As reports rise that Kaseya facilitated the massive ransomware attack by requiring users to turn off security features, it is obvious that large companies companies cannot to protect our data, even when protecting that is a primary focus of that company.
That means the first line of defense for small to medium businesses (SMB) is going to be the businesses themselves. That is nothing new. The problem is few of those businesses know what to do, they lack the knowledge to protect themselves. Cybersecurity Social media groups are filled with executives and job seekers asking one basic question: Where do I start with Cybersecurity?
After six months of looking over every aspect and category, we’ve settled on a single technological practice as the genesis of a security framework: Penetration testing, also known as “pentesting.”
Breaking in with permission
For those outside of the cybersecurity world, pentesting is an authorized simulated cyberattack to evaluate the security of the system. Essentially, you hire someone who knows how to break into your network before someone does it without your permission. The test identifies vulnerabilities and weaknesses as well as strengths, so a risk assessment can be performed. While a simple solution for a large enterprise, for a small business it is unattainable financially and completely incomprehensible.
Simon Linstead, head of marketing for Ronin Pentest in the UK, believes the real problem is the lack of Cybersecurity knowledge in the C-suite. “There’s all this talk of this perceived skills gap,“ he explained. “There isn’t any. There is an education gap right across the industry.” (Listen to the interview with Ronin Pentest)
Hundreds of companies offer tools and services making knowing how to secure your data confusing. You might not be sure you are doing it the most efficient way. After the Colonial breach, the CEO gave the excuse that the company had spent millions of dollars upgrading their security. He called the attack “sophisticated.” It wasn’t, of course, Colonial had just not covered the right holes. In the CEO’s defense, no one knew if they covered the right holes. And no one security solution is capable of covering them all.
That kind of failure keeps business owners up at night. If a company spends millions on security and still gets hacked, what hope does a small business have to secure its own data? Slim to none, it would seem.
Do small businesses even stand a chance?
We contacted ten pentesting services recommended by Cybersecurity Ventures, asking for an average starting price. Only four responded and reluctantly provided an annual base price covering only scanning, not remediation. One company, Synack of Redwood City, California, only engage with companies that can afford $125,000 a year. These companies prefer working with large enterprises because that is, after all, where the money is. Medium sized enterprises are second on the list as some can afford to.
Although small businesses make up a larger market a large number of customers is difficult to support. Targeting large customers is better for the bottom line. That complicates the issue of securing networks for everyone.
In a ransomware attack, a small business will pay an average of $111,605 according to Coveware, it costs another $84,000 to restore the network and data, even if decryption tools provided by the ransomers work. A medium-sized business might be able to justify the expense of a pentesting subscription, not a small business. But small businesses will often do business with larger businesses, either as a customer or a provider. A small, undefended business represents a threat vector in either case, as was the case with Kaseya and even Fireye last year.
There are alternatives for small businesses to at least start a pentesting program, however.
While most pentesting companies work on annual subscriptions, others charge per scan/per target, either an IP address for a public cloud-based business or a server. intruder.io charges $77 a month for continuous scans of a single target with either month-to-month or annual subscriptions. That means a small business could keep monitor for intrusions for less than $1200 a year. The question is, do you actually need continuous scans. What if you just want to see if the are problems, fix them and then do irregular checks. Not an optimal choice but better than doing nothing. Enter Ronin-Pentest out of the UK.
For less than $25 Ronin will perform a comprehensive scan, based on the top 10 vulnerabilities from the Open Web Application Security Project (OWASP). If they find something they can suggest corrections, plug up the holes or offer ongoing service in the form of deeper, manual scanning.
On the web application side, Ronin looks for misconfigurations, around cookies around headers, injection flaws, said CEO Ben Brown “Basically, we’re aiming to pick up as much of the OWASP top 10 as we possibly can on the web application side. On the infrastructure side, it’s the vast majority of vulnerabilities are going to be around either using unencrypted protocols or out of date and unsupported software versions. That’s how the majority of of baddies get in. And you’ll I think you’ll find if, if you’re I don’t know how much you read up around ransomware.”
Brown said the majority of ransomware attacks come either from compromised username and password in a business email where the connect with a remote desktop interface exposed to the internet. “After that, it’s game over.”
Ronin’s open-source intelligence scan scrapes public databases like https://haveibeenpwned.com, and compares them to publicly available profiles on sites like Linkedin. That compromises the automated reconnaissance element of a pentest. Then the tool scans all the network infrastructure and moves on to websites and applications. Even then, Brown said a company needs a definitive list of all internet facing assets. A study by Firemon last year claimed that every sector of the internet had thousands to external devices connected to the internet and to their own network that the network administrators could not see.
That, however is another story. Step one, is finding the the most obvious holes. Pentesting is the way to go.