Pretty much all the headaches at MSPs stem from cybersecurity

Managed Service Partners (MSPs) say cybersecurity dwarfs all other main concerns about staying competitive in today's market. Adding to the already notoriously strained existence of an MSP is work that even folk in the infosec industry struggle to keep up with, and leaves those looking after client systems and IT struggling to …

  1. Doctor Syntax Silver badge

    Obvious question:

    "nearly a third of all ransomware attacks (29 percent) last year began as a result of miscreants acquiring login credentials"

    How are these credentials acquired?

    1. Our Lord and Savior Rahl

      Re: Obvious question:

      Because many people use the same passwords for everything and post about where they work on social media, it's not hard to join the dots

      1. Doctor Syntax Silver badge

        Re: Obvious question:

        I'd hope their employers don't expect them to sign on with their private email addresses as IDs which is what is likely to be harvested along with the password. Also require a minimum password complexity greater than what they'd use elsewhere.

        Also an easily guessed user ID such as initial and name is not good for more than one reason http://www.bloodwolf.org/~rulnak/jdr/jokes/Dilbert/Dilbert_pictures/dilbert_BrendaUtthead.gif

        1. Filippo Silver badge

          Re: Obvious question:

          I would like for every person who thought that email addresses make for good user IDs to have just one face, so that I could slap them all at once.

          Some ten years ago I had to get rid of my primary email address. It was a nightmare. Some services contemplate the notion that a user may need to change email address. Many don't.

          Some services I just had to shut down and restart with the new email. One service that was too critical to do that, I spent days with customer support, and it still sometimes exhibits signs of login-related borkage to this day.

    2. Anonymous Coward

      Re: Obvious question:

      If I had a dollar for all of the Excel spreadsheets of passwords I have seen exposed publicly. A simple Google search for "passwords filetype:xls" or "passwords filetype:txt". I see less exposed than I did a few years ago. Not sure if that can be attributed to better security or poor results.

  2. Dave 126 Silver badge

    I saw the headline and thought: "Not according to Private Eye", but realised that MSP probably didn't stand for Minister of Scottish Parliament in this context.

    1. Handlebars

      There's 5 weeks to go and you've already got electile dysfunction

  3. EricM

    And Level Zero Challenge: Keep it simple

    As an architect I find it pretty hard a) to achieve and b) to keep a solution simple over time - even if this strategy is very successful in terms of factual security achieved.

    Components that are not active, cannot be attacked - components that are not even installed are even better.

    Simple components with fewer bugs are harder to attack than large, complex components with many bugs.

    Simple components are easier to fully understand and defend for your own staff.

    So solving this "Level Zero Challenge" will help in resolving important aspects of challenges 1-3 from the article.

    However, selecting the fewest, most simple, most stripped-down components for a given task often frustrates developers, as it means they often cannot use whatever code they are used to or example code they found on the Internet (often promoting certain products) to solve a problem.

    It also frustrates customers as well, as not grabbing the next-best, halfway fitting COTS-product/library and "add it to the mix" will result in longer development time for new features and potentially higher initial cost.

    And arguing with security still often is an uphill battle against cost and features...

    1. Mike 137 Silver badge

      Counter trends

      M$ used to provide detailed server hardening guides. Then they moved to instead providing scripts that could be run blind. Now we have auto-update. So as the threat landscape has become more severe we've been granted progressively less control over our attack surface. This doesn't seem the ideal way to go.

      1. EricM

        Re: Counter trends

        > This doesn't seem the ideal way to go.

        The Microsoft way is pretty much the opposite of "keep it simple" - and, I agree, pretty much the opposite of an ideal way to achieve high security.

    2. sitta_europea Silver badge

      Re: And Level Zero Challenge: Keep it simple

      Funnily enough, just yesterday I gave to my wife the one remaining clutch pencil in the top left drawer of my desk.

      With that pencil, and several others very like it, in the 20th century I and the staff of my drawing office produced thousands of engineering drawings and documents.

      Those documents are still safe in the cabinets and on the shelves in my office, still completely unaffected by any and all network-borne attacks.

    3. Anonymous Coward

      Re: And Level Zero Challenge: Keep it simple

      "Components that are not active, cannot be attacked"

      Yes, they can.

      1. EricM

        Re: And Level Zero Challenge: Keep it simple

        True in the sense that components that are not active (e.g. services that are not started or modules that are not loaded) can still be exploited as part of a local attack path, for example to elevate access after any initial successful attack makes these components available to an attacker.

        However, as installed but inactive components, they do not create any additional remotely exploitable attack surface on their own, which was what I meant.

  4. PenfoldUK

    TLAs

    When I saw MSPs in the headline I thought you meant Members of the Scottish Parliament.

    Who have unique cybersecurity issues.

    Such as telling the difference between work and streaming football matches...
