Security Update from Syncro

In recent years, we have all read the stories of RMM tools as an attack vector for criminals and cyber terrorism. This topic continues to come up, particularly in light of the Russian invasion of Ukraine and the concern of increased state-sponsored cyber attacks. I would like to give you an update on the Syncro approach to these challenges.

I know that you have placed a lot of trust in us at Syncro. The security of systems and data - both yours and your end clients’ - is a responsibility I take incredibly seriously. I believe security is not a thing you can ever finish working on. Good security practices require a state of constant evolution, improvement, and monitoring. Syncro has a dedicated and empowered team of security experts working continuously to evaluate and improve our multiple and robust layers of security to protect you and your customers. In recent months, some of their actions include hardening our software supply chain, conducting additional penetration testing and implementing automated code security and compliance scanning.

In February 2022, an independent security firm completed an audit of the agent codebase. The audit checked the agent for protection against common attack vectors such as account takeover, remote execution, dumping of account or system information, and others.

The Syncro web portal requires MFA on all user accounts and implements account lockout for multiple failed attempts from the same or multiple IP addresses. User accounts can enable IP allowlisting. In addition, at the infrastructure level, there’s a built-in Web Application Firewall (WAF), TLS/HTTPS for all traffic, and SSO for internal access with MFA mandatory. Our databases are encrypted and backed up.
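As an added illustration of the two portal controls described above (this is example code written for this page, not Syncro's implementation): account lockout that counts failed attempts per account across different source IPs, and a per-user IP allowlist. The threshold, window and sample addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCKOUT_THRESHOLD = 5          # failed attempts before lockout (assumed value)
LOCKOUT_WINDOW_SECONDS = 600   # sliding window for counting failures (assumed)


class LoginPolicy:
    """Evaluates login attempts against lockout and IP-allowlist rules."""

    def __init__(self, allowlists):
        # allowlists: {user: [cidr, ...]}; an empty list means allowlisting is off
        self.allowlists = {u: [ip_network(c) for c in cidrs] for u, cidrs in allowlists.items()}
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked = set()

    def ip_allowed(self, user, ip):
        nets = self.allowlists.get(user, [])
        return not nets or any(ip_address(ip) in n for n in nets)

    def attempt(self, user, ip, ts, password_ok, mfa_ok):
        if user in self.locked:
            return "locked"                 # locked accounts refuse even valid credentials
        if not self.ip_allowed(user, ip):
            return "denied_ip"
        if not (password_ok and mfa_ok):
            # Failures are keyed on the account, not the IP, so rotating source
            # addresses (e.g. a spray from many hosts) still trips the lockout.
            window = [t for t in self.failures[user] if ts - t < LOCKOUT_WINDOW_SECONDS]
            window.append(ts)
            self.failures[user] = window
            if len(window) >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
                return "locked"
            return "failed"
        self.failures[user].clear()         # successful login resets the counter
        return "ok"


# Constructed sample: five failures against "admin" from five different IPs,
# then a correct login that is still refused; "tech1" is allowlisted to one /24.
SAMPLE_EVENTS = [
    ("admin", "198.51.100.%d" % i, i * 10, False, False) for i in range(1, 6)
] + [
    ("admin", "198.51.100.6", 50, True, True),
    ("tech1", "192.0.2.9", 60, True, True),
    ("tech1", "203.0.113.7", 70, True, True),
]


def run_sample():
    policy = LoginPolicy({"admin": [], "tech1": ["203.0.113.0/24"]})
    return [policy.attempt(*event) for event in SAMPLE_EVENTS]
```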

Although we are confident in the security infrastructure for all of our accounts, there are additional measures that you, as a Syncro customer, can take. In order to secure your Syncro account, here are some Best Practices for your consideration:

  • Ensure MFA is enabled on user accounts
  • Enable IP allow lists for user accounts
  • Use unique, strong passwords for each account
  • Keep security group permissions for each user restricted to only what the user needs
  • Set MFA timeouts to as small a timeframe as is feasible
  • Set a user session timeout to as small a timeframe as is feasible
  • Limit admin account usage, and create an elevated user account for day-to-day activities
  • Limit and protect API tokens, removing them from your account whenever they are no longer needed
  • Revoke mobile app tokens when access is no longer required

For more information, please refer to our Security FAQ:

Regards,
Rajesh Agarwal
VP of Engineering
