These kinds of games, and the all-nighter / weeks long nightmares they cause, make me want to leave this industry. We set up software on a lot of machines and then we answer a million ridiculous user questions until we finally resort to installing remote access so we don't have to stay up all night telling people what to type into a command line. Then the remote access gets hacked en masse. I'm pretty much at the point of thinking people need to learn how to write on paper and whiteboards again. Without a well-trained work force, this shit isn't resilient, and no technical priesthood can keep it running in the face of constant attempts to demolish it. It's too brittle, and the knowledge of the user base is too shallow.
Depth can be provided by reverting to older skill sets. Fallbacks. Businesses should not go down because their computers locked up with ransomware.
I pitched and wrote some software for a company a few years ago to automate a very rigorous daily process that used to take a lot of man-hours. Occasionally, local networks would go down and people would have to revert to the old way of doing things on paper. But as turnover happened at the company, fewer and fewer people knew the "old way". Now they've reached a point where they're locally paralyzed if there's a network outage. They have to call in senior management on their day off to run the shop. I realized I didn't do them a favor. I solved one problem for them and saved them a lot of labor, but I created a whole new problem of reliance on a system that's more convenient, but much less robust than the paper system they used to have. And this doesn't even take into account the potential for security issues.
I think we should try somehow to architect things with offline fallbacks and training for those scenarios. The pace of attack is unsustainable and we're losing the war. If the point is to keep business running, we will lose the war if we lose the skill base and knowledge that we had which was capable of running the economy without a screen in front of them.
[edit] Come to think of it, there's a great startup idea in systematically re-paperizing businesses for failover. Take all that business logic that got written into software, and turn it back into a set of worksheets and training manuals.
> I'm pretty much at the point of thinking people need to learn how to write on paper and whiteboards again.
Health IT here: won't happen.
You need your CT NOW. The patient is about to be opened. There is no time to wait for the printer and it's Sunday night. The radiologist is at home examining the data while the scanner runs.
And man...security is so bad and it's so hard to convince management to invest into proper security. Also everything that breaks or even slightly slows down workflows is just unacceptable.
I'm sweating hard with every wide scale attack out there expecting the next big thing to hit us. The targeted ones I just don't even want to think about.
Well, that's the scariest thing I've read all week. Just reading your level of stress between the lines here gives me the chills. Why is it so hard to convince them to take security seriously? Especially with hospitals, this should be a national security issue. The consequences are right in everyone's face now. In my case, an attack might be expensive, even dire, but no one would die. I know why I have a hard time pushing security reviews, they're costly and intensive and not sexy for management or investors. But things like this need to make it clear to the c-suite how quickly the wheels can come off.
It's hard because "we've been doing it this way all the time and nothing happened" is what I hear most of the time.
Most of the time I still "sneak" in improvements where I can without disturbing operations, but the whole thing needs a proper overhaul and it always is, as we say here: "a dance on the razor blade".
What I hear from other colleagues and contractors in the sector: it doesn't look better there. I don't want to leave out that there is a certain amount of IT personnel which is responsible for it too. Most of them older guys (yes...they really are all guys) who also follow the mantra I mentioned above.
There is hope though...there is a certification requirement coming up here in Germany. It covers most of the basic security measures. We fail to cover a significant part of it. We've just passed one of the deadlines. Two are coming up and then there is a certification process. I've presented management with the measures we'd have to take to fulfil those. They've been ignored. The whole issue is being actively ignored or played down. The day will come when it'll be too late and I wonder what will happen. Wouldn't be surprised if I lose my job over it, since somebody will have to be blamed or the certification issue will be "made to work out" somehow. Seen that happening before.
In the case I had in mind, the company runs a mix of Windows and OS X. And some Android. Luckily it's mostly Mac in the shops now, but personal laptops and tablets that connect to the LANs are also involved, and definitely the most dangerous point of failure.
Yup, if I had to run a company, it would be MacBooks and iPhones with MDM, like Jamf (jamf.com). That would cover device security. Then SSO, separated networks and no Windows whatsoever.