Comment by alopha
3 days ago
The idea that the spending needs to grow linearly with the growth is a damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry.
3 days ago
The idea that the spending needs to grow linearly with the growth is a damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry.
> damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry
Cybersecurity is not about stopping issues but about compliance and liability. Attend RSA once, and you will see it yourself.
It makes sense when you consider the main threat you are protecting yourself from is lawsuits.
The lawsuits come from the issues though.
2 replies →
It’s not a popularly held mindset, either within the security industry or outside of it. This piece seems to be pitched at salespeople whose only job is to extract money from other companies.
Basic hygiene security hygiene pretty much removes ransomware as a threat.
> Basic hygiene security hygiene pretty much removes ransomware as a threat.
It does not. The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware, not to mention AI agents. And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.
And no, backups aren't the solution either, they only limit the scope of lost data.
In the end the flaw is fundamental to all major desktop OS'es - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions bar a few specially protected files/folders is fair game for any malware achieving local code execution.
AFAIK the idea is to have backups so good, that restoring them is just a minor inconvenience. Then you can just discard encrypted/infected data and move on with your business. Of course that's harder to achieve in practice.
14 replies →
> all mounted network shares where the user has write permissions
This is very literally what 'basic hygiene prevents these problems' addresses. Ransomeware attacks have shown time and again that they way they were able to spread was highly over-permissioned users and services because that's the easy way to get someone to stop complaining that they can't do their job.
1 reply →
> It does not.
Yes it does. A little bit of application control, network segmentation and credential hygiene (including phishing resistant MFA) go a long way.
> The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware,
Why are you letting employees execute arbitrary software in the first place? Application allowlisting, particularly on Windows is a well solved problem.
> not to mention AI agents.
Now this is possible only through criminal incompetence.
> And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.
Relatively rare, likely to be caught by publisher rules in application control and even if not, if the compromise of a handful of endpoints can take down the entire business then you have some serious, systemic problems to solve.
> And no, backups aren't the solution either, they only limit the scope of lost data. In the end the flaw is fundamental to all major desktop OS'es - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions bar a few specially protected files/folders is fair game for any malware achieving local code execution.
Why are you giving individual employees such broad access to so many file shares in the first place? We’re in basic hygiene territory again.
Er… Linux has pretty good isolation of users who don’t have super user privileges.
1 reply →
[dead]
Basic hygiene security hygiene pretty much removes ransomware as a threat.
I cant tell if you’re being flippant, or naive. There is nothing that removes any category of malware as a threat.
Sure, properly isolated backups that run often will mitigate most of the risks from ransomware, but it’s quite a reach to claim that it’s pretty much removed as a threat. Especially since you would still need to cleanup and restore.
OK I agree basic security hygiene removes ransomware as a threat.
Now take limited time/budget and off you go making sure basic security hygiene is applied in a company with 500 employees or 100 employees.
If you can do that let’s see how it goes with 1000 employees.
I'm not really sure what point you're making. Is the point that it is harder to to secure more things? Is it that security events happen more frequently the higher your number of employees goes?
If so, I bristle at this way that many developers (not necessarily you, but generally) view security: "It's red or it's green."
Attack surface going up as the number of employees rises is expected, and the goal is to manage the risk in the portfolio, not to ensure perfect compliance, because you won't, ever.
1 reply →
And just as dangerous: 50 employees. Because quite frequently these 50 employee companies have responsibilities that they can not begin to assume on the budgets that they have. Some business can really only be operated responsibly above a certain scale.
1 reply →
It's not often presented as "we should be spending more", but it's absolutely true that cybersecurity is predominated by a reflexive "more is better" bias. "Defense in depth" is at least as often invoked as an excuse to pile on more shit as it is with any real relation to the notion of boundaries analogous to those in the context from which the metaphor is drawn.
The security industry absolutely has a serious "more is better" syndrome.
Serious professionals use one or more spending models to determine budget.
My favorite is the Gordon-Loeb model[0], but there are others that are simpler and some that are more complex. Almost none that imply the budget should naively grow in lockstep with prevelence linearly.
I think TFA doesnt really mean to imply that it should, merely that there is a likley mismatch.
[0] https://en.wikipedia.org/wiki/Gordon%E2%80%93Loeb_model
This is a similar fact in government. For instance in the UK with the NHS and other services, we often look at total spending and assume that spending has to stay at least constant in real terms or grow, when in reality you want some metric of spending per outcome.
Ideally you want spending to go down as we get more efficient, and up as we find new treatments that work (we often add cost effective treatment as well, but that should make everyone uncomfortable no matter what side you argue)
Apply that to any other war or arm's race. "The fact that the US' defense spending needs to grow linearly with China's is a damning indictment of the mindset of the vast ineffectual mess that is the defense industry".
Do you just expect one side to magically be more dollar-efficient than the other? I'm confused.
Was looking for the comment that addresses the clickbait-y headline, found this top comment by you, was not disappointed.