How Not To Handle a Security Breach as an MSP
The ongoing security and public relations mess at Wipro, a massive IT outsourcing company based in India with many major U.S. customers, provides an object lesson in how not to handle a security incident as a managed service provider (MSP).
The story was broken this week by Brian Krebs at his respected security blog Krebs on Security. Official information from Wipro has been slow to come out and inconsistent, which is part of the problem.
Krebs approached Wipro earlier this month after hearing about a breach from several sources. According to his latest reporting, a first Wipro employee fell victim to a phishing attack on March 11, with another 22 employees falling for a second round of phishing attacks on March 16 to 19. As of Wednesday, the attack was still ongoing with more than 100 Wipro endpoints "seeded with" a ConnectWise product for remote control of client systems, as Krebs phrased it. Using the compromised Wipro systems as a jumping-off point, attacks have been launched against at least 12 clients, Krebs reported.
One Wipro customer source that Krebs spoke to worked at a large retailer and said the attackers used the access for gift card fraud at the retailer's stores.
Yet Wipro at first stonewalled Krebs' requests for comment, then released a non-informative statement before eventually acknowledging the breach to an Indian newspaper after Krebs published his first blog. Additionally, the company contested Krebs' timeline without providing one of its own, and appears to be passing off the forensic work of its customers as its own.
Krebs summarized Wipro's ham-handed public response this way:
- Ignore reporter's questions for days and then pick nits in his story during a public investor conference call.
- Question the stated timing of breach, but refuse to provide an alternative timeline.
- Downplay the severity of the incident and characterize it as handled, even when they've only just hired an outside forensics firm.
- Say the intruders deployed a "zero-day attack," and then refuse to discuss details of said zero-day.
- Claim the [indicators of compromise] you're sharing with affected clients were discovered by you when they weren't.
The PR and communication lessons are important, but the substantive security component is even bigger. A major aspect of the market value of an MSP is the expectation that the MSP will be the strongest link in a customer's security chain and be more aware of security all along the chain than the customer could be. For an MSP to be the weakest link, and have to be alerted to its own security problems by customers, is pretty tough to recover from.
Posted by Scott Bekker on April 18, 2019