New cyber advisory:  MSPs and customers urged to adopt a shared commitment to security and implement baseline measures and controls

New cyber advisory:  MSPs and customers urged to adopt a shared commitment to security and implement baseline measures and controls

The Cybersecurity and Infrastructure Security Agency (CISA) announced a joint Cybersecurity Advisory that urges managed service providers (MSPs) and customers to adopt a shared commitment to security and implement baseline measures and controls. Published in partnership with cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand, Federal Bureau of Investigation (FBI), and National Security Agency (NSA), with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC), this advisory warns that malicious cyber actors continue to target MSPs, which is why organizations should implement the recommended actions, as appropriate for their unique environment and security needs, to strengthen protection of sensitive data and networks.

CISA, NCSC-UK, ACSC, CCCS, NZ-NCSC, NSA, and FBI expect malicious cyber actors, including state-sponsored advanced persistent threat (APT) groups, to continue their targeting of MSPs. Some tactical actions to improve security that MSPs and their customers can take today are:

• Identify and disable accounts that are no longer in use.
• Enforce MFA on MSP accounts that access the customer environment and monitor for unexplained failed authentication.
• Ensure MSP-customer contracts transparently identify ownership of ICT security roles and responsibilities.

The advisory provides several measures that organizations can take to reduce their risk of becoming a victim to malicious cyber activity. Additionally, MSP customers should verify their contractual arrangements with the provider include measures and controls in this advisory according to their security requirements, such as:

• Prevent initial compromise by implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force and password spraying, and phishing.
• Enable monitoring and logging, including storage of most important logs for at least six months, and implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting.
• Develop and exercise incident response and recovery plans, which should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
• Understand and proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.

In addition to reviewing the advisory for complete list of recommended measures and controls, CISA reminds critical infrastructure executives and senior leaders to review our “Shields Up” webpage at cisa.gov/shields-up.

Also, organizations should share information on incidents and unusual activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

We appreciate you sharing this information and/or amplifying with your cybersecurity community. CISA and other partners are posting information about our joint advisory on their social media platforms.

Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity & Infrastructure Security Agency
U.S. Department of Homeland Security
217-299-3954/ steven.lyddon@cisa.dhs.gov