Managed services providers (MSPs) hold access credentials for hundreds of thousands of customer systems. These credentials are “keys to the kingdom” and provide access at various levels to networks, devices, applications, and even data.
Malicious actors understand the importance of the access granted to MSPs, and also recognize the value of obtaining multiple credentials in as few attacks as possible. MSPs and IT service providers in general may be an example of “shoemaker’s children”—although they are experts in recommending and implementing risk management strategies for their customers, they may not have looked after their own house.
For attackers, this is the potential for a perfect storm: large volumes of credentials, concentrated in the hands of very few organizations, with potentially weak risk management in place.
In fact, both HPE and IBM, two of the world’s largest MSPs, were breached last year in focused attacks. So this definitely isn’t just an issue for smaller MSPs.
How can you ensure your customers’ credentials are protected? Let’s start with a look at the types of password attacks that breach systems.
Malicious actors use a variety of password-based attacks to gain access to systems.
- Password spraying is an automated attack using known email addresses and a short list of common passwords tried against many accounts. It’s a guessing game with a high degree of success against weak passwords.
- Credential stuffing is an automated attack using known username/password combinations, usually from earlier breaches, targeted at new sites. This type of attack works well against people who reuse passwords.
- Brute-force attacks are automated attacks using email addresses and high-volume guessing of passwords based on dictionaries of passwords, words, and word variations. They are time- and resource-intensive but yield fast results against weak passwords.
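As an added example (not from the original post or from SolarWinds), here is a small Python detector that separates the spraying and brute-force patterns above in a constructed failed-login log; the log format, field names, addresses and thresholds are assumptions.

```python
"""Distinguish password spraying from brute-force attempts in failed-login logs."""
import re
from collections import defaultdict

# Constructed sample lines (hypothetical syslog-like format), not from a real system.
SAMPLE_LOG = """\
2019-06-03T09:00:01Z auth FAIL user=alice@example.test src=203.0.113.5
2019-06-03T09:00:02Z auth FAIL user=bob@example.test src=203.0.113.5
2019-06-03T09:00:03Z auth FAIL user=carol@example.test src=203.0.113.5
2019-06-03T09:00:04Z auth FAIL user=dave@example.test src=203.0.113.5
2019-06-03T09:00:05Z auth FAIL user=erin@example.test src=203.0.113.5
2019-06-03T09:01:00Z auth FAIL user=admin@example.test src=198.51.100.7
2019-06-03T09:01:01Z auth FAIL user=admin@example.test src=198.51.100.7
2019-06-03T09:01:02Z auth FAIL user=admin@example.test src=198.51.100.7
2019-06-03T09:01:03Z auth FAIL user=admin@example.test src=198.51.100.7
2019-06-03T09:01:04Z auth FAIL user=admin@example.test src=198.51.100.7
2019-06-03T09:02:00Z auth FAIL user=grace@example.test src=192.0.2.9
2019-06-03T09:02:30Z auth OK user=grace@example.test src=192.0.2.9
"""

LINE_RE = re.compile(r"auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)")


def failures_by_source(log_text):
    """Return {src_ip: {user: failed_attempts}} built from the FAIL lines only."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "FAIL":
            per_src[m.group("src")][m.group("user")] += 1
    return per_src


def classify_sources(log_text, min_failures=5, spray_users=5, spray_max_per_user=2):
    """Label each source IP (thresholds are assumed starting points, tune per tenant).

    'spray'  : failures spread across many accounts, few per account
               (one common password tried against a list of known addresses)
    'brute'  : failures concentrated on one or a few accounts (dictionary guessing)
    'normal' : below the failure threshold, e.g. a user mistyping once
    """
    verdicts = {}
    for src, users in failures_by_source(log_text).items():
        total = sum(users.values())
        if total < min_failures:
            verdicts[src] = "normal"
        elif len(users) >= spray_users and max(users.values()) <= spray_max_per_user:
            verdicts[src] = "spray"
        else:
            verdicts[src] = "brute"
    return verdicts
```

Credential stuffing usually arrives from many source addresses with one or two attempts per account, so a per-source threshold like this one will miss it; correlate failures per account across sources as well.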
These attacks used to require specialist expertise. Today, tools and password lists are readily available free of charge. A June 2019 Google search for “Passwords.txt” yields 10.3 million results, with link titles like “10-million-password-list,” “500-worst-passwords,” “10k-most common,” and “Large Password Lists: Password cracking Dictionary’s download.” This shows that the means to drive these attacks are within easy reach. A second search for tools designed for use by white hat/ethical hackers returns a large number of downloadable tools ready for use.
Strong passwords offer the best defense against all three types of attack.
However, strong passwords are hard to remember and hard to manage without purpose-built tools.
Spreadsheets, the most common stopgap, make strong passwords usable but present operational challenges:
- Mistyping errors
- Copy/paste errors
- Increased search times
- Out-of-date version of the sheet
- Multiple copies complicate maintenance
- Insecure storage
- Revocation is impossible
Why password management matters
These challenges mean that eventually users fall back to reusing old passwords or creating weak ones, and the risk of breach increases. This is where a purpose-built password management solution can help, providing you with a way to:
- Facilitate the creation of strong passwords
- Securely store credentials of all types
- Seamlessly inject passwords into systems when needed
- Enable vaults to be configured by role, providing access based on expertise and seniority
- Grant or revoke access with a single click
- Auto-capture new credentials
- Expire passwords
- Measure and report on password strength and age
- Rotate existing credentials automatically
- Provide an audit capability to help meet compliance requirements for credential creation, usage, and storage
For most compliance requirements, it’s important that passwords are changed regularly; this is something that is easily demonstrated with a purpose-built solution.
However, probably the best aspect of all from a technician’s perspective is that you only need to remember a single password to access the secure vault.
If you haven’t yet implemented a purpose-built solution at your MSP, you could well be putting both yourselves and your customers at risk.
Built for MSPs by MSPs, SolarWinds Passportal + Documentation Manager is an encrypted and efficient password and credential management solution, offering credential injection, reporting, auditing, password change automation and privileged client documentation capabilities—designed to streamline the technicians’ day by providing essential documentation at their fingertips to standardize service delivery and expedite issue resolution.
SolarWinds Passportal can help you manage risk, shorten incident resolution times, and meet compliance requirements for credential creation, usage, and storage. To find out more, click here.