Analysis: The Top 4 Security Worries of MSPs
The No. 1 reason for a customer to fire you, the partner, is loss of data. Here's how to make sure that doesn't happen.
- By Ian Trump
- October 19, 2015
Congratulations, you're onboarding a new customer for your managed services provider (MSP) practice. Here are four security concerns you should worry about every time you sign up a customer.
1. The bad guys are already in the network -- you need a strategy to get them out.
When you're lucky enough to land a new customer, assume the customer's network is poisonous and treat it accordingly. The horrific reality is that you often gain new business because the customer has either neglected the network or fired a grossly incompetent previous IT services provider. You need to make a difference right away. Get your agents in place on servers and workstations, drop in managed anti-virus and fire up Web protection. Your next step is to find and kill malware on all the devices. Pull a software asset list, put that into Excel, de-duplicate it and start asking the business if it really needs all that software.
Pro Tip: See if the customer will let you uninstall Adobe Flash, Silverlight, Shockwave, QuickTime and Java, if at all possible. Getting rid of these apps is a huge security win.
2. The bad guys will compromise the network -- you need to make your customer hard to hack.
The No. 1 thing you can do here is roll out your patches -- patch the OS and those remaining third-party applications. Removing old, unused and possibly vulnerable software is a great first step, and this will actually reduce the number of apps you'll have to patch in the future. Also, you're soon going to start seeing "interesting things." Hopefully, most of your workstations took the patches well, but if a machine didn't, you can be assured it's probably broken in some way and might come back to haunt you. This would be a great time to re-image or clone the machine from a known good, and fully patched, machine. If the image doesn't take or the cloning fails, there's a strong chance you have a hardware issue.
3. The bad guys are going to cost the customer's business a lot of money -- you need to protect high-value targets inside the network with multiple security layers and network segregation.
Now that you're patched and updated and have layers of defense in place, it's time to start really locking things down.
Start with an external vulnerability scan for open ports on the outside of the customer's network. Hopefully the ports that are open make sense and are mapped to business services. If not, well, you have some work to do. Start investigating any strangeness and figure out the firewall rules. Does everything really need to be open to the entire Internet? Great opportunities exist to move mail protection into the business if they are hosting their own mail server. Now is the time to roll out all your SNMP, event log, performance monitoring and Windows Service checks into the infrastructure.
Pro Tip: For name resolution, your workstations generally only need to talk to your DNS server. So restrict port 53 outbound at the firewall to the IP of your DNS server. This is a great way to catch messed-up, malware-infected workstations in the firewall log.
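One way to act on the port 53 tip is to review the firewall log for workstations that tried to reach any resolver other than yours. The script below is an added example, not part of the original article; the log format, the resolver address and all sample lines are constructed assumptions, so adapt the parser to your firewall's real export.

```python
import re
from collections import defaultdict

# Assumption: the one approved internal resolver (constructed address).
APPROVED_DNS = {"10.0.0.53"}

# Constructed sample lines in a generic key=value firewall log format.
SAMPLE_LOG = """\
2015-10-19T09:00:01 action=allow proto=udp src=10.0.1.21 dst=10.0.0.53 dport=53
2015-10-19T09:00:04 action=deny proto=udp src=10.0.1.37 dst=198.51.100.7 dport=53
2015-10-19T09:00:05 action=deny proto=tcp src=10.0.1.37 dst=203.0.113.9 dport=53
2015-10-19T09:00:09 action=allow proto=tcp src=10.0.1.21 dst=192.0.2.80 dport=443
2015-10-19T09:01:12 action=deny proto=udp src=10.0.1.37 dst=198.51.100.7 dport=53
2015-10-19T09:02:30 action=deny proto=udp src=10.0.1.44 dst=203.0.113.9 dport=53
2015-10-19T09:02:31 garbled line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the key=value fields of one log line, or None if unusable."""
    fields = dict(FIELD.findall(line))
    if not {"action", "src", "dst", "dport"} <= fields.keys():
        return None
    return fields

def rogue_dns_clients(log_text, approved=APPROVED_DNS):
    """Map each source IP to the unapproved resolvers it tried on port 53."""
    # Denied flows show the rule working; allowed ones show a rule gap.
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["dport"] != "53":
            continue
        # Skip approved lookups and the resolver's own upstream queries.
        if f["dst"] in approved or f["src"] in approved:
            continue
        hits[f["src"]][f["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}

def triage_order(hits):
    """Sources sorted by total attempts, noisiest first."""
    return sorted(hits, key=lambda s: (-sum(hits[s].values()), s))

if __name__ == "__main__":
    found = rogue_dns_clients(SAMPLE_LOG)
    for src in triage_order(found):
        print(src, found[src])
```

Workstations at the top of the list are the first candidates for a malware scan or a re-image.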
4. The bad guys are attacking with ransomware -- you need great backups.
OK, you just spent a lot of effort getting this customer cleaned up and locked down and the backups are...suspect. You need to fix this immediately. The only thing that allows an MSP to sleep at night is backups that are running successfully.
What's better than a backup? Two backups. Cloud-based and local are a must-have requirement. Here's why: If you get hit by ransomware you might lose the locally attached USB drive backup, for example, and you'll be glad you have cloud-based backup. On the other hand, if you have a physical failure you'll be glad you're restoring data from a local source.
The No. 1 reason a customer will fire you is for losing their data. Get great at backup and restore.
Ian Trump is an IT consultant with 20 years' experience in IT security. He is security lead at LogicNow, and a regular presenter at industry security conferences. Follow him on Twitter: @phat_hobbit.