Clarity of SMB security risks paves the path for improvement

In the Alert Logic Critical Watch Report released today, you’ll find confirmation that SMBs are feeling exposed by unpatched systems, blind spots, and misconfigured security technologies. We took a look at the SMB portion of our customer base, and this report provides real, quantified data you can use in your own planning and justifications. Once again, we’re not seeing a raft of ground-breaking attacks and approaches. I think the practical challenge of resolving these known, existing and well-understood issues takes a back seat to shinier security technology and stories, but these weaknesses are the door that attackers are walking through.

Hopefully, especially for smaller businesses, this kind of clarity will bring focus. Why did WannaCry spread so far, so fast? Because too many organizations hadn’t universally and consistently applied Microsoft’s patch for the SMB (Server Message Block) protocol, and too few organizations were watching for attacks that land and then expand. Why do whole towns or healthcare systems get hammered? In some cases it is user awareness, in others it is patching again, and for most there is a notable lack of humans monitoring and interpreting security events.

As security people, we’ve always known that the most common, widespread, and damaging campaigns aren’t built from custom exploits or complex, interactive, on-the-fly social engineering and targeted attacks. The most common sources of pain and data exfiltration are simple mistakes and the exploitation of unpatched, unknown, and sometimes almost criminally neglected systems. So use the data our researchers have gathered to generate the support you need for at least a couple of these best practices:

  1. Maximize visibility across your system inventory and the software you are running. Blind spots (whether unknown or undermanaged) are bad.
  2. Integrate consistent patch analysis and prioritization into your administration task list, with the same regularity that you apply to backups. Apply mitigating controls, reduce access, and increase monitoring on those vulnerable systems you don’t have the latitude to update automatically when they’re at risk.
  3. Understand the security technology (like encryption) that you think you are using, validate your assumptions, and if you feel out of your depth, get help with configuration and management.
  4. Watch what’s happening. Don’t rely solely on technology, don’t hope for the best, and don’t have unrealistic expectations of the protection provided by the platforms you are using.
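Practices 1 and 2 above are the kind of thing a small team can turn into a repeatable script. The following is an added example, not code from the post or from Alert Logic: it takes a constructed host inventory and a constructed list of outstanding vendor patches, flags hosts seen on the network that are missing from the inventory (the blind spots of practice 1), ranks the patch backlog by severity, known exploitation and exposure, and, for hosts that cannot be auto-updated, recommends the mitigate-and-monitor path from practice 2 instead of a bare "patch" action. The host names, patch IDs, dates and scoring weights are all assumptions for illustration.

```python
"""Patch triage and blind-spot check over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Host:
    name: str
    internet_facing: bool
    holds_sensitive_data: bool
    auto_update_allowed: bool
    missing_patches: list  # hypothetical patch IDs outstanding on this host


@dataclass
class Patch:
    patch_id: str
    released: date
    exploited_in_the_wild: bool
    severity: int  # 1 (low) .. 4 (critical); constructed scale


def patch_score(patch: Patch, today: date) -> int:
    """Higher is more urgent. Severity and known exploitation dominate;
    time outstanding adds slowly and is capped at 90 days."""
    age_days = max((today - patch.released).days, 0)
    score = patch.severity * 10
    if patch.exploited_in_the_wild:
        score += 40
    score += min(age_days, 90) // 10
    return score


def host_score(host: Host, patches: dict, today: date) -> int:
    """Sum the host's outstanding patch scores, then weight by exposure."""
    base = sum(patch_score(patches[p], today) for p in host.missing_patches if p in patches)
    if host.internet_facing:
        base *= 2          # reachable by anyone scanning the edge
    if host.holds_sensitive_data:
        base += 20         # higher impact if compromised
    return base


def triage(hosts: list, patches: dict, today: date) -> list:
    """Return (host name, score, actions), most urgent first.
    Hosts that cannot be auto-updated get mitigating controls and more
    monitoring rather than being silently skipped."""
    ranked = []
    for h in hosts:
        if not h.missing_patches:
            continue
        score = host_score(h, patches, today)
        if h.auto_update_allowed:
            actions = ["patch"]
        else:
            actions = ["restrict-access", "increase-monitoring", "schedule-manual-patch"]
        ranked.append((h.name, score, actions))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def unknown_hosts(inventory: list, observed_on_network: list) -> set:
    """Blind-spot check: names seen on the network but absent from the inventory."""
    return set(observed_on_network) - {h.name for h in inventory}


# Constructed sample data (not real hosts or patches).
TODAY = date(2019, 6, 1)
PATCHES = {
    "P-001": Patch("P-001", date(2019, 3, 1), exploited_in_the_wild=True, severity=4),
    "P-002": Patch("P-002", date(2019, 5, 20), exploited_in_the_wild=False, severity=2),
}
HOSTS = [
    Host("web-01", True, False, False, ["P-001"]),
    Host("file-02", False, True, True, ["P-001", "P-002"]),
    Host("lab-03", False, False, True, ["P-002"]),
    Host("kiosk-04", False, False, True, []),
]
OBSERVED = ["web-01", "file-02", "lab-03", "kiosk-04", "printer-09"]

if __name__ == "__main__":
    for name, score, actions in triage(HOSTS, PATCHES, TODAY):
        print(f"{name:10} score={score:4}  actions={', '.join(actions)}")
    print("not in inventory:", sorted(unknown_hosts(HOSTS, OBSERVED)))
```

The internet-facing host with an actively exploited, critical patch outstanding lands at the top even though it carries only one missing patch, and because it is marked as not auto-updatable the output tells the administrator to restrict access and watch it rather than leaving it untouched until a maintenance window. Swap the constructed data for an export from whatever inventory and patch-management tooling you already run; the scoring weights are a starting point to argue about, not a standard.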

Use the report results to illustrate that most organizations are, in some way, vulnerable.  Show that unexpected events happen all the time, and deliver the message that part of being secure is ensuring that you will detect a successful attack and stop it while the blast radius is still small.

Kevin O'Connor

Head of Product & Portfolio Management at Amazon Web Services (AWS)

5y

Great insight - thanks for sharing! Looking forward to our teams solving these issues together.
