Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Getting Off the Patch
From: Valdis.Kletnieks () vt edu
Date: Wed, 19 Jan 2011 10:12:50 -0500

On Wed, 19 Jan 2011 06:25:57 EST, Jeffrey Walton said:
Bottom line is that patching interferes operations and therefore,
Its a sad state of affairs when folks put other endeavors, such as
uptime, above security.

Not necessarily.  It's *usually* true, but not always. Remember - security is
tradeoffs.  If the security saves you $10,000 in incident handling, but
deploying it causes a 20 minute outage that costs you $1,000 a minute in lost
business, that's a *bad* tradeoff - in that case, uptime *is* more valuable
than security.  At that point, the CFO, the CIO, and the head security dude
should *all* be looking for your head if you insist on deploying it anyhow.

It's easy to think of cases where uptime is considered incredibly important, so
they have a load balancer fronting 3 or 4 machines. At the same time, they may
not care *too* much about security on those front-end machines that don't
actually do much themselves, because if one gets pwned they can just take it
out of the load balancer, do forensics, and re-image it without much impact.
You can make this re-imaging *really* fast if you are using VMWare or similar,
and a smart disk array that does snapshotting - snapshot the system and the
disk, then restore to an old known-good snapshot and keep going in literally
seconds.  At that point, your time to recover from not patching is almost zero,
so there's not much incentive to spend time patching.

After all, it would be a *great* place to put an unpatched honeypot to
gather info that can be used to secure the machines you *care* about. You see
the front-end honeypot get hit 3-4 times with an exploit for MS11-093 that
doesn't do anything because there's not much on the front-end boxes, you can
then make sure your *critical* boxes all have that patch installed.  And you
really *do* want really good uptime on your honeypots - if it's down 75% of the
time because you're doing forensics on it, you're only gathering intelligence
from it 25% of the time.

End result - you get better results from having a well-understood older image
than a potentially destabilizing and less well-understood new image.

But yes, those are corner cases where the tradeoffs were thought through and
analyzed. And if some place is *blindly* choosing uptime over security, without
doing the math, that *is* looking for trouble...

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]