The Evolution of an Inside Term
Used in our Vendor Risk Report
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
Those who audit infotex know that our vendor risk report refers to a couple of our providers as “ransomware companies.” This reference started evolving when a particular organization “slammed” a particular operating system on me. This was in about 2010, possibly earlier. It was after malware had started to become a big thing, when we were teaching people to beware of unexpected pop-up windows and how to exit them safely.
I had been opting out of a “free upgrade” to an operating system from a particular operating system vendor, for months. I was opting out of this upgrade on a particular personal machine I was using. I was opting out because I used this machine only for one purpose: as a server for my music collection. Every time I would connect the device to the internet . . . primarily to patch the operating system and antivirus . . . a pop-up window would ask me if I wanted to upgrade to the new operating system. One time I even had to click through a set of windows that tried to sell the features of the operating system.
But then one time, when I clicked “no,” the whole window registered the click, and it installed the upgrade anyway.
That’s how malware propagated in those days.
Or at least one of the ways.
I fell victim to the very attack vector I had been warning people about. I stupidly clicked on a pop-up window. I trusted that this particular vendor would not use tactics similar to those of the Russian Business Network.
But I was also the person who wrote the vendor management report for our organization. Thus, when we started monitoring this particular operating system vendor, I referred to them as the “malware company.” Years later, when they started denying service until my devices proved they had paid their “ransom,” I changed the reference to “ransomware company.”
All in sarcastic tongue-in-cheek, expressing our frustration with the company whose negligence created our industry.
But guess what? I just fell prey to this approach yet again. A particular device crashed on me due to a particular application. As I was bringing the device up, a window popped up, informing me that the application had crashed the device, and asking if I wanted to “ignore” or “report” the error.
Like an idiot, I clicked “ignore” and noticed that it seemed to report anyway. The whole window seemed to move and disappear, but the “ignore” button sure didn’t move, causing me to wonder, “wait a minute . . .”
After a complete virus scan, a self-scolding, a report to the ISO, and a confirmation that the application was indeed the recipient of the report . . . forty minutes out of my day . . . I wrote this article.
Why . . . why . . . why . . .
If the good guys are going to revert to the tactics of the bad guys, we will lose.
Original article by Dan Hadaway CRISC CISA CISM, Founder and Managing Partner, infotex
“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”