On MS17-010 and Ambulance Chasing
I had a mild Twitter outburst this week that got a relatively large amount of exposure (for me).
So I thought maybe I’d take a step back and give my irritation some texture that isn’t in 140-character snips. I’m feeling a little calmer now so I want to touch on some curious things happening with respect to vendors and MS17-010. Let’s highlight the topics of discussion here:
Topic #1: Vendors are ambulance chasing.
The term “Ambulance Chaser” is a pejorative. It isn’t a term of endearment. I think we all get the reference. In the context of this most recent global incident – and others – it is incredibly applicable. Vendors are following clients, in the wake of their misfortune, in the hopes of gaining profit from said misfortune.
I understand that some vendors or service providers can actually help. We all get that. Many vendors and service providers actually have useful products and services. On top of that, many of them can, in fact, help us deal with this most recent incident and perhaps even those to come. But that isn’t really the issue, is it?
The issue is timing and tone. The tone of some of the emails and phone calls is irritating to insulting (you can substitute your own adjective here). “You could be fishing right now!” “Our customers were protected. Were you?” Perhaps this is true, but the tone makes for a bad sales technique, not to mention bad form when interacting with another human.
The timing is worse. Do vendors really think their clients and prospective clients want to take a sales meeting during a global incident? Forget “want” here for a second. Do vendors think customers CAN take such a meeting? It’s absurd.
Clients keep track of things like this. They note who’s using their misfortune for gain and who’s here to help. I do as well. Call me petty if you want. I’ve been called worse today and it’s only 1130.
Topic #2: Vendors are claiming to fix the problem
Literally – and I’m using this word correctly here – every endpoint vendor I’ve talked to or whose posts I’ve read since Friday has claimed to stop WannaCry itself as well as any of the other exploits targeting MS17-010. Other vendors claim to provide ancillary services to help address either the incident or the operational environmental challenges relative to such incidents. These vendors are deployed in every environment in the world. Conservatively, that would make the sample size for the aggregate claim just around 70% of all environments globally. This leaves us in the user community with some options to consider based on what we just saw:
1. They’re lying. Simple. They can’t do what they claim. Cynical, I know.
2. You’re misconfiguring ALL of their products. This is the one I believe and I think there’s some merit to it. But I’m not sure what this says about the products, our deployments of said products, and the state of our IT infrastructure – collectively and individually. This is a much larger discussion that we’ve been having for a while: how do we gain the confidence to let our controls block transactions, in large part, on their own? And boy oh boy, I don’t have the time to type that think piece up right now.
3. Some other options that I’m not thinking of. As I’m not the brightest bulb on the tree, we have to leave this option open.
Topic #3: It’s complicated and sometimes there isn’t one Right answer.
Much of this post was about timing and tone for vendor sales teams. But if we dig deeper into the unsettling facts of this incident and so many others, we find something else: we find we should have disabled SMBv1, we should have patched (and everything that comes along with that), we shouldn’t still have these antiquated systems on our network, we shouldn’t have such a flat network, and we find we may not have the right tech in place when we can’t disable SMBv1 and patch. Finally, if – and this is a big “if” – we have the right preventative tech in place, we have it misconfigured.
Again, there is no Right answer. There are extenuating circumstances. Technical debt, budget restrictions, lack of training, turnover, lack of leadership. The list goes on and on.
This stuff is hard. But maybe while your clients or prospects are doing the hard stuff, don’t hit them with a tacky sales pitch, eh?