Re: Patching

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 10/22/03

  • Next message: Steve: "Re: How can you trust a company you don't know?"
    Date: Wed, 22 Oct 2003 12:57:32 +0200
    To: security-basics@securityfocus.com
    
    

    On 2003-10-21 Alessandro Bottonelli wrote:
    > On Tuesday 21 October 2003 10:33, Ansgar -59cobalt- Wiechers wrote:
    > > On 2003-10-20 Alessandro Bottonelli wrote:
    > > > Hmmmm. I am not convinced yet that all this makes sense from a
    > > > "wider" security perspective. Must a vulnerability / hole be known
    > > > to be a risk?
    > >
    > > Yes.
    >
    > The more I think about it, the more I do not agree. Security is
    > availability, confidentiality and integrity, isn't it? An unknown hole
    > / vulnerability can still hit you hard (data loss, data integrity,
    > system availability to name a few instances). Humans may not know
    > about such vulnerability but systems run that code, and if the code is
    > flawed, systems do not need humans to fail or to behave incorrectly
    > from a security perspective.

    Availability, confidentiality and integrity are separate issues that
    have to be addressed in different ways. When talking about security (at
    least on this list) the majority is referring to confidentiality and
    partly integrity (to the extent that data isn't manipulated by
    unauthorized persons). At least that's my perception. Please correct me
    if I'm wrong.

    You are right that might affect availability and/or integrity and that
    those issues need to be taken into consideration, but AFAIK they are
    usually not considered _security_ risks.

    [...]
    > Was the price of closing a known hole that maybe someone one day might
    > have exploited (and maybe I might have had another option for
    > proctecting my systems) worth a failed Disaster Recovery?

    Deal with that problem when you run into it. That's what you test
    patches for. There is no point in avoiding a patch just because it
    *might* break something.

    If it breaks something you will have to make a decision whether to apply
    it (and forfeit on some functionality) or not (and face the risk of
    getting 0wnzed). That decision can only be made for each individual
    incident.

    If anyone happens to have a golden rule here, I'd like to know too ;)

    > I am not saying patching is evil, but is dawning on me the idea that
    > is not "necessarily" good, or in other words its worthness is not
    > axiomatic.

    It may rise other problems, but it gets you rid of a security breach
    that is known to the world. That's the only point I was referring to.

    > The list suggested a testbed system should be used for testing patches
    > before going onto production systems. This would be a good step
    > forward in making patches less dangerous, yet many organizations (or
    > at least most of those I deal with) cannot (or do not want to) afford
    > such luxury which requires a duplicate system, time and human
    > resources (and even then I wonder how thorough and reliable a test
    > would be on a non-production system, probably not fully interconnected
    > with the whole infrastructure).

    There has been a discussion on this a while ago, and there were some
    valuable suggestions (e.g. using VMware). You might want to take a look
    into the list's archive.

    Regards
    Ansgar Wiechers

    ---------------------------------------------------------------------------
    Visual & Easy-to-use are not words that you think of when talking about
    network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new network analysis tool that
    makes the complex - easy
    http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021
    ----------------------------------------------------------------------------


  • Next message: Steve: "Re: How can you trust a company you don't know?"

    Relevant Pages

    • Re: Patching
      ... Security is availability, ... confidentiality and integrity, isn't it? ... to behave incorrectly from a security perspective. ... revision X.x with applications Y.y and disk/tape drivers at revision Z.z. ...
      (Security-Basics)
    • Re: AppArmor FAQ
      ... MLS systems) attaches security policy to the data. ... through the system, the label sticks to the data, and so security ... Enforcement was specifically designed to be able to address integrity ... _and_ confidentiality in a way acceptable to commercial organizations. ...
      (Linux-Kernel)
    • Re: classification shceme of security concept
      ... (confidentiality, trust, access control, replication, integrity, ... well, there is the CIA triad (confidentiality, integrity, ... disposed a differents concept related to security domain ...
      (alt.computer.security)
    • Re: Thou shalt have no other gods before the ANSI C standard
      ... A great example of a system where confidentiality is more important ... than availability. ... >Nixing the ATM service suddenly seems like a very attractive solution. ... A good example of a system where integrity is more important ...
      (sci.crypt)
    • Re: classification shceme of security concept
      ... classification scheme of taxonomy of security concept ... (confidentiality, trust, access control, replication, integrity, ... i'm not sure trust falls into any of them... ...
      (alt.computer.security)