Category: Uncategorized

  • What Is a Data Breach? 11 Ways to Prevent One – CrowdStrike

    February 13, 2023
    A data breach is a security incident where an organization’s data is illegally stolen, copied, viewed, or released by an unauthorized individual or group. Common forms of targeted data include personally identifiable information (PII), proprietary information, financial information, and other sensitive material.
    Any organization with sensitive data can be the subject of a data breach regardless of size or industry sector. Attack methods vary, but all data breaches follow four broad steps:
    To complete this cycle, threat actors leverage numerous tactics to obtain data. Common methods include:
    Stolen or compromised credentials: The threat actor uses a legitimate user’s credentials such as their login and password to access a target system.
    Phishing: A malicious email using social engineering to manipulate the reader into giving the sender sensitive information such as credentials or access to a larger computer network.
    Breach of third-party software: Exploiting a flaw in software used by the target organization, for example leveraging a flaw in Microsoft Word to gain access to a company’s network.
    Malicious insider: A person within the target organization who intentionally uses their access to steal data or help others steal data.
    Accidental data loss: Can include the accidental publishing of sensitive data to the internet, a legitimate user unintentionally releasing their credentials, loss of equipment, and other mishaps.
    According to research from the Ponemon Institute, the most common breach methods were:
    Many data breaches go undetected for months, and recovery often costs millions of dollars. Some of the major consequences of a data breach include:
    Yahoo, August 2013: Widely considered the biggest data breach of all time, with 3 billion accounts impacted. When Yahoo disclosed the breach in December 2016 it estimated that 1 billion accounts were affected; in October 2017 it raised the number to 3 billion, demonstrating the difficulty of accurately assessing the damage of a breach. Hackers stole account information such as names, email addresses, birth dates, hashed passwords, and more.
    SolarWinds, disclosed December 2020: A routine update for the company’s Orion software turned out to have been trojanized; the malicious builds had been distributed since March 2020, and in April 2021 the U.S. government formally attributed the operation to Russia’s foreign intelligence service (SVR). SolarWinds estimated that up to 18,000 customers downloaded the tainted update, leading to the compromise of about 100 companies and nine U.S. federal agencies.
    LinkedIn, June 2021: The professional networking social media company found 90% of its user base impacted when data associated with 700 million of its members was posted to a dark web forum. A hacker group executed data scraping tactics to exploit LinkedIn’s API and retrieve information such as email addresses, phone numbers, geolocation records, and more.
    There’s no better time than the present to start securing and preparing your organization to prevent a data breach. It’s not a question of if you’ll be targeted but when.
    An effective plan should establish best practices, define key roles and responsibilities, and define a process for the organization’s response. It should cover restoring the confidentiality, integrity and availability of data and systems, as well as external requirements such as contacting an insurance carrier or law enforcement.
    Once you understand the risks to your organization and the gaps within your cybersecurity defenses, set goals to mitigate risk. These efforts should be prioritized as part of a strategic roadmap to improve your overall cybersecurity.
    Cyber talent is hard to find and expensive to retain. Professional security consultants have access to the latest threat intelligence to guide your cybersecurity and response to any intrusions or detected events.
    Focus your limited resources on those areas of the network that are most critical to your business. Determine where your most sensitive data or networks are located and implement increased logging and network monitoring. Actively monitor network access.
    Patching operating systems and third-party applications is one of the most inexpensive, yet effective ways to harden a network. Build a strong patch management process and ensure that critical security patches are installed as soon as possible. Update legacy software and systems.
    The news is littered with companies that didn’t adequately protect their user accounts. Passwords are consistently reported as being offered for sale on the darknet. If your organization maintains user accounts, audit your password storage functions.
    Remote access into your network should always require two-factor authentication. Consider also requiring 2FA for sensitive administrative accounts.
    One of the simplest attacks is to use a default password that is shipped out-of-the-box by a vendor. Default passwords, especially for hardware devices (e.g., Wi-Fi routers), can allow direct access to critical data.
    Testing readiness with tabletop exercises offers immense benefits when it comes to being operationally ready for a data breach. Working through roles, responsibilities and the steps of a complete incident response plan prepares a team for action and identifies weaknesses.
    Training and educating your staff enhances and expands cybersecurity abilities. Consider classes on threat hunting to ensure a proactive approach to detecting intrusion attempts.
    Organizations that are better able to detect and respond to breaches often have integrated fraud and IT security departments. Encourage regular information sharing in your organization.
    Data breaches are prolific, and your organization’s security will only be as strong as your personnel and their ability to detect threats.

    source

  • Home Health Care Company To Pay $425000 Following Data … – Mass.gov

    BOSTON: A Georgia-based home health and hospice care company will pay $425,000 after it failed to implement proper security measures to protect the personal information of patients and employees, Attorney General Maura Healey announced today.
    The complaint and consent judgment against Aveanna Healthcare, LLC, entered today in Suffolk Superior Court, follows a series of phishing attacks that impacted more than 4,000 Massachusetts residents. Aveanna is a national provider of pediatric and adult home health care, operating in 33 states with Massachusetts offices located in Brockton, Plymouth, Shrewsbury, Springfield, Waltham, West Springfield, and Worcester. The AG’s Office alleges that in July 2019, Aveanna employees began receiving fraudulent “phishing” emails designed to cause the recipient to provide credentials, money, or sensitive information.
    “Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said AG Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take the steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”
    The private information, which may have included social security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment records, of more than 4,000 Massachusetts residents, including patients and employees, was potentially accessed by the hackers.
    In one instance, a phishing email was sent to employees that appeared to come from Aveanna’s president. The attacks continued into August 2019, by which point more than 600 phishing emails were sent to employees. Employees’ responses to these emails resulted in hackers obtaining access to portions of Aveanna’s computer network. The hackers also tried to defraud employees by logging into Aveanna’s human resources system and altering individual employees’ direct deposit information. In response to the incident, Aveanna provided affected Massachusetts residents with two years of free credit monitoring.
     The AG’s Office alleges that Aveanna was aware that its cybersecurity required improvement but had not implemented new changes to improve it by the time the phishing attacks occurred. Among the problems Aveanna identified were a lack of sufficient tools and employee training to stop phishing attacks, and a lack of the use of multi-factor authentication, which can also help to stop phishing attacks. Additionally, the AG’s Office alleges that Aveanna’s security program failed to meet the minimum required safeguards to protect personal information under the Massachusetts Data Security Regulations. The complaint also alleges that Aveanna failed to meet the standards for security of protected health information that are required by Federal HIPAA regulations.
     Under the terms of the consent judgment, Aveanna will pay $425,000 to the AG’s Office. Additionally, the company will be required to develop, implement, and maintain a security program that includes phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions. 
    Aveanna must also continue to train its employees on data security, keep them up to date on security threats, and do an annual independent assessment of its compliance with the consent judgment and the Massachusetts Data Security Regulations for a period of four years.
    If you believe that you have been the victim of a data breach, you may need to take steps to protect yourself from identity theft. For additional information, consumers may visit the AG’s website. Guidance for businesses on data breaches can be found here.
    This case was handled by Division Chief Jared Rinehimer, of the AG’s Data Privacy and Security Division.

    source

  • Samsung warns US customers of data breach | Cyber Security Hub – Cyber Security Hub

    Samsung has warned its US customers that their data may have been accessed following a hack in July 2022.
    In a statement the technology company said it had discovered a “cyber security incident” which may have led to the sharing of customer information including “name, contact and demographic information, date of birth and product registration information”.
    The breach was the result of an unauthorized third party gaining access to Samsung’s US systems in late July, and “acquir[ing] information” from them. It was confirmed on August 4, 2022 via an internal investigation at Samsung that personal customer information was accessed during the breach.  
    Samsung said it has taken steps to secure the affected systems, engaged a “leading outside cyber security firm”, and notified law enforcement of the breach. The company also assured customers that confidential information such as social security numbers and credit or debit card details was not accessed.
    Samsung did not disclose how many users were affected but confirmed that it will notify everyone whose data was accessed.

    source

  • Odisha Takes Action Against Rising Cyber Crime with New Phone Number ‘1930’ – My City Links

    The Odisha government is intensifying its efforts to combat the increasing number of cyber crimes in the state by launching a special phone number, “1930,” for victims and the general public. The move comes in response to the growing number of cyber crimes involving financial offenses and sexual abuse of women and children.
    Chief Secretary Suresh Chandra Mahapatra emphasized the need to check any illegal activities using computers, communication devices, or computer networks. To raise awareness, the government has planned to deploy 34 “Sachetanata Rath” vehicles equipped with audio and visual materials throughout the state. The campaign will target various groups, including elderly individuals, students, health workers, and members of self-help groups.
    Through the initiative, people will be educated on the importance of verifying authenticity before conducting financial transactions, avoiding friendship with unknown individuals, and not clicking on links, SMSs, or apps from suspicious sources. Regular symposiums, seminars, quiz competitions, debates, and essay competitions will be held, especially in schools.
    According to statistics, the number of cybercrime cases has been on the rise in Odisha, with 1485 cases registered in 2019, 1931 in 2020, 2037 in 2021, 3402 petitions received in 2022, and 7700 petitions received in 2022 through the cyber help desk.
    This anti-cyber crime campaign in Odisha is a groundbreaking initiative and the first of its kind in the country, according to Chief Secretary Mahapatra.

    source

  • ChatGPT lets scammers craft emails that are so convincing they can get cash from victims without even relying on malware – Fortune

    The advent of ChatGPT has cybersecurity experts spooked. Some fear the powerful chatbot will make it far easier for non-coders to create malware and become cybercriminals. But so far, one cybersecurity company says, ChatGPT may be having a counterintuitive effect on hacking: supercharging scams that don’t rely on any sort of malicious code at all.
    Max Heinemeyer, the chief product officer at the U.K.-based cybersecurity firm Darktrace, says that looking at the one-month period since ChatGPT attained 1 million users in early December, there has been little change in the total number of attempted cyberattacks targeting Darktrace customers. But Darktrace has seen a distinct shift in the tactics used by cybercriminals.
    Malicious links in phishing emails declined from 22% of cases to just 14%, Heinemeyer says. But the average linguistic complexity of the phishing emails encountered by Darktrace jumped 17%.
    The company’s working theory: Cybercriminals are starting to use ChatGPT to craft much more convincing phishing emails—ones that are so good that cybercriminals don’t even need to rely on embedding malware in attachments or links. After all, malicious links or embedded malware can often be detected and stopped by cybersecurity software such as Darktrace’s.
    What’s much harder to stop are attacks that rely completely on old-fashioned deception, or “social engineering.” An email so convincingly written that the recipient believes it comes from a trusted source is a great way to pull off authorized push payment fraud, for example. The victim is fooled into sending funds for what they think is a legitimate transaction or invoice, but is in fact sending the money straight to a fraudster’s account.
    In some cases, Heinemeyer says, criminals may be setting the stage for longer cons that involve winning the victims’ trust over a period of time and might involve sophisticated impersonations of real executives or customers.
    In addition to A.I. writing tools such as ChatGPT, other new generative A.I. tools could be used to abet such scams. A.I. software, such as that from nascent startup Eleven Labs, can now create realistic voice clones after having been trained on recordings of a target’s voice that might only be a few seconds long. Meanwhile, text-to-image generation software, such as Stable Diffusion, can create increasingly realistic deepfakes with a fraction of the training data previously required for other deepfake methods.
    Frauds based on compromised business emails have been on the rise for the past four to five years, Evan Reiser, founder and CEO of the cybersecurity firm Abnormal, says. And while he says that his company has not yet seen any increase in these kinds of attacks since ChatGPT debuted, he thinks it is possible criminals, especially those whose native language is not English, may be tempted to use the tool to craft emails that are less likely to raise red flags with potential victims due to ungrammatical or uncolloquial expressions. “Any tool that is perceived by humans as authentic will make [fraud] worse,” Reiser says.
    He says this is especially true of systems where they are explicitly trained to produce text in a particular style, synthesized voices, or images with the intent of fooling people. But he also says that often the simplest tricks—just a very short email that seems to come from a trusted person—works well enough and that criminals generally gravitate towards whatever methods are simplest and require the least effort. “You can send silly, stupid emails and make millions of dollars,” he says. “Why go through the trouble and effort to train [A.I.] models to do that.”
    In the wake of the release of ChatGPT, some cybersecurity firms raised the alarm that the A.I. might make it fiendishly easy to pull off a cyberattack. Maya Horowitz, the vice president of research at cybersecurity firm Check Point, says that her team was able to get ChatGPT to generate every stage of a cyberattack, starting with a better-than-average phishing email, then carrying on to actually writing the software code for a malware attack and figuring out how to embed that code into an innocuous-looking email attachment. Horowitz said she feared ChatGPT and other generative language models would lead to many more cyberattacks.
    But the same kind of large language models that power ChatGPT can also be used to help cybersecurity companies defend against attacks. Abnormal uses some language models, such as Google’s BERT, to help determine what the intent of an email is. If an email is asking a person to pay for something and putting that person under time pressure, saying it is urgent or needs to be done ASAP, that could be a red flag, Reiser says. Language models can also read attachments and see if they match the form and style of previous invoices, or whether the invoicing company is one the business has interacted with before. They can even check whether the account numbers match ones that have been used previously. (Abnormal also analyses details such as whether an email attachment uses fonts matching those previously seen from that company, and looks at document metadata for signals that something fishy is going on, Reiser says.)
    Much of what Abnormal does though is look at patterns across a huge number of features and use machine learning models to figure out if they rise to the threshold where the email should be blocked and a company’s security team alerted. There’s almost always something that will give away a phishing attempt if you know where to look, Reiser says. Even in the case where a legitimate business email account has been compromised, the attacker will often take actions, such as running multiple searches through the account’s history, or using an API to control the account rather than a PC keyboard, that will provide a signal that something isn’t right.
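    The signals Reiser describes, urgency plus a payment request, an invoice whose bank account does not match the one on file, and a sender whose display name claims to be an executive but whose address is external, can be combined into a simple scorer. The following is an added illustration written for this page, not Abnormal’s or Darktrace’s logic; the vendor table, executive directory, sample messages, weights and block threshold are all constructed assumptions that a real deployment would replace with its own data and tuning.

```python
"""Heuristic triage of payment-request emails (BEC / invoice fraud).

Added illustration, not Abnormal's or Darktrace's logic. Every table and
message below is constructed for the example; the weights and threshold are
assumptions a real deployment would tune.
"""
import re

INTERNAL_DOMAIN = "victim.example"
# Assumed vendor master data: sender domain -> bank account already on file.
VENDORS_ON_FILE = {"acme-supplies.example": "GB29NWBK60161331926819"}
# Assumed directory of executives attackers like to impersonate.
EXECUTIVES = {"jane doe": "jane.doe@victim.example"}

URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details|iban)\b", re.I)
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

# Signal weights (assumption): cheap linguistic cues score low, identity and
# account anomalies score high, so urgency alone never blocks a real invoice.
WEIGHTS = {
    "urgency language": 1,
    "payment request": 1,
    "reply-to domain differs from sender": 2,
    "bank details from a vendor not on file": 2,
    "bank account differs from the one on file": 3,
    "display name impersonates an executive": 3,
}
BLOCK_AT = 4


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def find_signals(msg):
    """Return the list of signal names present in one parsed message."""
    signals = []
    body = msg["body"]
    sender = msg["from_addr"].lower()
    sender_domain = _domain(sender)
    if URGENCY.search(body):
        signals.append("urgency language")
    if PAYMENT.search(body):
        signals.append("payment request")
    reply_to = msg.get("reply_to")
    if reply_to and _domain(reply_to) != sender_domain:
        signals.append("reply-to domain differs from sender")
    display = msg.get("display_name", "").strip().lower()
    if display in EXECUTIVES and EXECUTIVES[display] != sender:
        signals.append("display name impersonates an executive")
    ibans = set(IBAN.findall(body))
    if ibans and sender_domain != INTERNAL_DOMAIN:
        on_file = VENDORS_ON_FILE.get(sender_domain)
        if on_file is None:
            signals.append("bank details from a vendor not on file")
        elif on_file not in ibans:
            signals.append("bank account differs from the one on file")
    return signals


def triage(msg):
    """Return (verdict, score, signals); verdict is 'block' or 'allow'."""
    signals = find_signals(msg)
    score = sum(WEIGHTS[s] for s in signals)
    return ("block" if score >= BLOCK_AT else "allow", score, signals)


# Constructed messages: one genuine invoice, one lookalike-domain invoice swap,
# and one executive impersonation that carries no link or attachment at all.
SAMPLE_MESSAGES = {
    "genuine": {
        "display_name": "ACME Billing",
        "from_addr": "billing@acme-supplies.example",
        "body": "Invoice 4471 is due today; please wire payment to GB29NWBK60161331926819.",
    },
    "invoice_swap": {
        "display_name": "ACME Billing",
        "from_addr": "billing@acme-suppiies.example",
        "reply_to": "accounts@acme-suppiies.example",
        "body": "URGENT: our bank details changed. Send payment for invoice 4471 "
                "to DE89370400440532013000 immediately.",
    },
    "ceo_fraud": {
        "display_name": "Jane Doe",
        "from_addr": "jane.doe.office@webmail.example",
        "body": "In a meeting, need a wire transfer done ASAP. Will send the account shortly.",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, triage(msg))
```

    The genuine invoice trips the urgency and payment cues but nothing else and is allowed; the lookalike-domain invoice and the executive impersonation each cross the threshold without any link or attachment, which is the point of the article: the signal has to come from identity and transaction context, not from payload scanning.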
    Nicole Eagan, Darktrace’s chief strategy officer, says Darktrace itself has been using the same kind of large language models that underpin ChatGPT to create more believable spear-phishing emails, which the company uses in internal “red teaming” exercises to test its own cybersecurity practices. Eagan says she recently fell for one of these, which was inserted directly into an actual email chain she was having with an outside recruiter Darktrace used.
    (Darktrace spent much of the past week trying to prove a different sort of pattern didn’t indicate anything fishy was going on: the company’s share price dropped dramatically after short seller Quintessential Capital Management issued a report claiming it had found evidence that the cybersecurity company might have engaged in dubious accounting practices to try inflate its revenues and profitability ahead of its 2021 initial public offering. Darktrace has denied the accusations in the report, saying that the hedge fund never contacted it before publishing its report and that it has “full confidence” in its accounting practices and the “integrity of our independently audited financial statements.”)
     

    source

  • Need stringent law to curb unlawful Internet behaviour, cyber crime: NHRC – Business Standard

    Press Trust of India  |  Ahmedabad 


    National Human Rights Commission (NHRC) chairperson Justice (Retd) Arun Kumar Mishra on Thursday called for a stringent law to deal with "unlawful behaviour and cyber crimes."

    He was speaking after the inauguration of the 25th All India Forensic Science Conference at the National Forensic Sciences University in Gandhinagar. "It is necessary to promote cyber ethics. And there should be stringent legislation by the government to penalise and punish unlawful behaviour and cyber crimes," the former Supreme Court judge said.
    Many countries have amended their laws "specifically to deal with cyber crimes along with the advent of newer kinds of crimes," he said.
    Freedom of expression applicable for "social media and cyber space" is not "larger" than what is granted to individuals or the media, Mishra said. "Freedom of expression under Article 19 of the Constitution given to the media or individuals is the same as that given to the social media or the cyberspace, it is not larger than that…So there should be stringent legislation to deal with . We need to deal with misuse very sternly," he said.
    Cyberspace was being used for infringing civil and human rights and violating individual privacy, the former judge added. "Cyber space is causing breach of privacy of online personalities and infringing the right to live with dignity. Cyber security is the key to fight and preservation of human rights. Global studies indicate India is third in cyber threats and second in targeted attacks," he said.
    (Only the headline and picture of this report may have been reworked by the Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)
    First Published: Thu, February 02 2023. 21:00 IST

    source

  • Parental awareness, stiff laws vital in combating cybercrime, say … – Jordan Times

    By Rana Tayseer – Feb 01,2023 – Last updated at Feb 01,2023
    AMMAN —  Parental awareness along with strict government policies hold key to preventing children from falling prey to cyber crimes, say experts.
    The Cybercrime Unit of the Public Security Directorate on Tuesday said that cybercrimes have increased six-fold since 2015, attributing the surge to the widespread use of technology, smartphone applications and social media.
    Hussam Khattab, a cybersecurity expert, highlighted the need for a comprehensive awareness, inclusive of all age groups.
    “Parents must play an important role in monitoring children, their behaviour and the sites they use. There are options to protect children from cybercrimes and parents can download apps that are made only for children,” Khattab told The Jordan Times.
    Tareq Al Qudah, a lawyer and cybersecurity expert, stressed the need for a deterrent punishment for perpetrators of cybercrimes.
    “If the judiciary keeps applying the minimum punishment, people will keep committing cybercrimes,” Qudah told The Jordan Times.
    “Children must be taught how to deal with the digital world and how to protect themselves,” he added.
    In its report, the Cyber Crime Unit said that due to a growing understanding of rights and ability to litigate, the number of registered crimes increased, as victims are encouraged to file legal complaints.
    According to the unit’s 2022 report, cybercrimes rose six-fold over seven years, from 2,305 cases in 2015 to 16,027 cases in 2022.
    The unit affirmed that it continues to implement educational campaigns on the dangers of cybercrime in light of the widespread use of social media, which has facilitated the disruption of societal peace through a number of issues, including child abuse.
    Calling on social media users to exercise caution when using these platforms, the unit also urged the public to avoid filling in or sending any personal information to unreliable websites, and refrain from clicking fake links that are sent to them for the purposes of hacking their personal accounts, according to the report.
     

    source

  • Protecting Against Cyber Threats to Managed Service Providers and … – CISA

    Tactical actions for MSPs and their customers to take today:
    • Identify and disable accounts that are no longer in use.
    • Enforce MFA on MSP accounts that access the customer environment and monitor for unexplained failed authentication.
    • Ensure MSP-customer contracts transparently identify ownership of ICT security roles and responsibilities.
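    The first two actions above can be checked mechanically against the customer’s authentication log: accounts with no successful login in a long time are candidates for disabling, and runs of failed authentications against an MSP account are the “unexplained failed authentication” to escalate. The following is an added example, not CISA or vendor tooling; the log format, the MSP account inventory, the 90-day staleness window and the burst threshold are assumptions constructed for the example.

```python
"""Flag stale MSP accounts and failed-authentication bursts from an auth log.

Added example, not CISA's or any MSP's tooling. The log format, the account
inventory, the 90-day staleness window and the burst threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt in an assumed "timestamp account result source" format.
SAMPLE_LOG = """\
2023-02-01T08:00:12Z msp-jsmith success 203.0.113.10
2023-02-01T08:05:40Z msp-jsmith success 203.0.113.10
2022-10-14T17:22:03Z msp-contractor success 198.51.100.7
2023-02-27T02:14:01Z msp-backup failure 198.51.100.99
2023-02-27T02:14:03Z msp-backup failure 198.51.100.99
2023-02-27T02:14:05Z msp-backup failure 198.51.100.99
2023-02-27T02:14:06Z msp-backup failure 198.51.100.99
2023-02-27T02:14:09Z msp-backup failure 198.51.100.99
2023-02-27T02:14:11Z msp-backup failure 198.51.100.99
2023-02-27T09:30:00Z msp-jsmith failure 203.0.113.10
2023-02-27T09:30:20Z msp-jsmith success 203.0.113.10
"""

# Assumed inventory of MSP accounts provisioned in the customer environment.
KNOWN_MSP_ACCOUNTS = {"msp-jsmith", "msp-contractor", "msp-backup", "msp-oldvendor"}
REVIEW_TIME = datetime(2023, 2, 28)   # "now" for the stale-account check
STALE_AFTER = timedelta(days=90)      # no successful login for this long: disable candidate
BURST_COUNT = 5                       # this many failures ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst


def parse(log_text):
    """Parse lines into (timestamp, account, result, source) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, account, result, source = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, result, source))
    return events


def stale_accounts(events, accounts, now):
    """Accounts with no successful login within STALE_AFTER; value is the last success or None."""
    last_success = {}
    for ts, account, result, _ in events:
        if result == "success":
            last_success[account] = max(ts, last_success.get(account, ts))
    return {
        account: last_success.get(account)
        for account in accounts
        if last_success.get(account) is None or now - last_success[account] > STALE_AFTER
    }


def failed_auth_bursts(events):
    """Per account, the largest run of >= BURST_COUNT failures inside BURST_WINDOW.

    Returns {account: (first_failure, last_failure, count, source_ips)}.
    """
    failures = defaultdict(list)
    for ts, account, result, source in sorted(events):
        if result == "failure":
            failures[account].append((ts, source))
    bursts = {}
    for account, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the run fits inside BURST_WINDOW.
            while fails[end][0] - fails[start][0] > BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BURST_COUNT and count >= bursts.get(account, (None, None, 0, None))[2]:
                bursts[account] = (fails[start][0], fails[end][0], count,
                                   {src for _, src in fails[start:end + 1]})
    return bursts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for account, last in stale_accounts(events, KNOWN_MSP_ACCOUNTS, REVIEW_TIME).items():
        print(f"disable candidate: {account} (last success: {last})")
    for account, (first, last, count, sources) in failed_auth_bursts(events).items():
        print(f"failed-auth burst: {account} {count} failures {first}..{last} from {sorted(sources)}")
```

    On the sample log the contractor account (last seen in October) and two accounts with no successful login at all come back as disable candidates, and msp-backup, one of those never-used accounts, also shows a six-failure burst in ten seconds from a single source; a single failed attempt followed by a success, as with msp-jsmith, is the ordinary typo and stays quiet. Working from the inventory rather than from the log alone is what surfaces msp-oldvendor, which never appears in the log at all.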
    The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA, NSA, FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.[1] This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. This advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations. MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.
    The guidance provided in this advisory is specifically tailored for both MSPs and their customers and is the result of a collaborative effort from the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC). Organizations should read this advisory in conjunction with NCSC-UK guidance on actions to take when the cyber threat is heightened, CCCS guidance on Cyber Security Considerations for Consumers of Managed Services, and CISA guidance provided on the Shields Up and Shields Up Technical Guidance webpages.
    This advisory defines MSPs as entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement. In addition to offering their own services, an MSP may offer services in conjunction with those of other providers. Offerings may include platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services. MSPs typically manage these services and functions in their customer’s network environment—either on the customer’s premises or hosted in the MSP’s data center. Note: this advisory does not address guidance on cloud service providers (CSPs)—providers who handle the ICT needs of their customers via cloud services such as Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service; however, MSPs may offer these services as well. (See Appendix for additional definitions.)
    MSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. Many organizations—ranging from large critical infrastructure organizations to small- and mid-sized businesses—use MSPs to manage ICT systems, store data, or support sensitive processes. Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally. 
    Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base.
    The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities have previously issued general guidance for MSPs and their customers.[2],[3],[4],[5],[6],[7],[8] This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community. 
    Download the Joint Cybersecurity Advisory: Protecting Against Cyber Threats to Managed Service Providers and their Customers (pdf, 697kb).
    The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities recommend MSPs and their customers implement the baseline security measures and operational controls listed in this section. Additionally, customers should ensure their contractual arrangements specify that their MSP implements these measures and controls.
    In their efforts to compromise MSPs, malicious cyber actors exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques. MSPs and their customers should ensure they are mitigating these attack methods. Useful mitigation resources on initial compromise attack methods are listed below:
    It can be months before incidents are detected, so UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities recommend all organizations store their most important logs for at least six months. Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks. Organizations can refer to the following NCSC-UK guidance on the appropriate data to collect for security purposes and when to use it: What exactly should we be logging? Additionally, all organizations—whether through contractual arrangements with an MSP or on their own—should implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting. 
Organizations should secure remote access applications and enforce MFA where possible to harden the infrastructure that enables access to networks and systems.[9],[10] Note: Russian state-sponsored APT actors have recently demonstrated the ability to exploit default MFA protocols; organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.[11]
    Organizations should understand their environment and segregate their networks. Identify, group, and isolate critical business systems and apply appropriate network security controls to them to reduce the impact of a compromise across the organization.[12],[13]
Organizations should apply the principle of least privilege throughout their network environment and immediately update privileges upon changes in administrative roles. Use a tiering model for administrative accounts so that these accounts do not have any unnecessary access or privileges. Only use accounts with full privileges across an enterprise when strictly necessary and consider the use of time-based privileges to further restrict their use. Identify high-risk devices, services, and users to minimize their access.[14]
Both MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.[15] (Note: although sharing accounts is not recommended, should an organization require this, passwords to shared accounts should be reset when personnel transition.) Organizations should also audit their network infrastructure—paying particular attention to systems on the MSP-customer boundary—to identify and disable unused systems and services. Port scanning tools and automated system inventories can assist organizations in confirming the roles and responsibilities of systems.
    Organizations should update software, including operating systems, applications, and firmware. Prioritize applying security updates to software containing known exploited vulnerabilities. Note: organizations should prioritize patching vulnerabilities included in CISA’s catalogue of known exploited vulnerabilities (KEV) as opposed to only those with high Common Vulnerability Scoring System (CVSS) scores that have not been exploited and may never be exploited.[16],[17],[18],[19]
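The KEV-first prioritisation described above, as an added example that is not part of the advisory: findings are queued by KEV membership first and CVSS score second, and the queue is contrasted with a CVSS-only ordering. The CVE identifiers and the KEV subset are constructed placeholders, not real catalog entries.

```python
"""Patch-queue ordering: KEV membership outranks raw CVSS score.
Added example; CVE ids and the KEV subset below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    host: str


# Constructed stand-in for a KEV catalog lookup (placeholder ids, not real).
KEV_PLACEHOLDER = {"CVE-0000-0001", "CVE-0000-0003"}

# Constructed scanner findings (placeholder ids and host names).
FINDINGS = [
    Finding("CVE-0000-0002", 9.8, "mail01"),  # critical CVSS, not known exploited
    Finding("CVE-0000-0001", 7.2, "vpn01"),   # known exploited, high CVSS
    Finding("CVE-0000-0003", 5.3, "rmm01"),   # known exploited, medium CVSS
    Finding("CVE-0000-0004", 6.5, "web01"),   # not known exploited
]


def tier(finding, kev):
    """'KEV' if the CVE is in the known-exploited set, else 'CVSS'."""
    return "KEV" if finding.cve in kev else "CVSS"


def patch_queue(findings, kev):
    """Order findings: KEV entries first (by CVSS desc), then the rest by CVSS desc.
    Returns a list of (tier, Finding) tuples."""
    ordered = sorted(findings, key=lambda f: (f.cve not in kev, -f.cvss))
    return [(tier(f, kev), f) for f in ordered]


def cvss_only_queue(findings):
    """The ordering the advisory warns against: highest CVSS first, KEV ignored."""
    return sorted(findings, key=lambda f: -f.cvss)


if __name__ == "__main__":
    for t, f in patch_queue(FINDINGS, KEV_PLACEHOLDER):
        print(f"{t:4} {f.cve} cvss={f.cvss} host={f.host}")
    print("CVSS-only would start with:", cvss_only_queue(FINDINGS)[0].cve)
```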
Organizations should regularly update and test backups—including “gold images” of critical systems in the event these need to be rebuilt (Note: organizations should base the frequency of backups on their recovery point objective [20]). Store backups separately and isolate them from network connections that could enable the spread of ransomware; many ransomware variants attempt to find and encrypt/delete accessible backups. Isolating backups enables restoration of systems/data to their previous state should they be encrypted with ransomware. Note: best practices include storing backups separately, such as on external media.[21],[22],[23]
    Incident response and recovery plans should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers. Organizations should maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible (e.g., due to a ransomware attack).[24]
    All organizations should proactively manage ICT supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.[25],[26]
    Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities. 
All organizations should adhere to best practices for password and permission management.[28],[29],[30] Organizations should review logs for unexplained failed authentication attempts—failed authentication attempts directly following an account password change could indicate that the account had been compromised. Note: network defenders can proactively search for such “intrusion canaries” by reviewing logs after performing password changes—using off-network communications to inform users of the changes—across all sensitive accounts. (See the ACSC publication, Windows Event Logging and Forwarding as well as Microsoft’s documentation, 4625(F): An account failed to log on, for additional guidance.)
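The intrusion-canary review described above, as an added example that is not part of the advisory: failed logons (event 4625) that land within a short window after a password change or reset (events 4723/4724) for the same account are flagged. The events are constructed sample records shaped like Windows Security log fields, not real log data.

```python
"""Intrusion-canary check over Windows Security events.
Added example; SAMPLE_EVENTS are constructed records, not real logs."""
from datetime import datetime, timedelta

# Constructed sample events. 4724 = password reset by an administrator,
# 4723 = user changed own password, 4625 = failed logon.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2022-05-11T08:00:00", "TargetUserName": "svc-backup",
     "IpAddress": "10.0.5.23", "Status": "0xC000006D"},   # before the change: ignored
    {"EventID": 4724, "TimeCreated": "2022-05-11T09:00:00", "TargetUserName": "svc-backup",
     "IpAddress": "-", "Status": "-"},
    {"EventID": 4625, "TimeCreated": "2022-05-11T09:04:10", "TargetUserName": "svc-backup",
     "IpAddress": "10.0.5.23", "Status": "0xC000006D"},   # canary: wrong (old?) password
    {"EventID": 4625, "TimeCreated": "2022-05-11T09:04:12", "TargetUserName": "svc-backup",
     "IpAddress": "10.0.5.23", "Status": "0xC000006D"},
    {"EventID": 4724, "TimeCreated": "2022-05-11T09:30:00", "TargetUserName": "jsmith",
     "IpAddress": "-", "Status": "-"},
    {"EventID": 4625, "TimeCreated": "2022-05-12T08:00:00", "TargetUserName": "jsmith",
     "IpAddress": "10.0.7.4", "Status": "0xC000006D"},    # next day: outside window
]

PASSWORD_CHANGE_IDS = (4723, 4724)
FAILED_LOGON_ID = 4625


def find_intrusion_canaries(events, window=timedelta(hours=1)):
    """Return {user: [failed-logon events]} for 4625 events that occur within
    `window` after that user's most recent password change/reset."""
    last_change = {}
    hits = {}
    # Process chronologically so a failure is matched only to a preceding change.
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        user = ev["TargetUserName"]
        if ev["EventID"] in PASSWORD_CHANGE_IDS:
            last_change[user] = when
        elif ev["EventID"] == FAILED_LOGON_ID and user in last_change:
            if timedelta(0) <= when - last_change[user] <= window:
                hits.setdefault(user, []).append(ev)
    return hits


if __name__ == "__main__":
    for user, failures in find_intrusion_canaries(SAMPLE_EVENTS).items():
        sources = sorted({f["IpAddress"] for f in failures})
        print(f"{user}: {len(failures)} failed logon(s) after password change from {sources}")
```

Widening `window` trades fewer missed canaries for more noise from users who simply mistype a new password; the sample shows jsmith's next-day failure dropping in only at a two-day window.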
This advisory was developed by UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
    The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities would like to thank Secureworks for their contributions to this CSA.
    The information in this report is being provided “as is” for informational purposes only. NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favouring.
    United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973. Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca. New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654. U.S. organizations: all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov
    In addition to the guidance referenced above, see the following resources:
    [1] State of the Market: The New Threat Landscape, Pushing MSP security to the next level (N-able) 
    [2] Global targeting of enterprises via managed service providers (NCSC-UK)
    [3] Guidance for MSPs and Small- and Mid-sized Businesses (CISA)
    [4] Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers (CISA) 
    [5] APTs Targeting IT Service Provider Customers (CISA)
    [6] MSP Investigation Report (ACSC)
    [7] How to Manage Your Security When Engaging a Managed Service Provider
    [8] Supply Chain Cyber Security: In Safe Hands (NCSC-NZ)
    [9] Multi-factor authentication for online services (NCSC-UK)
    [10] Zero trust architecture design principles: MFA (NCSC-UK)
    [11] Joint CISA-FBI CSA: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA Protocols and “PrintNightmare” Vulnerability
    [12] Security architecture anti-patterns (NCSC-UK)
    [13] Preventing Lateral Movement (NCSC-UK)
    [14] Preventing Lateral Movement: Apply the principle of least privilege (NCSC-UK)
    [15] Device Security Guidance: Obsolete products (NCSC-UK)
    [16] Known Exploited Vulnerabilities Catalog (CISA)
    [17] The problems with patching (NCSC-UK)
    [18] Security principles for cross domain solutions: Patching (NCSC-UK)
    [19] Joint CSA: 2021 Top Routinely Exploited Vulnerabilities
    [20] Protecting Data from Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files (NIST)
    [21] Stop Ransomware website (CISA)
    [22] Offline backups in an online world (NCSC-UK)
    [23] Mitigating malware and ransomware attacks (NCSC-UK)
    [24] Effective steps to cyber exercise creation (NCSC-UK)
    [25] Supply chain security guidance (NCSC-UK)
    [26] ICT Supply Chain Resource Library (CISA)
    [27] Risk Considerations for Managed Service Provider Customers (CISA)
    [28] Device Security Guidance: Enterprise authentication policy (NCSC-UK)
    [29] Preventing Lateral Movement: Apply the principle of least privilege (NCSC-UK)
    [30] Implementing Strong Authentication (CISA)
    This advisory’s definition of MSPs aligns with the following definitions.
    The definition of MSP from Gartner’s Information Technology Glossary—which is also referenced by NIST in Improving Cybersecurity of Managed Service Providers—is:
    A managed service provider (MSP) delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center.
    MSPs may deliver their own native services in conjunction with other providers’ services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers. The term MSP traditionally was applied to infrastructure or device-centric types of services but has expanded to include any continuous, regular management, maintenance and support.
    The United Kingdom’s Department of Digital, Culture, Media, and Sport (DCMS) recently published the following definition of MSP, which includes examples: 
    Managed Service Provider – A supplier that delivers a portfolio of IT services to business customers via ongoing support and active administration, all of which are typically underpinned by a Service Level Agreement. A Managed Service Provider may provide their own Managed Services or offer their own services in conjunction with other IT providers’ services. The Managed Services might include:
    The Managed Services might be delivered from customer premises, from customer data centres, from Managed Service Providers’ own data centres or from 3rd party facilities (co-location facilities, public cloud data centres or network Points of Presence (PoPs)).
    May 11, 2022: Initial version