Yeah, um. Fuck. That. Noise.
Blaming an individual IT flunky for not patching a system? Really? That’s bullshit. There was so much more that went wrong here beyond a simple “failure to patch”.
- No internal penetration testing trying to exploit common or known vulnerabilities (and this was a known vulnerability with a CVE and everything)
- Nobody realizing for a significant period of time that there was an APT in their system stealing data
- Lack of proper network segmentation
- Lack of audit trail to identify APT (and if you’re familiar with the security world, you’ll know that APTs have characteristics and commonalities you can use to identify them)
- Lack of proper permissions segmentation
- Data not being encrypted or otherwise protected at rest
- Lack of proper password hygiene
… and that’s just the few things I can think of off the top of my head.
The CEO blaming an individual is pure cowardice. It’s like a four-star general blaming a single infantryman for losing a war. No. This is not the action of a lone individual. I can’t think of this as anything less than a culture of incompetence and negligence across IT, security, and operations. Individuals may have made mistakes, but to me this indicates far larger fuck-ups much higher up.
If your shit is so weak and insecure that “some dude forgot to apply a patch” could lead to what happened, that’s not something you can blame on a single person.