Security Basics mailing list archives

Re: Patching

From: Alessandro Bottonelli <abottonelli () libero it>
Date: Tue, 21 Oct 2003 23:13:52 +0200

On Tuesday 21 October 2003 10:33, Ansgar -59cobalt- Wiechers wrote:

On 2003-10-20 Alessandro Bottonelli wrote:

Hmmmm. I am not convinced yet that all this makes sense from a "wider"
security perspective. Must a vulnerability / hole be known to be a
risk?


Yes.

The more I think about it, the more I do not agree. Security is availability,
confidentiality and integrity, isn't it? An unknown hole / vulnerability can
still hit you hard (data loss, data integrity, system availability to name a
few instances). Humans may not know about such vulnerability but systems run
that code, and if the code is flawed, systems do not need humans to fail or
to behave incorrectly from a security perspective.

Just as an example, say I have tested my recovery procedures with system at
revision X.x with applications Y.y and disk/tape drivers at revision Z.z.
Then I patch tape drivers to revision Z.z + n to "close" a known
vulnerabilty. Fine, then I get a fire, go to my cold backup facility, try to
recover from my previous backups and discover that the drivers at the new
revision level write fine onto tapes but then cannot read them right with
system at revision X.x.....

Was the price of closing a known hole that maybe someone one day might have
exploited (and maybe I might have had another option for proctecting my
systems) worth a failed Disaster Recovery?

I am not saying patching is evil, but is dawning on me the idea that is not
"necessarily" good, or in other words its worthness is not axiomatic.

The list suggested a testbed system should be used for testing patches before
going onto production systems. This would be a good step forward in making
patches less dangerous, yet many organizations (or at least most of those I
deal with) cannot (or do not want to) afford such luxury which requires a
duplicate system, time and human resources (and even then I wonder how
thorough and reliable a test would be on a non-production system, probably
not fully interconnected with the whole infrastructure).

Caveat emptor! :-)

--
Alessandro Bottonelli

---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about
network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new
network analysis tool that
makes the complex - easy
www.clearsightnet.com/jmp6-downloadtrial.jsp
----------------------------------------------------------------------------

Current thread:

Patching Alessandro Bottonelli (Oct 20)
- RE: Patching Raoul Armfield (Oct 20)
- Re: Patching Florian Streck (Oct 20)
  - Re: Patching Meritt James (Oct 20)
    - RE: Patching Alexander Suhovey (Oct 21)
    - Re: Patching Meritt James (Oct 21)
- Re: Patching Alessandro Bottonelli (Oct 20)
  - Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
    - Re: Patching Alessandro Bottonelli (Oct 21)
    - Re: Patching Ansgar -59cobalt- Wiechers (Oct 22)
    - RE: Patching Graydon McKee (Oct 22)
  - Re: Patching gregh (Oct 21)
  - RE: Patching Raoul Armfield (Oct 21)
- <Possible follow-ups>
- Re: Patching David Lanagan (Oct 21)
- RE: Patching Erik R. Myers (Oct 21)
- RE: Patching Gunnoe, Jason (Oct 22)
- RE: Patching Tran, John (Oct 22)
  - RE: Patching wbradd (Oct 22)
    - audit (was: Re: Patching Meritt James (Oct 27)