Small and medium-sized businesses face a lot of challenges in trying to lower their cybersecurity risks. But if a survey released this week by managed security provider Alert Logic is accurate, the three biggest problems are encryption-related.
Thirteen encryption-related configuration issues accounted for 42 per cent of all security issues found, the company said in a report on the SMB Threatscape.
For SMBs using Amazon Web Services, encryption and S3 bucket configuration “are a challenge” among companies studied, the report adds. In fact overall, weak encryption is a top SMB workload configuration concern.
Among the other big problems found after looking at data collected from 762 customers include:
- Most unpatched vulnerabilities in the SMB space are more than a year old. Among the solutions: Regular vulnerability scanning
- Unsupported Windows versions are “rampant” in mid-sized businesses. Among the solutions: Ask why old versions of OSs are around
- Outdated Linux kernels are present in nearly half of all SMB systems. Among the solutions: Remember that many Linux application systems mask the underlying OS distribution flavor, so do careful checking
- Active unprotected FTP servers lurk in low-level SMB devices. Among the solutions, shut down unnecessary FTP servers
- SMB email servers are old and vulnerable. Among the solutions: Ask why the firm is still running Exchange 2000 and others like it
- And the three most popular TCP ports accounted for 65 per cent of SMB port vulnerabilities. Among the solutions: close ports that aren’t in use.
“In these nine takeaways, we paint a picture of SMBs straining to keep pace with changes on the security landscape while dealing with aging infrastructure with lapsed support and limited options for security updates and bug fixes,” the report says.
“We observed that while automated updates are having a positive impact on system patching, SMBs often struggle with misconfigurations and gaining visibility to the vulnerabilities these misconfigurations cause. For systems that remain unpatched, available patches are often more than a year old. This points again to hampered visibility, difficulty in locating vulnerabilities, and the use of legacy technology to which patches cannot be applied or are no longer provided, along with a challenge of keeping up with patching activities generally due to limited resources.”
When report authors looked at the top workload configuration issues, they discovered that 66 per cent of the issues were related to weak encryption. Understanding and configuring encryption trade-offs within an application is difficult, the authors admit. But the result is many organizations just implement the default encryption associated with an application. “This presents a security challenge,” they argue, “as many of these defaults were defined when older encryption protocols were still considered safe.”
For example, while the Open Web Application Security Project (OWASP) considers MD5, SHA-0, SHA-1 and AES encryption protocols should be avoided, they are still often used by applications in organizations.