
On Tue, Sep 28, 2021 at 11:15 PM Ryan Delgrosso <ryandelgrosso at gmail.com> wrote:
B: I believe they need to be drawing national attention to this to highlight what a steaming dumpster fire much of the critical infra really is. Mostly because it's designed to maximize quarterly earnings, not stay working in the face of adversity.
That's not an exclusive problem to network engineering, or even IT in general. Under another hat, I consult with a lot of healthcare facilities. I'd say somewhere around 40% of my clients are *still* running Windows 7 and Windows Server 2008 on their networks. Why? Because it will cost a few hundred thousand to upgrade/replace all the machines and they want IT costs to look good on paper so they can sell out in a month, a year, or whatever. When I mentioned how irresponsible it is, I found out most (if not all) of them managed to get "cyber insurance". Did you know you can get a $5,000,000 "cyber insurance" policy from some insurance companies for only $2,500k/mo? Even more astonishing... did you know they will issue that policy after doing a port-scan of your public IPs, and if they find no ports open, they consider you to be secure? They didn't even require something as basic as a NIST 800-171 audit or filling out the most basic of questionnaires. I read one of the policies and was stunned. I'm not a lawyer, but it appears to me the insurance company will be on the hook even though they have no AV, no patch management, no logging/monitoring, and their stunningly incompetent external IT contractor fixes permissions issues in vendor-supplied applications by promoting people to "Domain Admin". No one cares because they'd rather have an external company for $15k/mo as opposed to a competent team of employees for $25k/mo. Looks great on the books that they saved ~$120k last year by "fixing" IT. ;)

-A