Re: [fw-wiz] SCADA

On Tue, 14 Apr 2009, Bertolett, Richard wrote:

Security, particularly cyber-security, is best implemented in layers.
So yes, you do need an anti-virus system, and yes, you do need to apply
MS security patches, and you do need firewalls, a DMZ, and ways to keep
the users from doing things on SCADA computers that they should not be
doing. But easy should never be a driver in security decisions, it is
much more secure to retrieve patches and virus sigs from an internal
server, say little of the internet connection bandwidth usage.

The other side of the coin is that adding layers adds complexity and code-
and adding code adds bugs- so you don't *always* get a net security gain
by adding "protecion." That's not even factoring in having to update the
update infrastructure, configuration complexity, or a bunch of other

Adding layers should be done on a risk-based basis, with the probability
of failure of a particular control or the elevation of a particular attack
vector taken into account.

Also, the "obvious" choices aren't always the best ones. I can stop more
Windows malware with permissions and group policies than I can with
anti-virus software for instance.

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list

firewall-wizards mailing list

Relevant Pages

  • Re: Is VMS losing the Financial Sector, also?
    ... there were 46 security patches: ... we see *one* critical server-related security patch in 6 ... revision and config management and App re-cert testing processes just do ... It's *stupid* to install Samba and NFS and yp/nis and GNOME and 1000 other apps on a dedicated web server, and it's just as stupid to install non-essential stuff on a dedicated Samba server. ...
  • RE: Is VMS losing the Financial Sector, also?
    ... there were 46 security patches: ... we see *one* critical server-related security patch in 6 ... Click a button to filter by All, Security, Bug fixes, Enhancements. ... You don't seem to know very much about Linux package management. ...
  • RE: My system has been hacked!
    ... If you only recently installed the security patches, ... other than IIS, such as IE or even Windows itself. ... And even if you install all the security patches and lock ...
  • RE: IIS on 443 replaced by serv-u
    ... It sounds like your system was compromised before installing the patch. ... More information on creating slip-streamed installs of Windows can ... Download the Security Patch Management Guide: ... It's important to not that not all security patches are offered by the ...
  • Re: Should I install SP1 for Win 7?
    ... experimentation over the lemmings any day. ... security patches Microsoft provides than they can with them. ... That is because trusting in security patches to protect your system ...