Study: Bad security flaws don't die

  1. #1
    Banned
    Join Date
    Apr 2003
    Posts
    3,839

    Study: Bad security flaws don't die

    A study of Internet security flaws showed that for serious issues, half of vulnerable systems remain unfixed after 30 days.
    The more serious the vulnerability, the quicker the companies patched it, the study found. Companies took longer to fix flaws thought to be less serious--as much as 60 days longer--by which time, in 80 percent of the cases, security researchers and hackers had released programs to exploit the flaws.
    http://zdnet.com.com/2100-1105_2-5058058.html

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    My own network sort of mirrors that. On some systems it's almost impossible to shut down everything and make a patch. In some cases the risk of screwing up a critical process outweighs the need and risk to patch. So... patches are applied taking risk of attack and risk of downtime. The more devastating the risk of attack, the more likely a patch will get applied.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Tony Bradley posted a thread that discussed liability resting on parties who do not secure their boxes that end up involved in a hacking incident. If that gets passed into law, it looks like there will be *quite* a few offenders out there.

    Anyway, just goes to show that there is *a lot* of work to be done in the industry in regards to security awareness and remediation.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I dunno..... Nowadays, with the cost of hardware, I find it hard to understand how major companies with mission critical servers do not have the systems configured in such a way that they can step through a server at a time, patching them while others bear the load, and then bring them online to take the next one down. Strikes me that if you can't do that then there is pretty much no redundancy built into your system.

    OTOH.... I have the advantage of working where my public servers are not mission critical.... That and the fact that I am an excellent Bull$h1tter and if I want the machines down I can find a reason why they failed on their own and we are fixing them.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    BWAHAHAHAHAHAHA!!!

    That's not bull$h1tting, that is social engineering.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Member
    Join Date
    Jul 2003
    Posts
    63
    Some companies take long to fix flaws because either the system administrators are lazy and don't want to do anything about it, or they don't want to take the risk of the patch messing everything up and having a lot of downtime.

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    The problem lies in the "window" of opportunity to apply patches where you can actually have the downtime. Very few companies can afford to have exact mock-ups of every little system and interface that can traverse the globe and repair itself at the touch of a button. I know of only one that I have ever worked on. And when you enter a complex enterprise, you may have 100 different pieces of software that require patches at any one time. It sucks.

    I do have a few super critical apps that have a Microsoft cluster and in theory you can bring one node down, patch it and bring it up then take the other one down, etc. It actually works some of the time. Load balancing is easy when all you are doing is serving up a web page. It gets much more difficult when you are interfacing different flavors of database schema across many interfaces.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
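The rolling node-by-node patching that posts #4 and #7 describe (drain one node, patch it, bring it back, take the next one down) only works when the remaining nodes can carry the load and when a freshly patched node is actually verified before it serves traffic again. The following is an added illustration, not code from this thread or from any product the posters mention: a small planner that walks a pool behind a load balancer one node at a time, refuses to drain a node when doing so would drop the pool below a minimum serving count (the "no redundancy" case from #4), and halts on a failed post-patch health check rather than continuing to the next node (the "works some of the time" case from #7). The `Node` class, `apply_patch`, `make_health_check` and `run_scenario` are constructed stand-ins for a real inventory, patch step and probe.

```python
"""Rolling-patch planner with capacity and health gating.

Constructed example: the node pool, patch step and health probe are
stand-ins, not a real load balancer or package manager.
"""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    version: str
    healthy: bool = True   # last health-check result
    in_pool: bool = True   # currently receiving traffic from the balancer


def rolling_patch(nodes, target_version, min_in_pool, patch, health_check):
    """Patch one node at a time while at least min_in_pool healthy nodes serve.

    Returns a list of (node_name, action) log entries. The run halts, leaving
    the current node drained, if taking it out would breach min_in_pool or if
    it fails its health check after patching, so a bad patch never spreads
    past the first node and never serves traffic.
    """
    log = []
    for node in nodes:
        if node.version == target_version:
            log.append((node.name, "skip: already at target version"))
            continue

        # Capacity gate: count the healthy nodes that would still be serving.
        serving = [n for n in nodes if n.in_pool and n.healthy and n is not node]
        if len(serving) < min_in_pool:
            log.append((node.name, "halt: draining would leave %d < %d nodes serving"
                        % (len(serving), min_in_pool)))
            return log

        node.in_pool = False          # drain: stop sending it traffic
        log.append((node.name, "drained"))
        patch(node, target_version)   # the actual maintenance step

        # Health gate: only a node that passes its probe goes back into rotation.
        node.healthy = health_check(node)
        if not node.healthy:
            log.append((node.name, "halt: failed health check after patch; left out of pool"))
            return log
        node.in_pool = True
        log.append((node.name, "patched and returned to pool"))

    log.append(("all", "complete"))
    return log


def apply_patch(node, target_version):
    """Constructed stand-in for the real patch step (e.g. a package manager run)."""
    node.version = target_version


def make_health_check(bad_nodes):
    """Constructed probe: nodes listed in bad_nodes fail after patching."""
    def check(node):
        return node.name not in bad_nodes
    return check


def run_scenario(names, min_in_pool, bad_nodes=()):
    """Build a pool of nodes at version 1.0 and roll them to 1.1."""
    nodes = [Node(n, "1.0") for n in names]
    log = rolling_patch(nodes, "1.1", min_in_pool, apply_patch,
                        make_health_check(set(bad_nodes)))
    return nodes, log


if __name__ == "__main__":
    for label, args in [("3 nodes, keep 2 serving", (["a", "b", "c"], 2)),
                        ("2 nodes, keep 2 serving (no redundancy)", (["a", "b"], 2)),
                        ("3 nodes, node b fails its probe", (["a", "b", "c"], 1, ["b"]))]:
        _, log = run_scenario(*args)
        print(label)
        for name, action in log:
            print("  %-4s %s" % (name, action))
```

The second scenario is the situation post #4 calls out: with only two nodes and a requirement that two keep serving, the planner cannot drain anything and the patch never starts. The third shows why the health gate matters: node `b` fails after patching and stays out of the pool, node `c` is never touched, and the operator is left with a clear stopping point instead of a half-broken cluster.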
