Dailydave mailing list archives

RE: Media Excitement!


From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 21 Apr 2005 17:06:23 -0400

At 03:21 PM 4/21/2005, Kohlenberg, Toby wrote:
"Aitel disputes the mantra that patches are the ultimate remedy.
"Patching is terribly expensive," he says. "You have to test and test to
ensure that your applications all work after the patch. And then
deploying a patch in a medium-sized firm will cost many hundreds of
thousands. How many companies are prepared - or even have - this kind of
money to spend on deploying a patch?""

Okay, so I agree with every one of these statements.
Now, what's the alternative to patching?

The alternative is better network management.

I've become a disciple of the zen network manager masters ;) Anyone read
books like 'Visible Ops'? It basically says there are 4 types of networks:

1 - those that continuously have unplanned outages (including self-inflicted ones)
2 - those that have enough controls to enforce change management
3 - those that have enough controls to build their systems the same every time
4 - those that do 2 & 3, but try to increase available uptime and also
    lower outage times

The reason that patching is a pain in the ass is that we don't
know what is on our networks. If you have a better idea of what
is on your network, you can have better controls in place to
compensate for your risks.

Said another way, would you rather secure a bunch of computers
that are configured exactly the same, or attempt to secure random
configurations? Now how about incident response?

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
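The post argues that patching and incident response get cheaper once you know what is on the network and every system is built the same way. The following script, added here as an illustration and not part of Ron Gula's message or any Tenable product, makes that concrete: it compares scan results against a "golden build" baseline and an asset register, reporting hosts that have drifted, hosts nobody registered, and how many distinct configurations exist (roughly, how many builds a patch would have to be tested against). The baseline, the asset register, the host names and the observed settings are all constructed sample data.

```python
"""Configuration-drift and asset-inventory check (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed "golden build": the settings every workstation is supposed to have.
GOLDEN_BUILD: Dict[str, str] = {
    "os_build": "XP-SP2-2005-04",
    "av_signature": "2005.04.20",
    "smb_signing": "required",
    "admin_share": "disabled",
}

# Constructed asset register: the hosts that change management knows about.
ASSET_REGISTER = {"ws-001", "ws-002", "ws-003"}

# Constructed scan results: what was actually observed on the network.
OBSERVED: List[Dict[str, str]] = [
    {"host": "ws-001", "os_build": "XP-SP2-2005-04", "av_signature": "2005.04.20",
     "smb_signing": "required", "admin_share": "disabled"},
    {"host": "ws-002", "os_build": "XP-SP2-2005-04", "av_signature": "2005.04.20",
     "smb_signing": "required", "admin_share": "disabled"},
    {"host": "ws-003", "os_build": "XP-SP1-2004-11", "av_signature": "2005.04.20",
     "smb_signing": "optional", "admin_share": "disabled"},
    # A box nobody registered: the "we don't know what is on our networks" case.
    {"host": "ws-099", "os_build": "XP-SP1-2004-11", "av_signature": "2004.12.01",
     "smb_signing": "optional", "admin_share": "enabled"},
]

Deviation = Tuple[str, str, Optional[str]]  # (setting, expected, actual)


def drift(baseline: Dict[str, str], record: Dict[str, str]) -> List[Deviation]:
    """List every baseline setting the scanned record does not match.

    A setting the scan did not report at all counts as a deviation (actual=None),
    because an unknown value cannot be assumed compliant.
    """
    deviations: List[Deviation] = []
    for key, expected in baseline.items():
        actual = record.get(key)
        if actual != expected:
            deviations.append((key, expected, actual))
    return deviations


def audit(baseline: Dict[str, str], register: set, observed: List[Dict[str, str]]):
    """Return (drifted, unknown).

    drifted maps host -> deviations from the golden build;
    unknown is the sorted list of hosts seen on the wire but absent from the register.
    """
    drifted: Dict[str, List[Deviation]] = {}
    unknown: List[str] = []
    for rec in observed:
        host = rec["host"]
        if host not in register:
            unknown.append(host)
        deviations = drift(baseline, rec)
        if deviations:
            drifted[host] = deviations
    return drifted, sorted(unknown)


def distinct_builds(observed: List[Dict[str, str]], keys: List[str]) -> Dict[tuple, List[str]]:
    """Group hosts by configuration fingerprint.

    The number of groups approximates how many different configurations a patch
    has to be tested against before it can be rolled out with confidence.
    """
    groups: Dict[tuple, List[str]] = defaultdict(list)
    for rec in observed:
        fingerprint = tuple(rec.get(k) for k in keys)
        groups[fingerprint].append(rec["host"])
    return dict(groups)


if __name__ == "__main__":
    drifted, unknown = audit(GOLDEN_BUILD, ASSET_REGISTER, OBSERVED)
    for host, devs in drifted.items():
        for key, expected, actual in devs:
            print(f"{host}: {key} expected {expected!r}, found {actual!r}")
    print("unregistered hosts:", unknown)
    builds = distinct_builds(OBSERVED, list(GOLDEN_BUILD))
    print(f"{len(builds)} distinct configuration(s) to test a patch against")
```

With the constructed data, two of four hosts match the golden build, ws-003 has drifted on two settings, ws-099 is both unregistered and off-baseline on every setting, and the fleet presents three distinct configurations to test against rather than one.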

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
