The Lockdown

Thycotic’s Cyber Security Blog

MSPs and IT Providers: The Three Things Every MSP Must Do

Written by Thycotic Team

May 8th, 2017

Guest post by Ian Trump. Please find his full bio below in the author section.

MSPs and IT providers have a problem, and it’s about to get a whole lot worse. By the time you land your third customer, you need to get a grip on three important things:

  1. Regular Daily Backup
  2. Invoicing and Time Tracking
  3. Password Management

Invoicing and Time Tracking make sense – you’ve got to have those to run your business and get paid. But security is the real, long-term problem. And it’s a problem that continues to grow.

As an MSP or IT provider, your attack surface is drastically bigger than any other company’s. Your own network is a risk, plus your customers’ networks could be attacked. And if you are providing managed services, your customers are holding you responsible for keeping them safe.

This means daily backups are critical. A mistake by a too-tired or fast-moving employee could have catastrophic consequences, and you need to be able to restore quickly.

But the most important of all three steps is managing passwords properly—and that means using an enterprise-grade password management solution.

Matt Weeks (@scriptjunkie) emphasizes this best. Matt is one of those rare security researchers who get to the essence of a security problem, and he was one of the first guys to indicate that IT has a big problem. That problem is stolen or poorly protected credentials, and it’s the root cause of small, medium, and mega-hacks.

It turns out passwords & password reuse attacks continue to cause a great deal of havoc:

And many others.

Stolen credentials were also responsible for a major portion of confirmed data breaches in 2016. There were 1,429 incidents of credential theft in 2016, where attackers made off with credentials via hacking and malware. In 2016, the combination of poor password security and the use of default credentials led to some of the most devastating attacks ever recorded.

MSPs and IT providers are struggling with password management. With the arrival of hosted services, IoT devices, users, and system passwords, MSPs and IT providers are drowning in passwords. For an MSP, keeping track of all these passwords is a security issue, and it’s also a productivity issue. The average small business could have 30 or more devices with unique passwords. That’s a lot of passwords for your MSP team to remember, and if any of them are compromised, the bad guys can gain access.

It’s the Yahoo breach which really deserves some consideration. Cyber criminals want administrator accounts or “Root” access more than any other credential. And obviously, if all devices on a network use the same administrative credentials, that gives the attacker full access to the entire network. When the administrator account is compromised, it’s game over for the customer – and if that customer is yours, well, you are now in the hot seat.

Perhaps the biggest problem with passwords from the MSP and IT provider perspective is managing them at scale. If each customer has between 15 and 20 passwords for systems, devices and services, what happens when you grow your business to 25 or 30 customers? That could be 600 passwords to manage – we are not even talking about users’ passwords – that’s just the myriad of network devices which the business relies on.

Now given all those passwords you have to manage, what happens to customer security if the MSP or IT provider must terminate an employee? If the circumstances of termination are acrimonious, all the customer’s passwords could have gone with the disgruntled and potentially dangerous ex-employee. Perhaps the employee had an inkling termination was coming, and created backdoor users on the customer’s systems. This could spell disaster if you don’t have a way to automatically change privileged passwords immediately, and can’t easily find backdoor accounts.
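The termination scenario above, worked through as an added example (not part of the original post, and not Secret Server code): a minimal offboarding audit that lists the privileged credentials a departing employee knew and that have not been rotated since, and flags accounts found on customer systems that are missing from the inventory. The inventory layout, field names, employee names and sample data are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the original post): the MSP's credential
# inventory and the accounts actually enumerated on customer systems.
INVENTORY = [
    {"customer": "acme", "system": "fw01", "account": "admin",
     "last_rotated": "2017-01-10", "known_to": {"alice", "bob"}},
    {"customer": "acme", "system": "dc01", "account": "Administrator",
     "last_rotated": "2017-04-20", "known_to": {"alice"}},
    {"customer": "globex", "system": "nas01", "account": "root",
     "last_rotated": "2016-11-02", "known_to": {"bob", "carol"}},
]
OBSERVED = [
    {"customer": "acme", "system": "fw01", "account": "admin", "created": "2015-06-01"},
    {"customer": "acme", "system": "dc01", "account": "Administrator", "created": "2015-06-01"},
    {"customer": "acme", "system": "dc01", "account": "svc_backup2", "created": "2017-04-12"},
    {"customer": "globex", "system": "nas01", "account": "root", "created": "2016-02-14"},
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def offboarding_audit(employee, terminated_on, inventory, observed, lookback_days=30):
    """Return (credentials to rotate, unmanaged accounts) for a departing employee."""
    cutoff = _day(terminated_on)
    # 1. Credentials the employee knew that were last changed before the termination date.
    rotate = [(c["customer"], c["system"], c["account"]) for c in inventory
              if employee in c["known_to"] and _day(c["last_rotated"]) < cutoff]
    # 2. Accounts present on customer systems but absent from the inventory.
    managed = {(c["customer"], c["system"], c["account"].lower()) for c in inventory}
    unmanaged = []
    for a in observed:
        key = (a["customer"], a["system"], a["account"].lower())
        if key not in managed:
            # "recent" = created within lookback_days before termination, or after it.
            recent = (cutoff - _day(a["created"])).days <= lookback_days
            unmanaged.append((a["customer"], a["system"], a["account"], recent))
    return rotate, unmanaged
```

Accounts flagged as unmanaged and recent are the first candidates for review as possible backdoor accounts; every entry in the rotate list needs a password change regardless.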

Sadly, many MSPs don’t have a password audit tool, a password complexity testing tool, or a secure way of managing privileged accounts. I think this is because it’s not particularly exciting and many MSPs are using their PSA or a “passwords.xls” spreadsheet to manage passwords, just like Sony did.

Credential and password management is an area where MSPs and IT providers need a tool to manage access, secure and regularly change credentials, and audit access. As more devices – all of which will have passwords – get connected, managing their passwords and access proactively will allow your business to prosper. After all, your job is to secure your customers so they want to keep you around.

Secret Server enables you to store, distribute, change, and audit enterprise passwords in a secure environment.

Secure Vault

Secure privileged account credentials in a centralized vault, where you can adjust permissions and audit all access.

Discovery and Automation

Discover privileged accounts that you didn’t know exist today. Automatically change their passwords on a schedule or when manually requested.

Session Control

Proxy, record, and monitor active sessions to your critical infrastructure.

Access Workflow

Add access approval workflows to your most sensitive accounts.

Behavior Analytics

Alert your security team to unusual behavior on your privileged accounts.

Least Privilege

Tools to help you efficiently operate under least privilege.

Application Control

Allow users to install and update approved software only.

User Management

End user Active Directory password reset and group self-management.

BIO
Ian Trump

Ian Trump, CD, CEH, CPM, BA is an ITIL certified IT professional with 20 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. Ian previously managed IT projects at the Canadian Museum of Human Rights and is currently Global Cyber Security Strategist at SolarWinds. Ian works across the business to define, create and execute security solutions and promote a safe, secure Internet for Small & Medium Businesses world-wide. As Global Cyber Security Strategist, Ian has deep experience with the threats facing small, medium and enterprise businesses. This research and experience has made him a sought-after cyber security resource for conference presentations, press commentary and keynote addresses world-wide. In recognition of his contribution to IT Security, Ian has been named as an executive council member of the CompTIA IT Security Community.
