Intelligent patching programs….blind best effort patching…what do you do?

Posted on February 25th, 2008 by Drazen Drazic

The number of organisations that rely on patching as their main or only measure against security vulnerabilities still amazes me. The relatively small percentage of organisations that run a proactive vulnerability assessment/management program to understand their environment and the actual risks they face is a concern.

This Computerworld US story follows the usual theme of organisations struggling to patch, patch, patch. (How often do we read stories like this? Is this really news?) I was amazed that VA (vulnerability assessment) got a line or two for a change.

2 Responses to “Intelligent patching programs….blind best effort patching…what do you do?”

  1. “Summary of Recommendations

    Enterprise security teams should seek to minimize their exposure to endpoint agent vulnerabilities, by:

    1. Minimizing the number of machines that run agent software.
    2. Minimizing the number of different agents supported in the enterprise as a whole.”

    http://www.matasano.com/log/646/matasano-security-recommendation-001-avoid-agents/

    Also for fun: http://www.ranum.com/security/computer_security/editorials/master-tzu/index.html

    D2 says, ask not what software you think you need, but what is it you are actually trying to achieve to get the job done and allow others to get theirs done too? Do you really need a fully fledged desktop or server OS? Backups yes. Performance yes. Manageability yes. Patching is a fact of life, minimising the practice is one of our goals. Minimise the service surface also.

    Enumerate the negative, eliminate the negative.
    Enumerate the positive, accentuate the positive.

  2. D2, Thanks for the Ranum link. I’ve forgotten about that one. That is worth a read! It says a lot. Maybe if more journos learned a bit more about our industry, we would not be fed the same garbage (and over and over again). I did an interview with Patrick Gray (Journo and Producer of the Risky Business Podcast) recently where I turned the tables and he was being asked the questions. If more IT journos were like that, we would have a more intelligent IT reporting media. The interview will be on the AISA website soon in the AISA Monthly newsletter. http://www.aisa.org.au

    DD
