I am not sure "not care" is the right word. I am sure the people involved, and the persons making decisions, do care.

But. There's this guy doing this computer stuff that is talking about "hackers". And then there is the bigger boss who said he needs to X, and then there is the team Y that complains that driving on location is just stupid, so why not give them access. Then there is the other computer guy who is talking about "bugs", but who would choose us?

I honestly believe it's a mix of multiple cooks, with a big helping of budget issues, lack of knowledge, advertising lies, permanent temporary fixes, information flow. And not so much "don't care", unless you count "not believing in necessity" as "not caring".

I don't think the issue would persist if a mandate would dictate what will be done or not. And I also don't think it would be as bad as what we see here if those places had on-location full-time sysadmins / security personnel employed, and would not operate on "decade-old systems are good enough, and Bob from down the road can set it up just fine".

I don't think that applies here entirely either. Not saying you are wrong, but CEOs and upper management with their requests, even over your objections, well, usually that is in the free marketplace. And to be honest, I would even go as far as to argue that "your" job is to accurately present the choices, not make them. And bad CEOs/management either hire bad people, or listen to bad advice, or don't listen to good advice, or ignore knowledge, or are grossly misjudging risk. And they will, should, in a self-correcting marketplace, be punished for it, and disappear. In other words, you say "you really should have a password on your phone; if you lose it, someone can access all your data, which is a nightmare because a, b and c" - and if they still choose to ignore you, they will lose the phone, get hacked, have money stolen from them, be dragged through the news, lose business, and the CEO gets dumped.

Infrastructure like water plants is usually government controlled. There's soulless people, pushing away responsibility, fights over power, and the people wanting responsibility and winning power (usually what comes closest to CEO) will be in it for political reasons, and fight fallout with tooth and nail, i.e. throw the sysadmin under the bus before even considering that they were the person not allowing time or money to be put into securing the system.

Oddly, the NIST 800 series is often looked down on in certain critical infrastructure sectors that have more specific compliance frameworks. I worked for an electric company under NERC CIP but came from a FISMA background, and whenever I would bring up NIST my coworkers looked like I had just tried to bring up my star sign at an astronomy convention. That's despite the fact that NIST is leagues ahead of any other security guidance I've seen (outside of vendor-specific stuff) and works with the larger security community to make excellent and somewhat accessible resources for most aspects of cybersecurity.

Incidents like this are going to result in people dying eventually, and I expect that we'll see more stringent compliance and reporting requirements as a result. Which is a shame, since self-regulation like PCI DSS generally seems to result in better security, whereas heavily prescriptive frameworks like NERC CIP are full of holes and too slow to keep up with the threat.

A "customer" of mine is a dress shop company with about 60 stores throughout the country.

All of their cash registers (which are computers with an ERP on them) are running a heavily outdated version of the TeamViewer host with the same five-lowercase-character password. This was "designed" by the company that delivers their cash registers and the software (and I figure they use that password for all their customers) and has been going on like this for well over a decade.

Actually it's not really a customer of mine, of course. It's a company that I did some emergency break-fix for many years ago, and ever since they call me like once or twice a year for some other emergency break-fix stuff. I always tell them that their whole system is a completely irresponsible f*ckup and that I really don't want any part in it. But then they keep begging and begging me to "rescue" them until I get soft and help them once more. Then they'll always promise me that it's "just a few months now" before they replace their complete IT system, which of course never happens.

Vendors do this because they can get away with it. The majority never pushes them to do better and update their tools to work on modern OSes. I'm hoping that as these things continue, that attitude will change.

There's also the option of purchasing Extended Security Updates (ESU), which will get you through 2023. It's possible that happened here, but I would put the odds at near 0.