> One thing that irritates me is the notion that "the
> patch has been out for x
> months and companies should be patched."

I would have to agree. I have conducted assessments at enough locations to know that simply arbitrarily installing a patch can do more harm than good. And not all organizations have the staff, technical know-how, or hardware to test out patches. However, I do think that more should be done by individual organizations to come up with *some* means of dealing with these issues. Yes, Microsoft has done quite a bit with their products to make them a management and administrative nightmare, but I am also quite sick of hearing the excuse that organizations aren't subscribing to the Security Bulletins b/c there are just too many to deal with. It doesn't take much more than a few seconds to see if the issue affects you at all...if you use Eudora, then an Outlook vulnerability won't be an issue, will it? Arbitrarily installing every patch that comes out isn't the answer. But neither is doing nothing. Do router/firewall ACLs need to be updated? What about IDS signatures?

> Should admins be diligent in patching?
> Absolutely. Laziness is really
> the only reason for not working on patches.
> However, keep in mind that
> while a shop with 20 servers can be patched
> carefully in a week or less, a
> shop with 300 can take significantly more time.

I agree. However, look at Code Red...had admins followed the simple tenet of not allowing unnecessary services or functionality, the ida/idq script mappings would have been disabled during or following installation, and the systems would not have been vulnerable. Many of the affected systems didn't even require the functionality. Same is true for the older .htr issue. Being diligent w/ patches is certainly something important, but it's far more important to be diligent w/ issues. Default installations of products...any products...are going to come back and bite you in the butt.
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
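The post's point about the ida/idq and .htr script mappings is the kind of thing an admin can audit rather than take on faith. The following is an added example, not code from the original post: it parses IIS 5-style ScriptMaps entries (the `<ext>,<dll path>,<flags>,<verb>,...` layout is assumed from the IIS metabase format) and reports which of the mappings named in the thread are still enabled on a server that does not need them. The sample entries are constructed for illustration.

```python
# Added example: audit IIS script mappings for handlers the thread above names
# (.ida/.idq -> idq.dll, the Code Red vector; .htr -> ism.dll, the older issue).
# The line layout "<ext>,<dll path>,<flags>,<verb>,<verb>,..." is an assumption
# based on how IIS 5 stores ScriptMaps in the metabase.
from typing import Dict, Iterable, List, NamedTuple, Tuple


class ScriptMap(NamedTuple):
    ext: str        # extension, lower-cased, e.g. ".ida"
    handler: str    # ISAPI DLL that services the extension
    flags: int      # metabase script-map flags (1 = script engine)
    verbs: List[str]  # HTTP verbs the mapping is allowed for


# Mappings the post says most affected servers never needed (assumed set).
RISKY_EXTENSIONS: Dict[str, str] = {
    ".ida": "Index Server ISAPI (idq.dll): Code Red vector",
    ".idq": "Index Server ISAPI (idq.dll): Code Red vector",
    ".htr": "Web-based password administration (ism.dll): older .htr issue",
}


def parse_script_maps(lines: Iterable[str]) -> List[ScriptMap]:
    """Parse ScriptMaps-style lines; blank lines and '#' comments are skipped."""
    maps: List[ScriptMap] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3:
            raise ValueError(f"malformed script map entry: {raw!r}")
        verbs = [v.upper() for v in parts[3:] if v]
        maps.append(ScriptMap(parts[0].lower(), parts[1], int(parts[2]), verbs))
    return maps


def find_unneeded_mappings(maps: Iterable[ScriptMap],
                           needed_exts: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (ext, handler, reason) for risky mappings the site has not declared it needs."""
    needed = {e.lower() for e in needed_exts}
    return [(m.ext, m.handler, RISKY_EXTENSIONS[m.ext])
            for m in maps if m.ext in RISKY_EXTENSIONS and m.ext not in needed]


# Constructed sample: a default-looking IIS 5 mapping table.
SAMPLE_SCRIPT_MAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST,TRACE",
    ".idq,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST,TRACE",
    ".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST",
]

if __name__ == "__main__":
    for ext, handler, reason in find_unneeded_mappings(parse_script_maps(SAMPLE_SCRIPT_MAPS)):
        print(f"{ext} -> {handler}: {reason}")
```

Pass the extensions a site genuinely uses in `needed_exts` so only the mappings that can be removed are reported.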
This archive was generated by hypermail 2b30 : Thu Jan 03 2002 - 10:08:44 PST