Re: Patching

From: Alessandro Bottonelli (abottonelli_at_libero.it)
Date: 10/20/03

    To: security-basics@securityfocus.com
    Date: Mon, 20 Oct 2003 23:40:05 +0200
    
    

    OK, so the main idea I get from the list is: a known hole is fixed and the
    others are (for the moment) unknown. Therefore, patching is a good idea.

    Hmmmm. I am not convinced yet that all this makes sense from a "wider"
    security perspective. Must a vulnerability / hole be known to be a risk?
    Security risks do not all come from "out there" and "bad guys" trying to
    exploit a vulnerability. System errors, data loss may very well occur from
    holes that are very unknown (or very honest operators that make mistakes).

    Once I get a very well oiled and stable infrastructure, I personally suffer
    every time I have to disturb that balance. There's a lot of interdependability
    among the various elements of the whole system. Application X at release n.m
    needs Middleware Y at release j.k that in turn requires OS Z at release l.m
    that in turn.... every time I touch something I feel that I have no control
    (but that could be just me) of where the ripples are going to end up to.

    In such an interdependable environment, even if I assume that I have increased
    the level of security of one element by patching, I am not convinced that I
    can say I have increased the security level of the whole.

    Sorry if I cannot at the moment phrase it correctly, but there is a loophole
    in the "patching is necessarily good" axiom that I cannot grasp entirely.

    Hmmm, this morning caffeine is not gone yet, huh?

    -- 
    Alessandro Bottonelli