A Pandemic’s Collateral Damage to CyberSecurity
I was reading Bruce’s article again “On Not Fixing Old Vulnerabilities” where he ponders the unbelievable result of a report on very, very old vulnerabilities still in real-world existence today, and came upon a disturbing thought.
As I scrolled through the comments section (yes, I read comments as often as I can stomach them) one in particular caught my attention. Then I had a lightbulb moment. Not the bright lightbulb of “Ah, ha!” but the red one of “Oh, shit!”. This comment:
I guess that the reason many companies are still on Windows 7 — or even XP — is that long ago they bought very expensive applications which won’t run on later versions, whose manufacturers can’t be bothered to update them, or are demanding prohibitive fees for doing so, or even have gone out of business. So those companies are faced with enormous cost of switching to new applications. Or companies long ago bought very expensive equipment whose manufacturers won’t provide Windows-10-compatible software, or have gone out of business. So those companies are faced with a choice: either completely replace some wildly-expensive equipment which still works perfectly well, simply because there’s no driver for it, or stay with Windows 7 or XP. For top management that choice is a no-brainer, and the CIO has no chance of persuading them otherwise.
Whoever you are, you’ve highlighted a side-effect of the economic collapse we’ve just experienced as imposed by the various world governments — lots of companies have gone out of business.
Imagine if you’re a healthcare, manufacturing, retail, or other specialized industry vertical and you depend on a particular piece of software or hardware — and now the vendor is out of business. Their tech stack will quickly fall into disrepair, and unless you’re willing to rip-and-replace it all, you are powerless to do anything about it. Generally speaking, doing your own upgrades/updates will break things — and that’s bad.
I hadn’t thought about this until now, but now I’m wondering how many of you out there are calling your vendor reps asking when the next patch cycle is only to realize they don’t exist anymore. Yikes.