Here is my best advice for keeping your organization safe from online attacks. I've given similar advice in the past, and I suspect this advice is nearly the same as what almost every security professional will give you. None of it is very deep or complicated. 1/
First, patch all vulnerabilities on all your machines as soon as possible, and never run an operating system or software version that is out of support. 2/
(Some people will tell you that your company can reasonably evaluate how important particular patches are, or that they are better able to determine if a patch is safe than Microsoft or Apple. I recommend ignoring such advice.) 3/
Second, you may need to restore absolutely everything someday. Make sure all machines are fully backed up, and that backups are stored offline. Make sure you test that backups are correct and complete at intervals or it may turn out that they aren't. 4/
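Tweet 4 says to test that backups are correct and complete. The script below is an added example, not part of the thread, of what such a test can look like in practice: record a SHA-256 manifest of the source tree when the backup is taken, then compare a restored copy against that manifest and report anything missing, extra, or altered. The file names and contents are constructed in a temporary directory so it runs offline; the `demo()` scenario (one file never restored, one silently corrupted, one stray file) is made up for illustration, as are the function names.

```python
"""Verify that a restored backup is complete and intact.

Added example, not from the thread. A manifest of SHA-256 hashes is taken
from the source tree at backup time; a restore is then checked against it.
All files here are constructed in a temporary directory so it runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree to the manifest taken at backup time.

    Returns files missing from the restore, files present in the restore but
    absent from the manifest, and files whose content hash no longer matches.
    Three empty lists mean the restore is complete and intact.
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "extra": sorted(set(actual) - set(manifest)),
        "corrupted": sorted(
            name for name, digest in manifest.items()
            if name in actual and actual[name] != digest
        ),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario (an assumption for illustration): a three-file
    source tree, checked once against itself and once against a flawed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        for name, data in {"a.txt": b"alpha", "sub/b.txt": b"bravo", "c.bin": b"\x00\x01"}.items():
            p = src / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(src)

        restored = Path(tmp, "restored")
        (restored / "sub").mkdir(parents=True)
        (restored / "a.txt").write_bytes(b"alpha")           # intact
        (restored / "sub" / "b.txt").write_bytes(b"bravO")   # one byte flipped
        (restored / "stray.log").write_bytes(b"x")           # never in the backup
        # c.bin was not restored at all

        clean = verify_restore(manifest, src)        # source against itself
        flawed = verify_restore(manifest, restored)  # the bad restore
        return clean, flawed


if __name__ == "__main__":
    clean_report, flawed_report = demo()
    print("clean restore:", clean_report)
    print("flawed restore:", flawed_report)
```

The manifest should be stored alongside the offline copy and, ideally, signed or kept somewhere the backup job cannot overwrite, since ransomware that can reach the backup can also rewrite a hash list sitting next to it. Running the restore into scratch space and diffing it this way, on a schedule, is what "test that backups are correct and complete at intervals" means in practice.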
Third, make all users use a password safe and use unique passwords for all uses; a password safe makes this convenient. Reused passwords are unsafe passwords, and humans can't remember dozens or hundreds of unique passwords. 5/
Fourth, implement two factor authentication. If you can at all avoid it, don't use SMS as a second factor; OTP apps on phones are the way to cheap out, not SMS. 2FA is easy, cheap, and blocks a wide variety of attacks. 6/
If, and only if, you have done all these things, then you can think about more sophisticated countermeasures. However, the bulk of the embarrassing security failures you read about in the newspaper would have been prevented by these simple measures. 7/
If you're not doing the simple stuff, don't bother talking to the salesman with the cool sounding CyberAI Hyperdefense Shield or whatever his marketing people named it this week. There's no point. 8/
And again, if your staff tell you that really the important thing is to rotate passwords every sixteen minutes, or that they have a methodology to analyze new Microsoft patches for safety even though none of them know how to program, they're giving you bad advice. 9/
So step one is patch, back up, use unique passwords and 2FA. Start there. If you're not doing that, you're wasting your time on anything more sophisticated. 10/
Do I expect most organizations are going to take this advice? No. Why do I assume that? Because no matter what the SEC makes companies say, past performance is an indicator of future performance. Mostly people fail to do the simple stuff and will continue to do so. 11/
Does doing the simple stuff make you invulnerable? Hell no. But it's a start, and it's probably better than what you're likely doing now if you're most companies. 12/
(And given the front page headlines we've seen in recent years, "most companies" includes huge banks, credit reporting agencies, pipeline operators, international airlines, and more.) 13/
I don't expect much is going to change. But when you next see an article about some company's systems that got broken into because they didn't patch, didn't use 2FA, etc. and couldn't recover because they had no backups, don't act surprised. 14/14
Apparently the government is urging businesses to take measures to stop ransomware attacks. My assumption, based on decades of observation, is that the probability of success of this campaign is pretty much zero.
The issue isn't that most companies don't want secure infrastructure. The issue is also not a lack of regulation. The issue is most of them don't have the capacity to implement it.
It's not that it's impossible to do, mind you. Running up to date software, patching regularly, taking backups, using 2FA etc., are not particularly complicated. But solving an arbitrary quadratic equation is also straightforward and I bet most people can't manage that, either.
There is a distinction between what is something you ought to do and what is legal. It is legal to drink yourself to death. It is probably not a good idea. The distinction is not a small one. Let's apply it to the social norms many people suggest we adopt on silencing others.
I hear quite frequently arguments to the effect that private platforms are legally _allowed_ to silence people. And yes, they are, and yes, they should be. Is this a good idea, though? Let's have a quick look for a moment.
It's possible to imagine a society where every restaurant refuses service to people of the wrong political background, every supermarket checks to see if people arriving match a particular political affiliation before selling them groceries.
Hypothesis: Outlook and GMail are so terrible at handling complicated conversations (they encourage top posting and make it impossible to reply point by point) that they have caused meetings to multiply when many topics could instead have been disposed of in email threads.
One symptom of this that many people have noticed is "send many questions, get an answer to one of them" syndrome. You can't see the list of the counterparty's questions, so you have to remember what they were, and many people forget while replying.
The people who created the Outlook and Gmail style of email had no experience with the tools that came before; they did not understand the power of quoted replies, and ideas like automatic sorting of email were things they reinvented thinking they were new.
To some people, who were arguing with me about these ideas thirty years ago, or heard about them in the interim, this will be very old news. To others, this will be surprising, or perhaps unbelievable, and perhaps even more reason to question my sanity.
In our 200,000 years on earth, humanity has created more and more capable tools with time to augment our natural abilities. Tools have the interesting feature that they may be turned towards the creation of yet more sophisticated tools.
So where are we now in the #COVID19 crisis at the end of its fourth month. First, treatment. So far, pretty much everything is either still really equivocal or has failed. Remdesivir, kaletra, (probably) hydroxychloroquine, etc. either failed RCTs or are marginal. 1/
It’s possible that some of these aren’t actually terrible in some niche applications, or if given very early, but we can’t yet detect an effect from any of the proposed drugs in vivo reliably. This is of course problematic. 2/
There are a bunch of vaccines in development, and some of them are even in early phase trials. None is going to be ready in a few months, and it doesn’t look like anyone is planning human challenge trials so I don’t think any of them is showing up for mass use very quickly. 3/
When your employer cuts your pay 30% and informs you that half your peers are being furloughed, when the restaurant on the corner shutters forever, when your neighbor's body is found after a week, when you're told you have permanent pulmonary fibrosis, remember... 1/2
...all this was avoidable. The whole thing was unnecessary. Even the states that shut everything "early" were three weeks late. Even the places "ramping up testing fast" pissed eight golden weeks down the drain. Nature provided the virus, your "leaders" provided the idiocy. 2/2
Oh, what the hell. A few more points. Your manager who wouldn't approve WFH until the last moment? They endangered people's lives. That politician saying "please keep going to the bars"? Pretty close to manslaughter, that. Depraved indifference to human life and all that. 3/