McAfee's Apology - And Recompense For Corporate Customers
McAfee has revealed the first phase of its corporate customer follow-up to the 5958 DAT issue. The notice, available via its SNS notification service and via McAfee's website, says:
McAfee is offering a complimentary one year subscription to our automated security Healthcheck Platform. This will include a 4-hour session of remote consulting in which we will help you set up and run the health check, review your policies, server configuration and environment, interpret the results and provide recommendations based on McAfee best practices. If you would like to take advantage of this offer, please email Register@McAfeeQuickstart.com by June 15, 2010.

Unlike the offer extended to home users, which included a 2 year subscription renewal and the possibility of recompense for "reasonable" repair fees, this offer does not include any significant remedy for corporate users. While the cost to McAfee of compensating corporate customers would be far higher than for home users, corporate customers may well feel that they have been left out in the cold. Stories of hospital emergency rooms (as described in the comments on techielobang's and Ars Technica's posts about the issue) and 911 call centers (as described by the ISC) going down in the wake of the DAT release mean that McAfee will likely face very upset customers as the full cost and impact of the issue are calculated.
McAfee president David DeWalt's open letter, posted to the McAfee Security Insights blog, claims that "The vast majority of affected users were back up and running smoothly within hours, and we are continuing to work diligently until we are sure that every last user node among each and every one of our customers is back in action." That is a claim that may be difficult to back up in large organizations, or for users whose only access to the Internet and email was taken down by the issue. In many cases, large organizations with a significant XP SP3 install base saw hundreds of systems taken down, each requiring a manual visit. Stories such as this comment posted in response to his letter tell a story of woe: "Our team of 10 technicians worked for over 24 hours straight to touch all 1200+ machines by hand in order to assure our patients' safety and our continued operations."
For an organization, that is a cost that could reach into the thousands, if not tens of thousands, of dollars in staff time alone. Lost productivity from offline machines could total far more. What will McAfee offer to heavily affected corporate customers? We will likely know in the next week or so. Until then, security professionals and IT support staff can only point their management to McAfee's apology, and decide how best to update their business practices (for example, by staging signature updates through a test group before broad deployment) so that a bad update is caught without compromising quick response to new threats.
Perhaps more interestingly, as our industry starts to ponder whether whitelisting is the way to go, we should consider what a bad update to a whitelist could do to our organizations. The risk model is much the same, so the question remains: do we trust our vendors' QA processes and update release methodologies?