MSPs: Security ‘Almost Pointless’ If IT Service Management Tools Compromised
“Of the vendors we use we've heard pretty much nothing. It keeps me up at night, that's for sure,” said one frustrated MSP who wants to hear about security from their providers, not from the news, after they have been breached.
MSPs told CRN that while they spend thousands to arm themselves with the best tools and processes to fight cyber criminals and defend their systems, all of that effort is in vain if their IT service management tools suffer a security breakdown.
“As an MSP, we have to trust that the tools that we're using are secure, but also do what we can to further secure them,” an MSP told CRN. “Things like only allowing access from our office LAN, implementing [multi-factor authentication] for all of our [Professional Services Automation] and [Remote Monitoring and Management] tools, and using complex rotating passwords all go a long way to making our MSP as secure as it can be … All that is almost pointless when the applications themselves have security flaws built in.”
News last week that the cybercriminals who carried out an advanced phishing campaign against Wipro’s network also used the ConnectWise Control (formerly Screen Connect) tool to penetrate further into Wipro’s customer accounts has MSPs worried that if their IT service management tools are not safe, nothing is.
“In light of the warnings, I would expect regular communication from the big players on the security of their products, whitepaper briefs, security best practices for their platforms, etc.,” said another MSP. “Of the vendors we use we've heard pretty much nothing. It keeps me up at night, that's for sure.”
KrebsOnSecurity, which first broke the story on the Wipro breach last week, reported that the ConnectWise Control remote support and remote access tool had been used to take control of more than 100 Wipro endpoints as part of an advanced phishing campaign that was used to capture customer data to perpetrate a gift card fraud exploit.
ConnectWise Chief Product Officer Jeff Bishop told CRN on Friday that the breach of IT outsourcing behemoth Wipro appears to be a "legitimate use" of the ConnectWise Control remote support and remote access tool.
"Something like what was described sounds a lot like legitimate use," said Bishop, who was previously vice president of ConnectWise Control. "Deploying agents within a company, logging in and getting connected to machines, and performing activity on those machines— that's kind of what remote control is designed to do. That would potentially look like legitimate use."
Bishop said his understanding is that the hackers were supposedly authenticating through a legitimate instance of the remote control machine, meaning the product wasn't hacked or accessed improperly.
For MSPs, this means they not only have to manage and mitigate threats outside their system, but also be vigilant for risks inside of it. This latest news, as well as the report in February that cybercriminals exploited a flaw with ConnectWise’s integration with Kaseya, is increasing tension around the tools they use to manage customer networks.
“Everyone in the IT services space and the national security space is telling us that MSPs are a target for hackers and intrusions, but the big players, ConnectWise in particular, really aren't communicating about it,” another MSP told CRN. “It was only after the information was available from other sources that ConnectWise started discussing the Kaseya issue.”
When asked to address solution provider concerns surrounding ConnectWise technology’s role in the Wipro breach, the Tampa, Fla.-based company provided a statement from ConnectWise CEO Jason Magee that said, in part, that the company is committed to helping MSPs prevent and mitigate security threats.
“MSPs are increasingly being targeted by bad actors and are experiencing malicious attacks. Like many of the leading vendors, ConnectWise is committed to helping MSPs prevent and mitigate these threats. We know that sometimes our remote monitoring tools can be used by these bad actors,” he said.
Magee in the statement pointed to ConnectWise’s recent investment in Perch Security and purchase of Sienna Group as part of its efforts to help MSPs combat cyber threats. The company also launched a “Protect Your House” campaign in 2018 to help MSPs recognize and respond to cyber attacks, he said.
“ConnectWise takes cyber security seriously and we realize that rumored and confirmed security incidents create stress and concern for our partners. Once we become aware of an issue, we are proactive in taking steps to resolve and/or make our partners aware of the risk. This is often accomplished via our in-app messaging capabilities,” Magee said.
While ConnectWise is not the only IT Service Management company to find itself embroiled in a high-profile security scare, customers said that, as one of the largest players, it should be leading the conversation on security rather than acting only after a threat is uncovered.
“I’ve received no notification from ConnectWise about a potential risk or a proposed solution for that risk,” said one of the larger members of IT Nation regarding the Wipro news.
MSPs said the consolidation that has happened in the service management space has left them with fewer options, and they are concerned that the companies which remain are in a battle for profits above product.
“This is especially concerning when you look at all the new acquisitions ConnectWise has done recently along with their new investors coming in,” one MSP said. “My fear is that this will lead them down the road many companies go down when the number-one concern is investor profits, which will lead to more products being patched together rather than investing in proper integrations and testing.”