Security Basics mailing list archives
RE: Patching
From: "Erik R. Myers" <emyers () ost edu>
Date: Tue, 21 Oct 2003 07:01:29 -0500
Some very good questions. Patching a well-running organization/system should always make you nervous. Thus the need for strident patch-testing on test-boxes, which of course increases the costs/time associated with patching.

Earlier a comment was made that "patches fix known holes and that unknown holes aren't yet security risks". Not really, a hole is a hole is a hole. "Unknown" provides a little cover but doesn't make the hole go away. Someone, somewhere will eventually find it. Which brings us back to "why" we patch known vulns. Once a vuln/hole is known it is a matter of time (which seems to be shrinking) before scripts are produced to exploit it. While I hate explaining why a security patch has done something bad to app X, I don't want to have to explain why a 13 year old script-kiddie raped my system using a downloaded script for a 6 month-old vuln. Yes, this is a lesser of 2 evils argument.

Measuring the worthness? Toughee. If we have done our jobs correctly, no one notices a thing. I guess if you had to prove to someone that you've been successful, you could gather up all your sec logs, audit reports, mail/spam/virii stats and proudly show the powers-that-be all the mischief you've deterred...assuming you can keep them awake longer than a couple of minutes.

Long response, need coffee now. Happy patching.

Erik R. Myers

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Monday, October 20, 2003 3:38 PM
To: security-basics () securityfocus com
Subject: Re: Patching

On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:
A thought has been crossing my mind for a long time, I'd like to confront it with the list. In the "old days" a patch and/or fix was defined as "something that closes a known hole and opens ten unknown holes" :-) Yet, literature and common practices keep saying we should maintain our systems and network appliances up to date with the last patches / software releases.

WHY should I feel safer that way? How can I tell Rev. 1.3 is any better (security-wise) than Rev. 1.2 ? Is the cost (financial and others) of change management worth it? If so, how can I measure such worthness?

--
Alessandro Bottonelli
A journey of a thousand miles starts with a single step. (10,000 - 1) is less than 10,000. "Safer" is not "safe". As long as you are thinking, include that in your "why" considerations.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security
Looking for a better way to manage your IP security? Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous networks
- Quickly respond to network events from a central console
Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015
---------------------------------------------------------------------------
Current thread:
- RE: Patching, (continued)
- RE: Patching Alexander Suhovey (Oct 21)
- Re: Patching Meritt James (Oct 21)
- Re: Patching Alessandro Bottonelli (Oct 20)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
- Re: Patching Alessandro Bottonelli (Oct 21)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 22)
- RE: Patching Graydon McKee (Oct 22)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
- RE: Patching wbradd (Oct 22)
- audit (was: Re: Patching) Meritt James (Oct 27)