On Wed, 19 Jan 2011 06:25:57 EST, Jeffrey Walton said: > > Bottom line is that patching interferes operations and therefore, > Its a sad state of affairs when folks put other endeavors, such as > uptime, above security. Not necessarily. It's *usually* true, but not always. Remember - security is tradeoffs. If the security saves you $10,000 in incident handling, but deploying it causes a 20 minute outage that costs you $1,000 a minute in lost business, that's a *bad* tradeoff - in that case, uptime *is* more valuable than security. At that point, the CFO, the CIO, and the head security dude should *all* be looking for your head if you insist on deploying it anyhow. It's easy to think of cases where uptime is considered incredibly important, so they have a load balancer fronting 3 or 4 machines. At the same time, they may not care *too* much about security on those front-end machines that don't actually do much themselves, because if one gets pwned they can just take it out of the load balancer, do forensics, and re-image it without much impact. You can make this re-imaging *really* fast if you are using VMWare or similar, and a smart disk array that does snapshotting - snapshot the system and the disk, then restore to an old known-good snapshot and keep going in literally seconds. At that point, your time to recover from not patching is almost zero, so there's not much incentive to spend time patching. After all, it would be a *great* place to put an unpatched honeypot to gather info that can be used to secure the machines you *care* about. You see the front-end honeypot get hit 3-4 times with an exploit for MS11-093 that doesn't do anything because there's not much on the front-end boxes, you can then make sure your *critical* boxes all have that patch installed. And you really *do* want really good uptime on your honeypots - if it's down 75% of the time because you're doing forensics on it, you're only gathering intelligence from it 25% of the time. End result - you get better results from having a well-understood older image than a potentially destabilizing and less well-understood new image. But yes, those are corner cases where the tradeoffs were thought through and analyzed. And if some place is *blindly* choosing uptime over security, without doing the math, that *is* looking for trouble...
Attachment:
pgpUa790Jsy4R.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/