Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
The Power of Prevention: What SMBs Need to Know About Cybersecurity
macker490, User Rank: Ninja, 12/6/2015 | 8:52:49 AM
treating the symptoms
We spend so much effort treating the symptoms: track down this trojan, close this botnet, and patch this hole. We are only treating the symptoms, and all our efforts will go for naught until we summon the courage to correct the root of the problem: (1) insecure operating software, and (2) a general cavalier approach to authentication. We have to put Security First -- in a Business Environment -- or get robbed blind. Systems that put ease of use and compatibility ahead of security are always going to be vulnerable. This is actually a financial issue, as in a business environment a lot of costs are involved. This would strongly suggest it's time to address the question of Product Liability: software builders need to be responsible for that part of the software that is under their control.
TerryB, User Rank: Ninja, 12/7/2015 | 2:07:50 PM
Scared yet, Bro?
None of what you say is wrong, just misses the point. Before internet security, new businesses already had a 70-90% fail rate and operated on a shoestring budget, sometimes barely making payroll.

Now there is this added cost of doing business, internet security, which adds as much value to their business as putting a new roof adds to your house appraisal. And it isn't like buying insurance, where you are guaranteed certain benefits if your place burns down. Some small businesses can barely afford that. So now you want to convince them to pay for a service which has absolutely no guarantee it can protect them from anything?

Am I wrong? If someone contracts with your company for security services, is it in the contract that you are liable for any and all costs of a breach? Yeah, I didn't think so. That's why this is such a mess.

As the previous poster suggested, until infrastructure is tightened up where these easy-to-exploit holes exist (think mainframes back in the day before we knew the word hacker, where only an inside job could work), there is no solving this problem. SMBs can slowly bleed to death on this extra cost of doing business or take the risk it may not happen to them. Statistically, they are still in pretty good shape. Not every company has data which can be monetized, leaving ransomware out of it. And you can't fix ransomware; only the Microsofts of the world who produce the o/s which is vulnerable can fix that.

Is there a role for people like you to educate SMBs on best practices? Absolutely. But can most afford to put people like you on retainer to monitor the expensive IDS they bought? Absolutely not.
vijilanblog, User Rank: Author, 12/15/2015 | 2:27:08 PM
Re: Scared yet, Bro?
You are accurate that very small businesses, especially startups, run on a very tight budget and typically have a "Best Buy" mentality when it comes to network and security products. While the risk is still present, they choose to accept that risk, spending minimally on security. Small (25-200 employees) and medium-sized businesses (200 to 1000 employees) are increasingly a target, both for proprietary and PII data as well as direct bank account access. Yes, there's additional cost to keep up with the changing threat. But the game has changed, and continues to change. I liken it to the racing industry. As cars get more powerful, faster, lighter, the risk to the driver goes up as well. New protection features, like the tethering of aero components to limit the debris that can hit another driver in IndyCar racing, result in increased cost, but they're necessary to protect both the driver and racing fans. Security also parallels racing in that changes are often not made until disaster happens.

There are no guarantees in racing or security, except that at some point you will be a target. There is no 100% in security as, for every new stride made in protection, there's a cyber-criminal creating new ways to get around it. When that happens, monitoring of those infrastructure devices is critical to detect the threat and remediate it in time before damage occurs. Does this really happen? In alarming numbers. Every customer we've turned up this year has had some ongoing infestation or attack, and they had no idea.

Should anyone be scared? No. That's not the message. Should they take proper precautions? Absolutely.
vijilanblog, User Rank: Author, 12/15/2015 | 2:39:24 PM
Re: treating the symptoms
Security spend is actually increasing at a 9% CAGR as a result of the high-profile breaches that have made the news. Businesses have always had to make difficult decisions between security spend and the acceptable level of risk. Many are realizing that the level of risk has increased and therefore their spend must also increase.

Vendors are constantly improving the security of their products and services. While 100% secure is the ultimate goal, it is also extremely difficult, if not impossible, to achieve. Taking on the liability of a breach would result in significant cost increases across the board. More sensible and cost-effective measures can be taken to deliver an acceptable level of protection.
TerryB, User Rank: Ninja, 12/15/2015 | 3:19:28 PM
Re: Scared yet, Bro?
I like your racing analogy; it helps point at what I'm talking about. Only the big boys can afford to play in professional racing, for both safety and performance-based reasons. Everyone else is priced out. That's exactly a very real scenario for SMBs doing business with the internet involved.

Unless these insecure operating systems that allow installing a RAT into the o/s when a naive user clicks on wrong email attachment or website link are fixed, everything you say is correct. But you predict that will continue forever because your entire business exists because of this. I work on a system everyday where that is impossible.

Check out the IBM i5 (formerly AS/400) server o/s and you'll see an example of a system that can't be corrupted at that core level. The issue is that it is not a client o/s where email and web browsing take place. If the client o/s had a similar design based on old mainframe security, we wouldn't have these issues. People chose these because they were cheap and you could train a monkey to use a GUI. Bill Gates got rich on a system where security was an afterthought. Connect those to a network designed to easily connect some colleges together, again where security was not a consideration, and you arrive where we are today.

At some point, someone is going to start over on the client o/s and harden it. No more installed RATs and keystroke loggers and encrypting your files for ransom. Period. Yeah, we'll still have DoS attacks and account/password cracking if your server is exposed to the internet. But it's this covert installation of privileged programs that is doing the real damage. And that can be stopped, no question about it.

Something has to give. I'm sure your business has integrity, as do most security firms like yours. But think about it: who gains the most from this insecure world, the bad guys or security firms? From a pure business point of view, you have no motivation to ever see these holes closed any more than defense contractors want world peace. The solution has to come from the people creating the software and protocols that allow the exploits to work in the first place.