Perry E. Metzger (@perrymetzger), Twitter thread, 17 tweets
Today's news about the Marriott breach should finally drive home a lesson that has been missed for years now: "we've been doing what every other big company does" means you are insecure and have to change your ways, because the median large company has terrible security. 1/
If you're hiring the sort of FTE security people your competitors have been hiring, following the sorts of practices other similar sized firms follow, buying the sort of products they buy, you're doing it wrong. 2/
"We can't be blamed, we just do what everyone else does" is oxymoronic. Under current circumstances, if you're doing what everyone else does, you're blameworthy, because at this point the experiment has been done, and the message reality is sending you should be clear. 3/
You need to hire much smarter, much more technically skilled security people. Security people who have lots of security certifications but can't program and don't know how the network works aren't going to cut it, even though you've hired a lot of them. 4/
You need to start patching your systems within hours, not within weeks or months or never. If your business people say "but that risks downtime!" then you need automated test systems to assure things stay up after patching. 5/
(And if you don't yet have automated tests, you need to patch without them. And if you don't think you have budget to do automated testing, then you probably don't have budget to stay in business. Really. You can't do this halfway in the modern world any more.) 6/
You have to stop cargo cult practices like making employees use two exclamation points but no percent signs in their passwords that you've length-limited. That's not how people are breaking into your systems. And you have to stop training your own employees to be phished. 7/
Why aren't all your people using two factor authentication? No, SMS doesn't count as a second factor. Why aren't all your systems backed up, it's <currentyear>? Why did you make a "strategic decision" not to patch an outward facing system "because we're not a target"? 8/
Read the newspaper. If business as usual worked, huge companies wouldn't be broken into every day. Quit hiring on the cheap, quit telling your security people "no, we can't do that", quit hoping that you'll avoid being front page news if you ignore security. 9/
And seriously, if your current advisers are telling you to do the same things that get every other company in sight victimized, maybe they're not giving you good advice. Maybe instead of buying magic pixie dust products you should patch your machines same day and use 2FA. 10/
And maybe if this was easy huge companies with big budgets wouldn't have their customer databases looted on a regular basis. In <currentyear>, you're an IT company no matter what your customers are buying from you. Budget appropriately. Quit being an ostrich. 11/11 for now
Addendum 1: Why do so many companies hold back desktop updates for months or years? It's not like you have a better test lab than your OS vendor (unless you're Google. But you're not Google.) If you get desktop failures, you can use the support contract you paid a fortune for. a/
Yes, sure, maybe when the new version comes out you pilot it for a week on the IT department's machines just in case, and then roll it out slowly. But so many places are running years behind, not weeks, and it's mostly because of fear. b/
But the thing is, you're less safe, the pain is going to come sooner or later, you still have problems because you have no bug fixes, and your users make fun of you because even their grandpa stopped using that version of the OS years ago. c/
If you have a fully automated test lab and can run all the patches through their paces, go for it, but if you're delaying so people don't blame you as much when things fail, well, they're still going to blame you. And adding latency to a change process doesn't make it safer. d/
Oh, and btw, adding more managers to the sign-off part of the change control process doesn't add quality, it only adds latency. If the manager has no special automated test system to check the patch, he's just putting his finger in the air like you are. There's no point. e/
Committees, forms and bureaucracy don't actually test the software. If you're worried about failures, then build a test system. If you don't think you can manage that, quit lying to yourself and update already. You have a support contract for a reason. f/f for now
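The "two exclamation points but no percent signs in a length-limited password" point in tweet 7 is easy to make concrete. The following is an added example (editor's code, not the thread author's) that puts a cargo-cult composition policy next to the alternative a practitioner would deploy today: a minimum length, no meaningful maximum, and a check against a list of known-breached passwords. The length limits, the rule set and the breached-password list are all constructed for illustration; a real deployment would load a breach corpus of millions of entries rather than four.

```python
"""Two password-acceptance policies side by side (added example, not from the thread).

cargo_cult_policy reproduces the kind of composition rule the thread mocks:
a length cap, exactly two '!', no '%', and the usual upper/lower/digit mix.
length_and_denylist_policy is the alternative: a minimum length and a check
against breached passwords, with no composition rules at all.
"""

import re
import unicodedata

# Constructed stand-in for a breached-password corpus. A real deployment loads
# a large list (or queries a k-anonymity range API) instead of this set.
BREACHED = {
    "password1!!",
    "password123456!!",
    "summer2018!!",
    "welcome1!!",
}

MAX_LEN_CARGO_CULT = 16   # arbitrary cap of the sort found in legacy systems
MIN_LEN_SANE = 15         # assumed minimum for the length-based policy


def cargo_cult_policy(pw: str) -> tuple[bool, str]:
    """Composition rules only. Returns (accepted, reason)."""
    if len(pw) > MAX_LEN_CARGO_CULT:
        return False, f"longer than {MAX_LEN_CARGO_CULT} characters"
    if pw.count("!") != 2:
        return False, "must contain exactly two '!'"
    if "%" in pw:
        return False, "'%' is not allowed"
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw) and re.search(r"\d", pw)):
        return False, "needs upper, lower and digit"
    return True, "ok"


def length_and_denylist_policy(pw: str, breached=BREACHED) -> tuple[bool, str]:
    """Minimum length plus a breached-list check; no composition rules.

    NFKC-normalising first keeps visually identical Unicode forms from
    slipping past the denylist; lower-casing matches how crackers try variants.
    """
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < MIN_LEN_SANE:
        return False, f"shorter than {MIN_LEN_SANE} characters"
    if pw.lower() in breached:
        return False, "appears in breached-password list"
    return True, "ok"


# Constructed sample passwords chosen to show where the two policies disagree.
SAMPLES = [
    "Password123456!!",                 # satisfies every composition rule, and is breached
    "correct horse battery staple %",   # long passphrase; the '%' and length cap reject it
    "Tr0ub4dor&3",                      # short; fails both policies
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to the accept/reject verdict of both policies."""
    return {
        pw: {
            "cargo_cult": cargo_cult_policy(pw)[0],
            "length_denylist": length_and_denylist_policy(pw)[0],
        }
        for pw in samples
    }


if __name__ == "__main__":
    for pw, verdicts in compare().items():
        print(f"{pw!r}: {verdicts}")
```

The first sample is the one to notice: it is exactly what the composition rules train users to produce, it sails through them, and it is already in the breached set, so the rules buy nothing against the credential-stuffing attack that actually gets used. The passphrase the composition policy rejects is the one the length-based policy accepts.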