Hi all, Security in the MSP world is something that I care about and something that I don't believe is being done well by at least 85% of MSP's. The MSP world is interesting in the fact that you deal with some many different sorts of business that can range from a bakery to construction companies to healthcare providers. Do all of these require the same level of protection? In a perfect world, yes! However in the real world a small mum & dad bakery doesn't have anywhere close to the funds to accomplish this. With Australia recently introducing their mandatory data breach notification laws everyone has had to start looking at their security solution and how best to deal with these threats.
1) Email Security
This is how 95% of attacks affect SMB's (In my experience), There are so many phishing emails, Dodgy attachments, BEC's and Emails "From" the CEO that employees just fall for all day every day. There are multiple filtering options available (Trend HES, Mimecast, Proofpoint etc) that are easy as to setup and just leave everything at default which is where SO many companies go wrong. You need to spend at least a few hours with the customer and find out who the accountants/managers are and add them to the "High profile list" (I only have experience with HES - I assume the other options have the same sort of thing) which then checks the name that the email is "from" and if the address isn't approved then block it. Adding a email filter also helps by changing your MX record from O365/GSuite (If you use it) to the mail filter so you get less targeted phishing emails regarding "your account has been suspended".
The other things that should be configured are SPF/DKIM to help alleviate most of the other email issues that are seen. This is going to have to be another thing that you speak to your clients about and actually find out what email services they use, because if you turn on SPF and they are using another email provider for one of their LoB app's, your customer is not going to be happy. The best way that I have found to do this is by setting up DMARC in monitor mode (Do not even bother trying to set up reject/quarantie across your customer base as you will be dealing with 1000's of LoB vendors who do not know what DMARC is and you will go insane. Trust me!). I personally use DMARC Analyzer to review all of these results and you can generally guess what services your clients are using (I don't mind setting up monitor mode across all of the clients to this service)
2) MFA across public servers (RDGateway/Citrix/OWA etc)
I'm not going to harp on about this topic, Everybody knows that you should have MFA on all external resources that access the companies network. There are multiple options for MFA providers (Azure AD, DUO, Okta) that you can basically take your pick. I personally prefer Duo and use it on my home network as it's just so easy to use! (Click accept/deny as you see fit - Anyone can figure it out). If your remote access solution doesn't offer MFA you need to find another option as it's just not acceptable in this day and age!
3) Configuring basic desktop security
I've noticed a lot of MSP's focus on the "big picture" of "We need to protect the servers, the servers are vital so we need to protect them and if we do that then the world is safe". But the problem with that is, your accounting firm might have 3-4 servers (DC,RDS,SQL,File Server) but what about the 40-60 desktops that connect to them? The desktops usually have a large amount of data on them and are perfect for an attacker to get to and move throughout the network. I believe there are 4 must do things to protect your desktops against most threats directed towards the SMB's. The first thing that enterprise techs will say is remove local admin from all desktops, unfortunately this just isn't possible in the real world. You would have to dedicate a tech for at least a month (If not more) just to do this. I personally don't believe this is worth the effort
a) Deny access to this computer from the network - GPO
I believe this setting should be configured across all desktops (With a custom group for all user accounts so you don't deny Domain Admins - due to most of them also being in domain users group). There is no reason why your users should need to connect to another desktop over the network. This setting can be controlled via a GPO
b) Deny Domain Admins the ability to logon to desktops - GPO
There is no reason why Domain Admins would be logging into a desktop. You should have a local admin account (Either a Domain User looked after by yourself or an actual local admin). This setting can be controlled via GPO
c) Antivirus up to date on PC's
This one is a bit of a pain to monitor due to a few factors
1- If there is no cloud console then there will be a local console on every endpoint and it may be a pain to integrate with your RMM to monitor out of date AV
2- If the AV agent is "broken" they are often a pain to remove, occasionally involving getting into safe mode. However this will still need to be fixed anyway
This one of the main things that do need to be looked after, Even with some people finding AV a little bit dated. It is still 100% required on your network
d) Configuring an Audit Policy
All the above settings do help prevent a compromise but there is no way to 100% prevent a compromise and setting up the above auditing will help determine what has/hasn't been accessed on the network (If mimikatz etc has been ran) and being able to help Incident Response techs to report to your regulatory body (if applicable)
My 2 cents
I would be honestly surprised if someone in the comments says that "Yes we do this for all of our customers", It's just so rare to do and then you also have to deal with client push back believing they aren't a target for hackers - These days everyone's a target.