30 Apr
Who Manages the Managers?
The issue of the integrity of Managed Service Providers (MSPs) has been raised to a new level.
Indian outsourcing consulting giant Wipro is investigating reports its own internal IT systems have been hacked. It’s believed adversaries are using Wipro’s systems to launch attacks against “at least a dozen” of the firm’s customers. A Wipro executive has told analysts that the attack involved “a few of our employee accounts” who were subjected to “an advanced phishing campaign.”
Many of Wipro’s customers operate in industries that would be considered targets for state-sponsored hackers, including critical infrastructure, aerospace, defence, banking and healthcare.
Sense of Security Chief Operating Officer, Murray Goldschmidt, has stated publicly: “It was only a matter of time. MSPs are ripe for attack because they control the keys to a multitude of supply chains, corporate operational functions and IP.”
“Of course, there will be potential reputational damage and Wipro will have to combat that, but the real issue is that companies who engage MSPs will have to be far more vigilant in the way they view their digital security portfolio in the future.”
It seems many companies and organisations that engage a third party or MSP lapse into believing that the provider has covered the cyber security issues on their behalf.
“Cyber security is a shared responsibility where clients must be constantly aware and work with their MSPs to maximise cyber security protection.”
What to do?
Organisations need to be very aware of the level of access that each service provider has, what data they have access to, and how that information is being accessed, stored and protected. IT management is not the only area where MSPs are engaged. Outsourcing of software development is also commonplace, and it is another area where poor techniques, oversight and management result in unnecessary vulnerabilities, increasing the organisation’s risk posture and frequently resulting in exploitation and compromise.
Some suggestions to focus on:
Address escrow arrangements for access to source code where appropriate (especially for licensed products that you have acquired and forked into your own development).
Information security requirements must be included in terms and conditions of third-party agreements. This should include the following information at a minimum:
- Access rights (definition, allocation and revocation) for third parties accessing your information.
- Right to audit and monitor third party.
- Reporting mechanism to your organisation by third party if a breach or incident occurred.
- Service levels and service continuity – all service provider contracts must have SLA and NDA clauses, as well as monitoring and governance practices, specified where applicable.
- Adherence of third party to your security policies.
- Delineation of security responsibilities.
- The type and level of encryption authorised for secure communication between two parties.
Third party security requirements should also be documented in your Information Security Policy. The detailed processes for engaging and managing third parties should be documented and oversight of third-party security practices must be continuously maintained.
Conduct risk assessments of each third-party engagement. This includes assessing the risk of using service providers based in other countries that have access to private and sensitive customer information; such arrangements must be assessed against the Australian Privacy Principles (APP) or the GDPR.
The security incident response plan should require the third-party supplier to notify you when any actual incident occurs. This should be included within the SLAs and contracts, which should define the different types of incidents, the required response time for each, and the expected medium for communication.