Do Corporations need to change business practices due to hacks/malware

JimKiler

Diamond Member
Oct 10, 2002
3,561
206
106
I am thinking about how a lot of companies get hacked or hit with ransomware through vulnerabilities that have been patched, but the companies are afraid to patch their servers for fear of breaking software. First, with all the ransomware, is it a better deal to patch and hope for the best to prevent ransomware or other malware? Second, shouldn't corporate America demand better software compatibility from vendors? I know vendors cannot fix their software prior to patches, but if contracts were written so companies can get quick fixes when OS patches break software, it would force software vendors to support their products better.

Do my ideas have any merit with you fine folks?
 

Elixer

Lifer
May 7, 2002
10,371
762
126
It isn't just about software compatibility.
Corporate America just needs better fault-tolerant systems, and needs to have backup plans in case of attack/malware/whatever.
They don't do this, since it costs $$$, and they think they can get away with not spending the required $$$.
 

Red Squirrel

No Lifer
May 24, 2003
70,149
13,565
126
www.anyf.ca
Companies need to get their heads out of their asses and stop using proprietary software from fly-by-night companies that leave them in a situation where they're too scared to touch the system because it might break, nobody knows how to fix it, and the company is gone. Stick to open source and/or in-house coded stuff that can be modified/supported as needed, either via online-based help or in house.

There's tons of stuff on NT4 servers at my hospital for this reason; it runs critical systems that have no upgrade path and no support. My favourite was a SCO Unix box that ran the entire finances: nobody actually knows the password to get in, and because it's actual Unix, and not Linux, it's very proprietary. You can't just boot with a live CD to try to make anything of the data, as it uses a different file system.

But also, companies need to be held more liable when it comes to user personal information that gets leaked, stuff like SSNs, credit card numbers, phone numbers, addresses, etc. Perhaps they should even be held liable for passwords, if they are found to not be hashed or encrypted, as it shows a total lack of care. Basically, if no effort was made to secure the information, they should be held fully liable. This would light a fire under their asses to perhaps actually care about security.

Employees who open stupid crap that infects the whole corporate network should also be fired on the spot and escorted out. I would consider that as being equivalent to performing a huge H&S violation such as bypassing a lockout tag on equipment. Stuff like that gets people fired fast. I've never been a fan of the concept of firing people over a mistake or misjudgement, as mistakes happen, but the concept of not opening unknown email attachments is over a decade old; if people STILL don't know, then they deserve to be fired. Stop trying to blame IT. IT cannot control user behavior. No amount of patching or updating is going to help secure a Windows-based environment against this kind of thing, as there are new vulnerabilities discovered daily.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,055
198
116
I may be wrong, but aren't there some corporate email systems which scan attachments like this? I know we implement URL scanning over here, and I think they also scan attachments. Although this service probably comes with an added cost for the company.



I'm going to revise my previous statements. It is possible to idiot-proof some systems. For example, we don't want people to open attachments from their email, yet we still allow them to get email with attachments. That does not make sense. A better solution would be for the attachment to be removed from the email and placed in a secure sandbox where it is run, verified safe, then delivered to the user.
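The detach-and-hold step described in the post above, as an added example that is not code from the thread or from any product mentioned in it. It uses only the Python standard library: the inbound mail is parsed, every attachment is stripped out and recorded with its SHA-256 so a later sandbox verdict can be tied back to the exact bytes, and the user receives a copy of the message with a note in place of each attachment. The `BLOCKED_EXTENSIONS` list and the `verdict_for` policy are assumptions for the example; the sandbox execution and "verified safe" release step are out of scope here and are represented only by the "hold-for-scan" verdict. The sample message is constructed inside the block.

```python
import hashlib
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy (not from the thread): these types are never released to the
# user, even after a sandbox run; everything else is held until a scan verdict.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}


def build_sample_message() -> bytes:
    """Constructed inbound mail with a text body and two attachments (test data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 fake invoice", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ fake executable", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def verdict_for(filename: str) -> str:
    """Hypothetical policy: block outright by extension, otherwise hold for scanning."""
    ext = os.path.splitext(filename)[1].lower()
    return "blocked" if ext in BLOCKED_EXTENSIONS else "hold-for-scan"


def detach_attachments(raw: bytes):
    """Return (stripped message, quarantine records).

    The stripped message keeps the routing headers and the plain-text body but
    replaces every attachment with a one-line note. The original attachment
    bytes go to the quarantine list, keyed by SHA-256, for the sandbox stage.
    """
    original = message_from_bytes(raw, policy=policy.default)
    quarantine = []
    for part in original.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        quarantine.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "size": len(payload),
            "verdict": verdict_for(name),
            "data": payload,
        })

    stripped = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if original[header]:
            stripped[header] = original[header]
    body = original.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    notes = [
        f"[attachment held: {q['filename']} ({q['size']} bytes, "
        f"sha256 {q['sha256'][:16]}...) - {q['verdict']}]"
        for q in quarantine
    ]
    stripped.set_content(text.rstrip("\n") + "\n\n" + "\n".join(notes) + "\n")
    return stripped, quarantine


if __name__ == "__main__":
    delivered, held = detach_attachments(build_sample_message())
    print(delivered.as_string())
    for record in held:
        print(record["filename"], record["sha256"], record["verdict"])
```

The point of recording the hash rather than just the filename is that the sandbox verdict must be matched to the bytes that were actually quarantined; a filename or declared content type is attacker-controlled and says nothing about what the part contains, which is also why the example keys the release decision on the scan result rather than on the mail's own metadata.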
 

Murloc

Diamond Member
Jun 24, 2008
5,382
65
91
Employees who open stupid crap that infects the whole corporate network should also be fired on the spot and escorted out. I would consider that as being equivalent to performing a huge H&S violation such as bypassing a lockout tag on equipment. Stuff like that gets people fired fast. I've never been a fan of the concept of firing people over a mistake or misjudgement, as mistakes happen, but the concept of not opening unknown email attachments is over a decade old; if people STILL don't know, then they deserve to be fired. Stop trying to blame IT. IT cannot control user behavior. No amount of patching or updating is going to help secure a Windows-based environment against this kind of thing, as there are new vulnerabilities discovered daily.

It comes down to experience, and you can't have cheap office drones if you want them computer savvy.

If enough legal pressure is on companies, they will ban email attachments or remove and check them separately and tell the employees to suck it up.
 

JimKiler

Diamond Member
Oct 10, 2002
3,561
206
106
How sad is it that tons of computers got hit yesterday with ransomware that has been preventable since Windows' March patch. The media (real and fake) should be shaming these companies more.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
Companies need to get their heads out of their asses and stop using proprietary software from fly-by-night companies....Stick to open source and/or in-house coded stuff that can be modified/supported as needed, either via online-based help or in house.

I love that you think open source is somehow a magical fix for this and IT problems in general. Not to mention that you seem to be insinuating that all proprietary software is from fly-by-night companies.

It comes down to experience, and you can't have cheap office drones if you want them computer savvy.

If enough legal pressure is on companies, they will ban email attachments or remove and check them separately and tell the employees to suck it up.

Banning email attachments isn't practical in many industries, and it's hardly the only delivery method.
 