Comment by bigfatkitten
3 days ago
It’s not a popularly held mindset, either within the security industry or outside of it. This piece seems to be pitched at salespeople whose only job is to extract money from other companies.
Basic hygiene security hygiene pretty much removes ransomware as a threat.
> Basic hygiene security hygiene pretty much removes ransomware as a threat.
It does not. The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware, not to mention AI agents. And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.
And no, backups aren't the solution either, they only limit the scope of lost data.
In the end the flaw is fundamental to all major desktop OS'es - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions bar a few specially protected files/folders is fair game for any malware achieving local code execution.
AFAIK the idea is to have backups so good, that restoring them is just a minor inconvenience. Then you can just discard encrypted/infected data and move on with your business. Of course that's harder to achieve in practice.
If the important data is in a web app and the Windows PC is effectively a thin client, this lowers the ransom value of the local drive. Of course business disruption in the form of downtime, overtime IT labor cannot be mitigated by just putting everything online.
The next step is just to move to security by design operating systems like ChromeOS where the user is not allowed to run any non-approved executables.
If tricking a single employee can cause an entire company to stall out, it's a process issue. Just like how a single employee should not be able to wire out $100,000.
4 replies →
Sleeper agent malware is a thing especially in high risk situations. If somebody has a dormant RAT installed since year X-1 it’s going to be impossible to solve that in year X by using backups
2 replies →
In the end the limiting factor will be the bandwidth of your disk arrays... enough compromised machines and they will get overwhelmed.
That does not work. They just infect you and do not demand a ransom for a few months as they encrypt all your data going to the backup. Now your backups are also encrypted going back multiple months and you have to discard months of work.
1 reply →
Modern ransomware are not just encrypting data but uploading them somewhere too, the victim is then threatened with a leak of the data. A backup does not save you from that.
2 replies →
> all mounted network shares where the user has write permissions
This is very literally what 'basic hygiene prevents these problems' addresses. Ransomeware attacks have shown time and again that they way they were able to spread was highly over-permissioned users and services because that's the easy way to get someone to stop complaining that they can't do their job.
"Insider threat model".
Basic security hygiene in the modern world is "assume your employees can be a threat", either because they're incompetent ("I accidentally deleted the shared spreadsheet, I thought it was my copy"), malevolent ("I will show them all!") or compromised ("I clicked a link in my email and now my computer is slow.")
If you aren't designing your systems to be robust against insider threats, they will fail.
(If you design them to be robust against insider threats, they will probably also fail, so you have to be constantly working to understand how to limit the consequences of any individual failure.)
> It does not.
Yes it does. A little bit of application control, network segmentation and credential hygiene (including phishing resistant MFA) go a long way.
> The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware,
Why are you letting employees execute arbitrary software in the first place? Application allowlisting, particularly on Windows is a well solved problem.
> not to mention AI agents.
Now this is possible only through criminal incompetence.
> And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.
Relatively rare, likely to be caught by publisher rules in application control and even if not, if the compromise of a handful of endpoints can take down the entire business then you have some serious, systemic problems to solve.
> And no, backups aren't the solution either, they only limit the scope of lost data. In the end the flaw is fundamental to all major desktop OS'es - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions bar a few specially protected files/folders is fair game for any malware achieving local code execution.
Why are you giving individual employees such broad access to so many file shares in the first place? We’re in basic hygiene territory again.
Er… Linux has pretty good isolation of users who don’t have super user privileges.
https://xkcd.com/1200/
[dead]
Basic hygiene security hygiene pretty much removes ransomware as a threat.
I cant tell if you’re being flippant, or naive. There is nothing that removes any category of malware as a threat.
Sure, properly isolated backups that run often will mitigate most of the risks from ransomware, but it’s quite a reach to claim that it’s pretty much removed as a threat. Especially since you would still need to cleanup and restore.
OK I agree basic security hygiene removes ransomware as a threat.
Now take limited time/budget and off you go making sure basic security hygiene is applied in a company with 500 employees or 100 employees.
If you can do that let’s see how it goes with 1000 employees.
I'm not really sure what point you're making. Is the point that it is harder to to secure more things? Is it that security events happen more frequently the higher your number of employees goes?
If so, I bristle at this way that many developers (not necessarily you, but generally) view security: "It's red or it's green."
Attack surface going up as the number of employees rises is expected, and the goal is to manage the risk in the portfolio, not to ensure perfect compliance, because you won't, ever.
Point is: basic things at scale are hard.
And just as dangerous: 50 employees. Because quite frequently these 50 employee companies have responsibilities that they can not begin to assume on the budgets that they have. Some business can really only be operated responsibly above a certain scale.
Depends on the organisation.
A law firm with 50 employees who use nothing but Microsoft Word, Outlook and a SaaS practice management application is really easy to button up tight, though they probably don’t have any inhouse IT and the quality of MSPs varies wildly.
A company of 50 software developers is an enormous headache.
It's not often presented as "we should be spending more", but it's absolutely true that cybersecurity is predominated by a reflexive "more is better" bias. "Defense in depth" is at least as often invoked as an excuse to pile on more shit as it is with any real relation to the notion of boundaries analogous to those in the context from which the metaphor is drawn.
The security industry absolutely has a serious "more is better" syndrome.