to for managing your IT, but they’re not invincible.