Security Basics mailing list archives

RE: Patching


From: "wbradd" <wbradd () comcast net>
Date: Wed, 22 Oct 2003 19:15:51 -0400

The problem is when auditors come in, if you don't have all the patches
listed for an OS, they will write you up even if the system is not
accessible except from the terminal.



-----Original Message-----
From: Tran, John [mailto:John.Tran () unisys com]
Sent: Wednesday, October 22, 2003 1:29 PM
To: 'Gunnoe, Jason'; Meritt James; security-basics () securityfocus com
Subject: RE: Patching


I agree with Jason.  First there has to be a reason to patch.  You should
not just go ahead and patch a machine without doing some good analysis.

-----Original Message-----
From: Gunnoe, Jason [mailto:Jason.Gunnoe () thomson com]
Sent: Wednesday, October 22, 2003 9:54 AM
To: Meritt James; security-basics () securityfocus com
Subject: RE: Patching


Mitigation of risk is the key here.  Don't patch without reason.

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Monday, October 20, 2003 4:38 PM
To: security-basics () securityfocus com
Subject: Re: Patching

On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:
A thought has been crossing my mind for a long time, I'd like to
confront it with the list.

In the "old days" a patch and/or fix was defined as "something that
closes a known hole and opens ten unknown holes" :-) Yet, literature and
common practices keep saying we should maintain our systems and network
appliances up to date with the last patches / software releases.

WHY should I feel safer that way? How can I tell Rev. 1.3 is any better
(security-wise) than Rev. 1.2? Is the cost (financial and others) of
change management worth it? If so, how can I measure such worthness?
--
Alessandro Bottonelli

A journey of a thousand miles starts with a single step. (10,000 -1) is
less than 10,000.  "Safer" is not "safe".

As long as you are thinking, include that in your "why" considerations.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
