While change is constant in the IT world, the headlines frequently cover similar themes. Data breaches, new smartphones and the next big industry disruption are often getting attention. When you look beneath the surface, however, you can find news stories that emphasize the real day-to-day challenges IT workers are facing, not just the big-picture issues or hyped solutions that tend to get media attention.
Here’s a look at three major news stories from February with an emphasis on incidents that highlight the everyday problems facing IT, particularly the difficulty in gaining visibility into the configuration.
80 Million Records Added to Compromised List
Troy Hunt, a cybersecurity expert who is working on a large project for Have I Been Pwned, a site that documents compromised records so consumers can adjust account credentials, has added data from almost 3,000 previously undocumented data breaches to a database on the site, CSO reported.
According to the news source, Hunt initially began working from a large, 8.8 GB zip file containing an archive of user credentials that were known to be compromised. The credentials were discovered by Hacked-DB, who discovered 3,000 hacked databases linked to various organizations and individuals.
In total, Hunt has delved through the raw data to identify information that has already been published on Have I Been Pwned and has since updated the list with only new information, which amounts to a staggering 80 million records, the report said.
What makes this unique is that it isn’t an announcement of a new data breach or security mishap. Instead, it is a researcher identifying compromised information that has been lurking on the dark web and that isn’t directly associated with a single data breach. Users may have no idea that this information is compromised – Hunt doesn’t even know if the account details are active or accurate – because this is information that is out there for public viewing.
Hunt’s work highlights just how much businesses don’t necessarily know about their own data configurations, and shows that organizations need to work to gain more control over their systems so they can not only recognize breaches, but also inform affected customers before that information is made public.
Another Government Data Breach
The Massachusetts Department of Revenue experienced an unusual data breach. An error in system configuration allowed companies using its online business tax filing portal to view one another’s data. Upon further investigation, the Boston Globe found that the DOR had been alerted to the issue with the underlying data system months before solving it, leading to the eventual breach.
As of now, it is believed that the breach only involved business data, with the possibility of one Social Security Number being compromised, and many of the details of the breach have been known for a while. The new point, about the DOR knowing about the error, is the story here. The issue isn’t so much that the DOR is extremely negligent. Instead, the agency fell into a trap many businesses have run into. A small vulnerability, a neglected patch or technical debt forces companies to prioritize immediate problems over long-term fixes and system health.
The Massachusetts DOR isn’t the first entity to face this kind of breach, and they won’t be the last. Organizations that want to avoid such problems must go beyond reactionary asset and endpoint management strategies and implement tools that help them get more proactive about protecting themselves and their users.
Another Rough Windows Update Cycle
For the past few months, Windows users have been experiencing a rough set of updates leading to crashes, bugs and similar issues. In some cases, these are just the typical problems of major updates, such as the Fall Creators update that is still being fixed in some areas. But the Meltdown and Spectre vulnerabilities led to Windows patches that created more complexity. In some cases, the patches had performance or stability drawbacks. In others, they could lock systems or cause outright crashes. The issues were particularly apparent on devices using AMD chips, as the patches were extremely urgent and not necessarily refined in how they altered the way the operating system interacted with processors.
February wasn’t as bad as some of these prior months, but Computerworld explained that a major update to the Windows 10 Fall Creators patch has led to blue screens of death and, in some instances, completely disabled USB devices. What’s more, Microsoft took 10 days to acknowledge the bugs existed.
Windows 10 users weren’t alone in experiencing problems. The news source explained that Windows 7 machines configured for monthly rollups have been experiencing bugs in which they no longer restart properly, leading to a black screen.
It’s important to keep in mind that while patches and updates are rarely exciting, they can be problematic. This presents a double-edged sword. Fall behind on patches and you can be hit by a vulnerability and called negligent. Charge forward without visibility and your help desk can be inundated with support requests from users experiencing new bugs. Endpoint control and, ideally, process automation are critical in balancing these issues.
These news items point the scale of everyday management challenges facing IT departments. Data breaches can lurk beneath the surface for years, small errors left unfixed can lead to headline-gathering problems and simple OS updates can cause crashes and bugs aplenty.