UPDATED: Cyber Attacks Compromising Managed Service Providers Now Targeting Police Departments | Ron Benvenisti

Last week, I wrote about the United States Secret Service seeing an uptick in cyber attacks compromising managed service providers.

It has been confirmed that third-party vendors and service providers used by businesses and organizations continue to be targets of threat actors in order to conduct cyber-attacks such as ransomware attacks, spear-phishing campaigns, business email compromise (BEC) scams, and vendor account compromises.

In a new twist, the New Jersey Cybersecurity and Communications Integration Cell now confirms that the Police have become a target.

This week, the Distributed Denial of Secrets (DDoSecrets) group released 269 GB of sensitive data from many US police departments and fusion centers in a collection dubbed “BlueLeaks.”

The data was stolen via a security breach of a third-party web design and hosting company.

As I wrote last week, third-party vendors and service providers often serve as an entry point for threat actors to target multiple victims in network compromises that could provide an opportunity to exfiltrate sensitive data, conduct social engineering campaigns, and deliver ransomware.

Data stolen from compromised networks can be used to target individuals using their personally identifiable information (PII) in attacks such as identity theft or doxing, which may endanger their lives. Therefore, security protections and controls must be implemented to safeguard client networks and data as well as limit the impact if an incident occurs.

It’s worth repeating what I wrote last week. In fact, I can’t repeat it enough!

Best practices for MSPs:

  • Have a well-defined service level agreement
  • Ensure remote administration tools are patched and up to date
  • Enforce least privilege for access to resources
  • Have well-defined security controls that comply with end users' regulatory compliance requirements
  • Perform annual data audits
  • Take into consideration local, state, and federal data compliance standards
  • Proactively conduct cyber training and education programs for employees

Best practices for MSP Customers:

  • Audit Service Level Agreements
  • Audit remote administration tools being utilized in your environment
  • Enforce two-factor authentication for all remote logins
  • Restrict administrative access during remote logins
  • Enforce least privilege for access to resources
  • Utilize a secure network and system infrastructure, capable of meeting current security requirements
  • Proactively conduct cyber training and education programs for employees

The NJCCIC (New Jersey Cybersecurity and Communications Integration Cell) is a component organization within the New Jersey Office of Homeland Security and Preparedness. The NJCCIC recommends that organizations adopt a third-party management program, implement the security protections and controls provided in the NJ Statewide Information Security Manual, and review the NJCCIC product Supply Chain: Compromise of Third-Parties Poses Increasing Risk. NJCCIC also advises users to adopt a defense-in-depth cybersecurity strategy, keep systems patched and up to date, and maintain cybersecurity best practices, including physical security.

Ron Benvenisti


2 COMMENTS

  1. Interesting. We have been a service provider for many years. One of our techs has certifications that we paid a lot of money for. Unfortunately, we had an incident between our help-desk and a client. We have insurance; however, the Insurance denied the claim because we did not have an independent third-party for cyber-security. We checked through the entire policy (good idea to do or discuss with your insurance company directly, not your broker) and they were right. That was a major cost, embarrassment, and damage to our reputation aside from losing that client of many years. The Insurer explained to me (I am the CFO) that the fact that one of our employees holds a certificate is not enough. She told me that we need a third-party agreement with an outside entity who must also be Government-certified with a verifiable State or Federal certification ID to get a renewal. We are trying to find somebody who meets their requirements and they have to approve. It seems there are many people who are getting certificates but can’t get Government credentials. We reached out to recruiters but most of them have foreigners. We definitely cannot afford to have the company close up shop, and we cannot afford another loss. We are afraid that we are going to have to sign up with an expensive corporate provider and eat the expense. We are a small shop but growing over the years and this has become a huge problem for us. Apparently all of us MSPs, large and small, are now under the microscope of insurers and government agencies. Neither the Insurance Company nor the Government are allowed to make recommendations. We are hesitant to even inquire so as not to call attention to ourselves; apparently the Government regulators that we need to satisfy see us MSPs as cash-cows for fines. Maybe a few of us can get together and split the cost to get a qualified third-party who would give us a “volume” discount.

    • True. Many insurance companies see certificates as “wallpaper”. Look for consultants with a DOD MURI award number from one of the Military branches, a certified member of the FBI InfraGard, DHS/USSS Electric Crimes Task Force, and possibly has a NIST license, which is extremely hard to get. That will guarantee the highest level of service and satisfy every insurance requirement. Dropping a hint here! Good luck.
