Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Petya Mainly a Threat to Unprepared and Unwilling Organizations

    By
    WAYNE RASH
    -
    June 29, 2017
    Share
    Facebook
    Twitter
    Linkedin
      Ransomware safe door

      When the Petya malware arrived in Europe this week, it seemed at least at first like a repeat the WannaCry cyber-attacks in May.

      The victims were running Microsoft Windows computers that had not been patched to close a vulnerability in the SMBv1 protocol. Microsoft issued the patch in mid-March, and since that time the company has released security updates for Windows versions stretching back to XP. Yet those computers remained vulnerable.

      When the Petya malware emerged this week companies in Europe were the hardest hit, although some U.S. companies were affected as well. If there is any good news, it’s that the rate of infection seems slower than last time and the malware doesn’t seem to be as efficient at attacking across networks as WannaCry was. In addition, the lower rate of infection may be the result of organizations actually applying Microsoft’s patches on a timely basis.

      But the obvious question has to be, why aren’t some companies bothering to fix their Windows operating systems, even in the face of an obvious threat? The excuses are many. Some IT managers worry that a patch may somehow break something in their IT environment. Others don’t have the resources to do their jobs. Some organizations don’t have an actual IT staff, while in others work with shadow IT environments in which nobody really knows what computers are systems they are running and which need maintenance.

      All of those problems have solutions, although in a couple of cases the solution lies outside of the IT staff. For example, when the IT staff doesn’t have the resources to fix their own systems, it speaks directly to C-level incompetence.

      A CEO or CFO who fails to allocated the funds necessary to pay for essential resources needed to maintain at least adequate basic levels of cyber-security is too blind to the need to bolster their organization’s cyber-security shouldn’t keep their jobs. The stockholders of companies that got hit by the likes of Petya and WannaCry should be screaming for blood at the next annual meeting.

      For those organizations where there are sufficient resources, but IT management was unwilling to update their software, then the incompetence is at that level. Considering that there have now been malware attacks lasting for years that depend on vulnerabilities in out-of-date and unpatched operating systems, there simply is no excuse for failing to find a way to patch those systems. Yet the excuses continue.

      What’s really going on is that the top management in the IT shop either doesn’t know how to manage patches, or they’re woefully out of touch with the requirements to run a secure enterprise environment. The problem with being out of touch may mean that may mean that management is in a state of denial, thinking that it won’t happen to them. But of course, eventually, it will.

      For companies without any real IT organization, the only real solution is to find an IT contractor with a good track record. Fortunately these are common in most cities. While it costs money to hire a security contractor, it’ll cost a lot less than it will to recover your systems after a malware attack. This really boils down to doing a cost analysis of what it will cost to hire help, versus what it will cost to go out of business, perhaps forever.

      Dealing with shadow IT is thornier. There, the IT organization is weak, perhaps intentionally so, and the employees have found ways to do it themselves. It takes a while to overcome the cultural impact of such a situation because some of the employees won’t want to surrender their roles. But if the company is going survive after a malware attack, it’s necessary. Perhaps the best way to overcome cultural barriers is by including the staff that’s doing the shadow IT into the process of creating a real solution.

      Then we’re back to the IT department and the excuses, whether they come from the IT managers or a higher level. This may be the time to present the need for improvement to upper management and to do so using real examples from WannaCry and Petya.

      It’s fairly easy to quantify the cost of such attacks as they would be applied to your company, and to explain how your security, as good as your management thinks it is, isn’t adequate without proper patch management.

      If your C-level executives are so focused on the bottom line at the end of the quarter that they can’t see the risk, then it may be possible to point out that they’re willing to pay for locks on the doors and fire suppression in the computer room—unless of course they’re skimping on those too. Then there are really only two possible options, first to find a way to let your investors know the risk and the second is to reduce the risk to you by leaving to find a job at a company willing to support adequate levels of cyber-security.

      And that brings us to the last option, which is to remember that skilled and experienced IT staff jobs are going unfilled in vast numbers. Moving to a company that’s not run by idiots may be your best option. But in either case, the time for excuses has ended and it’s now time to actually find a way to fix your enterprise IT vulnerabilities.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×