funsec mailing list archives
Small companies ignorant of security?
From: "Gary Funck" <gary () intrepid com>
Date: Mon, 20 Nov 2006 18:22:48 -0800
And big companies aren't? Look at how many data breaches there have been at very large companies and government institutions.

The author makes the following points (my comments are marked by REPLY:):

1) Ninety percent of small businesses and consumers install antivirus, but 10 percent never update the software's signatures. Schmidt goes on to say: "SMEs (small and midsized enterprises) are not aware of being a potential victim--spending 40 pounds per year on antivirus is not a high priority,"

REPLY: There are a few problems here. First, why are the OS and the application infrastructure so vulnerable to viruses? Could proper security and authorization policies eliminate the need for antivirus entirely? The author's claim of 40 pounds per year for antivirus software should read: "40 pounds per workstation and personal computer per year". Including the admin. costs, that stacks up to quite a bit of money. Perhaps roughly 100 BP, or approx. $200 USD/year per employee? And what percentage of data breaches and/or service outages have been attributed to viruses versus other attack vectors?

2) The author seems to focus on P2P programs as a primary weak link in the security infrastructure: Schmidt says: "Individuals working on peer-to-peer networks often don't realize they're sharing the whole contents of their drive. You can find Homeland Security vulnerability assessment documents online from employees (using P2P)."

REPLY: If the security policies on computers that connect to the network were sufficiently restrictive, the users would not be able to install P2P programs, or modify the firewall filter to open up P2P ports.

3) Schmidt's solution: "Eventually, we'll move to a model of software as a service, with a low-cost environment of managed security services," he said.

REPLY: Eh? How does a "managed security service" fix the problems mentioned above, and others mentioned in the article?
URL: http://news.zdnet.com/2100-1009_22-6137381.html

Small companies ignorant of security?
11 / 20 / 06

Small businesses must become more aware that they are the potential victims of cybercrime, former White House security adviser Howard Schmidt has urged.

Speaking at an IT security event at London's House of Lords on Monday, Schmidt said all businesses are at risk through a lack of proper configuration of security equipment, or through not taking proper security precautions.

[...]

Schmidt is on the board of directors for Fortify, which sells source code analysis tools.

Tom Espiner of ZDNet UK reported from London.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.