The average cost of a data breach in 2020 will exceed $150 million. The average cost of a ransomware attack on businesses is $133,000. (SafeAtLast)
Every company is vulnerable. Nothing in the world is 100% secure, especially in the digital world. There is an attack every 39 seconds, and your company is not excluded as a target.
When businesses are for-profit, profit is consistently chosen over security best practices. Vital security details can be overlooked. Once-valuable infrastructure can be forgotten. Once-trusted staff, holding company secrets, will eventually leave to work for another company, taking those secrets with them. The code written by your most experienced developer is not bulletproof, despite assurances and a god-like reputation. The truth is that humans are flawed, and it is those flawed individuals who write the code securing your most precious assets. But sometimes it is not software that is at fault for a security compromise. Sometimes it is a combination of circumstances that you cannot predict. This is why knowledge of attack vectors and secure protocols can go a long way toward preventing a breach, even if it’s as simple as making your employees realize that they shouldn’t use the same password for their Facebook account and their work admin portal.
The impact of a cyber-attack is catastrophic. You could experience a loss of profits, loss of trust, lawsuits, and an inevitable PR disaster.
Security breaches are a hot topic in the media. With increasing publicity, companies are becoming more aware of the threats towards their business. Accordingly, it comes as no surprise that 50% of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43% spending $250,000 to $999,999, and just 7% spending under $250,000.
If you don’t spend the money on information security now, you may have to spend three times that amount in the wake of a data breach.
Equifax has recently experienced negative media headlines, after being deemed liable for their 2017 breach, which affected 147.9 million consumers worldwide. That’s at least 147.9 million people who no longer trust Equifax, in addition to millions of people who don’t use Equifax but have negative associations due to media coverage. It takes years of hard work and consistent business to build trust, integrity, and respect. Being the victim of a breach can destroy all of that in significantly less time than it took to build. Consequently, the Federal Trade Commission (FTC) fined Equifax $425 million.
Ignoring security in favor of profits means you are consciously deciding to disrespect your users, who are ironically integral to those profits. You may boast that it hasn’t happened to you, but how do you know?
You won’t always be immediately aware that you have been compromised. Sensitive data such as passwords, credit card details, and social security numbers may have been compromised months or even years before you are notified. ‘Zero-Day’ vulnerabilities, which are vulnerabilities unknown to the vendor that could compromise the security of a host or product, are discovered daily; they are called ‘Zero-Day’ because the vendor has had zero days to address or patch the vulnerability.
‘Zero-Day’ vulnerabilities can be reported ethically through responsible disclosure, such as on Zerodium. However, they are also traded illegally on the darknet to buyers with malicious intent, such as using them for financial or political gain. Data breaches that go undetected can affect millions of users before any action is taken to remedy the breach.
Just look at the activity here. White hat hackers make a living from finding and reporting vulnerabilities in the most secure platforms on the web. Companies that have had a bug bounty program with hackerone.com or bugcrowd.com for years are still informed daily of new vulnerabilities on their platform. There is no feeling of “we’ve caught them all”, I can assure you.
Yes, they do.
43% of breach victims were small businesses. Cisco’s 2018 SMB Cybersecurity Report found that 53% of mid-market companies in 26 countries experienced a breach. For small and medium businesses, one breach often puts them out of business. That’s because 54% of all cyber-attacks cause financial damages exceeding $500,000.
The code securing access to your server might adhere to all the security best practices and use secure protocols, but that will do little to prevent an employee from falling victim to a slightly sophisticated phishing attempt, a technique that often results in a victim unintentionally revealing their admin password to an attacker over email. Not surprising, considering 94% of all malware is spread through email.
Attempts like these are recorded daily, with 62% of businesses reported to have experienced phishing and social engineering attacks in 2018.
The bigger the company, the more digital assets, the more attack vectors, and the more likely it is that digital assets are forgotten about and become harder to track. Maybe a development environment was created using production data, carrying bugs that don’t exist in production, clear-text PII (personally identifiable information) such as passwords and credit card numbers, or exposed API keys with admin-level privileges. Maybe the attacker just needs to navigate to a subdomain and look through the source code to see the API key just sitting there.
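The "API key just sitting in the source code" problem described above is one that a defender can hunt for before an attacker does. The following is an added example, not code from the original post: a small secret scanner that runs three checks over source text, from most to least specific (a known credential format, a long value assigned to a secret-looking variable name, and a high-entropy quoted string), and reports redacted findings so the scanner's own output never becomes a second leak. The sample source and every key value in it are constructed placeholders, and the 4.0 bits-per-character entropy threshold is an assumption chosen to sit above typical URLs and English text.

```python
import math
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample "source" lines standing in for files served from a forgotten
# dev subdomain. Every key value below is a fabricated placeholder, not a real credential.
SAMPLE_SOURCE = """\
const API_BASE = "https://api.example.test";
// TODO remove before release
const AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001";
const ADMIN_API_KEY = "sk_admin_ThisIsAConstructedPlaceholderValue01";
const SESSION_SEED = "q8Zr2LmX9vKpT4wNcY7bHs3dFg6jA1eU";
const GREETING = "hello world";
"""


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str  # never log the full secret; keep a short prefix for triage


# Rule 1: known credential formats (AWS access key IDs are "AKIA" + 16 chars).
PATTERN_RULES = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# Rule 2: a long quoted value assigned to a name that smells like a secret.
SECRET_ASSIGN = re.compile(
    r"(?i)\b[a-z_]*(?:secret|api_key|apikey|token|password)[a-z_]*\s*=\s*['\"]([^'\"]{16,})['\"]"
)
# Rule 3: any long quoted string that looks random (high Shannon entropy).
QUOTED = re.compile(r"['\"]([^'\"]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per char (assumed cut-off); URLs and prose sit below this


def shannon_entropy(s: str) -> float:
    """Average bits of information per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a 4-character prefix plus the length, enough to locate the leak."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan(text: str) -> list[Finding]:
    """Return at most one finding per line, trying the most specific rule first."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERN_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, rule, redact(m.group(0))))
                break
        else:
            m = SECRET_ASSIGN.search(line)
            if m:
                findings.append(Finding(line_no, "secret-assignment", redact(m.group(1))))
                continue
            for value in QUOTED.findall(line):
                if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(line_no, "high-entropy-string", redact(value)))
                    break
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

Running the block reports lines 3, 4 and 5 of the sample and leaves the URL and the greeting alone; the entropy rule is what catches a random-looking value that has neither a recognisable format nor a telling variable name, at the cost of occasional false positives that the redacted prefix lets a reviewer triage quickly.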
The largest corporations, with a wealth of software developers at hand, are not necessarily more secure. The number of developers and security experts required to stay secure is directly proportional to the size of the company and its digital assets. Equifax, as well as Capital One and Facebook, are examples of large companies that have suffered a security breach more recently.
As your business grows, so should your cybersecurity spending. Globally, approximately $6 trillion is expected to be spent on cybersecurity by 2021. Large companies have faced this reality, which is reflected in the increase in demand for cybersecurity experts, a demand that has been growing for many years and will continue to increase for the foreseeable future, along with the evolution of modern technology.
As you expand, your digital infrastructure becomes more complex, and your system’s security requirements change. To protect your growing infrastructure, you should isolate sections of your digital business by segmenting networks and splitting them into subnetworks, thereby improving security and performance. This ensures that being compromised only affects that segment.
The last thing you want is for attackers to gain access to all systems and data from a single breach.
Be mindful of who you give privileged access to. Despite best practices advising companies to apply the rule of least privilege, many companies implicitly trust their staff without a second thought. For example, 53% of companies had over 1,000 sensitive files open to every employee, and 34% of data breaches involved internal actors. If those statistics don’t make you paranoid about your trusted staff, then I don’t know what will.
Use strict Access Control Lists (ACLs). Don’t grant employees access to data, networks, and software that are not necessary for their daily work duties.
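To make the least-privilege advice concrete, here is an added example (not code from the original post) of a deny-by-default ACL check together with an audit that finds the exact situation the "sensitive files open to every employee" statistic describes, and a remediation step that strips blanket grants from sensitive resources. All resource, user and group names are constructed placeholders for a fictional company.

```python
from dataclasses import dataclass, field

EVERYONE = "everyone"  # implicit group that every member of staff belongs to


@dataclass
class Resource:
    name: str
    sensitive: bool
    # principal (user name, group name, or EVERYONE) -> actions explicitly granted
    grants: dict[str, set[str]] = field(default_factory=dict)


@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)


def is_allowed(resource: Resource, user: User, action: str) -> bool:
    """Deny by default: access needs an explicit grant to the user, one of
    their groups, or EVERYONE. Anything not listed is refused."""
    for principal in (user.name, *user.groups, EVERYONE):
        if action in resource.grants.get(principal, set()):
            return True
    return False


def audit_overexposed(resources: list[Resource]) -> list[str]:
    """Sensitive resources readable by every employee, i.e. the over-sharing
    pattern an ACL review should surface first."""
    return sorted(
        r.name for r in resources
        if r.sensitive and "read" in r.grants.get(EVERYONE, set())
    )


def tighten(resource: Resource) -> Resource:
    """Remediation: drop the blanket EVERYONE grant from a sensitive resource,
    leaving only the explicit user/group grants (least privilege)."""
    if resource.sensitive:
        resource.grants.pop(EVERYONE, None)
    return resource


def sample_resources() -> list[Resource]:
    """Constructed inventory: one public document, one over-shared sensitive
    spreadsheet, one correctly restricted credential file."""
    return [
        Resource("handbook.pdf", sensitive=False, grants={EVERYONE: {"read"}}),
        Resource("payroll.xlsx", sensitive=True,
                 grants={EVERYONE: {"read"}, "finance": {"read", "write"}}),
        Resource("prod-db-credentials", sensitive=True, grants={"ops": {"read"}}),
    ]


ALICE = User("alice", groups={"finance"})
BOB = User("bob", groups={"marketing"})


if __name__ == "__main__":
    resources = sample_resources()
    print("over-exposed before:", audit_overexposed(resources))
    for r in resources:
        tighten(r)
    print("over-exposed after: ", audit_overexposed(resources))
    for r in resources:
        print(f"{r.name}: bob can read = {is_allowed(r, BOB, 'read')}, "
              f"alice can read = {is_allowed(r, ALICE, 'read')}")
```

The audit flags only the payroll spreadsheet; after tightening, a marketing employee loses read access to it while the finance group keeps theirs, and the non-sensitive handbook stays open to everyone, which is the point of the exercise: restrict by sensitivity and role rather than locking down everything indiscriminately.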
For example, to counter social engineering, consider implementing a web filter to protect against web-based attacks. Taking measures to prevent web-based attacks is essential, as 1 in 13 web requests lead to malware. A web filter will prevent employees from visiting sites that are not deemed relevant to their work, and it helps to prevent employees from visiting phishing websites or sites that host malware. Additionally, DNS-based web filters help to protect wired and wireless networks while also protecting remote workers, including by blocking malware downloads.
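The decision logic at the heart of a DNS-based web filter is simple but has one classic pitfall worth showing: a blocked domain must also cover its subdomains, yet a naive substring match would wrongly block unrelated names that merely contain the string. The following added example (not code from the original post or any filtering product) normalizes each queried name, honours an exact allowlist for known false positives, then walks the name's parent domains and blocks on a label-boundary match. The blocklist, allowlist and resolver log lines are constructed using reserved example names.

```python
from typing import NamedTuple

# Constructed lists using reserved example names; a real deployment would feed
# these from a threat-intelligence or category subscription.
BLOCKLIST = {"phish.example", "malware-host.example", "gambling.example"}
ALLOWLIST = {"docs.gambling.example"}  # explicit exception for a known false positive


class Verdict(NamedTuple):
    qname: str
    action: str   # "allow" or "block"
    matched: str  # the list entry that decided the outcome, "" if none


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def parent_chain(name: str):
    """Yield the name and each of its parents: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname: str, blocklist=BLOCKLIST, allowlist=ALLOWLIST) -> Verdict:
    name = normalize(qname)
    if name in allowlist:
        return Verdict(name, "allow", name)
    # Matching on label boundaries means 'phish.example' also catches
    # 'login.phish.example' but never 'notphish.example'.
    for candidate in parent_chain(name):
        if candidate in blocklist:
            return Verdict(name, "block", candidate)
    return Verdict(name, "allow", "")


# Constructed resolver log: timestamp, client address, queried name
SAMPLE_LOG = """\
2024-03-01T09:14:02Z 10.0.0.5 LOGIN.phish.example.
2024-03-01T09:14:05Z 10.0.0.5 www.example.com
2024-03-01T09:15:11Z 10.0.0.7 notphish.example
2024-03-01T09:16:40Z 10.0.0.9 cdn.malware-host.example
2024-03-01T09:17:03Z 10.0.0.9 docs.gambling.example
"""


def filter_log(log: str) -> list[Verdict]:
    """Apply the policy to every query in a resolver log."""
    verdicts = []
    for line in log.splitlines():
        _timestamp, _client, qname = line.split()
        verdicts.append(decide(qname))
    return verdicts


def blocked_names(log: str) -> list[str]:
    return [v.qname for v in filter_log(log) if v.action == "block"]


if __name__ == "__main__":
    for v in filter_log(SAMPLE_LOG):
        print(f"{v.action:5} {v.qname}" + (f"  (rule: {v.matched})" if v.matched else ""))
```

Over the sample log the filter blocks the phishing login page (despite its upper-case, root-dotted spelling) and the CDN subdomain of the malware host, while letting through the look-alike `notphish.example` and the allowlisted documentation site.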
Consider providing all staff, regardless of their role, with Security Awareness Training. Don’t leave security responsibility solely to developers. Everyone should have at least basic training in cybersecurity and a working knowledge of the Open Web Application Security Project (OWASP) top 10, the top 10 web application security vulnerabilities.
Selectively choose your vendors, partners and software dependencies. The infrastructure that you control may be secure, but what about the third-party API that you just integrated? Has that been thoroughly checked for vulnerabilities?
Software bugs can be introduced today that were not present yesterday, especially if you are a tech-based company, as updates are pushed almost daily due to constant development. Therefore, a security assessment made on any given day is unreliable the next. Think about who you share data with, and which partners or dependencies require sensitive data to be shared. What would it mean for your business if their systems were compromised? How would your users be affected?
The battle to stay secure is continuous. Take action now. It’s in your company’s best interests.
Translated from: https://medium.com/swlh/is-your-company-vulnerable-to-a-cyber-attack-maybe-the-question-should-be-how-66c18e1bc57b