    SMB resources on the move

IT Discussion
124 Posts, 10 Posters, 17.4k Views
scottalanmiller @stacksofplates

      @stacksofplates said in SMB resources on the move:

      Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.

      Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.

scottalanmiller @stacksofplates

        @stacksofplates said in SMB resources on the move:

        @scottalanmiller said in SMB resources on the move:

And remember, if you are encrypting your data, then breaching Amazon doesn't breach you anyway. You still have to be breached additionally. So in most high security cases, even the fear of the low risk of Amazon being breached is effectively unfounded. Even Amazon won't necessarily have access to your data.

        And that's the same with on premise data.

Not totally; with on premises they also know whose data they have BEFORE they decrypt it. On AWS, they do not. So not the same. Not totally different, but not totally the same.

stacksofplates @scottalanmiller

          @scottalanmiller said in SMB resources on the move:

          @stacksofplates said in SMB resources on the move:

          Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.

          Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.

          No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical.

scottalanmiller @stacksofplates

            @stacksofplates said in SMB resources on the move:

            That does come into play, but we are approaching from a purely technical side.

            Should not, that will potentially lead to spurious security data.

scottalanmiller @stacksofplates

              @stacksofplates said in SMB resources on the move:

              @scottalanmiller said in SMB resources on the move:

              @stacksofplates said in SMB resources on the move:

              Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.

              Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.

              No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I

              Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.

stacksofplates @scottalanmiller

                @scottalanmiller said in SMB resources on the move:

                @stacksofplates said in SMB resources on the move:

                @scottalanmiller said in SMB resources on the move:

                @stacksofplates said in SMB resources on the move:

                Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.

                Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.

                No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I

                Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.

                But now you're changing what we were talking about. Physical was never mentioned, and it was you that mentioned people using automated scripts for hacking. That's what we are talking about. Physical would not allow people to use their computers outside of the office because of the risk of cached credentials.

stacksofplates

                  You're also not taking into account the fact that other people actually control the data. I recently lost my phone that had my 2FA for my Vultr account. I needed 3 pieces of information that gave me complete access to my system again. The keys to your kingdom are either a password, or the help desk guy on the other end.

stacksofplates

                    https://danielzstinson.wordpress.com/cloud-computing-may-not-be-as-secure-as-you-would-like-to-believevulnerabilities-in-azure-part-2/

bbigford @scottalanmiller

                      @scottalanmiller said in SMB resources on the move:

                      @stacksofplates said in SMB resources on the move:

                      So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).

                      There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.

                      But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.

                      This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPAA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did.

stacksofplates

                        Don't get me wrong. I agree that most places should switch to cloud. I'm not arguing that at all. But there are legitimate reasons to not, and that has been said, I just wanted to reiterate.

                        Plus I like playing devil's advocate.

stacksofplates @scottalanmiller

                          @scottalanmiller said in SMB resources on the move:

                          like the CIA

                          Do you really think they have the same caliber talent as Amazon? 😛

stacksofplates @scottalanmiller

                            @scottalanmiller said in SMB resources on the move:

                            @stacksofplates said in SMB resources on the move:

                            @scottalanmiller said in SMB resources on the move:

                            the chances of their data being found and utilized and identified remains close to zero

                            How is that logical? The hacker isn't going to comb through everything manually. They'll grab everything they can.

                            Sure, but grabbing gobs and gobs of unidentified data that isn't targeted means that combing through it is very, very hard. Just because they have it doesn't mean that they can identify it, will ever get to it or will attempt to exploit it. Might they? Sure. Has there been a breach? Yes. Is it meaningful? Possibly not.

                            If you had all of the data from Amazon's AWS.... 99.999999% of it would be useless to you.

Right, but the issue with this is, you have no idea that they got it. If you get notifications for access to your system, you know someone got in. If they break into your office, house, whatever and physically steal it, you know someone got your stuff. You can start acting on it immediately. If someone has your data and doesn't even know they have it, but sells 500 TB to someone who finds it, it might be years before you find out. Sure, CC numbers prob won't matter, but IP and confidential info will be a problem.

Dashrender

                              That's why you would treat a breach of Amazon as a loss of control of your data and put the mitigations in place, even if you don't need them, better safe than sorry.

scottalanmiller @stacksofplates

                                @stacksofplates said in SMB resources on the move:

                                @scottalanmiller said in SMB resources on the move:

                                @stacksofplates said in SMB resources on the move:

                                @scottalanmiller said in SMB resources on the move:

                                @stacksofplates said in SMB resources on the move:

                                Beating someone up and stealing their credit card isn't hacking, gaining access to their bank account and using money there is hacking.

                                Hacking as a term for stealing data works in both cases. It's all the same thing, protecting against theft. Whether social engineering (the biggest risk to SMB), physical breach (second biggest threat to SMB) or technical means (third biggest risk) doesn't matter, we need to secure against it and look at the risk as a whole to determine our risk profile.

                                No one is disagreeing with that. But the whole discussion previous to this was completely about technical, not physical. I

                                Even technical, Amazon wins. But when you have security as the discussion, rather than just one in the weeds component of security, then the physical security overrides the others as it has so much primacy. Amazon's physical security alone causes it to be the security winner, hands down. Everything else is just icing. They already win the cake.

                                But now you're changing what we were talking about. Physical was never mentioned, and it was you that mentioned people using automated scripts for hacking. That's what we are talking about. Physical would not allow people to use their computers outside of the office because of the risk of cached credentials.

                                What do you mean? We were talking about security, right? Physical is the most important part of security. It was never left out and if we are talking about why one over the other around security, it is always a component. You can't separate it out and look at the picture without it, it becomes misleading.

scottalanmiller @bbigford

                                  @BBigford said in SMB resources on the move:

                                  @scottalanmiller said in SMB resources on the move:

                                  @stacksofplates said in SMB resources on the move:

                                  So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).

                                  There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.

                                  But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.

                                  This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPAA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did.

                                  No, nothing is HIPAA restricted like that. That is a myth. HIPAA does NOT undermine security. That's someone who is just lying to you.

scottalanmiller @stacksofplates

                                    @stacksofplates said in SMB resources on the move:

                                    Don't get me wrong. I agree that most places should switch to cloud. I'm not arguing that at all. But there are legitimate reasons to not, and that has been said, I just wanted to reiterate.

                                    Plus I like playing devil's advocate.

And what I'm saying is that, outside of politics and people with an agenda that directly undermines security, all of those reasons themselves are security risks. They are hubris and a misunderstanding of security. There are plenty of reasons not to go to cloud; security isn't one of them. Only things that override security are.

scottalanmiller @stacksofplates

                                      @stacksofplates said in SMB resources on the move:

                                      @scottalanmiller said in SMB resources on the move:

                                      like the CIA

                                      Do you really think they have the same caliber talent as Amazon? 😛

                                      Nope, that's why they choose AWS. The CIA Director said it himself, that they can't secure to the level that Amazon does.

scottalanmiller @stacksofplates

                                        @stacksofplates said in SMB resources on the move:

                                        @scottalanmiller said in SMB resources on the move:

                                        @stacksofplates said in SMB resources on the move:

                                        @scottalanmiller said in SMB resources on the move:

                                        the chances of their data being found and utilized and identified remains close to zero

                                        How is that logical? The hacker isn't going to comb through everything manually. They'll grab everything they can.

                                        Sure, but grabbing gobs and gobs of unidentified data that isn't targeted means that combing through it is very, very hard. Just because they have it doesn't mean that they can identify it, will ever get to it or will attempt to exploit it. Might they? Sure. Has there been a breach? Yes. Is it meaningful? Possibly not.

                                        If you had all of the data from Amazon's AWS.... 99.999999% of it would be useless to you.

Right, but the issue with this is, you have no idea that they got it. If you get notifications for access to your system, you know someone got in. If they break into your office, house, whatever and physically steal it, you know someone got your stuff. You can start acting on it immediately. If someone has your data and doesn't even know they have it, but sells 500 TB to someone who finds it, it might be years before you find out. Sure, CC numbers prob won't matter, but IP and confidential info will be a problem.

                                        Right. And if someone breaches Amazon, you are more likely to have them get caught, more likely to get notified quickly and far, far, far more likely to be able to start mitigating risks days, months, years, maybe decades before the people who might have gotten your stuff even know that they got your stuff.

                                        Again, all security aspects like this favour Amazon, rather than point against it. Amazon has better monitoring, better ability to know what has been breached. No monitoring is perfect, but Amazon's is considered the best ever made. Like I keep saying, feeling any SMB could even approach Amazon's level of security is hubris and is itself an example of a security risk.

                                        It's a simple conundrum - any SMB that thinks it can compete with Amazon in security demonstrates that it cannot by thinking that it can.

Dashrender @scottalanmiller

                                          @scottalanmiller said in SMB resources on the move:

                                          @BBigford said in SMB resources on the move:

                                          @scottalanmiller said in SMB resources on the move:

                                          @stacksofplates said in SMB resources on the move:

                                          So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).

                                          There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.

                                          But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.

                                          This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPAA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did.

                                          No, nothing is HIPAA restricted like that. That is a myth. HIPAA does NOT undermine security. That's someone who is just lying to you.

Perhaps not lying, but instead they put their own opinions into what they believe they are reading, and then put in rules for things they deal with and blame it on HIPAA.

scottalanmiller @Dashrender

                                            @Dashrender said in SMB resources on the move:

                                            @scottalanmiller said in SMB resources on the move:

                                            @BBigford said in SMB resources on the move:

                                            @scottalanmiller said in SMB resources on the move:

                                            @stacksofplates said in SMB resources on the move:

                                            So now, the only way for someone to get my info is to physically come in my house and take it (which is a different discussion).

                                            There is always another means of compromise, just thinking that there isn't itself is a security risk. One that I guarantee AWS' security team (ranked the best in the world) doesn't make. They also have monitoring and people there 24x7 always watching everything with the best AI and the best human I that there is. Nothing you do gives you the tools that they have, nothing.

                                            But beyond that, the fact that someone could grab your stuff physically alone is enough to end the discussion. Amazon effectively removes that risk. You can't physically target data at Amazon. You can't target it via software tools, you can't target it with guys and a trunk and guns. You have to attack through different vectors.

                                            This.
I keep getting shot down for so many services we could have hosted because our Sprint contracts say we can't use a hosting provider because the cloud is insecure. Same goes for anything HIPAA. But cloud security and monitoring is far superior to anything I could offer on a budget. If I had a ton of time... Maybe. But I don't, and that would cost the client a ton more even if I did.

                                            No, nothing is HIPAA restricted like that. That is a myth. HIPAA does NOT undermine security. That's someone who is just lying to you.

Perhaps not lying, but instead they put their own opinions into what they believe they are reading, and then put in rules for things they deal with and blame it on HIPAA.

                                            Well, injecting opinion when they've not even remotely looked over the HIPAA material, talked to experts or know about security... that would be a form of lying 🙂
