I am fed up. This is a bit of a rant, but with good reason: companies and services that I and all of us pay good money for are not being managed properly. I say: Enough, no more excuses.
The ongoing reports in the media about assorted cyber attacks tend to all have just a few things in common:
- Outdated and unsupported software
- Supported software that has not been kept up to date
- Administrator-level privileges routinely being used
Now this really is basic stuff.
Let’s ignore the detail of the attacks: almost none are using zero-days. That means no excuses; it just indicates lax systems management. Irresponsible, lazy, incompetent, poor resource allocation. IT departments – I blame you. Though it’s usually the managers: they hold the responsibility, and thus it is only fair to hold them accountable. And that is extremely worrying considering the human, financial and technical resources they already have at their disposal.
Let’s look at those three common issues in more detail. My solutions to these issues will be addressed in future posts.
Outdated and unsupported software
By this I am including the software that runs inside your hardware. Everything connected to your network runs software. Firewalls, printers, switches, display screens, HVAC, WiFi access points, all that BYOD stuff you got pressured into allowing because “everyone’s doing it”, storage systems, remote access controllers, your new fancy and eye-wateringly expensive security monitoring system. So none of this “oh but it’s an appliance so I don’t need to update it”. Oh yes you do, it’s probably running some version of Linux with a web interface that’s now full of holes. “But we bought it before anyone knew about this cyber stuff”. Right, so it’s 20 years old then? Didn’t think so. In any case, you know about it now, so update it, replace it, or get it off the network.
Add this to your purchasing criteria, otherwise your next “appliance” might become a dangerous attack vector just a few weeks (if you’re unlucky) or months (lucky) after you buy it, and the only safe thing you can do is disconnect it, which tends to make these things pretty useless. And it’ll make you look stupid.
“But we didn’t have time to move off Windows XP before Microsoft cut support for it”. Rubbish. You just lack basic planning skills. Microsoft, as with many other software companies, provides support and (importantly) updates for its products based on product lifecycles. These state quite clearly when the different levels of support will end. These dates are announced when the product is first released, and historically were updated as Service Packs were released. Which means that you had many years of notice of when the support end date was. Plenty for pretty much any budget or size of rollout. Note that if you’re only just now moving from XP to Windows 7 SP1 – fail – you “only” have until Jan 14th 2020, yes two and a half years, to get off it onto something newer (it was released mid 2009 – it’s currently eight years old, and that is a long time in OS years!).
Oh, you could pay huge amounts of money for updates beyond the extended support date, but that’s rather adding financial injury to the insult already bestowed on your organisation by their IT management. And it doesn’t magically upgrade you to Windows “latest” – you still have to do that work yourself.
Outdated applications also make upgrading to newer OSs difficult or impossible, though there are almost invariably workarounds that range from OK to pretty nasty.
A final point to make about using outdated software is that frequently the mechanisms it uses are also outdated. Think old and compromised security protocols, requirements to access sensitive parts of the operating system, reliance on old compromised plugins and libraries, non-existence of modern security features, incompatibility with modern security features. You might have to turn off some of the security in your newer systems because otherwise all your old stuff won’t be able to talk to it! I bet you never get around to turning that on again, either.
Supported software that has not been kept up to date
“If we update it, it might break”. How about this: You don’t update it and some hacker/malware will break it for you. And break a whole load of other stuff too, and you won’t have a clue what’s been done to what, where your data’s gone/been sold, when it’ll resurface, or if you’ve even recovered properly. Assuming you do recover at all.
You do not want to be doing some crazy cocktail of updates a couple of times a year because that’s asking for trouble too. If your business units can’t tolerate a few minutes of downtime per PC and server once a month, either a) they’re lying, or b) you bought the wrong system or designed it wrong.
It’s much better to just keep things up to date every month. Which in Windows is the default (i.e. it has to be deliberately disabled).
You’ll mostly be fine. In fact you’ll almost certainly be fine. I know, I’ve done this to thousands of PCs, hundreds of servers and applications with tens of thousands of users for many, many years. I am not just “lucky”.
And if you’re not fine, well, that’s where good update management, recovery procedures, and SLAs with your suppliers come in. And at least you know what you did to break it. But 999 times out of a thousand nothing will break, and you’ll feel smug that you’re not getting hacked through months- or years-old vulnerabilities (which really does make you look stupid).
Administrator-level privileges routinely being used
Nasty, messy, dangerous, expensive. Do not give end users administrator privileges. No excuses. If they need them to run some horrible piece of software – time to update it to a slightly less horrible version (see above) or ditch it for a supplier that can actually write modern code (as opposed to something they’ve been banging away at in Visual Basic (not .NET)). If they want to run iTunes (insert any other non-work-related application here) on their work PC, either get your boss to agree with their boss that the costs involved to package, deploy and update this regularly are worth it (hint: they won’t be), or tell them “no” upfront. Simple. Running as administrator allows almost all security restrictions to be bypassed – even if your users don’t try it, you can bet that bit of malware they just clicked on will.
Also, do not routinely (ideally ever) use domain administrator accounts on end-user devices. If something has managed to escalate its privileges locally, it is extremely easy to steal or impersonate other live credentials – and if those happen to be of a domain administrator then it’s game over. Don’t be lazy admins.
And while we’re on the subject, don’t use the same local administrator password on everything, each device should be different and should be changed regularly.
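As an added example (not code from the original post), here is a PowerShell audit that checks one Windows device against the three basics above: an OS past its support date, patching that has gone stale or a disabled Windows Update service, and who holds local administrator rights. It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember), and the allow-list of expected admin accounts and the 35-day patch window are placeholders to adjust for your estate; only the Windows 7 SP1 date comes from the post.

```powershell
# Added example, not code from the original post. Per-device audit of the
# three basics: unsupported OS, stale patching, admin-rights hygiene.
# Assumes Windows 10 / Server 2016+ (LocalAccounts module, Get-HotFix, CIM).
function Test-BasicHygiene {
    param(
        [int]$MaxPatchAgeDays = 35,   # monthly cadence, as argued in the post (placeholder)
        # Placeholder allow-list of principals expected in local Administrators; adjust per estate.
        [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins')
    )
    $findings = @()

    # 1. Outdated and unsupported software: is the OS past its end-of-support date?
    #    Only the Windows 7 SP1 (6.1) date is from the post; add others from vendor lifecycle pages.
    $endOfSupport = @{ '6.1' = [datetime]'2020-01-14' }
    $os  = Get-CimInstance Win32_OperatingSystem
    $key = ($os.Version -split '\.')[0..1] -join '.'
    if ($endOfSupport.ContainsKey($key) -and (Get-Date) -gt $endOfSupport[$key]) {
        $findings += "UNSUPPORTED OS: $($os.Caption) ($($os.Version)) support ended $($endOfSupport[$key].ToShortDateString())"
    }

    # 2. Supported software not kept up to date: most recent installed update, and the
    #    Windows Update service start type (it is enabled by default, so Disabled is deliberate).
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) {
        $findings += "STALE PATCHING: no installed updates recorded on this device"
    } elseif (((Get-Date) - $latest.InstalledOn).Days -gt $MaxPatchAgeDays) {
        $findings += "STALE PATCHING: last update $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
    }
    if ((Get-Service wuauserv).StartType -eq 'Disabled') {
        $findings += "WINDOWS UPDATE DISABLED: wuauserv start type is Disabled"
    }

    # 3. Administrator-level privileges: unexpected members of local Administrators
    #    (domain users here are end users or domain admins logging on with admin rights),
    #    and whether this very session is running elevated.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue) {
        $short = ($m.Name -split '\\')[-1]
        if ($short -notin $ExpectedAdmins) {
            $kind = if ($m.PrincipalSource -eq 'ActiveDirectory') { 'domain' } else { 'local' }
            $findings += "UNEXPECTED LOCAL ADMIN: $($m.Name) ($kind $($m.ObjectClass))"
        }
    }
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    if (([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings += "RUNNING AS ADMIN: $($id.Name) is elevated right now; do day-to-day work unelevated"
    }
    # Reuse of one local admin password across devices cannot be seen from a single device;
    # that check has to be done centrally against every device's stored password.
    return $findings
}

Test-BasicHygiene | ForEach-Object { Write-Warning $_ }
```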
This really is basic stuff, and yet we continue to see the reports in the news headlines. The people who should be taking care of this need to just actually crack on and do it. GDPR may help, but it’s really just a (very) big stick – if your personal data has been compromised, or a service you require can no longer function, the fact that a bunch of execs might go to prison still doesn’t get your data back or your service up and running again. Not until it has scared enough of the people responsible into actually doing their jobs properly, which sadly will take years.
If you work in IT and your department isn’t taking care of the above points, ask your boss why not. Get them to ask their boss why not. If you don’t like the answers (or don’t get any at all), leave before somebody tries to pin the impending disaster on you!
I’ll be posting simple methods of not getting caught out by the above points over the next few days so watch/follow/etc. so you don’t miss out.