Cisco cleans up critical flaws, Florida city forks out $600k to ransomware scumbags, and more from infosec land

Here's a quick Monday summary of recent infosec news, beyond what we've already reported. Cisco emits critical bug fixes Admins running Cisco gear will need to dedicate some time to updating their software and firmware following the release of 26 security patches from Switchzilla. Of the fixes, three are for critical flaws: …

  1. ElReg!comments!Pierre

    Desjardins

    not Desjardens

  2. Anonymous Coward

    "the reality of long and costly recovery projects means"

    I think there should be a rule that if a ransom needs to be paid, then that sum must be deducted from the salaries of all the people involved who had not kept the systems secure, and those who brought the malware in (if any). Otherwise, you'll get people keeping on with slack security - after all, if something bad happens, someone else will pay - especially when it's taxpayers' money - and they have little or no work to perform; after all, the data are back, aren't they?

    And frankly, for such sums you will even find insiders ready to spread ransomware for a cut of the pie...

    1. Halfmad

      Re: "the reality of long and costly recovery projects means"

      Great in theory but complete nonsense when you try to implement it.

      For all we know the local IT folks were all screaming for more resources, had a risk register stating how open they were to ransomware attacks and yet were never given resources to tackle it. Chances are we are talking the basics of IT, backup tapes etc. However what about staff and training?

      I'm not looking to make excuses for them but having worked in some pretty ****** places in the past I wouldn't be surprised if this shower of idiots hadn't outsourced key parts creating gaps and then handed management of it to a non-IT literate manager with zero experience in running IT services and business continuity.

      1. Anonymous Coward

        Re: "the reality of long and costly recovery projects means"

        Evidently, if you can prove you made clear what the situation was and those in charge didn't listen, you would not be subject to deductions, but those who didn't act would be.

        But let's be sincere - not all IT people do the right thing every time, and are just hampered by management that doesn't give them the resources.

        There are a lot of IT systems run by bad and lazy IT people who still believe they can manage their system as they did forty years ago, they don't need to learn anything new, and that nothing bad will happen to them just because it never happened before.

    2. Anonymous Coward

      Re: "the reality of long and costly recovery projects means"

      I talk to security departments within various organizations on a daily basis. I am often appalled at how hamstrung government institutions are in regard to security due to internal politics. One department maintains a fiefdom to do their own IT, separate from the other departments. Thus, from an attack-surface standpoint, the weakest link compromises the whole chain. This is almost always the result of funding priorities established by non-technical politicians and bureaucrats trying to maintain their empire. I have lectured the IT department countless times, only to be told “Yes we know, yes we have it documented, no the decision is out of our hands”.

      No, don’t eject the IT staff when TSHTF. Eject the bureaucrats & politicians.

      We often say it is not “if” you get attacked, it is “when” you get attacked. If IT staff were personally financially liable for an attack, no one would take the job because of the inevitability.

  3. OssianScotland

    Danegeld

    Surely the first rule of ransomware is never pay? Also, "replace all their computer systems"? Surely a low level wipe and restore from backup would be sufficient? Backups.... backups.... oops....

  4. holmegm

    Not quite as bad as paying ransomware, but ...

    We had a client whose business was maintaining a public searchable database of professional certifications for a narrow field.

    After playing whack-a-mole with an ever-changing-IP-address entity that was scraping their data (and frequently bringing their web server to its knees), our client was contacted by the scrapers, who helpfully suggested that they make the data available as an XML file or RSS feed or something, just to save everyone unnecessary time and work (over what was after all in the end freely available public data).

    I suggested that they seriously consider it ...
