BRUCE MCCULLY has been in the security trenches as a former MSP and now as founder and chief security officer of third-party security auditor Galactic Advisors. From his “both sides of the fence” perspective, he identifies three key mistakes with backup as the prime way MSPs are making themselves and their customers vulnerable.
First is shared accounts. Galactic recently helped an MSP recover data for a new customer that was hit with ransomware. The customer’s previous MSP used a backup tool that required a local copy that was backed up to the cloud, which McCully says is “pretty standard,” but made a mistake by backing up to a Windows Server with a shared account. “It was actually domain joined,” McCully notes, “so the attackers, once they got to the domain, they just used that machine to then destroy the cloud backup.”
Second is putting RMM (remote monitoring and management) software on the backup device. “Think about that for a second. If you have an event where your RMM becomes the attack vector ... now they've dropped ransomware on the backups and on the original data set at the same time. So we have a complete loss and we're not able to recover,” McCully notes.
Third is allowing users to log in to their backup device from a computer that's being backed up. “You're running the risk that the attacker has gathered your credentials and is now able to get to that backup,” McCully says.
The remedy, he adds, is to implement the following best practices:
- Build a special, micro-segmented “red” network just for your backups. There should be no shared accounts or shared passwords on that domain.
- Only use backup tools that require multifactor authentication.
- Designate responsibility for backup to one technician.
“When I was running my MSP, we had somebody that was responsible for backups. They were the only one logging into the backup, so the only one with the keys to the kingdom.”
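As an added example (not code from the article or from Galactic Advisors), the script below audits logon records from a backup server against the three mistakes above: production-domain accounts on the backup host, logons originating from machines in the backup set, and one credential used from several machines (the shared-account pattern). The protected-host list, the domain name and the logon events are constructed sample values; a real run would take them from the backup job's host list and the backup server's Security event log (event ID 4624).

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inputs (not from the article).
PROTECTED_HOSTS = {"fs01", "dc01", "ws-accounting"}   # machines being backed up
PRODUCTION_DOMAIN = "corp"                             # domain the backup host must not be joined to


@dataclass(frozen=True)
class Logon:
    account: str      # "DOMAIN\\user" or "BACKUPHOST\\user" as recorded in the event
    source_host: str  # workstation name recorded in the event
    logon_type: int   # Windows logon type: 2 interactive, 3 network, 10 remote interactive


SAMPLE_LOGONS = [
    Logon("BACKUP01\\bkadmin", "admin-jump", 10),    # the designated technician, from a jump box
    Logon("corp\\svc-backup", "fs01", 3),            # production domain account, from a backed-up host
    Logon("BACKUP01\\bkadmin", "ws-accounting", 2),  # local admin used from a backed-up workstation
    Logon("corp\\jdoe", "dc01", 3),                  # production domain user, from the DC
]


def audit_logons(logons):
    """Return (rule, account, source) findings for every logon that breaks the red-network rules."""
    findings = []
    hosts_by_account = defaultdict(set)
    for ev in logons:
        domain, _, _ = ev.account.partition("\\")
        hosts_by_account[ev.account].add(ev.source_host.lower())
        # Mistake 1: a production-domain credential works on the backup host.
        if domain.lower() == PRODUCTION_DOMAIN:
            findings.append(("production-domain-account", ev.account, ev.source_host))
        # Mistake 3: someone reached the backup host from a machine that is itself backed up.
        if ev.source_host.lower() in PROTECTED_HOSTS:
            findings.append(("logon-from-backed-up-host", ev.account, ev.source_host))
    # Shared-account pattern: the same credential seen from more than one machine.
    for account, hosts in hosts_by_account.items():
        if len(hosts) > 1:
            findings.append(("account-used-from-multiple-hosts", account, ",".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for rule, account, source in audit_logons(SAMPLE_LOGONS):
        print(f"{rule:34} {account:22} {source}")
```

The only clean record is the designated technician's logon from the jump box; every other record produces at least one finding.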
In addition to backup mistakes, according to McCully, many MSPs fail to implement least privilege and zero trust. For instance, he says, the average MSP gives their engineers global admin rights, including full domain and RMM access.
Solo MSPs should create two admin accounts that are separate from what they use for email and other daily tasks, McCully recommends. One admin account should use SMS-based MFA from a cellphone; this is what he calls your “break glass” account that you typically will never use. Your working admin account, which you only log into through a private browser, should use app-based MFA.
Larger MSPs should restrict global admin rights to just a few trusted individuals, who follow the same steps as above, McCully advises.