RMM liability concerns

BO Terry

I have been considering adding RMM for some of my business clients. When I recently discussed this with another local tech, they mentioned liability if my client were compromised in any way. A specific example they used was: if the client were hacked and the attackers gained access to banking info, the bank would direct the liability to the company that installed/managed the RMM.

Any feedback on this?
 
Have a really good limited liability clause in your RMM terms. Get a lawyer to take a look at it if you really want to ensure you cover your ass.
 
I'm not sure which scenario you're describing:
  • Customer gets breached and blames your RMM
  • Your RMM gets breached and lets bad actors access your client
I work at a large MSP. To get around scenario 2, where the RMM gets breached, we operate our RMM servers in an isolated network, and we use two-factor authentication to log in. Ideally, the isolated network should have different credentials than your primary one, so a breach of your LAN wouldn't mean a breach of your RMM.

In a practical example, I'd put an Untangle box in router mode in front of the server that runs the RMM back end (assuming that you're using a self-hosted RMM).
 
The risk of #2 (RMM breach --> client breach) is one of the main reasons that I was mostly looking at self-hosted RMM options when we were looking, and is the reason I wouldn't want to jump to a new-to-market RMM.

I still haven't hardened ours as much as I should (e.g. with the router completely blocking all non-US inbound traffic), but when things like the Struts vulnerabilities cropped up it was easy to tweak our router so that the only inbound connections allowed for the RMM were from the static or most recent IPs of our customers' offices. That cost us a few days of connectivity to anyone using laptops outside the offices or possibly from a dynamic IP, but that's only a few systems for a limited time.

For that matter I'd love to see some extra paranoia options - endpoints require pinned certs, ability to have the endpoints port knock if the initial connection fails, etc. I know port knocking isn't really security as such in that it's not encrypted, but if you have a service that accepts reporting from endpoints then by definition you have an open inbound port that can be probed. Port knocking means that it's a lot less likely that someone can start probing that port for issues (e.g. Heartbleed).
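As an added illustration of the endpoint-side options described in the post above (pinned certs on the agent, and knocking before a retry when the initial connection fails), here is a small Python agent check-in routine. It is not code from any RMM product or from the poster; the host name, port, pin value and knock sequence are placeholders, and the pin is a SHA-256 of the server certificate in DER form, which is what Python's `ssl` module hands back.

```python
"""Agent-side hardening for an RMM check-in: certificate pinning plus a
port-knock fallback. Added illustration, not code from any RMM product.
Host, port, pin and knock sequence are assumptions for the example."""
import hashlib
import hmac
import socket
import ssl
import time

# Hypothetical RMM back end (assumption, not a real host).
RMM_HOST = "rmm.example.net"
RMM_PORT = 443
# Hypothetical knock sequence (assumption): UDP ports hit in order before a retry.
KNOCK_SEQUENCE = (7000, 8000, 9000)
# SHA-256 of the server certificate in DER form, shipped with the agent.
# Placeholder value (assumption); keep the old pin alongside a new one while rotating.
PINNED_SHA256 = {"0" * 64}


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate (the form getpeercert(binary_form=True) returns)."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins) -> bool:
    """True if the presented cert hashes to one of the pinned values.
    compare_digest keeps the comparison constant-time; pins are lower-cased
    so a value copied from openssl output in upper case still matches."""
    fp = cert_fingerprint(der)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def open_pinned_tls(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect, complete a normal chain- and hostname-verified handshake, then
    refuse to send anything unless the server's leaf cert matches a pin."""
    ctx = ssl.create_default_context()  # CA verification and hostname check stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake happens here
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"pin mismatch for {host}: got {cert_fingerprint(der or b'')}")
    return tls


def knock(host: str, sequence, delay: float = 0.2) -> None:
    """Send one empty UDP datagram to each port in order. Nothing here is secret;
    it only keeps the real port closed to scanners that never knock."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for port in sequence:
            s.sendto(b"", (host, port))
            time.sleep(delay)


def check_in(host=RMM_HOST, port=RMM_PORT, pins=PINNED_SHA256, knocks=KNOCK_SEQUENCE):
    """Try the pinned connection; if the port is filtered or refused, knock and retry once.
    A pin or chain failure is never retried: that is the case pinning exists to stop."""
    try:
        return open_pinned_tls(host, port, pins)
    except ssl.SSLError:
        raise
    except OSError:  # refused, timed out, unreachable: the port may be closed until we knock
        knock(host, knocks)
        return open_pinned_tls(host, port, pins)


if __name__ == "__main__":
    # A real run needs a reachable RMM host and its actual pin; both are assumptions here.
    with check_in() as tls:
        tls.sendall(b"GET /agent/checkin HTTP/1.1\r\nHost: " + RMM_HOST.encode() + b"\r\n\r\n")
```

The pin check runs after, not instead of, ordinary certificate verification, so a mismatch means the agent will not talk to a server that merely presents a publicly trusted cert for the right name. Shipping two pins during a certificate rotation avoids locking every endpoint out when the server cert is reissued.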
 
RMM is part of your MSP offering. So that entire package needs to be evaluated.

Personally I've been involved in a few financial "problems". I've never heard of a bank/financial institution trying to pin things on an MSP provider. After all, the bank's agreement is with the business and not the MSP. The MSP is NOT responsible for the day-to-day operations of the business. My experience is that the bank/financial institution will evaluate the breach. They may require a site audit even if the site is under an MSP contract. Once they have that, or a belief that the network and computers are OK, they will unfreeze the account(s). Now these were all events where something popped up which caused the alarm bells to go off, suspicious transactions for example. Had one customer who had no idea what was going on and got the typical email "your account has been locked, blah, blah, blah". Her bank was equally clueless, which resulted in a massive Chinese fire drill, all for nothing. Of course those EU who stupidly fall for the bait and perform transfers of their own accord are a completely different animal.

At any rate, this is why one should have insurance. Make sure to discuss with the underwriter all of what you are doing. Generally speaking, if you are offering MSP and/or working as a BA for a CE (HIPAA) you will need E&O in addition to GL.
 
I wouldn't be as worried about the bank as the business owner. Even without RMM installed I seem to be implicated in any computer problems they've had since I did work there 9 months ago. Having RMM running (even from my own server) at a business is a liability I prefer to avoid. (...and yes, I'm insured but what's a couple million $ to a business.)
 