Printable View
Quote:
A study of Internet security flaws showed that for serious issues, half of vulnerable systems remain unfixed after 30 days.
http://zdnet.com.com/2100-1105_2-5058058.htmlQuote:
The more serious the vulnerability, the quicker the companies patched it, the study found. Companies took longer to fix flaws thought to be less serious--as much as 60 days longer--by which time, in 80 percent of the cases, security researchers and hackers had released programs to exploit the flaws.
My own network sort of mirros that. On some systems it's almost impossible to shut down everything and make a patch. In some cases the risk of screwing up a critical process outweigh the need and risk to patch. So... patches are applied taking risk of attack and risk of downtime. The more devestaing the risk of attack the more likely a patch will get applied.
Tony Bradley posted a thread that discussed liability resting on parties who do not secure their boxes that end up involved in a hacking incident. If that gets passed into law, it looks like there will be *quite* a few offenders out there.
Anyway, just goes to show that there is *a lot* of work to be done in the industry in regards to security awareness and remediation.
--TH13
I dunno..... Nowadays, with the cost of hardware I find it hard to understand how major companies with mission critical servers do not have the systems configured in such a way so they can step through server at a time patching them while others bear the load and then bring them online to take the next down. Strikes me that if you can't do that then there is pretty much no redundancy built into your system.
OTOH.... I have the advantage of working where my public servers are not mission critical.... That and the fact that I am an excellent Bull$h1tter and if I want the machines down I can find a reason why they failed on their own and we are fixing them..... :cool:
BWAHAHAHAHAHAHA!!!
That's not bull$h1tting, that is social engineering. ;)
Some Companies take long to fix flaws because either the System Administrators are lazy and don't want to do anything about it or they don't want to take the risk of the patch messing everything up and having alot of down time
The problem lies in the "window" of opportunity to apply patches where you can actually have the down time.. very few companies can afford to have exact mock ups of every little system and interface that can transverse the globe and repair itself at the touch of a button. I know of only one that I have ever worked on. And when you enter a complex enterprise, you may have 100 different pieces of software that require patches at any one time. It sucks.
I do have a few super critical apps that have a Microsoft cluster and in theory you can bring one node down, patch it and bring it up then take the other one down, etc. It actually works some of the time. Load balancing is easy when all you are doing is serving up a web page. It gets much more difficult when you are interfacing different flavors of database schema across many interfaces.