• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Why don't They Just Update?

Zarathustra[H]

Extremely [H]
2FA
Joined
Oct 29, 2000
Messages
42,284
With the massive WannaCry ransomware outbreak over the last few days, and the fact that Microsoft actually released a patch that prevents its attack vector back in March, the question many are asking is, why on earth don't organizations just update their software? It's not that difficult. Consumers do it all the time. Well, as this blogger explains, it is not quite as easy as it sounds, and in many cases it comes down to cost. Within the world of IT the risks of unpatched systems are well understood, but the problem comes when one has to sell the costs associated with testing, installing and supporting updates to the system, CNC machine or MRI scanner to management or investors, especially since this cost is "just to keep the system the way it was before."

The difficulty appears to rear its ugly head when weighing the rather large potential future cost associated with falling victim to ransomware or data theft, against the much smaller (but still significant) cost of service contracts and keeping software patched and up to date. Many executives, manufacturers and medical professionals who are not IT specialists simply lack the ability to assess the likelihood and massive impacts of falling victim to this type of attack, at least until it is too late. It's human nature for current, real costs to sting more than future uncertain costs that may never happen at all.

The author suggests regulation as one answer. Require organizations key to healthcare, and key infrastructure to keep long term service contracts on their operating systems and software implementations, and better educate non-critical organizations such that they better understand the implications and factor them into the financial calculations associated with keeping software updated. With a little luck, this outbreak will serve as part of that education, and convince organizations to better prioritize and budget for security updates, but I'm not convinced it will. We humans have a long history of conveniently disregarding the unpopular and costly, and instead letting the pendulum swing between non-action and crisis-mode. Personally I have very little faith this will change anything, but I guess it doesn't hurt to be hopeful?

First: We give entities better tools to estimate the costs of not updating to nudge them in the right direction. The problem with this is that many still will take the cheap road and just hope nothing breaks. Because it’s just software, right? If you don’t touch it, it will run forever!(which is the argument used by many software companies and automation experts to sell that whole shebang).
 
This is the classic no-win argument for anyone in network security. If you bust your ass and ensure all your servers are patched, your workstations are updated, and everything is configured properly, you'll never have a security problem.

Then next year your budget will get cut, because the bosses will wonder why they have to spend so much on IA when the company has never had a security problem.
 
It also depends on the software they are running as well. Even when updating some items in Windows it can break how applications work. Security really is a doubled edged sword, i firmly believe that its necessary but understand that a vulnerability patch can break certain applications. (especially if its not the most current version) This all comes down to costs like the previous post said as well.
 
How about I just choke everyone who doesn't agree?

*** chokes everyone who doesn't agree*****
 
My boss actually instructed me to NOT do the updates for now on the few windows 7 machines we have where I work. He said "it's not worth my time to do the updates". It's true, bosses just don't weigh the potential consequences of not keeping machines current. Oh and if we somehow did get infected with this ransom ware (or some other piece of malware that caused data loss) I would be the one blamed...even though I give warnings all the time of the risks.

I went ahead and did the windows updates anyway when he left for a few hours, I'm glad I did.
 
I wonder what the true economic impact of this discussion is vs say the GDP of the country. While this virus/worm outbreak was quite spectacular it only generated around $50K for the virus agent (so really not all that much spent on decryption). Its lead to several days of clean-up on several large networks but again it only hit a few select large networks that had any true global reach. In the end those networks will largely be back up and running in the next couple of days. The IT group at the place that I work spent the weekend doing major patching on all machines on the network, but it never really interrupted anything.

In the end I would have to lean to the "measured" approach for patching. Relatively few bugs lead to these sorts of outbreaks and even then in a few months they are no longer an issue. Compared to the truly devastating affects of nature (hurricanes, tornado, ice storms, etc.) these outbreaks seem to have a truly limited impact on GDP compared to the larger impact that 100% prevention would have.
 
a1f7f30be6376e83b873816854678a99_admiral-ackbar-its-a-trap-admiral-ackbar-its-a-trap-meme_491-363.jpeg
 
Because automatic (random to the beholder) reboots at night could be terrible in a business environment?

Because Microsoft has a spotty record of releasing patches that break major business related products like Office and Outlook?

Individuals just go to social media and complain. Large businesses have to deal with customers and time schedules.....don't got time for dat.
 
I wonder what the true economic impact of this discussion is vs say the GDP of the country. While this virus/worm outbreak was quite spectacular it only generated around $50K for the virus agent (so really not all that much spent on decryption). Its lead to several days of clean-up on several large networks but again it only hit a few select large networks that had any true global reach. In the end those networks will largely be back up and running in the next couple of days. The IT group at the place that I work spent the weekend doing major patching on all machines on the network, but it never really interrupted anything.

In the end I would have to lean to the "measured" approach for patching. Relatively few bugs lead to these sorts of outbreaks and even then in a few months they are no longer an issue. Compared to the truly devastating affects of nature (hurricanes, tornado, ice storms, etc.) these outbreaks seem to have a truly limited impact on GDP compared to the larger impact that 100% prevention would have.

Question: You are in the hospital for a life threatening condition. You are informed that you can't be treated "for a couple of days" because a machine necessary for the procedure you need has been infected with ransomware.

You OK with this situation? I think not. So perspective please.
 
It's all about the cost of the risk vs the cost of the solution. Companies have bailed on spending money on good IT and outsourced it. IT is a rare company that has a dedicated IT staff that cares and takes the initiative.
 
I have worked in healthcare IT for about a decade.

a. there is a stigma due to "one update failed in 1997 so now we do not allow updates"
b. "nobody is responsible for the updates" and "security doesnt have permission to touch my servers because one time somebody updated to windows 7 on my server box! "
c. "reboots would upset doctor abc"
d. "execs dont want to upset doctor abc"

then there are legit reasons
e. anethesia machine cannot be rebooted during surgery (requires hand delivered and planned reboot)
f. cannot reboot during chemo treatment etc


However a-d always trump e-f which make up .01% of the total machines.
 
Question: You are in the hospital for a life threatening condition. You are informed that you can't be treated "for a couple of days" because a machine necessary for the procedure you need has been infected with ransomware.

You OK with this situation? I think not. So perspective please.


I have seen hospitals unable to finish chemo treatment since 3rd party vendors make it a requirement to not allow AV software or other security utilities (machines have 1500+ viruses)... its nuts. people need a spine at hospitals to say "well if you want a 3$ million contract with us, we are putting AV on it"
 
I have worked in healthcare IT for about a decade.

a. there is a stigma due to "one update failed in 1997 so now we do not allow updates"
b. "nobody is responsible for the updates" and "security doesnt have permission to touch my servers because one time somebody updated to windows 7 on my server box! "
c. "reboots would upset doctor abc"
d. "execs dont want to upset doctor abc"

then there are legit reasons
e. anethesia machine cannot be rebooted during surgery (requires hand delivered and planned reboot)
f. cannot reboot during chemo treatment etc


However a-d always trump e-f which make up .01% of the total machines.


This here is too true!
 
I had to leave our local hospital that I love (serves community) I just couldnt take the red tape anymore. If you want servers with malware, pcs without antivirus software, no monthly updates, no encryption etc and just kiss everyones butts then its just not for someone paranoid like me.
 
I have seen hospitals unable to finish chemo treatment since 3rd party vendors make it a requirement to not allow AV software or other security utilities (machines have 1500+ viruses)... its nuts. people need a spine at hospitals to say "well if you want a 3$ million contract with us, we are putting AV on it"


What? By god do you mean that companies will have to hire people who understand how AV works to properly set the AV solution up so it won't disrupt the software they are using? SAY IT AIN'T SO! ;)
 
There are lot of situations where general purpose Windows is used in an embedded fashion. Without having any experience with it, feels like Windows Embedded could be used in a lot of these places, and not ship components that aren't needed, reducing the attack surface and reducing the number of critical system updates required. (It would of course help if Microsoft hadn't poisoned the update well with sneaky ways to push people to Windows 10, in addition to run of the mill updates that break everything from time to time)
 
I have worked in healthcare IT for about a decade.

a. there is a stigma due to "one update failed in 1997 so now we do not allow updates"
b. "nobody is responsible for the updates" and "security doesnt have permission to touch my servers because one time somebody updated to windows 7 on my server box! "
c. "reboots would upset doctor abc"
d. "execs dont want to upset doctor abc"

then there are legit reasons
e. anethesia machine cannot be rebooted during surgery (requires hand delivered and planned reboot)
f. cannot reboot during chemo treatment etc


However a-d always trump e-f which make up .01% of the total machines.

Agree.


You missed one though.

Our antiquated MRI/Catheter Imaging/whatever machine is controlled on Windows 2000. There's an update from the manufacturer, but it is not in our budget.
 
What? By god do you mean that companies will have to hire people who understand how AV works to properly set the AV solution up so it won't disrupt the software they are using? SAY IT AIN'T SO! ;)

That was my favorite part of my job until I was told "AV is mine dont touch it"...
a. leave all settings default
b. dont make exceptions to match software requirements
c. absolutely do not attempt to remove malware remotely even if it is a machine with 3500+ devices
d. absolutely do not disable the device... dont upset the doctor

lol basically malware > than security .
 
A while back, we had a Windows Server 2008r2 patch break the .NET functions that linked our web services server to our SQL server. What was worse is the update to SQL that malfunctioned with the .NET update was not removable. We had to have our web developers recode the the site to work with the patched methods. It took nearly a day, while our services were down the whole time. Since that time, we have had a patch schedule that patches our QA servers a few at a time first, to test for patches doing bad things, and then our prod servers later, also a few at a time. This means our prod servers get patched a full 8 weeks after the patch comes out, just to be sure it doesn't bork over our stuff.

It's not always because someone isn't tech savvy. Sometimes, systems don't get patched because someone IS tech savvy.
 
A while back, we had a Windows Server 2008r2 patch break the .NET functions that linked our web services server to our SQL server. What was worse is the update to SQL that malfunctioned with the .NET update was not removable. We had to have our web developers recode the the site to work with the patched methods. It took nearly a day, while our services were down the whole time. Since that time, we have had a patch schedule that patches our QA servers a few at a time first, to test for patches doing bad things, and then our prod servers later, also a few at a time. This means our prod servers get patched a full 8 weeks after the patch comes out, just to be sure it doesn't bork over our stuff.

It's not always because someone isn't tech savvy. Sometimes, systems don't get patched because someone IS tech savvy.


I imagine in your case though that at least this front in web site was in an DMZ and segregated from the rest of your network with an rather aggressive firewall preventing unwanted connections from outside being able to get to it.
 
My employer deals in remote digital surveillance. Our old system from 4 years ago and older used XP. We then upgraded new systems to Windows 7 for about a year. We then decided on a dedicated Linux DVR/ NVR. We began the migration of all clients to switch from the Microsoft-based systems to these new Linux devices. However, some refused because they preferred the old software. One of which is our biggest client. So we kept a stock of older units for them. Well, our helpdesk has reported 17 cases of WannaCry since Friday. All of which were the older XP systems. Many of us around the office would love to rub it in their face "we warned you." Well, in the upcoming months we'll see if they have come to their senses or not.
 
I imagine in your case though that at least this front in web site was in an DMZ and segregated from the rest of your network with an rather aggressive firewall preventing unwanted connections from outside being able to get to it.

Exactly, if you cannot secure it, close all doors accessing it as best possible, or just remove it from being connected. Space industry stuff, like antenna controllers, ground station equipment, etc, mostly cannot be patched. We have been asking/begging vendors to put some type of patching ability into the equipment they sell, and it still is not prevalent in the market. So you build the systems, get them to work, then close all the doors because once they work, you really don't touch them again...
 
That was my favorite part of my job until I was told "AV is mine dont touch it"...
a. leave all settings default
b. dont make exceptions to match software requirements
c. absolutely do not attempt to remove malware remotely even if it is a machine with 3500+ devices
d. absolutely do not disable the device... dont upset the doctor

lol basically malware > than security .


IMHO, secured or not, no critical validated medical equipment should be on the network at all. Keep it physically disconnected at all times.

Peoples lives are way to important to be messing around by exposing them to even the local network, ESPECIALLY if not patched, but even if it is patched and up to date.

(Footnote, I validate medical equipment for a living.)

Often times we jump through hoops to validate the equipment for specific uses, only for doctors to be cavalier cowboys using stuff off label, for purposes it was never intended, or exposing it to networks it just shouldn't be exposed to.

If you ask me, the doctors are the weakest link in the entire healthcare system.
 
With the massive WannaCry ransomware outbreak over the last few days, and the fact that Microsoft actually released a patch that prevents its attack vector back in March, the question many are asking is, why on earth don't organizations just update their software? It's not that difficult. Consumers do it all the time. Well, as this blogger explains, it is not quite as easy as it sounds, and in many cases it comes down to cost. Within the world of IT the risks of unpatched systems are well understood, but the problem comes when one has to sell the costs associated with testing, installing and supporting updates to the system, CNC machine or MRI scanner to management or investors, especially since this cost is "just to keep the system the way it was before."

The difficulty appears to rear its ugly head when weighing the rather large potential future cost associated with falling victim to ransomware or data theft, against the much smaller (but still significant) cost of service contracts and keeping software patched and up to date. Many executives, manufacturers and medical professionals who are not IT specialists simply lack the ability to assess the likelihood and massive impacts of falling victim to this type of attack, at least until it is too late. It's human nature for current, real costs to sting more than future uncertain costs that may never happen at all.

The author suggests regulation as one answer. Require organizations key to healthcare, and key infrastructure to keep long term service contracts on their operating systems and software implementations, and better educate non-critical organizations such that they better understand the implications and factor them into the financial calculations associated with keeping software updated. With a little luck, this outbreak will serve as part of that education, and convince organizations to better prioritize and budget for security updates, but I'm not convinced it will. We humans have a long history of conveniently disregarding the unpopular and costly, and instead letting the pendulum swing between non-action and crisis-mode. Personally I have very little faith this will change anything, but I guess it doesn't hurt to be hopeful?

First: We give entities better tools to estimate the costs of not updating to nudge them in the right direction. The problem with this is that many still will take the cheap road and just hope nothing breaks. Because it’s just software, right? If you don’t touch it, it will run forever!(which is the argument used by many software companies and automation experts to sell that whole shebang).

Of course Microsoft also needs to stop gimping the update servers so that people CAN actually update their non-Win10 operating systems.

IMHO, secured or not, no critical validated medical equipment should be on the network at all. Keep it physically disconnected at all times.

Peoples lives are way to important to be messing around by exposing them to even the local network, ESPECIALLY if not patched, but even if it is patched and up to date.

(Footnote, I validate medical equipment for a living.)

Often times we jump through hoops to validate the equipment for specific uses, only for doctors to be cavalier cowboys using stuff off label, for purposes it was never intended, or exposing it to networks it just shouldn't be exposed to.

If you ask me, the doctors are the weakest link in the entire healthcare system.

Then what about medical equipment that by design is supposed to be online like remote surgical arms?
 
Question: You are in the hospital for a life threatening condition. You are informed that you can't be treated "for a couple of days" because a machine necessary for the procedure you need has been infected with ransomware.

You OK with this situation? I think not. So perspective please.

So you are ok if they update the computer even though the updates have never been tested with the attached equipment?
Who are you going to sue when the patch caused the computer/equipment to crash in the middle of the procedure causing you serious harm?
(maybe the x-ray machine ends up stuck in the on position due to the patch)
 
So you are ok if they update the computer even though the updates have never been tested with the attached equipment?
Who are you going to sue when the patch caused the computer/equipment to crash in the middle of the procedure causing you serious harm?
(maybe the x-ray machine ends up stuck in the on position due to the patch)


For the medical industry... they need the vendors to be on top of patches and security lock downs on the devices in question. Much like my VNX storage arrays. They are a windows flavor back end.. but so locked down I don't need to worry about a virus.
 
I have worked in healthcare IT for about a decade.

a. there is a stigma due to "one update failed in 1997 so now we do not allow updates"
b. "nobody is responsible for the updates" and "security doesnt have permission to touch my servers because one time somebody updated to windows 7 on my server box! "
c. "reboots would upset doctor abc"
d. "execs dont want to upset doctor abc"

then there are legit reasons
e. anethesia machine cannot be rebooted during surgery (requires hand delivered and planned reboot)
f. cannot reboot during chemo treatment etc


However a-d always trump e-f which make up .01% of the total machines.

I'm still surprised to this day how many healthcare machines apparently need internet access. If at all possible, I would have designed these to be off the grid, or closed network to only onsite servers that also don't go online.
If a software update is required for new functionality, then sneaker net it on over.
 
You would be surprised the number of antiquated embedded machines that run a version of windows, where they are not going to get patched, ever. I was amazed years ago when I saw a electronic weighing scale in a deli at a wal-mart that was running windows 2000! Thats one reason why this type of outbreaks never truly go away.
 
You would be surprised the number of antiquated embedded machines that run a version of windows, where they are not going to get patched, ever. I was amazed years ago when I saw a electronic weighing scale in a deli at a wal-mart that was running windows 2000! Thats one reason why this type of outbreaks never truly go away.

Try checking email on those damn things......the UI is terrible!
 
1 thing is Broke so you UPDATE. now 5 totally different things are broke that worked just fine before the update. that's why!

Your phone works Great, system update, wow my phone is sluggish and yelling low memory... time for a new phone

Google and Microsoft evil laughter can be heard in the background.
 
Last edited:
.....Often times we jump through hoops to validate the equipment for specific uses, only for doctors to be cavalier cowboys using stuff off label, for purposes it was never intended, or exposing it to networks it just shouldn't be exposed to.

If you ask me, the doctors are the weakest link in the entire healthcare system.

IT would be much easier if it wasn't for the damned users! They are very inventive at finding new and wondrous uses for computers and software. Often these new uses find new and wondrous ways to negatively impact network operation and security.
 
If it's critical, then why does it face the internet to begin with?

Seems when the general population was less tech savvy was when IT actually was able to do their jobs properly. Now you have morons who think because they can use word and work their phones that they can call the shots over how IT operates. Goes for every skill and industry, give the plebs a little knowledge and they think the specialists are full of shit.
 
I can't tell you how many times I came across computers that were missing massively important critical updates, and I wasn't allowed to update them. Normally I understand the whole "make sure it's stable first" argument, but I'm not talking patch release day stuff either, but year or two old patches. A friend's work computer has one of the earliest versions of Chrome and it barely works now because it's obsolete. This is like going back to the "you have you use IE6" days.
 
Fortunately, I haven't had to deal with ransomware yet. But I sure was worried first thing this morning, when I saw a panicked "8 of our PCs are down, and it's an immediate problem!" message.

Turns out that a switch had gone mute, probably because of a power glitch. Which happened mid-December. So no one noticed for 5 months, but it was a critical issue that required resolution ASAP. Riiiiight.
 
I work IT for major overpriced rock retailer and I can tell you that every other month we have at least one major crippling issue or another with our production servers after standard maintenance Windows patching. Our applications simply can't keep up with the frequent updates. (Or maybe we can't keep up...that's totally possible too) This usually involves rolling back the update and waiting for our application vendors to figure out what the issue is and how to fix it within our environment. It takes way too much time and when we do reach a resolution and the update can be applied it's sometimes months out which puts us behind.

It's not so simple to keep up to date in the workplace especially when this particular exploit was only patched less than two months ago.

On a side note.....I'm super guilty of hitting the 'remind me in 4 hours' box for a straight month after updates get downloaded to my work machine. I ain't got time to wait for the 30 minutes my shitty work PC takes to restart, install updates, and get back to the desktop for me to get back to work.
 
Last edited:
Back
Top