Educause Security Discussion mailing list archives
Re: Windows O/S Patching Question
From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Tue, 27 Mar 2012 16:07:25 +0000
I guess the question is, do you want to be the guy who was responsible because a vulnerability that was known for several weeks or even months ... and is 0-day (i.e. Microsoft or Apple learned about it because it was actively being exploited) infected your systems or allowed for a breach because you waited unnecessarily? Remember, attackers these days are not college kids, they're organized crime.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Tuesday, March 27, 2012 11:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows O/S Patching Question

So, if I wait a month or two before installing patches normally and the exploit comes out before the end of my normally (very lax) install cycle, I can call it a 0-day ... I guess that would work if your boss is really clueless :-)

My 2 cents
Joel

--On Monday, March 26, 2012 1:06 PM -0700 David Gillett <gillettdavid () FHDA EDU> wrote:
> > It's TOOOO long if the compromised is out in the wild
>
> That is, I believe, the definition of a "0-day": The "patch window" between discovery of a vulnerability and appearance of an exploit "in the wild" is of zero length, usually because the vulnerability was identified (by vendor or researchers) only by reverse-engineering some new exploit....
>
> ...
>
> I believe it is the task of auditors to verify two assertions:
>
> 1. The institution's policies/procedures meet its business needs, where "meet the requirements of thus-and-such standard" is often accepted as a minimum set of requirements, necessary but not necessarily sufficient to satisfy this assertion, and
>
> 2. Actual operations conform to those policies/procedures.
>
> So to pass an audit is going to require at least (a) a written standard/policy, and (b) an "audit trail" logging actions performed with time and date. If you don't have both of those, you shouldn't pass an audit. Ever. Once you have them, then it's time to look closer at #1 and at the actual needs of the business -- whether regulatory compliance is mandated by legislation, what degree of risk is acceptable, and so forth -- stuff where Senior Management makes some choices, even if the choice is only whether to remain in business or not....
>
> David Gillett, CISSP CCNP
Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
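An added example, not from the thread or from any of its authors, showing the bookkeeping the messages above argue over: it applies David's definition of a 0-day (exploit seen in the wild no later than the vulnerability was discovered), measures each host's exposure window from whichever came first (disclosure or exploitation), flags installs that ran past a fixed install cycle, and keeps the dated audit trail David says an audit requires. The vulnerability ids, host names and dates are constructed sample data; the 30-day install cycle and all function and field names are assumptions of this example.

```python
"""Patch-window bookkeeping (added example; all ids, hosts and dates are
constructed sample data, and the 30-day install cycle is an assumption)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    disclosed: date                         # when vendor/researchers learned of it
    patch_released: date
    exploit_in_wild: Optional[date] = None  # first observed exploitation, if any


def is_zero_day(v: Vulnerability) -> bool:
    """Zero-day per the thread's definition: the exploit was in the wild no
    later than the vulnerability was discovered, so the window between
    discovery and exploitation has zero (or negative) length."""
    return v.exploit_in_wild is not None and v.exploit_in_wild <= v.disclosed


def assess(v: Vulnerability, applied: date, install_cycle_days: int = 30) -> dict:
    """Exposure accounting for one host that applied the patch (or was still
    unpatched) on the date `applied`."""
    # Exposure starts at whichever came first: disclosure or exploitation.
    start = v.disclosed
    if v.exploit_in_wild is not None and v.exploit_in_wild < start:
        start = v.exploit_in_wild
    deadline = v.patch_released + timedelta(days=install_cycle_days)
    return {
        "vuln_id": v.vuln_id,
        "zero_day": is_zero_day(v),
        "exposure_days": (applied - start).days,
        "days_overdue": max(0, (applied - deadline).days),
        "exploited_before_patched": (
            v.exploit_in_wild is not None and v.exploit_in_wild < applied
        ),
    }


@dataclass
class PatchLog:
    """The audit trail: every action recorded with host, item and date, append-only."""
    records: List[dict] = field(default_factory=list)

    def record(self, when: date, host: str, vuln_id: str, action: str) -> None:
        self.records.append(
            {"when": when, "host": host, "vuln_id": vuln_id, "action": action}
        )

    def applied_on(self, host: str, vuln_id: str) -> Optional[date]:
        """Latest recorded patch_applied date for this host/vulnerability, if any."""
        dates = [r["when"] for r in self.records
                 if r["host"] == host and r["vuln_id"] == vuln_id
                 and r["action"] == "patch_applied"]
        return max(dates) if dates else None


def report(vulns: Dict[str, Vulnerability], hosts: List[str], log: PatchLog,
           as_of: date, install_cycle_days: int = 30) -> List[dict]:
    """One finding per (host, vulnerability); unpatched hosts are measured up to `as_of`."""
    findings = []
    for host in hosts:
        for v in vulns.values():
            applied = log.applied_on(host, v.vuln_id)
            finding = assess(v, applied or as_of, install_cycle_days)
            finding["host"] = host
            finding["status"] = "patched" if applied else "unpatched"
            findings.append(finding)
    return findings


# --- constructed sample data ---
SAMPLE_VULNS = {
    "VULN-A": Vulnerability("VULN-A", date(2012, 2, 14), date(2012, 2, 14),
                            exploit_in_wild=date(2012, 3, 20)),
    # Identified by reverse-engineering an exploit already in use: a 0-day.
    "VULN-B": Vulnerability("VULN-B", date(2012, 3, 10), date(2012, 3, 13),
                            exploit_in_wild=date(2012, 3, 8)),
}


def sample_report() -> List[dict]:
    log = PatchLog()
    log.record(date(2012, 2, 20), "ws-02", "VULN-A", "patch_applied")
    log.record(date(2012, 3, 14), "ws-01", "VULN-B", "patch_applied")
    log.record(date(2012, 3, 27), "ws-01", "VULN-A", "patch_applied")
    # ws-02 never applied the VULN-B patch, so it is reported as unpatched.
    return report(SAMPLE_VULNS, ["ws-01", "ws-02"], log, as_of=date(2012, 3, 27))


if __name__ == "__main__":
    for finding in sample_report():
        print(finding)
```

In the sample, ws-01 applied the VULN-A patch 42 days after disclosure and 12 days past the 30-day cycle, with the exploit already circulating a week before the install: exactly the "waited unnecessarily" case Brian describes, and it is not a 0-day. VULN-B is a 0-day by David's definition, and the log makes the difference between the two visible to an auditor.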