by dba7dba 3182 days ago
This reminds me of a fairly well known online/offline service company that does not patch their production Windows servers at all. Their mode of defense is a firewall. Apparently they had some servers/apps break when the Windows servers were patched, so they do not patch their servers at all.
2 comments

From the Ninja Threat Model at https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...: The attacker is going to sit on the same network segment as the application. There’s no firewall or filters. There’s a special place in hell reserved for products that require firewalls or filtering to protect themselves against attack.
I just ran into a company that has updates disabled on all Windows PCs, leaving them as the stock install. Their IT got defensive about it very quickly when I asked them to allow us to update the PC they were running our software on. They don't handle consumer data, but they have their own set of problems which could come from a data breach.