Security Basics mailing list archives

RE: Patching


From: "Tran, John" <John.Tran () unisys com>
Date: Wed, 22 Oct 2003 13:28:34 -0400

I agree with Jason.  First there has to be a reason to patch.  You should
not just go ahead and patch a machine without doing some good analysis.

-----Original Message-----
From: Gunnoe, Jason [mailto:Jason.Gunnoe () thomson com]
Sent: Wednesday, October 22, 2003 9:54 AM
To: Meritt James; security-basics () securityfocus com
Subject: RE: Patching


Mitigation of risk is the key here.  Don't patch without reason.

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com] 
Sent: Monday, October 20, 2003 4:38 PM
To: security-basics () securityfocus com
Subject: Re: Patching

On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:
A thought has been crossing my mind for a long time, I'd like to confront it with the list.

In the "old days" a patch and/or fix was defined as "something that closes a known hole and opens ten unknown holes" :-) Yet, literature and common practices keep saying we should maintain our systems and network appliances up to date with the last patches / software releases.

WHY should I feel safer that way? How can I tell Rev. 1.3 is any better (security-wise) than Rev. 1.2? Is the cost (financial and others) of change management worth it? If so, how can I measure such worthiness?
-- 
Alessandro Bottonelli

A journey of a thousand miles starts with a single step. (10,000 -1) is
less than 10,000.  "Safer" is not "safe".

As long as you are thinking, include that in your "why" considerations.

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566



