What is the most important target for investment to guard against incidents like last week’s cyberattacks?
What last week’s poll lacked in votes (311) was more than made up for in Comments, where the debate raged over who is responsible for internet security.

The poll was prompted by the worldwide “WannaCry” cyberattack that saw numerous institutions, including the NHS, under attack from unknown actors demanding monies to be paid in Bitcoins.
As was noted, these attacks almost always come without warning and there appears to be widespread agreement that money needs to be spent to help prevent malware and hacking from damaging valuable and safety-critical systems and putting them out of action. There doesn’t, however, appear to be clear consensus on the most important target for such investment.

A total of 49 per cent of readers agreed that the solution lies in improving skills, followed by 43 per cent who think that software is the first line of defence. The remaining eight per cent was split evenly between those that chose hardware and none of the above.
The poll prompted a number of responses, with 20 Cent stating: “I am surprised at the naivety of people who think that computers, and the internet in particular, are, or will ever be secure. No matter what systems are invented there will be people out there finding ways around them. The internet, cloud, and social media are excellent and convenient ways of accessing and distributing information, but don’t expect privacy or security.
“This is the price the world is paying for the convenience of computer driven societies and economies. I believe it is true to say that anything that relies on computer control can be hacked, from the cars one drives, credit card transactions, bank accounts, company files, national security. Computers in = Security out.”
Dave Mawdsley asked: “Am I alone in thinking that Microsoft (for producing such poor, easily attacked operating systems), service providers and content providers e.g. YouTube (for not policing their environment), are culpable? These organisations generate vast profits but take no responsibility for the results of their work. It is the height of hypocrisy for Microsoft to pass all the blame to users when it is a flaw in their own product that has left users so vulnerable.”
Drawing an analogy between home security and computer networks, Peter Sim Canning said: “Would you walk out of your house and leave the doors unlocked and the windows open? No. If you have a company that runs on software then the manager must ensure that the systems can run safely and efficiently, if not, then the manager is not doing his job properly. And by manager I mean anyone who is responsible for ensuring the software is up to date, from the IT manager who keeps the IT system running, to the Finance manager who decides where any cuts have to be made.”
The debate rages on and we’d still like to hear your opinions via Comments.
The best fortress is useless if you leave the door open to anyone to walk in and sleep with your boyfriend. So skills should be developed how to walk around, look at open doors and windows, and other skills to decide what to do with them, etc.
The biggest problem is companies not seeing the need to upgrade outdated software that runs on older Operating systems, i.e. Windows XP, or just being reluctant because of the massive upheaval of doing so, especially when the original system was ‘custom built’ back in the ‘good old days’ and there is no direct upgrade because the company who made it went bust or got bought out. The longer the gap between upgrades the bigger the issue; this affects the big corporations as well as the small businesses.
Stuart Nathan refers to Windows X. Did he mean Windows 10, or forget the ‘P’? And can we rely on Microsoft always being ‘on the ball’ in respect of their patches?
I forgot the P.
I thought UNIX was the preferred OS for servers? So the attack would have got temporary files on users’ PCs, but all the vital data should be on the UNIX servers. Am I missing something?
Am I alone in thinking that Microsoft (for producing such poor, easily attacked operating systems), service providers and content providers e.g. YouTube (for not policing their environment), are culpable? These organisations generate vast profits but take no responsibility for the results of their work. It is the height of hypocrisy for Microsoft to pass all the blame to users when it is a flaw in their own product that has left users so vulnerable.
Microsoft sold us all a product (Windows) when we purchased our computer(s), we had no choice in that matter because it was there. They should be made to service all versions of their programmes for infinity or until such time as no-one is using them anymore. Microsoft should be held to account to provide service for their products, for the life of the product.
Absolutely!
So everyone is focussing on the XP thing. In actual fact Microsoft make available a version of many operating systems ‘for embedded systems’. For example XP embedded was used in many Electronic Point of Sale (EPOS) terminals (Tills), Machines such as engineering machinery, and medical devices (MRI, CAT, Heart rate monitors, etc). The thing with ‘Embedded’ versions was that it was a snapshot at a point in time and wholly reliant on the equipment manufacturer to ensure that their provided Embedded OS was suitably secure and patched. People are pointing fingers over this debacle at either Microsoft or the IT departments when in most cases responsibility was / is with the equipment manufacturer. Embedded OS versions have very specific terms and conditions attached which give the equipment manufacturer more scope than normal users of the OS, also embedded tends to have a longer support lifecycle than the ‘desktop’ product.
I feel the only reason there was less impact actually is that most EPOS systems had to move from XP Embedded as due to the end of the support lifecycle under UK law it could no longer be used for monetary transactions so ‘should’ have become obsolete in all tills. However it does not mean it will as the local café owner will / may not be aware if he has purchased his tills and subsequently is operating in bliss, although this probably represents relatively so few people as to be obsolete.
The major devices Embedded will be utilized in have a machine life of tens of years, rather than the home PC which has/had an OS life of a few years, and as such will become more vulnerable as they extend through their lifecycle and vulnerabilities become known.
https://msdn.microsoft.com/en-us/library/aa460432(v=winembedded.5).aspx
https://www.microsoft.com/windowsembedded/en-us/windows-embedded-standard-7.aspx
Having used embedded myself in a few devices I had to make sure of certain security policies to ensure exactly the kind of thing the various affected companies are experiencing did not happen to our system.
No, you are not. I read your post aloud to my colleagues at the office; 18 of 19, including me, think Microsoft is the first to blame, followed by service providers.
P.S.: at least half of the persons that put the blame on Microsoft are highly qualified people with many years of experience in IT, BTW! Amclaussen, Mexico City.
I am surprised at the naivety of people who think that computers, and the internet in particular, are, or will ever be secure. No matter what systems are invented there will be people out there finding ways around them. The internet, cloud, and social media are excellent and convenient ways of accessing and distributing information, but don’t expect privacy or security.
This is the price the world is paying for the convenience of computer driven societies and economies. I believe it is true to say that anything that relies on computer control can be hacked, from the cars one drives, credit card transactions, bank accounts, company files, national security.
Computers in = Security out.
Agreed wholeheartedly – If you want secret or private data don’t put it on interconnected systems, if you do anticipate at some point it will be accessed by others illicitly and plan and mitigate for such.
Correct, and it will always be a case of catch-up!
I also used to be one of the ‘nay sayers’ then one day I had a realisation. Microsoft (and a limited few others) have probably done more to help modern life than any other company on earth to present. The task was and still is formidable ‘To Create an operating system that will interface to an almost unlimited amount of hardware from multiple vendors, seamlessly to the user, in real time and run an infinitely variable amount of software while providing global interconnectivity’. A look at the nearest rivals (Linux systems) shows they are still massively lagging in functionality despite a dedicated and global volunteer and commercial workforce.
The Windows (TM) operating system in its various forms has permitted development in every area of Science, Technology, Engineering and Mathematics.
It is inevitable some glitches, holes and errors will slip in along the way, during its valid lifecycle these are fixed. Microsoft widely publicises product lifecycles and if you use their products outside the lifecycle ‘Caveat Emptor’!
We do not expect our cars or any other product to receive manufacturer support forever, why should we expect the same of software?
I’m sure some will jump on my reference to Linux above and say it’s secure; just perform a search on ‘Linux Security Holes’ to see how true this is not. The benefit is however the high developer user base tends to find and fix them in short shrift.
I am not and never have been affiliated to Microsoft; the task presented them was astronomical and I for one, despite the views of others, think they’ve done a pretty good job overall and benefited all of mankind in more ways than we can possibly ever think of.
Let’s focus our attention more on catching the crooks and eliminating them than pointing fingers and harsh words against those trying their best in more meaningful tasks.
Simple solution, just disable the ability of external systems to be able to modify the contents of a hard drive or operating system. This coupled with a more open ability to see what is actually going on and use controls to stop or monitor activity, without arcane commands or hidden interface, will allow users to help themselves. If they don’t have the skills to do so then they shouldn’t have access to that level of interface.
A bit simplistic and restrictive yes, but the hazards are a direct consequence of doing things remotely and programmatically.
This solution sounds too simple to be true, is there a reason it could not be made operable?
I have had occasions when I had to allow an external IT engineer access my machine and this required me to provide the required permission. Is it not feasible to lock all external access to the operating system without positive permission of the owner of the machine?
Can you still buy spares for your 90-year old Model T Ford? There are still a few on the roads.
Microsoft stopped making Windows XP nearly a decade ago. That people have equipment that old is worrying.
I’m afraid I must disagree with Michael here. When I purchased my PC, no part of the small print said anything about “you must replace your PC after X years”. When I purchased my printers and scanners, etc., no part of the small print said “these will be useless in x years” (because we will not provide the drivers for them on later versions of the PC’s OS). Sadly though this is what has happened; so unless I keep replacing every bit of IT kit I own, I need to keep my old XP driven PC to act as a printer server, etc.
If IT providers were more morally honest, they would have offered IT products with a fixed term of service (fully supported), and an ongoing upgrade path as part of the package. (Like a car leasing deal.) That way we would have known what we were in for from the outset; rather than discovering that at some arbitrary point, perfectly operational equipment would no longer function just because the manufacturer doesn’t feel it needs supporting anymore! (I suspect there are millions of home users who discovered this the hard way too.)
Thus proving that even IT professionals may not know what they are talking about.
Microsoft was guilty of producing something that was cheaper, more adaptable and hardware agnostic than Apple was prepared to offer in its attempts to rule the world. In this way Microsoft created a large user base that attracted the hackers and evil doers. Apple was too small to be worth the effort. It just ran around claiming that it was immune to infection, which is yet more IT tosh.
Remember, it wasn’t Windows that resulted in all those Wikileaks. That was the USB drive. Anyone want to campaign for their abolition? (Does HM Government still disable all USB drives in Whitehall’s PCs?)
Would you walk out of your house and leave the doors unlocked and the windows open (glass windows)? No. If you have a company that runs on software then the manager must ensure that the systems can run safely and efficiently; if not, then the manager is not doing his job properly. And by manager I mean anyone who is responsible for ensuring the software is up to date, from the IT manager who keeps the IT system running, to the Finance manager who decides where any cuts have to be made.