Security Basics mailing list archives

RE: Patching


From: "Erik R. Myers" <emyers () ost edu>
Date: Tue, 21 Oct 2003 07:01:29 -0500

Some very good questions.

Patching a well-running organization/system should always make you
nervous.  Thus the need for strident patch-testing on test-boxes, which
of course increases the costs/time associated with patching.  Earlier a
comment was made that "patches fix known holes and that unknown holes
aren't yet security risks".  Not really, a hole is a hole is a hole.
"Unknown" provides a little cover but doesn't make the hole go away.
Someone, somewhere will eventually find it.  Which brings us back to
"why" we patch known vulns.  Once a vuln/hole is known it is a matter of
time (which seems to be shrinking) before scripts are produced to
exploit it.  While I hate explaining why a security patch has done
something bad to app X, I don't want to have to explain why a 13-year-old
script-kiddie raped my system using a downloaded script for a
6-month-old vuln.  Yes, this is a lesser-of-two-evils argument.

Measuring the worthness?  Toughee.  If we have done our jobs correctly,
no one notices a thing.  I guess if you had to prove to someone that
you've been successful, you could gather up all your sec logs, audit
reports, mail/spam/virii stats and proudly show the powers-that-be all
the mischief you've deterred...assuming you can keep them awake longer
than a couple of minutes.

Long response, need coffee now. Happy patching.
Erik R. Myers

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com] 
Sent: Monday, October 20, 2003 3:38 PM
To: security-basics () securityfocus com
Subject: Re: Patching

On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:
A thought has been crossing my mind for a long time, I'd like to
confront it with the list.

In the "old days" a patch and/or fix was defined as "something that
closes a known hole and opens ten unknown holes" :-) Yet, literature and
common practices keep saying we should maintain our systems and network
appliances up to date with the last patches / software releases.

WHY should I feel safer that way? How can I tell Rev. 1.3 is any better
(security-wise) than Rev. 1.2 ? Is the cost (financial and others) of
change management worth it? If so, how can I measure such worthness?
-- 
Alessandro Bottonelli

A journey of a thousand miles starts with a single step. (10,000 -1) is
less than 10,000.  "Safer" is not "safe".

As long as you are thinking, include that in your "why" considerations.

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
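Erik's suggestion above is to answer the "how can I measure such worthness?" question with data from your own logs and audit reports. One concrete metric a practitioner can pull from patch records is the exposure window: the days between a vulnerability becoming public and the fix landing on each host, plus which hosts are still open past a chosen SLA. The following is an added example, not code from either poster; the host names, advisory IDs, dates and the 30-day SLA are all constructed for illustration.

```python
from datetime import date
from statistics import mean

# Constructed sample records (not real hosts or advisories): one row per
# host/advisory pair, with the date the vulnerability became public and
# the date the fix was applied (None means still unpatched).
SAMPLE_RECORDS = [
    {"host": "web01",  "advisory": "ADV-001", "disclosed": date(2003, 9, 10), "patched": date(2003, 9, 17)},
    {"host": "web02",  "advisory": "ADV-001", "disclosed": date(2003, 9, 10), "patched": date(2003, 10, 5)},
    {"host": "db01",   "advisory": "ADV-002", "disclosed": date(2003, 4, 1),  "patched": None},
    {"host": "mail01", "advisory": "ADV-003", "disclosed": date(2003, 10, 1), "patched": date(2003, 10, 3)},
]


def exposure_days(record, as_of):
    """Days the host was (or, if unpatched, still is) exposed to a public vuln.

    For an unpatched record the window is measured up to the as_of date,
    so the number keeps growing until someone applies the fix.
    """
    end = record["patched"] or as_of
    return (end - record["disclosed"]).days


def patch_metrics(records, as_of, sla_days=30):
    """Summarise patching performance as of a given date.

    Returns counts of closed/open items, the mean days-to-patch for closed
    items, the longest-running open exposure, and the open items that have
    blown past the SLA (the ones a script-kiddie is most likely to find).
    """
    closed = [r for r in records if r["patched"] is not None]
    open_items = [r for r in records if r["patched"] is None]
    overdue = [r for r in open_items if exposure_days(r, as_of) > sla_days]
    return {
        "closed": len(closed),
        "open": len(open_items),
        "mean_days_to_patch": mean(exposure_days(r, as_of) for r in closed) if closed else None,
        "max_open_exposure_days": max((exposure_days(r, as_of) for r in open_items), default=0),
        "overdue": sorted(f"{r['host']}:{r['advisory']}" for r in overdue),
    }


if __name__ == "__main__":
    # Report as of the date of this thread (assumption: 21 Oct 2003).
    report = patch_metrics(SAMPLE_RECORDS, as_of=date(2003, 10, 21))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The point of the metric is that "nothing happened" becomes measurable: a shrinking mean days-to-patch and an empty overdue list are evidence you can show the powers-that-be in under a couple of minutes, and the overdue list doubles as the worklist for the next maintenance window.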

---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015
----------------------------------------------------------------------------