We have talked in the past about the weak link in the security chain, and after law firms and third parties, it may seem that the small and medium business (SMB) sector is an easy target.
Research by McAfee deemed SMBs to be “suffering from a false sense of security”, as 80 per cent of the 1,000 respondents to its survey admitted to not using data protection and 91 per cent said that they do not use endpoint or mobile device security, while 14 per cent said they have not implemented security measures of any kind in their environment. Deluded, or suffering? It could be argued that they are simply not advised well enough; after all, if these companies have under 500 people (I am assuming), then if there is an IT department, it is most likely one person, or one person who has another job.
In a previous job, IT responsibilities were handled by one of the senior editors who ran a busy monthly magazine and managed the server on the side. Now restarting the server and dealing with email outages is one thing, but fighting off denial of service attacks and training on awareness of spear phishing scams is another, and that is where I suspect McAfee’s survey is scarily accurate.
A similar survey was also released this week, which found that the majority of the retail sector does not meet the new PCI standards. That research, of 1,320 respondents, by Tripwire and the Ponemon Institute found that 41 per cent of the retail sector uses penetration testing to identify security risks, 34 per cent measure the reduction in access and authentication violations to assess risk management efforts, and 44 per cent have fully or partially deployed file integrity monitoring.
Again this comes down to the challenge of communicating risk to SMBs, who may well fully understand the challenge and the threats posed, but are not fully protected for reasons of finance and personnel. The Tripwire survey found that 62 per cent of IT professionals in the retail sector say that “negative facts about security risks are filtered before being communicated with senior executives”. So is security all FUD, or is it best to take baby steps with senior executives to make sure they understand the threat?
In other news, Microsoft announced an “evolution” of its bug bounty program, with everyone (once registered) able to submit bugs for evaluation and potential reward. Previously open to the anointed few, it now allows the likes of you and me to stake a claim on a potential $100,000 if you can find the next mitigation bypass bug.
Also in bug bounty news, Yahoo finally rolled out its bug bounty program, with a hall of fame, full payments and recognition offered. Yes, it was late to the game and it suffered a PR nightmare when it was revealed that there was no program to reward researchers, but its response to the community in what I imagine was a fire fight is pretty commendable, and I expect that they will be laughing about the incident one day. Once they have dealt with all of the reports, that is.
Naturally you can still win a Yahoo T-shirt if you want, possibly with the slogan “I spent a weekend penetration testing Yahoo Mail to find a series of zero-days which I could have sold to the NSA, and all I got was this lousy T-shirt”.
If a T-shirt isn’t your bag, what about a share in a company? The Register reported that the Hungarian start-up MySecureZone has spent months putting together a browser-based encryption system and is offering five per cent of its company to anyone who manages to crack that system.
Now in its second day, wannabe participants apply to the firm for access to the encrypted email, and the first person to break it open can claim a five per cent share of the firm. It is one way to do crowd-sourced penetration testing and, as long as the disclosure is kept quiet, could provide interesting results.