During these days of confinement due to COVID-19, many companies in every sector have been pushed into the famous telework. Setting aside the organizational problems that telework brings for companies unfamiliar with the practice (managers who don’t believe workers are working unless they see them sitting at their desks, slow or non-portable computer equipment, etc.), I’m especially concerned about companies that have gone for low-cost teleworking, with the associated risks we will now discuss. So much for all that time talking about digital transformation, Industry 4.0 and all those concepts… and when it comes to the crunch we get it wrong.
Business Continuity Management
I don’t intend to talk about business continuity, even though I have been working for many years with ISO 22301, the standard taken as the basis for Business Continuity Management. And I don’t intend to talk about it because nobody could have foreseen a disruption of such magnitude that it would keep workers, suppliers, carriers and customers in their homes for more than a month. There was simply no precedent of this kind, so the probability coefficient in the risk analysis made us rule out such threats.
What bothers me is that for months now we have been talking about ‘digital transformation’, the modernization of industries towards a 4.0 approach (I think we skipped 3.0… or at least I never heard about it) and the inclusion of technology in every sector… and I am afraid that on many occasions this was not quite true. Many companies have been forced to suspend activities, file ERTEs (temporary layoffs) for their workers and do little more than throw their hands up in despair, because they were actually far from all this ‘digitization’. Some of them are the very ones that sold us the concept of digital transformation in talks and events.
A laugh.
Others, to support their workers and to look modern, have rushed to open their corporate servers to the Internet without the minimum analysis and security requirements that would have been desirable, so with a search on Shodan we can find aberrations like these:
Shared folders on the Internet: no firewall or anything else, just the shared folder directly reachable from anywhere so that workers can keep accessing the company’s resources.
Remote Desktop reachable: Windows Remote Desktop has had various vulnerabilities throughout its history that argue against exposing it directly to the Internet… yet there are no fewer than 36,109 IP addresses with Remote Desktop reachable from anywhere.
BONUS TRACK: we can refine the search and find, for example, Windows XP machines with Remote Desktop reachable from the Internet, even though vulnerability CVE-2019-0708 was never patched by Microsoft for them.
Speaking of Windows XP: support for Windows XP ended in 2014… and there are still Internet-facing services hosted on Windows XP, with all the vulnerabilities that entails.
2,300 SQL databases exposed in Madrid alone: obviously we don’t have the username and password, but among the MySQL versions exposed in Madrid alone are some with serious vulnerabilities that allow remote access as root.
Not to mention the typical security cameras with no username and password, or with default credentials such as admin/1234… although this worries me less right now, since nobody can leave the house, so the company can hardly be burgled… in theory.
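The list above is exactly the kind of thing a company should be checking against its own address space before, not after, opening services for teleworkers. As an added illustration (not code from the original post), the following script triages a simplified export of exposed-service records into the categories the post calls out (SMB shared folders, Remote Desktop, MySQL) and escalates any service whose banner reveals an end-of-life Windows version. The record format, the severity labels and the end-of-life marker list are assumptions of this example; the sample records are constructed and use the TEST-NET-3 documentation range.

```python
"""Triage exposed-service records by the categories the post calls out.

Added example, not code from the original post. The record format is an
assumption: a list of dicts with 'ip', 'port', 'product' and 'os' keys, such
as a simplified export of an Internet-wide scan of one's own address space.
"""
from collections import Counter

# Categories from the post: SMB shared folders, Remote Desktop, MySQL.
# The severity labels are this example's assumption.
RISKY_PORTS = {
    445: ("smb-shared-folder", "high"),
    3389: ("remote-desktop", "high"),
    3306: ("mysql", "high"),
}

# Windows versions out of vendor support (assumed marker list); exposing
# one of these to the Internet is escalated to critical.
EOL_OS_MARKERS = ("windows xp", "windows server 2003", "windows 7")

ADVICE = "close to the Internet; reach it only through VPN or an allow-listed jump host"


def classify(record):
    """Return a finding dict for a record, or None if the service is not in scope."""
    port = int(record.get("port", 0))
    if port not in RISKY_PORTS:
        return None
    category, severity = RISKY_PORTS[port]
    os_banner = (record.get("os") or "").lower()
    end_of_life = any(marker in os_banner for marker in EOL_OS_MARKERS)
    if end_of_life:
        severity = "critical"
    return {
        "ip": record["ip"],
        "port": port,
        "category": category,
        "severity": severity,
        "end_of_life_os": end_of_life,
        "advice": ADVICE,
    }


def triage(records):
    """Classify every record; return (findings, per-category counts)."""
    findings = [f for f in (classify(r) for r in records) if f is not None]
    summary = Counter(f["category"] for f in findings)
    return findings, summary


# Constructed sample export; addresses are from the 203.0.113.0/24 documentation range.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 445, "product": "Samba", "os": None},
    {"ip": "203.0.113.11", "port": 3389, "product": "Remote Desktop Protocol", "os": "Windows XP"},
    {"ip": "203.0.113.12", "port": 3389, "product": "Remote Desktop Protocol", "os": "Windows 10"},
    {"ip": "203.0.113.13", "port": 3306, "product": "MySQL", "os": None},
    {"ip": "203.0.113.14", "port": 443, "product": "nginx", "os": None},
]

if __name__ == "__main__":
    findings, summary = triage(SAMPLE_RECORDS)
    for finding in findings:
        print(f'{finding["ip"]}:{finding["port"]} {finding["category"]} '
              f'[{finding["severity"]}] -> {finding["advice"]}')
    print(dict(summary))
```

Feed it the export of a scan of your own public ranges (or the equivalent records from a perimeter inventory) and the output is a prioritized list of what must be pulled behind the VPN before anyone works from home; the HTTPS entry in the sample is deliberately left unflagged to show that the script only reports the categories the post is worried about.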
Chernobyl, the series
I don’t know whether you have seen the series Chernobyl, released on HBO a few months ago, but it reflects exactly the idea I want to convey to you.
I have no intention of spoiling the series, since the Chernobyl nuclear accident is history: one of the errors that led to the core explosion was haste. The night shift had to carry out a safety test that could not be performed during the day by the team that actually knew the test, so they ran it hurriedly and without the proper instructions.
Just as it has been shown that it is not a good idea to run a nuclear power plant’s safety test at night with an inexperienced crew (postponing it to the next day or to a more suitable time window is usually recommended), we cannot put a server into production, open a service to the world without reviewing its security, or install unchecked applications on our devices just because of the urgency of teleworking from home, only to run into problems like the ones we are seeing these days.
At Chernobyl they learned the lesson: the head of operations of reactor 4, the one that exploded, spent 10 years of his life doing forced labour… and that in the Russia of those days, so you can imagine those 10 years were no bed of roses. Don’t rush to incorporate technologies into your company without the same security measures, checks and tests you would perform at any other time.
Thank you, Mr. Sahuquillo. The way you tell it, it’s quite scary, even though it’s very real. I hope companies change their mindset as a result of this crisis.
Regards
Thanks for your comment, Javier! I hope so too; it would be very sad not to learn the lesson so we can improve in the future… not just in case another similar crisis comes, but to improve our businesses and make them more robust and resilient.
Very good, Carlos. Unfortunately we have all been talking big about teleworking but, as you rightly say, without being prepared. As the incorrigible optimist I am, I’m convinced we will take many lessons from all this that will let us face better the situations that are surely still to come… so when is the webinar on this??? Thanks!!
Thanks, Fernando! I don’t know whether it’s enough for a webinar, since in the end these are just musings, but I agree with you, many lessons learned will come out of this… I hope some business owners have seen that it is possible to trust teleworking, and not only because the employee can be just as productive from home, but because it’s cheaper for the employer, who saves on workstation costs, can reduce office space, etc., and for the employee, who doesn’t have to pay for petrol or public transport or lose non-productive time commuting.
It’s also teaching some of us that we were living too fast, running everywhere to get to a thousand places… when in reality many of them were dispensable. And of course we were spending too much.
As I say, I don’t know whether it’s enough for a serious webinar, but… what if we invent a new kind of webinar done with a beer in hand and everyone talking at once as if we were in a bar? Hahaha
Great post, as always
Thank you very much, Álvaro! You’re going to make me blush 😀
And while we’re at it, you could give your blog a push, mate; you’ve left it a bit neglected and it’s really interesting.
Haha, yes, I’m using the quarantine for that.
But there aren’t enough hours in the day: work, family… you know how it is