Modern PoS software ties in to all sorts of third-party systems. Loyalty platforms are a good example. They're also really complicated.
The real question is, why did a big chain release a vendor patch to a whole bunch of production systems without testing it?
It's not that big a stretch to assume they'll test. But if it's gonna cost you a bunch of money if it breaks, it behooves you to test. If it would cost more to test than you'd lose, don't bother.
Maybe there's a market for insurance against this sort of thing?
Try again. Large company which handles Million Dollar deals and would lose lots of money if all their PCs went down... They have an IT budget, and their IT administrators, who they pay lots of money (collectively) to think of things like this, pull the update to their test environment, it bombs the machine, so they don't release it to production systems. Then they sit back and watch the IT losers of the world deploy it to production and lose lots of money.
Really, the reason corporations are still running XP is because it costs lots of money to test upgrading their OS. Because, you know, they do testing before they release vendor patches. Like AV signatures.
I doubt a court will consider that McAfee offered very much in the way of guarantees for $39.95pa. Or whatever it comes to. Value proposition is another consideration in court action. No court will hold any provider to ridiculous standards if the consideration was low.
11,000 machines down for what, on average three hours? What's the productivity of an employee? $100 an hour? 33,000 x $100/hr comes out to $3,300,000. Bet you guys wish you'd forked out a few extra hundred grand a year on testing vendor patches.
If it only cost McAfee several thousands, or even several tens of thousands, or hey, even a million bucks... You would still have been better off spending some money QAing all your vendor patches.
That's because it would drive the price of their product up across the board if they accepted liability. Do you want to pay five hundred bucks a licence for AV? No? Nor does anyone else. Companies that will be hit hard by the AV bricking PCs should be testing updates or buying insurance. Companies that won't be affected so hard should be enjoying the cheap licence.
The corporate IT departments that are using AV should just take this as a lesson and test signature updates. It's not as if AVs don't do this sort of thing now and again.
Corporate IT departments need to get the message that AV vendors don't test against all hardware and software configurations - in that sense, McAfee kind of did them a favor...
Lots of Point of Sale machines rely on internet access for a wide variety of functions these days. We used to provide a popular Point of Sale value-add which required internet access, and provided lots of great business benefits. That said, viruses are usually picked up by users doing stupid things with web browsers, so PoS systems should be able to stand being a few days out of date with their AV.
I guarantee you, there is now an effort underway in all major businesses to (1) test new anti-virus patches before rolling them out ...
Any business that would stand to lose big amounts of money by PCs going down should have already been doing this. Most of them were. I've worked for two companies with fewer than 60 employees that tested AV signatures before they went out. For Coles to not bother is beyond irresponsible.
I worked for a company with about 60 desktops, and we tested all vendor patches, including AV, before pushing them out. Try this:
When you buy a new hardware batch, flick one to admin. They usually have the shittiest, oldest machines anyway, and they're also pretty good at organising stuff for you, so it's nice to have them on side. They're also the cheapest people to impact with desktop downtime. They're your new QA department. They get updates first, and if they don't bomb, it gets rolled out to everyone else. Because they get one from each hardware batch, you test on every hardware set by default before pushing out to your hundreds-of-dollars-per-hour engineering/finance/whatever staff.
If you have trouble getting budget for an extra desktop PC now and then, ask them how much it cost to lose 1000 desktops for a day or so.
Also, up-to-the-second anti-virus isn't necessary if your security program is slightly above the useless level. There are at least three security barriers I can think of which help keep viruses out of your network, and to have all of them let something through is just one of those business risks. When was the last time an actual virus incursion took down as many PCs as this did in badly affected organisations?
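One way to make that pilot-ring approach concrete, as an added example that is not from anyone in this thread: a small Python model of a staged rollout gate. It picks one pilot host per hardware batch (the cheapest one to interrupt, i.e. the admin desk where possible), refuses to release to the fleet until every pilot host reports healthy, and puts a dollar figure on the difference between a bad update hitting the pilot ring and hitting everyone. The inventory, hardware model names, downtime figures, pilot results and function names are all constructed for the example.

```python
"""Staged rollout gate for vendor updates (AV signatures, OS patches).

Added example modelling the advice above: one pilot machine per hardware
batch, drawn from the cheapest-to-interrupt department, gets the update
first; the fleet only gets it once every pilot host reports healthy.
The inventory and pilot results below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    model: str        # hardware batch / model identifier
    dept: str
    hourly_cost: int  # rough cost of one hour of downtime for this user, in dollars


# Constructed sample inventory: four hardware models across several departments.
INVENTORY = [
    Host("adm-01", "model-A", "admin", 30),
    Host("adm-02", "model-B", "admin", 30),
    Host("fin-01", "model-A", "finance", 200),
    Host("fin-02", "model-C", "finance", 200),
    Host("eng-01", "model-B", "engineering", 300),
    Host("eng-02", "model-C", "engineering", 300),
    Host("pos-01", "model-D", "store", 150),
]


def select_pilot_ring(hosts):
    """Return one host per hardware model, choosing the cheapest host to take
    down for each model. Covering every model is what lets the pilot catch an
    update that only bricks one hardware configuration."""
    by_model = defaultdict(list)
    for host in hosts:
        by_model[host.model].append(host)
    ring = []
    for model in sorted(by_model):
        cheapest = min(by_model[model], key=lambda h: (h.hourly_cost, h.name))
        ring.append(cheapest)
    return ring


def uncovered_models(hosts, ring):
    """Hardware models present in the fleet but absent from the pilot ring.
    A non-empty result means the pilot proves nothing about those machines."""
    return sorted({h.model for h in hosts} - {h.model for h in ring})


def rollout_decision(ring, pilot_results):
    """Gate the production rollout on pilot health.

    pilot_results maps host name -> "ok" | "failed" | "pending".
    Returns ("hold", failed_hosts) if any pilot host failed,
            ("wait", pending_hosts) if some have not reported yet,
            ("release", []) only when every ring member reported "ok".
    A host missing from pilot_results is treated as pending, never as ok."""
    failed = [h.name for h in ring if pilot_results.get(h.name) == "failed"]
    if failed:
        return "hold", failed
    pending = [h.name for h in ring if pilot_results.get(h.name, "pending") != "ok"]
    if pending:
        return "wait", pending
    return "release", []


def downtime_cost(hosts, hours):
    """Total cost of every listed host being down for `hours` hours."""
    return sum(h.hourly_cost * hours for h in hosts)


if __name__ == "__main__":
    ring = select_pilot_ring(INVENTORY)
    print("pilot ring:", [h.name for h in ring])
    # Constructed pilot outcome: the update bombs on the model-C machine.
    results = {"adm-01": "ok", "adm-02": "ok", "fin-02": "failed", "pos-01": "ok"}
    print("decision:", rollout_decision(ring, results))
    # What a bad update costs when caught by the pilot ring vs. pushed to the fleet.
    print("3h outage, pilot ring only: $%d" % downtime_cost(ring, 3))
    print("3h outage, whole fleet:     $%d" % downtime_cost(INVENTORY, 3))
```

The two points worth keeping from the design: the gate defaults to "not yet" for any pilot host that has not reported, so a machine that hung before it could phone home holds the rollout rather than silently counting as a pass, and `uncovered_models` is the check to run whenever a new hardware batch lands, since a pilot ring that skips a model tells you nothing about that model.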
I guess they're really regretting not putting some budget towards the "Testing vendor updates" line item.
Wot, companies are s'posed to, y'know, focus on making Microsoft happy (or their IT teams happy) instead of earning god-damned money? What a stupid idea. They're looking at life-cycles and returns on investment, and if Microsoft can't get it right, they're not paying enough attention.
I was around for this, except it only caused our test machine to grind to a halt. There's a lesson there.
If you're really in charge of security, I'd like to make a suggestion. Rely less on insta-virus-updates and focus more on testing and multi-layer security. If you have instant updates turned on for ANY system, it's a single point of failure for both security and IT. You should be able to weather being a little behind the cutting edge by having several layers of defense.
I was primarily a developer role, but had security responsibilities for a MasterCard provider who was subject to horrible security requirements and audits. If we deployed ANY vendor update, be it an Oracle database patch or an AV signature, without testing, we would fail an audit, and for good reason. This isn't the first time a bad AV signature has made systems bomb, and it definitely won't be the last.
He said it will be sold as a security device. He didn't say it would be any good as one.
I've used that stick in finance too. Unfortunately, if I use it to the point my budget starts to be noticed, they start asking other people. And one of those other people could well be [SRCIOG1] chasing his next CIO position. And then it won't matter how important it was to buy those new Host Security Modules.
Are you sure it's true? It might be, but it could also be that overall, every 100 dollars spent on security reduces fraud by only 60 dollars. Your point about where the burden falls is valid, but for the economy as a whole it'd be better to just not bother.
I'll counter with the same question: Are you sure it's true? PCI-DSS is an unusual example, because it's market-driven and there is competition. The PCI-DSS was developed by MasterCard. VISA have their own (similar) compliance program. American Express do something different again. There are all sorts of smaller card schemes which would like to compete, again with their own rules. VISA and MasterCard focus on security, while smaller schemes often go for enhanced services or lower fees. Again, PCI-DSS is driven by whatever generates the most Ferraris (which while not necessarily great for consumers, is kinda the foundation of capitalism - and thus, hard to separate, at least for me).
In general terms, with things like medical privacy, doing it without a regulatory need generates 0 Ferraris. Doing it when there is a regulatory requirement (or at least, faking it) prevents the regulator from reducing your otherwise-positive Ferrari generation to zero (or worse, taking away Ferraris).
I agree that lots of things on 'The List' (when making sure you're compliant) are going to be value-less. Some of them are probably counter-productive, in that they take away from Money-You-Would-Totally-Spend-On-Voluntary-Compliance-Initiatives-Not-Ferraris. But that was kinda my point: MasterCard doesn't care how many Ferraris YOU (as a bank/merchant/poor sucker who has to comply with PCI-DSS) earn. They care about how many Ferraris THEY earn. So you will install high-security mesh above your ceiling and encrypt all of your emails, even if neither of those things actually increases the security of your particular offering.
Sadly, MasterCard were neither incompetent, nor charlatans, nor idiots, when writing the PCI-DSS: they just weren't very interested in protecting your money, except so far as it protected theirs. So, when it comes to government departments developing compliance schemes, what are they protecting? Their own jobs and reputations. And the best way to get fired from a cushy government job writing compliance documents for HIPAA? Write something that lets millions of patient records become public. The best way to keep getting paid? Make sure it's so long-winded and complicated that it would take forever to train your replacement.
Thus, just like an under-graduate engineer on their first bridge design assignment: over-engineer, over-engineer, over-engineer.
I agree that HIPAA is not a very effective way of forcing companies to secure sensitive data. I think it's better than having no regulation at all, but I'm not sure if we have a good model for improving it. When someone comes up with an effective and efficient way of regulating this sort of thing, they'll probably just realise that it's no way to make money, and go into HIPAA compliance instead.
Actually, we may be stuck with crap like HIPAA because it's at the optimum profit point for some particular interest in the process. Less onerous? Not enough support from people writing it who hope to make money doing compliance work in the future. More onerous? Too much backlash from industry. Thoughts?
We're talking about HIPAA, right? Augh no, that was a different thread. Never mind.
Actually, they're lowering profits and diverting them to a whole new industry, thus creating jobs. But then fewer people can afford health insurance, so there's less volume, so profits go down. But then compliance firms start to differentiate themselves by offering more complete services for lower prices, creating more competition and driving costs down again. And more people buy insurance again, and innovation steams ahead, jobs are created and fortunes made, and America's a great place.
And why do you guys care anyway? You've got a public safety net now.
So yes, I think it's a waste that the government forces corporations to spend a shit ton of money doing things that don't actually help me, instead of spending that money actually securing my data.
You're positing that if HIPAA was removed, industry would take all that wasted compliance money and spend it on security. I postulate that they'd instead take all that wasted compliance money and spend it on Ferraris.
The problem is that you're right. Compliance doesn't generally add value to the individual product or service. It adds value to the network or industry. Take PCI-DSS and the VISA and MasterCard networks.
Each individual bank/merchant wants to spend the minimum possible. As one of 30,000 odd banks on the network, or one of however many millions of merchants, they think their odds of being involved in a major breach is pretty small, and the risk of a lot of people losing a lot of money is that they change their name and set up shop down the road (in the case of a merchant), or shake their head, say they're sorry, and spend a million bucks on a brand name security solution (in the case of the banks). If you spend a little bit of money before anything happens, you raise the bar a bit, and reduce your risk a bit, but still, YOUR customers don't really see any benefit to those fee rises, so lots of places just try to sit below the radar of the hackers and the scammers and the other random crims.
Enter compliance: VISA and MasterCard say "hey, this sucks, nobody will spend money on security 'cause they think it won't happen to THEM. But EVERY SINGLE TIME IT HAPPENS, IT HAPPENS TO US. If each bank has one little problem once a year, we have THIRTY THOUSAND problems, and we're SICK OF IT." So they go to industry and say "you guys have to do this. And this. And this and this and this. And if you don't do it, we're gonna fine you a hundred grand. And if you don't pay the fine AND fix the problem, you're off our network, which pretty much means you're out of business."
And VISA and MasterCard create a whole new industry, and lots of jobs, and it turns out having a minimum level of security (or at least, a big stick to hit people with if they don't bother with a minimum level of security) is actually a financial plus across the system as a whole, even if it's bad for some of the businesses. And consumer confidence is up, too, so we have more people spending more money, so even the banks and the merchants are happy in the end (by and large). And VISA and MasterCard say "HEY! This is cool, our profit margins are much better. Let's pay ourselves bigger bonuses."
...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.
No, and that's the point of TFA. You have to invest heavily in HIPAA compliance. I worked in banking for years, and got a pretty good picture of why it happens this way.
Here's how it was before compliance:
[Some random CIO guy] thinks we need X level of security, and that's what we get. But it turns out [SRCIOG] isn't too good at working out how much security we need, so we get hacked and lots of [patients/customers/federal agents] lose all of their [medical records/money/lives]. We fire [SRCIOG] and hire [SRCIOG2], but it turns out we have the same problem.
Compliance solves the arbitrary nature of the security level we aim at. We're now all aiming at Z, but the problem is [SRCIOG27] still doesn't really know what he's doing, and there's still budget pressure and he still doesn't think we REALLY need all that security because hackers happen to OTHER CIOs. So he looks at Z, and says "How can we meet each objective of Z in the cheapest and least intrusive fashion? After all, we have products to build, and research to do, and this compliance Z target is so expensive and annoying and FOR CRYING OUT LOUD DON'T TELL THE AUDITOR ABOUT THE OFFSITE BACKUP SYSTEM!!!?!"
So yes, people focus on compliance and spend lots of money to get minimal security: it's a bad solution, but it's better than just letting them set their own (often much lower) standards. Some organisations will get it right, spend the resources appropriately, and end up with a compliance solution which provides real benefits and isn't costly to maintain. The pack, by and large, spend the minimum possible up front, and keep spending and spending and spending every year in order to convince the auditors they're "making good progress".
Ultimately, compliance doesn't give us security. It gives us a big stick to beat people with when they blatantly ignore security.
I remember when I was cool because I had a SoundBlaster, and most of my friends were running Prince of Persia through an AdLib card or PC speaker.
This is about the funniest thing I've read this year. Thank you for making all my co-workers look over and wonder why I'm laughing.