Cybersecurity is not about stopping issues but about compliance and liability. Attend RSA once, and you will see it yourself.
Basic security hygiene pretty much removes ransomware as a threat.
It does not. The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware, not to mention AI agents. And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.
And no, backups aren't the solution either, they only limit the scope of lost data.
In the end the flaw is fundamental to all major desktop OSes - neither Windows, Linux nor macOS meaningfully limits the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions, bar a few specially protected files/folders, is fair game for any malware achieving local code execution.
This is very literally what 'basic hygiene prevents these problems' addresses. Ransomware attacks have shown time and again that the way they were able to spread was highly over-permissioned users and services, because that's the easy way to get someone to stop complaining that they can't do their job.
Yes it does. A little bit of application control, network segmentation and credential hygiene (including phishing resistant MFA) go a long way.
> The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware,
Why are you letting employees execute arbitrary software in the first place? Application allowlisting, particularly on Windows, is a well-solved problem.
> not to mention AI agents.
Now this is possible only through criminal incompetence.
> And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.
Relatively rare, likely to be caught by publisher rules in application control and even if not, if the compromise of a handful of endpoints can take down the entire business then you have some serious, systemic problems to solve.
> And no, backups aren't the solution either, they only limit the scope of lost data. In the end the flaw is fundamental to all major desktop OSes - neither Windows, Linux nor macOS meaningfully limits the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions, bar a few specially protected files/folders, is fair game for any malware achieving local code execution.
Why are you giving individual employees such broad access to so many file shares in the first place? We’re in basic hygiene territory again.
I can't tell if you're being flippant, or naive. There is nothing that removes any category of malware as a threat.
Sure, properly isolated backups that run often will mitigate most of the risks from ransomware, but it's quite a reach to claim that it's pretty much removed as a threat. Especially since you would still need to clean up and restore.
Now take limited time/budget and off you go making sure basic security hygiene is applied in a company with 500 employees or 100 employees.
If you can do that let’s see how it goes with 1000 employees.
If so, I bristle at this way that many developers (not necessarily you, but generally) view security: "It's red or it's green."
Attack surface going up as the number of employees rises is expected, and the goal is to manage the risk in the portfolio, not to ensure perfect compliance, because you won't, ever.
The security industry absolutely has a serious "more is better" syndrome.
My favorite is the Gordon-Loeb model[0], but there are others that are simpler and some that are more complex. Almost none imply that the budget should naively grow linearly in lockstep with prevalence.
I think TFA doesn't really mean to imply that it should, merely that there is a likely mismatch.
Do you just expect one side to magically be more dollar-efficient than the other? I'm confused.
Is there some reason to believe that this isn't the best approach? And if not, then any theories as to why it hasn't been enacted?
Getting to a world where no one pays ransoms and the ransomware groups give up and go away would be the ideal, and we'd all love to get there. But outlawing paying ransoms basically means sacrificing everyone who gets ransomwared in the meantime, until we get to that state, for the greater good.
And where companies get hit, they'll try hard to find ways around that, because the alternative may well be shutting down the business. But if something like a hospital gets hit, are governments really going to be able to stand behind the "you can't pay a ransom" policy when that could directly lead to deaths?
A ban on paying ransoms isn't the right tool for this. Fine them, punitively, with a portion set aside to incentivize whistleblowing.
The only real way around that would be personal consequences for the owners/directors of the company - "get caught paying a ransom and the whole board goes to jail" would certainly discourage people. And also provide a wonderful opportunity for blackmail when people did.
Not to mention all the problems of fining public sector organisations, and how counter-productive that usually is.
The penalty for not paying is often catastrophic. The penalty for paying will have to be similarly impactful.
Getting hacked is no fun, but companies don't deserve to die because something in their tech stack was vulnerable.
Many ransoms are far more than the victim can actually pay. Not all ransom payments result in a decryption key that actually works.
Notes:
0 - https://www.nbcnews.com/politics/politics-news/officials-vir...
What does work better is outsourcing an entire function: if you pay Gmail for email services, you know exactly how much it will cost per user and have an SLA for problems which they can’t blame on you.
Another issue is that not paying up and risking restore from underfunded ops dept. might be more expensive than paying up AND making a selected executive look bad. And we can't have that, can we.
So, remember how you illegally paid us a ransom a few months ago? Unless you want to go to prison, then you better...
We're already seeing this against companies who pay ransoms and fail to report the breaches when they're legally required to - but it would be much worse if it's against individuals who are criminally liable.
If you mean ban all cryptocurrencies, then you're correct.
But the best antidote to many forms of ransomware isn't security software at all— it's offline backups.
Like so much in cybersecurity, an analysis by spending categories like this feels like vendors and their marketing teams driving the discourse. Even if we accept that dollars provide the right lens through which to look at this problem, companies that spend more on making sure they have good backups and good restore procedures aren't going to show up as spending more on cybersecurity in this kind of analysis.
So yeah, I'm surprised it's only 3x, and not even more.
A good abliterated local LLM is great at finding dumb exploits and writing ransomware code. And the cybersec professionals? Yeah, they're pivoting elsewhere and gone.
The technology is there and it is used to track the average citizen's every move. But when it comes to rich people then the money goes and comes without control (and without taxation).
Cryptocurrencies are a great solution to enable criminal activity. It's their only use, and they are highly appreciated by terrorists, criminals and dictatorial governments around the world.
What cracks me up is how much crypto is emblematic of Libertarianism. Sounds promising if you think about it superficially, but is obviously bad if you actually think about it in any real world terms.
And not just abstractly - they both fall apart for the exact same reasons. Libertarianism is essentially "But, what if we scaled up the failures of crypto to all of society?"
And while cryptocurrencies are certainly popular with criminals, they are far from the only option for hiding transactions. As for the technology, if it exists, it is not very effective. The shadow economy is going strong even among average citizens, from drug trade to babysitting.
If governments can't stop even the most trivial kind of unreported work in their own country, how do you expect them to stop well organized international gangs, sometimes backed by nation states?
Who sent it?
> And while cryptocurrencies are certainly popular with criminals, they are far from the only option for hiding transactions.
Start by removing the cryptocurrency option, that's an easy win. Go after other options afterwards. Removing cryptocurrencies is not going to stop all the crime but it will stop a lot of it and push criminals to more risky and easy to trace ways of getting money.
> how do you expect them to stop well organized international gangs, sometimes backed by nation states?
Removing their financing like cryptocurrencies. All that you say is that crime is impossible to stop. Bollocks. Start by banning Bitcoin and other crypto-crime-enablers and continue from there.
You gave zero arguments to why cryptocurrencies should not be banned.
If your counter measures are effective, you would expect sub-linear growth, heck you should demand it!
The security industry is so fucked up.