Poor configuration, old versions of Windows, Linux among security issues facing SMBs: Survey

Small and medium-sized businesses face a lot of challenges in trying to lower their cybersecurity risks. But if a survey released this week by managed security provider Alert Logic is accurate, the three biggest problems are encryption-related.

Thirteen encryption-related configuration issues accounted for 42 per cent of all security issues found, the company said in a report on the SMB Threatscape.

For SMBs using Amazon Web Services, encryption and S3 bucket configuration “are a challenge” among companies studied, the report adds. In fact overall, weak encryption is a top SMB workload configuration concern.

Among the other big problems found after looking at data collected from 762 customers include:

  • Most unpatched vulnerabilities in the SMB space are more than a year old. Among the solutions: Regular vulnerability scanning
  • Unsupported Windows versions are “rampant” in mid-sized businesses. Among the solutions: Ask why old versions of OSs are around
  • Outdated Linux kernels are present in nearly half of all SMB systems. Among the solutions: Remember that many Linux application systems mask the underlying OS distribution flavor, so do careful checking
  • Active unprotected FTP servers lurk in low-level SMB devices. Among the solutions, shut down unnecessary FTP servers
  • SMB email servers are old and vulnerable. Among the solutions: Ask why the firm is still running Exchange 2000 and others like it
  • And the three most popular TCP ports accounted for 65 per cent of SMB port vulnerabilities. Among the solutions: close ports that aren’t in use.

“In these nine takeaways, we paint a picture of SMBs straining to keep pace with changes on the security landscape while dealing with aging infrastructure with lapsed support and limited options for security updates and bug fixes,” the report says.

“We observed that while automated updates are having a positive impact on system patching, SMBs often struggle with misconfigurations and gaining visibility to the vulnerabilities these misconfigurations cause. For systems that remain unpatched, available patches are often more than a year old. This points again to hampered visibility, difficulty in locating vulnerabilities, and the use of legacy technology to which patches cannot be applied or are no longer provided, along with a challenge of keeping up with patching activities generally due to limited resources.”

When report authors looked at the top workload configuration issues, they discovered that 66 per cent of the issues were related to weak encryption. Understanding and configuring encryption trade-offs within an application is difficult, the authors admit. But the result is many organizations just implement the default encryption associated with an application. “This presents a security challenge,” they argue, “as many of these defaults were defined when older encryption protocols were still considered safe.”

For example, while the Open Web Application Security Project (OWASP) considers MD5, SHA-0, SHA-1 and AES encryption protocols should be avoided, they are still often used by applications in organizations.

Read the full report here. 

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now