ConnectWise Control Security Issues Are Tip Of Iceberg For MSPs Using RMM Tools
“We’re always worried. We hold 450 customers’ data. Very important data. That’s one of those things, where anytime you hear about a vulnerability with any product it makes you think ‘I hope we’re secure,’” Zac Paulson, CEO of West Fargo, N.D.-based MSP TrueIT.
The ConnectWise Control security vulnerabilities disclosed this week by security researcher Bishop Fox are the tip of the iceberg for MSPs using Remote Monitoring and Management (RMM) tools, according to MSPs.
“There is going to be a mad scramble for MSPs to properly secure themselves against this type of threat,” said Allen Falcon, founder and CEO of Cumulus Global, a Westborough, Mass.-based cloud solution provider. “It’s a race against cybercriminals and a race against time.”
Falcon said he sees the ConnectWise Control security issues as just the start of something bigger. “I think MSPs should be really nervous,” he said. “We know there is a vulnerability with ConnectWise and their toolset. I would expect similar vulnerabilities across the RMM marketplace. Every RMM manufacturer and PSA provider should be scrambling to test and validate that they don’t have similar issues.”
Bishop Fox indicated that it is also looking for potential security flaws in other remote monitoring and management tools for MSPs. If RMM tools are not architected or configured properly, MSPs can expose themselves and their customers to a “whole bunch of different security concerns,” said Bishop Fox.
Zac Paulson, CEO of TrueIT, a West Fargo, N.D.-based MSP that has been a ConnectWise partner since 2007, said even in the wake of the disclosed vulnerabilities, he is overall satisfied with the company, adding that every tool solution providers use comes with risks.
“No matter what, we’re always worried,” he said. “We hold 450 customers’ data. Very important data. That’s one of those things, where anytime you hear about a vulnerability with any product it makes you think, ‘I hope we’re secure,’” said Darin Harris, chief operating officer and co-founder of Remote Techs in Tarzana, Calif., who explained his company was hit by ransomware last year through ConnectWise’s unpatched vulnerability with a Kaseya plug-in. After weeks of mitigation that spiraled costs into the hundreds of thousands of dollars, he said they are in the process of switching their ticketing system to a rival.
“If they had patched the application correctly, it would not have happened,” he said of the ransomware outbreak that left his network with as many as 40 customers and 200 endpoints infected.
Remote Techs did not close shop thanks to a robust cyber insurance policy through Lloyd’s of London – which gave the firm lawyers, a security expert, and even local counsel to handle a lawsuit brought by an unhappy customer. Additionally, Harris said his company’s backup and recovery plan worked as expected, giving them a leg up in getting customers online.
“That made all the difference for us,” he said. “We found out on a Sunday and by Monday noon, we had our biggest clients up and running … We had about 10 percent of our total environment that was affected. We were upset, but we felt pretty lucky.”
Ben Niernberg, executive vice president of MNJ Technologies in Buffalo Grove, Ill. – No. 163 on the CRN 2019 Solution Provider 500 – said the security vulnerabilities found by Bishop Fox are not “run of the mill problems.”
“We were on ConnectWise for about two and a half, three years and recently we ended our relationship with ConnectWise and moved to a different provider for our tool,” he told CRN. “Some of that was based on forms and functionality. But part of that was based on security vulnerabilities. Our customers are trusting us as an MSP that we are securing their information.”
Both Niernberg and Harris called switching MSP tool vendors one of the most difficult tasks their businesses have had to undertake.
“Losing 10 to 15 years of ticketing, and resolutions and billing information out of your system is the worst,” Harris said. “It’s irreplaceable information that you use all the time.”
Niernberg said in addition to the lost data, the firm had to change internal processes around ticketing, the way they pulled reporting and integrations into their ERP systems, among other issues.
“You live and breathe these RMM tools, so it was about re-looking at all of our workflow and a lot of times we had to change the decisions we made three years prior because the data is handled differently,” he said. “It was a very long, painful and arduous process for sure.”
MSPs need to realize that when they are establishing remote connections they are opening the door for potential cybercriminals, said Falcon. “MSPs have access to their customer’s data and have the legal, moral and ethical responsibility to protect that data,” he said.