| ▲ | bigfatkitten 6 hours ago |
| It’s not a popularly held mindset, either within the security industry or outside of it. This piece seems to be pitched at salespeople whose only job is to extract money from other companies. Basic hygiene security hygiene pretty much removes ransomware as a threat. |
|
| ▲ | dec0dedab0de 2 hours ago | parent | next [-] |
| Basic hygiene security hygiene pretty much removes ransomware as a threat. I cant tell if you’re being flippant, or naive. There is nothing that removes any category of malware as a threat. Sure, properly isolated backups that run often will mitigate most of the risks from ransomware, but it’s quite a reach to claim that it’s pretty much removed as a threat. Especially since you would still need to cleanup and restore. |
|
| ▲ | pxc an hour ago | parent | prev | next [-] |
| It's not often presented as "we should be spending more", but it's absolutely true that cybersecurity is predominated by a reflexive "more is better" bias. "Defense in depth" is at least as often invoked as an excuse to pile on more shit as it is with any real relation to the notion of boundaries analogous to those in the context from which the metaphor is drawn. The security industry absolutely has a serious "more is better" syndrome. |
|
| ▲ | ozim 3 hours ago | parent | prev | next [-] |
| OK I agree basic security hygiene removes ransomware as a threat. Now take limited time/budget and off you go making sure basic security hygiene is applied in a company with 500 employees or 100 employees. If you can do that let’s see how it goes with 1000 employees. |
| |
| ▲ | devin 2 hours ago | parent | next [-] | | I'm not really sure what point you're making. Is the point that it is harder to to secure more things? Is it that security events happen more frequently the higher your number of employees goes? If so, I bristle at this way that many developers (not necessarily you, but generally) view security: "It's red or it's green." Attack surface going up as the number of employees rises is expected, and the goal is to manage the risk in the portfolio, not to ensure perfect compliance, because you won't, ever. | | | |
| ▲ | jacquesm 2 hours ago | parent | prev [-] | | And just as dangerous: 50 employees. Because quite frequently these 50 employee companies have responsibilities that they can not begin to assume on the budgets that they have. Some business can really only be operated responsibly above a certain scale. |
|
|
| ▲ | mschuster91 6 hours ago | parent | prev [-] |
| > Basic hygiene security hygiene pretty much removes ransomware as a threat. It does not. The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware, not to mention AI agents. And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets. And no, backups aren't the solution either, they only limit the scope of lost data. In the end the flaw is fundamental to all major desktop OS'es - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions bar a few specially protected files/folders is fair game for any malware achieving local code execution. |
| |
| ▲ | ArcHound 6 hours ago | parent | next [-] | | AFAIK the idea is to have backups so good, that restoring them is just a minor inconvenience. Then you can just discard encrypted/infected data and move on with your business. Of course that's harder to achieve in practice. | | |
| ▲ | supertrope 2 hours ago | parent | next [-] | | If the important data is in a web app and the Windows PC is effectively a thin client, this lowers the ransom value of the local drive. Of course business disruption in the form of downtime, overtime IT labor cannot be mitigated by just putting everything online. The next step is just to move to security by design operating systems like ChromeOS where the user is not allowed to run any non-approved executables. If tricking a single employee can cause an entire company to stall out, it's a process issue. Just like how a single employee should not be able to wire out $100,000. | | |
| ▲ | Ajedi32 2 hours ago | parent [-] | | Getting rid of Windows in favor of an OS with a proper application sandbox like Android would solve so, so many security issues, but that's not viable in most cases because so much software depends on the outdated user-based permissions model most desktop OSs are built around. |
| |
| ▲ | finghin 5 hours ago | parent | prev | next [-] | | Sleeper agent malware is a thing especially in high risk situations. If somebody has a dormant RAT installed since year X-1 it’s going to be impossible to solve that in year X by using backups | | |
| ▲ | BenjiWiebe 4 hours ago | parent [-] | | What about non executable backups? Backup data but not programs? Not applicable everywhere, but I think it's applicable most places. | | |
| |
| ▲ | billypilgrim 2 hours ago | parent | prev | next [-] | | Modern ransomware are not just encrypting data but uploading them somewhere too, the victim is then threatened with a leak of the data. A backup does not save you from that. | | | |
| ▲ | mschuster91 6 hours ago | parent | prev [-] | | In the end the limiting factor will be the bandwidth of your disk arrays... enough compromised machines and they will get overwhelmed. |
| |
| ▲ | mhurron 2 hours ago | parent | prev | next [-] | | > all mounted network shares where the user has write permissions This is very literally what 'basic hygiene prevents these problems' addresses. Ransomeware attacks have shown time and again that they way they were able to spread was highly over-permissioned users and services because that's the easy way to get someone to stop complaining that they can't do their job. | | |
| ▲ | saalweachter 2 hours ago | parent [-] | | "Insider threat model". Basic security hygiene in the modern world is "assume your employees can be a threat", either because they're incompetent ("I accidentally deleted the shared spreadsheet, I thought it was my copy"), malevolent ("I will show them all!") or compromised ("I clicked a link in my email and now my computer is slow.") If you aren't designing your systems to be robust against insider threats, they will fail. (If you design them to be robust against insider threats, they will probably also fail, so you have to be constantly working to understand how to limit the consequences of any individual failure.) |
| |
| ▲ | trollbridge 4 hours ago | parent | prev | next [-] | | Er… Linux has pretty good isolation of users who don’t have super user privileges. | | | |
| ▲ | jamiemallers 2 hours ago | parent | prev [-] | | [dead] |
|
