Monday, October 30, 2017

Rum, Sodomy And An Unmet Patch Schedule - Life In Cybersecurity Today - What I am reading 10/30/2017


LAGUNA BEACH, Calif., Oct 18 (Reuters) - Two of the technology industry’s top startup investors took to the stage at a conference on Wednesday to decry the power that companies such as Facebook Inc had amassed and call for a redistribution of wealth.
...
Altman and Maris offered few details of how to accomplish a redistribution of wealth. Maris proposed shorter term limits for elected officials and simplifying the tax code. Altman has advocated basic income, a poverty-fighting proposal in which all residents would receive a regular, unconditional sum of money from the government.
They're right that companies like Facebook have accumulated far more power and social influence than AT&T ever had, but I don't see where their proposed solutions do anything about that. AT&T was kept in check because it was a regulated monopoly. Then, when conditions changed, it was broken up. If you are truly concerned about Facebook, Google, etc., those are the solutions you should be looking at.

BBC - NHS 'could have prevented' WannaCry ransomware attack -
NHS trusts were left vulnerable in a major ransomware attack in May because cyber-security recommendations were not followed, a government report has said.
...
Speaking on the same programme, former chairman of NHS Digital, Kingsley Manning, said that a failure to upgrade old computer systems at a local level within the NHS had contributed to the rapid spread of the malware.
He said: "The problem with cyber security for the NHS is [that] it has a particular vulnerability... It's very interconnected so if you get an attack in one place it tends to spread."
...
Of course, all of this could have been avoided if security patches had been applied to protect the Windows 7 systems common throughout the NHS. Once again, there had been warnings sent out by NHS Digital, but many trusts failed to act upon them - though in that they were no different from many organisations around the world that were also hit.
This report was filed by the "Water is wet" department. Every single serious list of cyber-security precautions - CIS Top 20 Critical Security Controls, Australia's NSD Top 35 Security Controls, NSA Top 10, etc. - what's always in the top 5 of the controls? Patching. What's always one of the major areas of failure when an attack like this hits? Patching. Just patch, you morons.

Speaking of Patching...

Dark Reading - Why Patching Software is Hard (a two part series) -

Technical Challenges

  • Tracking Devices, Applications, and Software Libraries
  • Updating Critical, Complex, and Legacy Applications

Organizational Challenges

...the reality is there are many organizational challenges preventing best practices. To solve the problem and not just point fingers, companies should look at the teams and individuals involved with patching and identify potential blockers. The following is a list of the roles that may be involved in patching, and what challenges they may face.
...
Patching needs to be a priority. It takes time and money from other important projects that offer more immediate and visible value compared to protection against a potential threat.
The two articles together are pretty good and present a fairly balanced picture of the difficulties associated with a large-scale patch management program. Still, by far the biggest obstacle is, in my opinion, a lack of understanding of just how critical timely patching is. Number two is a lack of organizational will. The technical challenges can be big, but they are also controllable, because they are technical in nature.
