Launches alert website, improves security tools, expands developer training in wake of vulnerability report
ConnectWise is taking steps to assure partners and customers of the security of ConnectWise Control, which came under scrutiny this month when security consultancy Bishop Fox outlined eight security flaws in the remote desktop software that is popular with MSPs and enterprises.
The Lowdown: In a Jan. 22 blog post, Bishop Fox researchers said they alerted ConnectWise to the vulnerabilities last year, and ConnectWise has said it has fixed six of them, with the others to be addressed later.
The Details: Another security firm, Huntress Labs, at the request of CRN, confirmed Bishop Fox’s findings and spoke with ConnectWise officials about the vulnerabilities and ConnectWise’s response. ConnectWise also hired cybersecurity firm GuidePoint to validate the patches made by the company and to confirm the remediation efforts.
Bringing on GuidePoint was among several steps ConnectWise CEO Jason Magee outlined in an open letter posted to the company’s website. Here are other moves ConnectWise made to improve security and transparency:
• Passed an independent SOC 2 Type 2 audit, continued running regular penetration tests and vulnerability assessments on systems and products, and implemented ethical hacker training.
• Implemented tools to automatically evaluate behavior to protect against product misuse, began using machine learning techniques to detect anomalies in log-ins, and will launch a bug bounty program.
• Started rolling out multi-factor authentication (MFA) and single sign-on (SSO) across the platform.
• Invested in developer security training to increase skills and ensure developers know the most recent application security coding practices.
• Launched the ConnectWise Security Trust site, where partners can find information on security incidents, alerts, critical patches, and product updates.
ConnectWise also has published a matrix outlining its response to the vulnerabilities outlined by Bishop Fox.
The Impact: Hackers increasingly are targeting MSPs, given the access that the managed security advisers have to a broad array of companies. The FBI and Department of Homeland Security in 2018 warned MSPs and cloud providers that bad actors are trying to exploit them to get to their customers. DHS also has a site listing security alerts. A range of vendors and groups, including Continuum, Blackpoint Cyber, and MSPAlliance, also are putting a spotlight on the threat to MSPs.
Background: The question of ConnectWise Control’s security has surfaced in the middle of a blockbuster deal to buy rival Continuum, a longtime provider of managed services platforms. The proposal was announced in October, months after private equity firm Thoma Bravo – which also owns Continuum – bought ConnectWise.
The Buzz: “While the threat landscape is ever changing, we seek to constantly and proactively manage security efforts not only through the updating of our products, but through the education of our team and collaboration with third-party security experts,” Magee wrote in his letter. “I want to assure our community that we understand the trust you place in our products and people. We take that trust seriously.”
“Bugs happen. And it’s not about when bugs happen, but it’s about what you do when they happen,” Magee says Huntress CEO Kyle Hanslovan told him. “We were happy to work with CRN earlier this week to confirm that ConnectWise had already patched 6 of the 8 items found. I think three things matter in this scenario: Were the bugs acknowledged, were the bugs fixed and was the company passionate about fixing them for the right reasons? I think ConnectWise came through on all three things, and after our positive conversation on January 23, we’re excited about continuing to work with ConnectWise and other vendors for the benefit of the channel as a whole.”