Dark Reading is part of the Informa Tech Division of Informa PLC
Comments
The Power of Prevention: What SMBs Need to Know About Cybersecurity
TerryB,
User Rank: Ninja
12/15/2015 | 3:19:28 PM
Re: Scared yet, Bro?
I like your racing analogy; it helps point at what I'm talking about. Only the big boys can afford to play in professional racing, for both safety and performance-based reasons. Everyone else is priced out. That's exactly a very real scenario for SMBs doing business with the internet involved.

Unless these insecure operating systems that allow installing a RAT into the o/s when a naive user clicks on the wrong email attachment or website link are fixed, everything you say is correct. But you predict that will continue forever because your entire business exists because of this. I work on a system every day where that is impossible.

Check out the IBM i5 (formerly AS/400) server o/s and you'll see an example of a system that can't be corrupted at that core level. The issue is that it is not a client o/s where email and web browsing take place. If client o/s had a similar design based on old mainframe security, we wouldn't have these issues. People chose these because they were cheap and you could train a monkey to use a GUI. Bill Gates got rich on a system where security was an afterthought. Connect those to a network designed to easily connect some colleges together, again where security was not a consideration, and you arrive where we are today.

At some point, someone is going to start over on client o/s and harden it. No more installed RATs and keystroke loggers and encrypting your files for ransom. Period. Yeah, we'll still have DoS attacks and account/password cracking if your server is exposed to the internet. But it's this covert installation of privileged programs that is doing the real damage. And that can be stopped, no question about it.

Something has to give. I'm sure your business has integrity, as do most security firms like yours. But think about it: who gains the most from this insecure world, the bad guys or security firms? From a pure business point of view, you have no motivation to ever see these holes closed, any more than defense contractors want world peace. The solution has to come from the people creating the software and protocols that allow the exploits to work in the first place.
vijilanblog,
User Rank: Author
12/15/2015 | 2:39:24 PM
Re: treating the symptoms
Security spend is actually increasing at a 9% CAGR as a result of the high-profile breaches that have made the news. Businesses have always had to make difficult decisions between security spend and the acceptable level of risk. Many are realizing that the level of risk has increased and therefore their spend must also increase.

Vendors are constantly improving the security of their products and services. While 100% secure is the ultimate goal, it is also extremely difficult, if not impossible, to achieve. Taking on the liability of a breach would result in significant cost increases across the board. More sensible and cost-effective measures can be taken to deliver an acceptable level of protection.
vijilanblog,
User Rank: Author
12/15/2015 | 2:27:08 PM
Re: Scared yet, Bro?
You are accurate that very small businesses, especially startups, run on a very tight budget and typically have a "Best Buy" mentality when it comes to network and security products. While the risk is still present, they choose to accept that risk, spending minimally on security. Small (25-200 employees) and medium-sized businesses (200 to 1000 employees) are increasingly a target, both for proprietary and PII data as well as direct bank account access. Yes, there's additional cost to keep up with the changing threat. But the game has changed, and continues to change. I liken it to the racing industry. As cars get more powerful, faster, lighter, the risk to the driver goes up as well. New protection features, like the tethering of aero components to limit the debris that can hit another driver in IndyCar racing, result in increased cost, but they're necessary to protect both the driver and racing fans. Security also parallels racing in that changes are often not made until disaster happens.

There are no guarantees in racing or security, except that at some point you will be a target. There is no 100% in security as, for every new stride made in protection, there's a cyber-criminal creating new ways to get around it. When that happens, monitoring of those infrastructure devices is critical to detect the threat and remediate it in time before damage occurs. Does this really happen? In alarming numbers. Every customer we've turned up this year has had some ongoing infestation or attack, and they had no idea.

Should anyone be scared? No. That's not the message. Should they take proper precautions? Absolutely.
TerryB,
User Rank: Ninja
12/7/2015 | 2:07:50 PM
Scared yet, Bro?
None of what you say is wrong; it just misses the point. Before internet security, new businesses already had a 70-90% fail rate and operated on a shoestring budget, sometimes barely making payroll.

Now there is this added cost of doing business, internet security, which adds as much value to their business as putting on a new roof adds to your house appraisal. And it isn't like buying insurance, where you are guaranteed certain benefits if your place burns down. Some small businesses can barely afford that. So now you want to convince them to pay for a service which has absolutely no guarantee it can protect them from anything?

Am I wrong? If someone contracts with your company for security services, is it in the contract that you are liable for any and all costs of a breach? Yeah, I didn't think so. That's why this is such a mess.

As the previous poster suggested, until infrastructure is tightened up where these easy-to-exploit holes exist (think mainframes back in the day before we knew the word hacker, where only an inside job could work), there is no solving this problem. SMBs can slowly bleed to death on this extra cost of doing business or take the risk it may not happen to them. Statistically, they are still in pretty good shape. Not every company has data which can be monetized, leaving ransomware out of it. And you can't fix ransomware; only the Microsofts of the world who produce an o/s which is vulnerable can fix that.

Is there a role for people like you to educate SMBs on best practices? Absolutely. But can most afford to put people like you on retainer to monitor the expensive IDS they bought? Absolutely not.
macker490,
User Rank: Ninja
12/6/2015 | 8:52:49 AM
treating the symptoms
We spend so much effort treating the symptoms: track down this trojan; close this botnet; and patch this hole. We are only treating the symptoms and all our efforts will go for naught until we summon the courage to correct the root of the problem: (1) insecure operating software, and (2) a general cavalier approach to authentication. We have to put Security First -- in a Business Environment -- or get robbed blind. Systems that put ease of use and compatibility ahead of security are always going to be vulnerable. This is actually a financial issue, as in a business environment a lot of costs are involved. This would strongly suggest it's time to address the question of Product Liability: software builders need to be responsible for that part of the software that is under their control.