First, let’s note a couple of things about MSPs:
- paid to secure your infrastructure, yet can’t secure their own infrastructure a majority of the time
- account for the majority of large-scale foreign-government attacks on FVEY
So can they really be trusted with our nation’s infrastructure?
Cold hard facts produce cold hard cash
- the GRU has been performing brute-force attacks since mid-2019
- incredibly easy to brute-force en masse
- Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS)
- Microsoft advisory - NOBELIUM (pt 1)
- Microsoft blog - NOBELIUM APT (pt 2)
- Phishing is such a massive revenue generator that it’s used against MSPs
MSPs don’t use basic domain protections:
- multi-layer security/restriction approach involving people and processes (OSI Model)
- SSO (application and network layer)
- requirements engineering process 1 [Faroom2019]
- SPF and DMARC (e-mail threats)
- network segregation
- least privilege
- deprecate obsolete accounts and processes
- regular maintenance and updates
- rolling backups on-prem and in the cloud
- Mandatory Access Controls (SELinux, SSO, network permissions)
These truly are basic fundamentals of security and should be utilized at the bare minimum by companies paid to protect the infrastructure and systems (e.g., applications and controllers) of SMBs and large companies. But they’re just not. Why?
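The "SPF and DMARC" item above is the one control on that list that can be audited from a single DNS lookup. The following is an added example (not from the original post) that checks an SPF record and a DMARC record for the settings that leave a domain spoofable; the records and the domain names in them are constructed samples, and in practice they would be read from the domain's TXT record and from `_dmarc.<domain>`.

```python
# Added example: offline audit of SPF and DMARC TXT records for weak settings.
# Records are passed in as strings; in practice they come from DNS TXT lookups
# of the domain itself and of _dmarc.<domain>.
from typing import Dict, List, Optional

def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=...' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record: Optional[str]) -> List[str]:
    """Findings for an SPF record; None means no record is published."""
    if record is None:
        return ["SPF: no record; any host may send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["SPF: '+all' authorises every sender"]
    if last == "?all":
        return ["SPF: '?all' is neutral; spoofed mail is not rejected"]
    if last not in ("-all", "~all"):
        return ["SPF: no terminal 'all' mechanism; default result is neutral"]
    return []

def audit_dmarc(record: Optional[str]) -> List[str]:
    """Findings for a DMARC record; None means no record is published."""
    if record is None:
        return ["DMARC: no record; authentication failures are not enforced"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: no valid 'p' tag; receivers ignore the record")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct<100 leaves part of the mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so aggregate reports go nowhere")
    return findings

# Constructed sample records: a weak pair beside a hardened pair.
WEAK = ("v=spf1 include:_spf.example.net ?all", "v=DMARC1; p=none; pct=50")
STRONG = ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```

Running `audit_spf` and `audit_dmarc` over the WEAK pair reports a neutral SPF, a monitor-only DMARC policy, partial enforcement and no reporting address; the STRONG pair produces no findings.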
References
- Zowghi, Didar & Sahraoui (2023). A Lightweight Workshop-Centric Situational Approach for the Early Stages of Requirements Elicitation in Software Development.