On MSPs

First, let’s note a couple things about them:

  1. paid to secure your infrastructure - can’t even secure their infrastructure a majority of the time
  2. account for majority of large-scale attacks on FVEY by foreign gov

So can they really be trusted with our nation’s infrastructure?

Cold hard facts produce cold hard cash

MSPs don’t use basic domain protections:

  • multi-layer security/restriction approach involving people and processes (OSI Model)
  • SSO (application and network layer)
  • requirements engineering process 1 [Faroom2019]
  • SPF and DMARC (e-mail threats)
  • network segregation
  • least privilege
  • depreciate obsolete accounts and processes
  • maintenance and updates regularly
  • rolling backups on-prem and in the cloud
  • Mandatory Access Controls (SELinux, SSO, network permissions)

These truly are basic fundamentals of security and should be utilized at the bare minimum by companies paid to protect the infrastructure and systems (e.g., applications and controllers) of SMB’s and large companies. But they’re just not. Why?

References

  1. Zowghi, Didar & Sahraoui (2023). A Lightweight Workshop-Centric Situational Approach for the Early Stages of Requirements Elicitation in Software Development