Kaseya provides remote IT management software, most notably used recently in a large ransomware attack.

Schadenfreude? Not much.

Kaseya's problem reduces to monoculture remote access across many different organizations that have gone IT-light.

Of course, this applies to most organizations nowadays, since the amount of computing deployed by any org is going up by more than their clueful tech count. And lest the anti-Windows crowd chortle, almost every unix install runs OpenBSD's OpenSSH for remote admin access.

Only two remote holes in the default install, in a heck of a long time!
-- OpenBSD

OpenSSH supports a lot of possibilities, and that shows up in the codebase. Just looking at the C files, openssh is roughly 4x the size of dropbear.1

 § loc() { find "$@" -name '*.c' | xargs wc -l | tail -1; }
 § loc openssh-portable
 135429 total
 § loc dropbear-git  -not -path '*/libtommath/*' -not -path '*/libtomcrypt/*'
 30093 total

Or just peruse the documentation, OpenSSH just supports way more options that distributions enable by default. The only consolation is that any vulnerability in OpenSSH will be used against high value targets first, leaving lower-value targets to hope they will survive to fight the next round.

The problem with sshd's is that their functionality just seems to grow, eg. even dropbear now supports X11 forwarding and SFTP. The amount of feature creep in the sshd world compares poorly against stunnel + libressl + telnetd with client certs.2


The crux of any MSP's security policy details how to prevent cross-contamination, ie. are admins and technology assigned per customer, so that no admin or tech has access to other customers?

Full compartmentalization is expensive, which incentivizes the aggregation of customers into groups. In Kaseya's case, all the cloud product customers were in a single group. To illustrate the problem, average costs to support each customer increase as the number of customers per group decrease, with the limit being the delta at which a customer is indifferent between in-sourcing and out-sourcing.

Since the MSPs know their business and its aggregation while the tech-lite customers do not, this leads to an information asymmetry that imperils the market for MSPs.

Lemon Market for MSPs

Say there are two MSPs in the market. A firm comparing them will only have two variables: reputation and price. The shoddier MSP can always undercut the other by simply aggregating more customers (ie. not investing in security).

In theory, the reputation of the shoddier firm should suffer over time. Does it? Or do firms just keep on purchasing because they views hacks like bad weather, "happens to everyone..."?

Market Discipline

Ultimately, this market can only avoid becoming infested with shoddy firms by either: (a) customers firing MSPs that fail to maintain security, or (b) security auditors usefully reducing the information asymmetry. Unfortunately, the 2007 Mortgage crisis shows that auditors have their own lemon market concerns.

Firing MSPs for failing to perform is then the only way this market works.