Lesson learned from WannaCry: Stop thinking of software as a purchase

(Source) https://twitter.com/Moohten/status/863126339888480256


An article titled "Warnings ignored: a cyber attack waiting to happen"[1] appeared in the Nikkei Shimbun. It contained the following statement:

Of course, the primary responsibility lies with Microsoft, the company that sells the Windows operating system (the target of the attack) and which has long been criticized for security flaws.

No, the primary responsibility lies not with Microsoft, but with the organizations that continued to use the software even after support ended, and those that did not apply patches even after they were released. This kind of irresponsible shifting of responsibility is putting the public at risk.

It's time to understand that when you buy software, you are not buying and owning it like a physical good, but rather acquiring the right to use it for a certain period of time. I think software providers should also consider providing software that will no longer work after support ends.

The article above gives the example of the UK's NHS (National Health Service) having to halt operations. This happened because its equipment was still running XP (support for which ended long ago) and was infected by WannaCry. It is not surprising that medical equipment remains on XP, since the hardware is not compatible with newer operating systems. However, if it had been expected from the beginning that the OS in question would stop working completely when support ended, I think medical institutions and equipment manufacturers would have responded and budgeted for it from the start.

Also, even in cases like these, people keep using unsupported software such as XP for a very long time, and I think this rests on the myth that if you disconnect the network from the Internet, you are safe. Even when you think you have disconnected the network, if you look at the timeline you will almost always find that it was not actually disconnected, and people do not understand that they need to remain safe even if perimeter security is lost. This attack also did not come from email; rather, it seems to have spread when a computer that connected to the Internet by tethering or some other means was infected, and then carried the infection into the company LAN when it was connected there. After all, infection via email has never been observed.

I think the minimum security standards that organizations must meet should be addressed as national policy, because this is already a public safety issue. The minimum standards that must be met should be determined through cooperation between countries, just as CO2 emission standards are. Management systems such as ISMS let each organization set its own standards, so the minimum level may not be maintained, and they are too heavy for small and medium-sized enterprises. Arguably, what is needed is a simple method that can be carried out with a checklist.

Footnote

  [1] "Warnings ignored: a cyber attack waiting to happen", Nihon Keizai Shimbun (2017-05-19)
