June 6, 2017 at 9:21 am
ZZartin - Tuesday, June 6, 2017 9:16 AM
Sean Redmond - Monday, June 5, 2017 11:26 PM
First of all, I agree with Grant. Internet-facing machines need to be treated with a level of paranoia. They must be patched as soon as possible and only kept online for whenever necessary. Being on the Internet has now gone from living in a good neighbourhood to living in a rough one. Windows (no pun intended) need to be closed and doors need to be locked now.
There are two things that I don't really understand - given how poorly protected many home (and business) machines are, why is sensitive material left on Internet-facing computers? We need to start moving towards functional separation. Designated machines have Internet access. They are separated from the other machines and their OS can be easily re-installed in the event of it being compromised. Other computers in the house/company have their specific uses but are not Internet-facing (or are temporarily Internet-facing for the purposes of activating software, for example).
The second thing which boggles me is why most SQL Servers are Internet-facing. Aside from updates, what benefits does it bring? The SQL Server should be behind firewalls with extremely limited access and certainly not Internet access.
I, personally, am dreading the day when computers become little more than dumb clients and are required to have a permanent Internet connection in order to connect to Azure, Whatever-as-a-Service and so on. It will be the worst of both worlds.
Internet is pretty fundamental to most people's jobs these days.
I hope most DBAs know to have their SQL Servers inside the firewall. I know the majority of your post is about a different level of isolation, but this point is a pretty simple one.
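As an added example (not from any post in this thread) of the "SQL Server inside the firewall" point: a host-level Windows Firewall configuration that disables any inbound rule allowing TCP 1433 from any address and replaces it with one scoped to an internal subnet. The subnet 10.20.0.0/16 and the rule name are placeholders; the cmdlets are from the NetSecurity module that ships with Windows Server 2012 and later, and the session must be elevated. This is the host-side control; the perimeter firewall should enforce the same restriction so the instance is never reachable from the Internet.

```powershell
# Added example: scope inbound SQL Server TCP 1433 to an internal subnet only.
# Placeholders: $InternalSubnet and the rule name. Run elevated on the SQL host.

$Port = 1433
$InternalSubnet = '10.20.0.0/16'   # placeholder: replace with your application/admin subnet

# 1. Find enabled inbound allow rules for the SQL port whose remote scope is 'Any'.
$openRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

foreach ($rule in $openRules) {
    Write-Warning "Disabling rule '$($rule.DisplayName)': it allows TCP $Port from Any"
    Disable-NetFirewallRule -Name $rule.Name
}

# 2. Create (replacing any previous copy) a rule that only the internal subnet can use.
#    Domain/Private profiles only: a host on a Public profile should not expose SQL at all.
$ruleName = "SQL Server TCP $Port - internal only"
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $InternalSubnet -Action Allow -Profile Domain,Private | Out-Null

# 3. Verify: list every rule that touches the port, with its remote scope.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

The verification step is the part worth keeping in a scheduled job: an installer or a well-meaning colleague can re-add a "1433 from Any" rule later, and step 3 makes that visible without reading the whole rule set.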
June 7, 2017 at 2:00 am
ZZartin - Tuesday, June 6, 2017 9:16 AM
Internet is pretty fundamental to most people's jobs these days.
I agree, but it is not as fundamental as one may think. E-mail is a necessity to be sure. How much of one's browser usage is work-related?
However, my main point is that unless you have competent people with enough resources to manage the interface with the Internet, it is becoming foolish to have sensitive data on machines that face the Internet. I have in mind primarily home users and small businesses. An Internet connection brings with it a lot of risks that require programs that are very intensive on resources such as time, money, CPU and RAM. It may already make sense for smaller setups to separate machines into those with and those without Internet access. It is more hassle, but then so is locking your door when you leave your house or car. It becomes normal.
For example, all of those old XP machines that are needed to run some custom piece of software should not be on the Internet. Likewise, anything that isn't fit for the modern Internet shouldn't be on the Internet, and by 'fit' I mean OSs that can't or won't be kept up to date with the ever-growing threats that exist out there.
June 7, 2017 at 4:17 am
At work, it's not my problem - we have two IT depts that take care of all hardware, software, and upgrades: one team for production servers, and another for internal machines.
At home, I patch religiously. However, the fact that I have no control over when Win10 downloads a patch is a deal breaker for me. I have uninstalled Win10 Pro, and reverted to Win7. I finally gave up on Win10 when it constantly tried to pull the same 900+MB update until it blew out my 50GB cap. This after I had already noted that there was an issue, downloaded the file manually, and tried to install it - only to be informed it was already installed.
June 7, 2017 at 4:30 am
DesNorton - Wednesday, June 7, 2017 4:17 AM
At work, it's not my problem - we have two IT depts that take care of all hardware, software, and upgrades: one team for production servers, and another for internal machines.
At home, I patch religiously. However, the fact that I have no control over when Win10 downloads a patch is a deal breaker for me. I have uninstalled Win10 Pro, and reverted to Win7. I finally gave up on Win10 when it constantly tried to pull the same 900+MB update until it blew out my 50GB cap. This after I had already noted that there was an issue, downloaded the file manually, and tried to install it - only to be informed it was already installed.
In the Creators Update you can now set LAN connections as "metered connections"; that might help. I feel sorry for those not in the UK; here we don't have data caps and the fiber rollout is pretty good unless you live out in the sticks somewhere.
June 7, 2017 at 7:00 am
Grant Fritchey - Monday, June 5, 2017 2:56 PM
Steve Jones - SSC Editor - Monday, June 5, 2017 1:43 PM
I'm torn here. On one hand, I think we need updates, and need some forcing of updates. Far, far too many people don't update and let systems languish for years. However, a couple points.
1. Microsoft can, and should, improve the process. My iOS device nags me for updates, but allows me to defer them or set a time. Windows should do this, with a cut-off date. I'd prefer a few months, since work does need to be scheduled, but nag me with a final date, and give me an option to schedule.
2. The schedule needs to be the start time. Always. We don't think any other way.
3. Microsoft should be liable for patches that cause issues if they're going to push them every xx time periods.
4. There should be some sort of warranty for software sold that includes the need to update the software as the underlying platform changes. I don't know how to do this, and maybe this is just disclosure that we will support software through xx date, which includes updates. With Windows changing every year, maybe this will force vendors to provide some sort of lifecycle patching for their software. Or maybe get customers to demand this before buying xx software.
I am tempted to require that software cannot be sold on unsupported platforms. That feels like government intrusion, but selling software today for Windows XP is a problem as the insecurity has community effects. It's not necessarily just an issue for the customer.
True. It's like herd immunity through immunization. At some point, if there are too many anti-vaxxers, we could all get sick.
As to the rest, no argument. It really does need to be a better process to get updates installed. However, a painful process just doesn't absolve people of guilt when they just stop doing updates, as lots and lots of people are doing.
WannaCry is remarkable in terms of how quickly it spread and its method of transmission; however, it can also be said that its damaging effects were (conspicuously) limited. The number of devices infected was a lot higher than the incidences of actual data loss. In a sense, WannaCry wasn't so much of a pandemic as it was an inoculation of the herd, because what it has done is expose vulnerabilities that have now been addressed. So, what doesn't kill us makes us stronger.
We are very fortunate that the creators behind WannaCry were apparently amateurs with mediocre ambitions (if we are to believe the official narrative). It was also speculated by some security experts that the virus was possibly released accidentally. However, just think of the potential damage that could have been caused had WannaCry been deployed by an organization like ISIS or North Korea and the goal had been the targeted leaching of data from government agencies or the disruption of infrastructure.
The way this all played out makes me Wanna-Breathe-A-Sigh-Of-Relief and hope that we have all learned a powerful lesson.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho