
The big question gets raised again: how do we get the non-tech savvy to be safe from cyber threats? Banks and tech companies have high security because they know what they are dealing with; pipelines/schools/hospitals/emergency services continue to be easy targets, and things we need back quickly, so we pay money for them.



Banks and tech companies do not have high security. There are exactly zero deployed commercial IT systems that can prevent a targeted attack by a financially motivated threat actor who stands to gain $11M from a successful attack. In fact, even at the $1M low end of the ransom demanded in this case, it is very unlikely you would find any company who could prevent complete compromise of their critical systems.

The problem is that every single cybersecurity solution in the standard commercial IT space is snake oil. Microsoft, Mandiant, Google, etc. do not know how to make a system secure against this level of threat actor. Despite that, they insinuate that their systems are effective so that they can swindle the non-tech savvy to purchase their solutions.

So, the actual big question is, how do we get the non-tech savvy to be safe from the cybersecurity companies? Until then they will keep flushing money down the drain and be unable to find real solutions in a sea of bullshit.


Maybe true, but I meant good security practices. It’s way easier to find a school or government agency that keeps passwords in plain text in code comments or emails than it would be at Meta.


"Good" security practices mean very little when you are subject to attacks with a financial incentive of $1M. It matters only in the sense that you are the bottom fish in the barrel which is only relevant when dealing with opportunistic attacks sprayed indiscriminately for low upside and if people are not going to eat every fish in the barrel. That was the threat landscape 15 years ago when the hackers were kids asking for $300 to get startup funds. Now the hackers are grownups running mature industrial farming operations seeking to maximize absolute profit and are attacking everybody who is profitable. Increasing the cost to hack from $10K to $100K does not stop them from wanting to profitably harvest you for $1M. Yes, you may have decreased their ROI by a factor of 10, but you only decreased their absolute profit by 10%.

That only matters if the hacking market is not saturated, which is no longer true. More than 80% of the firms report they have been hacked [1], and as the director of the FBI has said [2], "I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again." As it turns out, only being able to outrun your friend instead of the bear only helps when there are 2 of you and 1 hungry bear instead of 2 of you and 50 hungry bears.

[1] https://cfosurvey.fuqua.duke.edu/press-release/more-than-80-...

[2] https://archives.fbi.gov/archives/news/speeches/combating-th...


Right but your perception of who is the “bottom fish” is wrong.

The worst tech company is not the bottom fish, schools and hospitals are. You can hold medical records and pipelines hostage and get just as much money as holding Google info hostage.

And I don’t think the “inevitably be hacked” approach is helpful. The harder you make something to hack, the more hackers may turn to other forms of income. Sure, we will never be free of them, but the more resources they have to put in to be successful, the fewer there will be.

Why is there less piracy in the Caribbean? Are there fewer able-bodied men? Certainly not. It’s harder to get away with robbery on the open seas (at least off of US shores).

Make it harder to hack, and fewer will hack.


You will inevitably be hacked if you use prevailing commercial IT solutions, period. The absolute "best" solutions they can muster cannot make it hard enough to deter financially motivated attackers, and the existing attackers already have enough resources to invest to exploit the opportunities that are beyond the limit of the "best" solutions. They can invest anything up to $1M to get $10M paydays like clockwork. If you could do that, would you stop before exploiting the entire market? A rhetorical question, because that is literally what is happening right now. All raising the cost of attacking every company to the "best practices" limit of $1M does is kill all the new entrants and maybe slow the growth rate of the incumbents.

Is there some value in doing that? Sure. But all you are doing is slowing the growth, not fixing the problem. At this point, the only way to fix the problem now that there are mature incumbents is to make the upper-end attacks unprofitable, or at least make them require more startup capital than they can invest in new exploitation opportunities. This requires making the systems secure against teams of highly skilled attackers with tens of millions of dollars to spend and years to design a successful attack. Literally nobody in the commercial IT sector believes that is even possible, but they aggressively insinuate that they can solve your cybersecurity woes.

It is all total bullshit. Literally every single one of them is peddling snake oil, but people believe it solves their problems so they do not need to look any further. The problem will only get solved when they realize they are totally screwed and nothing that the cyber(in)security vendors can sell them will fix it. Only if you understand that your computer systems are trivial to hack by motivated attackers will you do things very differently than if you do not know the truth. It might even lead you to try finding a real solution, but at the very least it will change your behavior to better account for the reality of your situation.


Sell them products that are secure by default. Unfortunately, many of them are stuck with Office and Active Directory, so that's a bust. Even if it had secure defaults, it makes it incredibly easy to create huge gaping security holes without realizing it.
