Full Disclosure mailing list archives
Re: Getting Off the Patch
From: Valdis.Kletnieks () vt edu
Date: Wed, 19 Jan 2011 10:12:50 -0500
On Wed, 19 Jan 2011 06:25:57 EST, Jeffrey Walton said:
Bottom line is that patching interferes operations and therefore,Its a sad state of affairs when folks put other endeavors, such as uptime, above security.
Not necessarily. It's *usually* true, but not always. Remember - security is tradeoffs. If the security saves you $10,000 in incident handling, but deploying it causes a 20 minute outage that costs you $1,000 a minute in lost business, that's a *bad* tradeoff - in that case, uptime *is* more valuable than security. At that point, the CFO, the CIO, and the head security dude should *all* be looking for your head if you insist on deploying it anyhow. It's easy to think of cases where uptime is considered incredibly important, so they have a load balancer fronting 3 or 4 machines. At the same time, they may not care *too* much about security on those front-end machines that don't actually do much themselves, because if one gets pwned they can just take it out of the load balancer, do forensics, and re-image it without much impact. You can make this re-imaging *really* fast if you are using VMWare or similar, and a smart disk array that does snapshotting - snapshot the system and the disk, then restore to an old known-good snapshot and keep going in literally seconds. At that point, your time to recover from not patching is almost zero, so there's not much incentive to spend time patching. After all, it would be a *great* place to put an unpatched honeypot to gather info that can be used to secure the machines you *care* about. You see the front-end honeypot get hit 3-4 times with an exploit for MS11-093 that doesn't do anything because there's not much on the front-end boxes, you can then make sure your *critical* boxes all have that patch installed. And you really *do* want really good uptime on your honeypots - if it's down 75% of the time because you're doing forensics on it, you're only gathering intelligence from it 25% of the time. End result - you get better results from having a well-understood older image than a potentially destabilizing and less well-understood new image. But yes, those are corner cases where the tradeoffs were thought through and analyzed. And if some place is *blindly* choosing uptime over security, without doing the math, that *is* looking for trouble...
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Getting Off the Patch, (continued)
- Re: Getting Off the Patch Christian Sciberras (Jan 18)
- Re: Getting Off the Patch Cal Leeming [Simplicity Media Ltd] (Jan 19)
- Re: Getting Off the Patch Christian Sciberras (Jan 19)
- Re: Getting Off the Patch Cal Leeming [Simplicity Media Ltd] (Jan 19)
- Re: Getting Off the Patch Valdis . Kletnieks (Jan 18)
- Re: Getting Off the Patch Thor (Hammer of God) (Jan 18)
- Re: Getting Off the Patch Cor Rosielle (Jan 19)
- Re: Getting Off the Patch Jeffrey Walton (Jan 19)
- Re: Getting Off the Patch Christian Sciberras (Jan 19)
- Re: Getting Off the Patch Cor Rosielle (Jan 19)
- Re: Getting Off the Patch Valdis . Kletnieks (Jan 19)
- Re: Getting Off the Patch cpolish (Jan 19)
- Re: Getting Off the Patch Valdis . Kletnieks (Jan 19)
- Re: Getting Off the Patch Thor (Hammer of God) (Jan 19)
- Re: Getting Off the Patch Thor (Hammer of God) (Jan 19)
- Re: Getting Off the Patch Cor Rosielle (Jan 19)
- Re: Getting Off the Patch Pete Smith (Jan 19)
- Re: Getting Off the Patch Cal Leeming [Simplicity Media Ltd] (Jan 19)
- Re: Getting Off the Patch Cal Leeming [Simplicity Media Ltd] (Jan 19)
- Re: Getting Off the Patch Phil (Jan 19)
- Re: Getting Off the Patch Tracy Reed (Jan 19)