Joint Cyber Security Advisory: Protecting against cyber threats to managed service providers (MSPs) and their customers

Summary

New Zealand’s National Cyber Security Centre (NCSC) has issued a cyber security advisory in conjunction with its international partners the Cybersecurity and Infrastructure Security Agency (CISA(external link)), National Security Agency (NSA(external link)), Federal Bureau of Investigation (FBI)(external link), Australian Cyber Security Centre (ACSC(external link)), Canadian Centre for Cyber Security (CCCS(external link)), and the United Kingdom’s National Cyber Security Centre (NCSC-UK(external link)).

The joint cyber security advisory(external link) focuses on enabling transparent discussions between managed service providers (MSPs) and their customers on securing sensitive data. The advisory provides several actions that organisations can take to reduce their risk of becoming a victim to malicious cyber activity. It recommends MSP customers ensure their contractual arrangements specify that their MSP implements measures and controls including: 

 

  • Preventing initial compromise by implementing mitigations against attack methods exploiting vulnerable devices and internet-facing services, brute-force attacks, password spraying, and phishing. 
  • Enabling monitoring and logging, including storage of most important logs for at least six months, and implementing endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting.  
  • Securing remote access applications and enforcing multifactor authentication (MFA) where possible to harden the infrastructure that enables access to networks and systems. 
  • Developing and exercising incident response and recovery plans, which should include roles and responsibilities for all organisational stakeholders, including executives, technical leads, and procurement officers. 
  • Understanding and proactively managing supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritise the allocation of resources.  

 

Read the full cyber security advisory on CISA’s website(external link).

Read the full media statement on CISA’s website(external link).