The most recent Petya outbreak follows Wannacry by only a couple of months and uses the same exploit that Wannacry used. So you have to ask what the IT Directors of these companies were thinking when Wannacry closed down hospitals and infected places with seemingly random distribution. This was something that Microsoft had patched on an operating system that it no longer supported.
That means your IT Director not only was using an unsupported OS, but didn't patch it when the patch came out, didn't patch it when Wannacry ran rampant in the world, and still hadn't patched it when Petya came out. Now, it does not take a rocket scientist to see that this is not a security problem as much as laziness on the part of the operators of these systems. This is not paying attention to what is going on in the world around you, and not doing much of anything to prevent a known attack from being successful.
I used to wonder about this kind of thing until I was teaching a course to IRS leadership and used a study on anti-virus that said about 34% of people did not use anti-virus until they got hit by a virus and then 96% used it. It seemed intuitively obvious, but the audience was taking notes like crazy when I showed this study. It scared me. Didn't they have antivirus software on their systems? They knew what it was. We had a license for the entire organization. Still, many of them were not using it.
Part of this is education. Every organization needs a group that keeps up with current attack vectors in the environments they use. They should check to see that patches are made and updates loaded. They need to get supported software into the inventory and stop using trial software and unsupported public domain software. It is due diligence, for those who have not heard the term recently. From Webster's Dictionary: "1 law: the care that a reasonable person exercises to avoid harm to other persons or their property" (as in "failed to exercise due diligence in trying to prevent the accident").
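The check described above (is every system on a supported OS, and does it have the patch that closes the exploited flaw?) is mechanical enough to script. The following is an added example, not code from the original post; every hostname, OS name, patch identifier, end-of-support date and audit date in it is a constructed placeholder, and the inventory would normally come from the organization's asset database rather than a hard-coded list.

```python
"""Patch and end-of-support audit over a constructed host inventory.

Added example; not code from the original post. Host names, OS names,
patch identifiers and dates below are constructed placeholders.
"""
from datetime import date

# Constructed: patch id -> date the vendor published it. In practice this
# is the identifier of the fix for the flaw the current worm exploits.
REQUIRED_PATCHES = {"KB-PLACEHOLDER-0001": date(2017, 3, 1)}

# Constructed inventory: hostname, OS label, vendor end-of-support date,
# and the set of patch ids reported as installed.
INVENTORY = [
    {"host": "ws-01", "os": "ExampleOS 10", "end_of_support": date(2020, 1, 14),
     "patches": {"KB-PLACEHOLDER-0001", "KB-PLACEHOLDER-0002"}},
    {"host": "ws-02", "os": "ExampleOS 10", "end_of_support": date(2020, 1, 14),
     "patches": {"KB-PLACEHOLDER-0002"}},
    {"host": "srv-03", "os": "ExampleOS 5", "end_of_support": date(2014, 4, 8),
     "patches": set()},
    {"host": "srv-04", "os": "ExampleOS 5", "end_of_support": date(2014, 4, 8),
     "patches": {"KB-PLACEHOLDER-0001"}},
]


def audit_host(host, today, required=REQUIRED_PATCHES):
    """Return the findings for one host; an empty list means it passes."""
    findings = []
    # An OS past its vendor end-of-support date gets no fixes for new flaws.
    if host["end_of_support"] < today:
        days = (today - host["end_of_support"]).days
        findings.append(f"unsupported-os:{host['os']}:{days}d-past-end-of-support")
    # Record how long each required patch has been available but not applied.
    for patch_id, released in sorted(required.items()):
        if patch_id not in host["patches"]:
            days = (today - released).days
            findings.append(f"missing-patch:{patch_id}:{days}d-since-release")
    return findings


def audit_inventory(inventory, today, required=REQUIRED_PATCHES):
    """Map hostname -> findings for every host with at least one finding."""
    report = {}
    for host in inventory:
        findings = audit_host(host, today, required)
        if findings:
            report[host["host"]] = findings
    return report


def summarize(report):
    """Count failing hosts by kind of failure, for a one-line status."""
    summary = {"unsupported-os": 0, "missing-patch": 0, "both": 0}
    for findings in report.values():
        kinds = {f.split(":", 1)[0] for f in findings}
        if kinds == {"unsupported-os", "missing-patch"}:
            summary["both"] += 1
        elif "unsupported-os" in kinds:
            summary["unsupported-os"] += 1
        elif "missing-patch" in kinds:
            summary["missing-patch"] += 1
    return summary


if __name__ == "__main__":
    audit_date = date(2017, 6, 30)  # constructed audit date
    report = audit_inventory(INVENTORY, audit_date)
    for hostname, findings in report.items():
        print(hostname, *findings, sep="\n  ")
    print(summarize(report))
```

The "days since release" figure is the number a board member would ask about: a patch that has been available for months while two worms exploited the flaw it fixes is the due-diligence gap the post describes. Hosts that are both past end-of-support and missing the patch are the ones to replace first, since no routine update will ever fix them.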
In most cases, that is just doing your job in the way most others in your profession do it. I would be thinking about that if I were on the board of some of these companies that got hit this week.