Backups 'no longer effective' for stopping ransomware attacks:
The growth of double extortion – and even triple extortion – ransomware attacks is in danger of rendering common, traditional methods of mitigating the impact of a ransomware hit, such as well-maintained backups, less efficacious, according to a report from machine identity specialist Venafi.
Data collated from Venafi's worldwide survey of IT and security decision-makers reveal that 83% of successful ransomware attacks now involve alternative extortion methods – for example, using stolen data to extort customers (38%), leaking data to the dark web (35%), and informing customers that their data has been compromised (32%). A mere 17% of attacks merely ask for money for a decryption key.
Venafi said that this means that because ransomware attacks now rely on data exfiltration, effective backup strategies are therefore to some extent "no longer effective" for containing a breach.
"Ransomware attacks have become much more dangerous. They have evolved beyond basic security defences and business continuity techniques like next-gen antivirus and backups," said Kevin Bocek, vice-president of business development and threat intelligence at Venafi.
Venafi also found that cyber criminals are increasingly following through on their threats whether or not they get paid. Indeed, 18% of victims had their data leaked despite paying, more than the 16% who refused outright to pay anything and had their data leaked. Some 8% refused outright, but then had their customers extorted; and 35% paid, but were left hanging, unable to retrieve their data.
(Score: 1, Flamebait) by Anonymous Coward on Saturday February 26 2022, @05:47PM (11 children)
then damn keep them UNCONNECTED to the damn Internet!!! HOW is that so hard to understand???
If you do not bother to keep your data secure, then you have only yourselves to blame for damage when they get leaked.
(Score: 2, Informative) by Anonymous Coward on Saturday February 26 2022, @06:13PM
Everything is online now, their business models depend on securely accessing the data over the net. You're not wrong though, and where possible data should be protected in that manner.
(Score: 0) by Anonymous Coward on Saturday February 26 2022, @06:20PM (4 children)
Good advice, but usually it's not the NAS or servers themselves which get attacked, but workstations that access the data on a daily basis. You can't expect the workstations to be off the Internet when most of the work depends in some way on it.
Proper design of data access policies, permissions, auditing and active monitoring of access patterns is the proper solution. If you detect that one workstation is modifying huge amounts of data, then it's time to check it out, for example. As always proper security is expensive, and most of the time only considered AFTER a huge breach has happened.
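The access-pattern check described in the comment above (one workstation modifying large amounts of data), as an added example that is not part of the original thread. The log format, host names, window and threshold are constructed assumptions, not the output of any particular file server or audit tool.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"       # assumed timestamp format of the audit log
WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 5                    # assumed max distinct files modified per window
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}

def parse_line(line):
    """Parse '<timestamp> key=value ...' into (datetime, dict); None if malformed."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], FMT)
    except (ValueError, IndexError):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"host", "op", "path"} <= fields.keys():
        return None
    return ts, fields

def find_bulk_modifiers(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each host to the first time it modified more than `threshold`
    distinct paths within `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, path)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip lines we cannot interpret
        ts, f = parsed
        if f["op"] not in MODIFYING_OPS:
            continue              # reads do not count as modifications
        q = recent[f["host"]]
        q.append((ts, f["path"]))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        if len({p for _, p in q}) > threshold and f["host"] not in alerts:
            alerts[f["host"]] = ts
    return alerts

def sample_log():
    """Constructed sample: ws-07 saves one file a minute, ws-14 renames ten in ten seconds."""
    base = datetime(2022, 2, 26, 18, 0, 0)
    lines = [f"{(base + timedelta(minutes=i)).strftime(FMT)} host=ws-07 user=alice op=WRITE path=/share/report{i}.docx" for i in range(8)]
    lines += [f"{(base + timedelta(seconds=120 + i)).strftime(FMT)} host=ws-14 user=bob op=RENAME path=/share/clients/{i}.xlsx" for i in range(10)]
    lines.append("garbage line without fields")
    return sorted(lines)

if __name__ == "__main__":
    print(find_bulk_modifiers(sample_log()))
```

The threshold only makes sense against a baseline of what normal workstations do on the share, so it needs tuning per environment before it is used for alerting.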
(Score: -1, Troll) by Anonymous Coward on Saturday February 26 2022, @06:38PM (3 children)
Is keeping TWO damn boxes connected to two damn LCDs on same desk SO damn hard?
An Internet connected one for emails, searches, and online timewasting; and another on the internal network where sensitive data are, and no Internet-connected device allowed in.
If something from the sensitive-data network ever need be emailed for some reason, then damn print it out, then scan it in, and send. Or do a photo of the screen and send that. If that is "too hard", then your data are not sensitive enough.
(Score: 3, Insightful) by Anonymous Coward on Saturday February 26 2022, @06:43PM (2 children)
Yes, it is that damn hard. Normal people barely comprehend a single PC, and you expect them to handle two with no method of sending data from one to the other?
Your solution is clearly not a realistic one. We're talking about normal companies handling client data, like internet shops and so on, not NSA state secrets.
(Score: 1, Insightful) by Anonymous Coward on Saturday February 26 2022, @07:10PM (1 child)
Those "normal companies" can choose; either they do NOT gather and keep sensitive client data, or they are fully liable for criminal negligence when the mis-kept data get stolen from them.
If people cannot be bothered to handle sensitive data with proper care, they SHOULD NOT BE HANDLING THEM AT ALL.
(Score: 3, Funny) by Anonymous Coward on Saturday February 26 2022, @07:26PM
Then by the finest capitalist principles they choose not to care unless they are in the EU and are bound by the GDPR rules.
(Score: 2) by maxwell demon on Saturday February 26 2022, @06:38PM (3 children)
Indeed, online shops should only store their customers' credit card info offline. And require the customer to send it in on paper, so that it never touches the internet-connected servers. That certainly will gain them lots of customers. </sarcasm>
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Insightful) by Anonymous Coward on Saturday February 26 2022, @07:01PM (1 child)
How about NOT STORING IT AT ALL?
The ONLY place on the damn Internet that has ANY business storing my credit card info, is the bank that issued the card. Any other outfit that keeps the data past the transaction, is doing it for the sole reason of scamming me.
Not that in my case the data they squirrel away would help them, or any other crooks, any: https://en.wikipedia.org/wiki/3-D_Secure [wikipedia.org]
(Score: 0) by Anonymous Coward on Saturday February 26 2022, @07:21PM
You should be aware then that 3-D Secure can be skipped by the payment processor, for example Amazon Payment Services (https://paymentservices.amazon.com/docs/EN/54.html):
>It is also possible to bypass the 3D Secure authentication process based on a set of rules that you define in the back office.
(Score: 5, Interesting) by Thexalon on Saturday February 26 2022, @07:37PM
As someone who worked for many years on credit card processing for a fairly major company: The only leak we had of credit card data, at least that we ever found out about, were a set that came in over the phone and were processed by a customer service rep (who was caught and arrested). So requiring customers to send it in on paper isn't just inconvenient, it's creating a weak point, namely the humans who process the piece of paper.
But the sibling is right that payment card data is supposed to be treated like a hot potato, something to get rid of as quickly as possible or even better not have at all. The ideal flow of that data these days for online transactions is from browser to payment processor, without going through the retailer's server at all. Now, that does create a giant problem if, say, Chase Paymentech gets pwned, but they have a level of resources to prevent being pwned that your average small online retailer just doesn't have.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Sunday February 27 2022, @01:30PM
Office and web browsers auto create and logon to an internet account. It just gets worse year after year. Windows 11 will require a MS account and no doubt in the future a phone number.
Two courses I have attended required a Microsoft account.
A school requires kids to use a google account to access the coursework.
Work is the same. All devices have AAD now. Teams is a backdoor for patches. Integrated with Office.
How will people work offline? Not with Windows.