Uptime vs. security policy (Was: Re: Sun Solaris login bug patches out)

From: bergman@merctech.com
Date: 01/01/02


To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: bergman@merctech.com
Date: Tue, 01 Jan 2002 19:58:02 +0100


In your message dated: Mon, 31 Dec 2001 10:54:28 PST,
The pithy ruminations from Cy Schubert - ITSD Open Systems Group on
<Re: Sun Solaris login bug patches out > were:
=> In message <Pine.LNX.4.05.10112292206020.5128-100000@jp-gp.vsi.nl>,
=> Jan-Philip
=> Velders writes:
=> >
=> > > Date: Thu, 27 Dec 2001 14:24:16 -0800
=> > > From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
=> > > Subject: Re: Sun Solaris login bug patches out
=> > > [ ... ]
=> >
=> > > A UNIX box with a high uptime is indicative of that box not being
=> > > maintained with the latest security patches.
=> >
=> > or in my book: a system which has been set up securely !
=>
=> So a system that hasn't been rebooted to install kernel or libc
=> security patches is just as secure as one that does not have the
=> patches?
=>
=> I'm excluding clustered systems from this argument.

Um, why? A tightly clustered system (using Sun Clustering, VCS, etc., as opposed
to a loosely "clustered" group of machines managed via load balancers, external
application servers, etc.) usually should have all machines at the same patch
level, particularly for things like kernel services. In that case, you'll see
uptime of individual machines that's not exceptional. Of course, the advantage
to clustering is that the reboots can be staged so that they don't affect
user-visible operations.

=>
=> >
=> > > IMO I think it's a shame that this attitude is part of the UNIX
=> > > culture.
=> >
=> > Why ? UNIX systems have been growing into a role, where downtime (no
=> > matter what amount) is becoming more and more *unacceptable*.
=> >

        [SNIP!]

=>
=> It's been documented that historically 80% of exploits are perpetrated
=> by insiders, e.g. employees. Your firewall protects you from the 20%
=> of the attacks that come from the outside. On the inside you need to

I'm not taking issue with your numbers here, but you're confusing exploits with
attempts. While the vast majority of successful exploits may come from insiders,
I think that an overwhelmingly greater number of exploit _attempts_ come from
outsiders. That "20% of attacks that come from the outside" is probably the
result of hundreds of times more attempts than the 80% of insider exploits. If
not for good firewalls and security that's biased against attacks from the
outside, we'd see the stats on external vs. insider exploits reversed. I'm not
saying that you can ignore the internal threat, but that should also be much
easier to quantify, judge the risk, and manage through non-technical means than
the external threat.
  
=> make sure that your software is as resistant to attack as possible.
=>
        [SNIP!]

=> >
=> > You have to take a lot of things into account:
=> > * security
=> > * stability
=> > * work-load (how much overtime is allowed by management !?)
=> > * homogeneity between systems
=> > etc.

Absolutely.

        [SNIP!]

=> >
=> > > Regards,
=> > > Cy Schubert
=> >
=> > Kind Regards,
=> > JP Velders
=> >
=>
=>
=>
=> Regards, Phone: (250)387-8437
=> Cy Schubert Fax: (250)387-5766
=> Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca
=> Open Systems Group, ITSD
=> Ministry of Management Services
=> Province of BC
=> FreeBSD UNIX: cy@FreeBSD.org
=>
=>
=>

-----
Mark Bergman Biker, Rock Climber, Unix mechanic, IATSE #1 Stagehand
'94 Yamaha GTS1000A
bergman@panix.com

http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=bergman%40panix.com

I want a newsgroup with an infinite S/N ratio! Now taking CFV on:
rec.motorcycles.stagehands.pet-bird-owners.pinballers.unix-supporters
5+ So Far--Want to join? Check out: http://www.panix.com/~bergman
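The check behind the argument above, written out as an added example (this is
not code from the original post or from any of the people quoted in it). The
thread's point is that "high uptime" on its own is only a hint; the concrete
condition you can test is "a patch that touches the kernel or libc was installed
after the current boot, so the fixed code is on disk but not running". The script
parses `showrev -p` output, maps each patch to its packages, and flags patches in
reboot-sensitive packages whose install time is later than the boot time.
Assumptions, labelled in the code as well: the list of "needs a reboot" package
prefixes is a starting point I chose, not a Sun-published one; the mtime of
`/var/sadm/patch/<id>` is used as the install time; the boot time comes from
`kstat -p unix:0:system_misc:boot_time`; and the patch ids, package lists and
timestamps in the sample data are constructed, not real patches.

```python
"""Added example: find Solaris patches installed since boot that need a reboot.

Not from the original mailing-list post. Package prefixes, the use of directory
mtimes as install times, and the sample data below are all assumptions.
"""
import os
import re
import subprocess
import time

# Packages whose files only take effect at boot: kernel/platform modules
# (SUNWcar*, SUNWkvm*), core root filesystem incl. /kernel (SUNWcsr) and core
# shared libraries incl. libc (SUNWcsl*).  Assumption: a reasonable starting
# list for Solaris 8/9, not an official one; extend it for your release.
REBOOT_PACKAGE_PREFIXES = ("SUNWcar", "SUNWkvm", "SUNWcsr", "SUNWcsl")

# One line of `showrev -p` output.
SHOWREV_RE = re.compile(
    r"^Patch:\s*(?P<id>\S+)\s+Obsoletes:\s*(?P<obs>.*?)\s*"
    r"Requires:\s*(?P<req>.*?)\s*Incompatibles:\s*(?P<inc>.*?)\s*"
    r"Packages:\s*(?P<pkgs>.*)$"
)

# Constructed sample data (patch ids are placeholders, not real Sun patches).
SAMPLE_SHOWREV = """\
Patch: 100001-03 Obsoletes:  Requires: 100002-01 Incompatibles:  Packages: SUNWcar, SUNWcarx, SUNWcsr, SUNWcsu, SUNWkvm
Patch: 100002-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl, SUNWcslx
Patch: 100003-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsshdu, SUNWsshu
"""
SAMPLE_BOOT_TIME = 1009800000          # constructed epoch: late Dec 2001
SAMPLE_INSTALL_TIMES = {
    "100001-03": SAMPLE_BOOT_TIME + 86400,   # kernel patch, applied after boot
    "100002-01": SAMPLE_BOOT_TIME - 3600,    # libc patch, applied before boot
    "100003-05": SAMPLE_BOOT_TIME + 200000,  # ssh patch, no reboot needed
}


def parse_showrev(text):
    """Return {patch_id: [package, ...]} from `showrev -p` output."""
    patches = {}
    for line in text.splitlines():
        m = SHOWREV_RE.match(line.strip())
        if not m:
            continue
        pkgs = [p.strip() for p in m.group("pkgs").split(",") if p.strip()]
        patches[m.group("id")] = pkgs
    return patches


def needs_reboot(packages):
    """True if any package is one whose files are only loaded at boot."""
    return any(p.startswith(REBOOT_PACKAGE_PREFIXES) for p in packages)


def pending_reboot_patches(patches, install_times, boot_time):
    """Ids of reboot-sensitive patches installed after boot_time (sorted)."""
    pending = []
    for pid, pkgs in patches.items():
        installed = install_times.get(pid)
        if installed is None or not needs_reboot(pkgs):
            continue
        if installed > boot_time:
            pending.append(pid)
    return sorted(pending)


def summarize(patches, install_times, boot_time, now=None):
    """Uptime in days plus the list of patches that are on disk but not live."""
    now = time.time() if now is None else now
    return {
        "days_up": (now - boot_time) / 86400.0,
        "pending": pending_reboot_patches(patches, install_times, boot_time),
    }


# --- live-system helpers (assumptions about where Solaris keeps the data) ---
def patch_install_times(patch_root="/var/sadm/patch"):
    """Assumption: mtime of /var/sadm/patch/<id> approximates the install time."""
    times = {}
    if os.path.isdir(patch_root):
        for pid in os.listdir(patch_root):
            path = os.path.join(patch_root, pid)
            if os.path.isdir(path):
                times[pid] = os.stat(path).st_mtime
    return times


def solaris_boot_time():
    """`kstat -p unix:0:system_misc:boot_time` prints 'name<TAB>epoch_seconds'."""
    out = subprocess.check_output(
        ["kstat", "-p", "unix:0:system_misc:boot_time"], text=True)
    return int(out.split()[-1])


if __name__ == "__main__":
    # Offline run on the constructed sample; on a Solaris box replace the three
    # inputs with showrev -p output, patch_install_times() and solaris_boot_time().
    result = summarize(parse_showrev(SAMPLE_SHOWREV), SAMPLE_INSTALL_TIMES,
                       SAMPLE_BOOT_TIME, now=SAMPLE_BOOT_TIME + 30 * 86400)
    print("up %.1f days, patched-but-not-active: %s"
          % (result["days_up"], ", ".join(result["pending"]) or "none"))
```

On the sample data the ssh patch is ignored (its packages are not reboot-sensitive)
and the libc patch predates the boot, so only the kernel patch is reported. Note
what the script cannot tell you: whether the box is missing patches it has never
had installed. That needs the vendor's current recommended-patch list compared
against `showrev -p`, which is a separate check from "installed but not active".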
