Re: [Full-disclosure] Getting Off the Patch

On Wed, 19 Jan 2011 06:25:57 EST, Jeffrey Walton said:
Bottom line is that patching interferes operations and therefore,
Its a sad state of affairs when folks put other endeavors, such as
uptime, above security.

Not necessarily. It's *usually* true, but not always. Remember - security is
tradeoffs. If the security saves you $10,000 in incident handling, but
deploying it causes a 20 minute outage that costs you $1,000 a minute in lost
business, that's a *bad* tradeoff - in that case, uptime *is* more valuable
than security. At that point, the CFO, the CIO, and the head security dude
should *all* be looking for your head if you insist on deploying it anyhow.

It's easy to think of cases where uptime is considered incredibly important, so
they have a load balancer fronting 3 or 4 machines. At the same time, they may
not care *too* much about security on those front-end machines that don't
actually do much themselves, because if one gets pwned they can just take it
out of the load balancer, do forensics, and re-image it without much impact.
You can make this re-imaging *really* fast if you are using VMWare or similar,
and a smart disk array that does snapshotting - snapshot the system and the
disk, then restore to an old known-good snapshot and keep going in literally
seconds. At that point, your time to recover from not patching is almost zero,
so there's not much incentive to spend time patching.

After all, it would be a *great* place to put an unpatched honeypot to
gather info that can be used to secure the machines you *care* about. You see
the front-end honeypot get hit 3-4 times with an exploit for MS11-093 that
doesn't do anything because there's not much on the front-end boxes, you can
then make sure your *critical* boxes all have that patch installed. And you
really *do* want really good uptime on your honeypots - if it's down 75% of the
time because you're doing forensics on it, you're only gathering intelligence
from it 25% of the time.

End result - you get better results from having a well-understood older image
than a potentially destabilizing and less well-understood new image.

But yes, those are corner cases where the tradeoffs were thought through and
analyzed. And if some place is *blindly* choosing uptime over security, without
doing the math, that *is* looking for trouble...

Attachment: pgpBP0jezWFNr.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: Way OT: How long does your box run for?
    ... > grows in direct correlation to system uptime (which should reflect more on ... > my perceived knowledge of security and paranoia than on the Project's ... we used to have boxes with uptimes in the 900 day range. ... As a security professional, I get irked ...
    (freebsd-questions)
  • Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Sec
    ... network, internet, power), one should require a Security SLA. ... performs a process and maintains a level of security, risk, privacy, ... 99.995% uptime why shouldn't security. ...
    (Security-Basics)
  • Re: non-random IP IDs
    ... >>> there is a site that calculates server uptime from these numbers. ... > go without security advisories for over a year. ... just as good, and sometimes better, than the vendor fix for the ... with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)
  • Re: system is up 1 year
    ... What references do you want? ... I run a Router/Firewall with Linux 2.4.32 and its uptime is currently ... Linux 2.6 have to many security problems as it can ...
    (Debian-User)
  • Re: honeypot in conjunction with pen test?
    ... this is a question from the point of view of the customer of ... > You were happy but I expect that the pen-testers were really ... >> position a honeypot in the facility, ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)