Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
The Power of Prevention: What SMBs Need to Know About Cybersecurity
TerryB
User Rank: Ninja
12/15/2015 | 3:19:28 PM
Re: Scared yet, Bro?
I like your racing analogy; it helps point at what I'm talking about. Only the big boys can afford to play in professional racing, for both safety and performance-based reasons. Everyone else is priced out. That's exactly the very real scenario for SMBs doing business with the internet involved.

Unless these insecure operating systems that allow installing a RAT into the o/s when a naive user clicks on the wrong email attachment or website link are fixed, everything you say is correct. But you predict that will continue forever because your entire business exists because of this. I work on a system every day where that is impossible.

Check out the IBM i5 (formerly AS400) server o/s and you'll see an example of a system that can't be corrupted at that core level. The issue is that it is not a client o/s where email and web browsing take place. If client o/s had a similar design based on old mainframe security, we wouldn't have these issues. People chose these because they were cheap and you could train a monkey to use a GUI. Bill Gates got rich on a system where security was an afterthought. Connect those to a network designed to easily connect some colleges together, again where security was not a consideration, and you arrive where we are today.

At some point, someone is going to start over on the client o/s and harden it. No more installed RATs and keystroke loggers and encrypting your files for ransom. Period. Yeah, we'll still have DoS attacks and account/password cracking if your server is exposed to the internet. But it's this covert installation of privileged programs that is doing the real damage. And that can be stopped, no question about it.

Something has to give. I'm sure your business has integrity, as do most security firms like yours. But think about it: who gains the most from this insecure world, the bad guys or security firms? From a pure business point of view, you have no motivation to ever see these holes closed, any more than defense contractors want world peace. The solution has to come from the people creating the software and protocols that allow the exploits to work in the first place.
vijilanblog
User Rank: Author
12/15/2015 | 2:39:24 PM
Re: treating the symptoms
Security spend is actually increasing at a 9% CAGR as a result of the high-profile breaches that have made the news. Businesses have always had to make difficult decisions between security spend and the acceptable level of risk. Many are realizing that the level of risk has increased and therefore their spend must also increase.

Vendors are constantly improving the security of their products and services. While 100% secure is the ultimate goal, it is also extremely difficult, if not impossible, to achieve. Taking on the liability of a breach would result in significant cost increases across the board. More sensible and cost-effective measures can be taken to deliver an acceptable level of protection.
vijilanblog
User Rank: Author
12/15/2015 | 2:27:08 PM
Re: Scared yet, Bro?
You are accurate that very small businesses, especially startups, run on a very tight budget and typically have a "Best Buy" mentality when it comes to network and security products. While the risk is still present, they choose to accept that risk, spending minimally on security. Small (25-200 employees) and medium-sized businesses (200 to 1000 employees) are increasingly a target, both for proprietary and PII data as well as direct bank account access. Yes, there's additional cost to keep up with the changing threat. But the game has changed, and continues to change. I liken it to the racing industry. As cars get more powerful, faster, lighter, the risk to the driver goes up as well. New protection features, like the tethering of aero components to limit the debris that can hit another driver in IndyCar racing, result in increased cost, but they're necessary to protect both the driver and racing fans. Security also parallels racing in that changes are often not made until disaster happens.

There are no guarantees in racing or security, except that at some point you will be a target. There is no 100% in security as, for every new stride made in protection, there's a cyber-criminal creating new ways to get around it. When that happens, monitoring of those infrastructure devices is critical to detect the threat and remediate it in time, before damage occurs. Does this really happen? In alarming numbers. Every customer we've turned up this year has had some ongoing infestation or attack, and they had no idea.

Should anyone be scared? No. That's not the message. Should they take proper precautions? Absolutely.
TerryB
User Rank: Ninja
12/7/2015 | 2:07:50 PM
Scared yet, Bro?
None of what you say is wrong; it just misses the point. Before internet security, new businesses already had a 70-90% failure rate and operated on a shoestring budget, sometimes barely making payroll.

Now there is this added cost of doing business, internet security, which adds as much value to their business as putting on a new roof adds to your house appraisal. And it isn't like buying insurance, where you are guaranteed certain benefits if your place burns down. Some small businesses can barely afford that. So now you want to convince them to pay for a service which has absolutely no guarantee it can protect them from anything?

Am I wrong? If someone contracts with your company for security services, is it in the contract that you are liable for any and all costs of a breach? Yeah, I didn't think so. That's why this is such a mess.

As the previous poster suggested, until infrastructure is tightened up where these easy-to-exploit holes exist (think mainframes back in the day before we knew the word hacker, where only an inside job could work), there is no solving this problem. SMBs can slowly bleed to death on this extra cost of doing business or take the risk it may not happen to them. Statistically, they are still in pretty good shape. Not every company has data which can be monetized, leaving ransomware out of it. And you can't fix ransomware; only the Microsofts of the world who produce the o/s which is vulnerable can fix that.

Is there a role for people like you to educate SMBs on best practices? Absolutely. But can most afford to put people like you on retainer to monitor the expensive IDS they bought? Absolutely not.
macker490
User Rank: Ninja
12/6/2015 | 8:52:49 AM
treating the symptoms
We spend so much effort treating the symptoms: track down this trojan; close this botnet; patch this hole. We are only treating the symptoms, and all our efforts will go for naught until we summon the courage to correct the root of the problem: (1) insecure operating software, and (2) a general cavalier approach to authentication. We have to put Security First -- in a Business Environment -- or get robbed blind. Systems that put ease of use and compatibility ahead of security are always going to be vulnerable. This is actually a financial issue, as in a business environment a lot of costs are involved. This would strongly suggest it's time to address the question of Product Liability: software builders need to be responsible for that part of the software that is under their control.
