Bekker's Blog

How Not To Handle a Security Breach as an MSP

The ongoing security and public relations mess at Wipro, a massive IT outsourcing company based in India with many major U.S. customers, provides an object lesson in how not to handle a security incident as a managed service provider (MSP).

The story was broken this week by Brian Krebs at his respected security blog Krebs on Security. Official information from Wipro has been slow to come out and inconsistent, which is part of the problem.

Krebs approached Wipro earlier this month after hearing about a breach from several sources. According to his latest reporting, a first Wipro employee fell victim to a phishing attack on March 11, with another 22 employees falling for a second round of phishing attacks on March 16 to 19. As of Wednesday, the attack was still ongoing with more than 100 Wipro endpoints "seeded with" a ConnectWise product for remote control of client systems, as Krebs phrased it. Using the compromised Wipro systems as a jumping-off point, attacks have been launched against at least 12 clients, Krebs reported.
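The pattern Krebs describes, a remote-control product landing on well over a hundred endpoints within days, is the kind of thing an MSP's own endpoint inventory should surface before a customer does. The following is an added example, not code from the original post or from Wipro or Krebs; it runs a simple mass-deployment check over a constructed endpoint-inventory feed. The log format (`timestamp,host,event,product`), the hostnames, the product names and the allowlist are all hypothetical.

```python
# Added example (not part of the original post): flag a product that is installed
# on many distinct endpoints within a short window, unless it is an expected bulk
# rollout. Log format, hostnames, product names and allowlist are constructed.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint-inventory feed (hypothetical format: timestamp,host,event,product).
# A sanctioned office-suite rollout on day one, then one remote-control install
# followed by a burst of the same agent across more hosts over the following week.
SAMPLE_LOG = """timestamp,host,event,product
2019-03-10T09:00:00,ws-0001,install,Office Suite
2019-03-10T09:05:00,ws-0002,install,Office Suite
2019-03-10T09:10:00,ws-0003,install,Office Suite
2019-03-10T09:15:00,ws-0004,install,Office Suite
2019-03-10T09:20:00,ws-0005,install,Office Suite
2019-03-10T09:25:00,ws-0006,install,Office Suite
2019-03-11T14:03:00,ws-0017,install,Remote Control Agent
2019-03-12T10:00:00,ws-0009,install,PDF Reader
2019-03-16T08:40:00,ws-0020,install,Remote Control Agent
2019-03-16T11:15:00,ws-0021,install,Remote Control Agent
2019-03-17T09:30:00,ws-0022,install,Remote Control Agent
2019-03-18T08:00:00,ws-0023,install,Remote Control Agent
2019-03-18T16:45:00,ws-0022,uninstall,PDF Reader
2019-03-19T07:55:00,ws-0024,install,Remote Control Agent
"""

# Products the administrators expect to roll out in bulk (constructed allowlist).
EXPECTED_BULK_ROLLOUTS = frozenset({"Office Suite"})


def find_mass_deployments(log_text, window=timedelta(days=10), min_hosts=5,
                          allowlist=EXPECTED_BULK_ROLLOUTS):
    """Return {product: sorted distinct hosts} for every non-allowlisted product
    that was installed on at least `min_hosts` distinct hosts within some
    `window`-long period. For each product, the window holding the most
    distinct hosts is the one reported."""
    installs = defaultdict(list)  # product -> [(timestamp, host), ...]
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event"] != "install" or row["product"] in allowlist:
            continue
        installs[row["product"]].append(
            (datetime.fromisoformat(row["timestamp"]), row["host"]))

    flagged = {}
    for product, events in installs.items():
        events.sort()  # time-ordered, so each window is a contiguous slice
        best = set()
        for i, (start, _) in enumerate(events):
            hosts = {host for ts, host in events[i:] if ts - start <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[product] = sorted(best)
    return flagged


if __name__ == "__main__":
    for product, hosts in find_mass_deployments(SAMPLE_LOG).items():
        print(f"{product}: installed on {len(hosts)} hosts -> {', '.join(hosts)}")
```

On the constructed feed this reports only the remote-control agent (six hosts inside the ten-day window); the office-suite rollout is suppressed by the allowlist and the single PDF reader install is below the threshold. The threshold and window are the tuning knobs: a hundred-plus endpoints over a week, as in the reported incident, would clear almost any sensible setting.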

One Wipro customer source that Krebs spoke to worked at a large retailer and said the attackers used the access for gift card fraud at the retailer's stores.

Yet Wipro at first stonewalled Krebs' requests for comment, then released an uninformative statement before eventually acknowledging the breach to an Indian newspaper after Krebs published his first post. Additionally, the company contested Krebs' timeline without providing one of its own, and appears to be passing off the forensic work of its customers as its own.

Krebs summarized Wipro's ham-handed public response this way:

  • Ignore reporter's questions for days and then pick nits in his story during a public investor conference call.
  • Question the stated timing of breach, but refuse to provide an alternative timeline.
  • Downplay the severity of the incident and characterize it as handled, even when they've only just hired an outside forensics firm.
  • Say the intruders deployed a "zero-day attack," and then refuse to discuss details of said zero-day.
  • Claim the [indicators of compromise] you're sharing with affected clients were discovered by you when they weren't.

The PR and communication lessons are important, but the substantive security component is even bigger. A major aspect of the market value of an MSP is the expectation that the MSP will be the strongest link in a customer's security chain and be more aware of security all along the chain than the customer could be. For an MSP to be the weakest link, and have to be alerted to its own security problems by customers, is pretty tough to recover from.

Posted by Scott Bekker on April 18, 2019 at 10:55 AM
