The Cost of Patching

I saw this assertion go by and it stood out:

The bigger cost would be the cost of not patching. Such items as downtime will affect more staff/users than patching will.

That’s not a fair statement. There is much more to the discussion than whether to patch or not to patch, or “stuff this for a lark, let’s convert to Mac or Linux”.

The discussion so far has treated the issue as black and white.
There is, admittedly, one black-and-white distinction: devices that face the Internet versus those that are not accessible to or from the ‘Net.

But what about the “grey”? Not all patches have the same criticality, even for ‘Net-facing devices.

And there’s more to security – even of the Internet-facing devices – than patching software.

I subscribe to the SANS @RISK: The Consensus Security Vulnerability Alert, which summarizes the most important vulnerabilities and exploits identified during the past week. Along with the CVE it gives a brief description. There is no mention of criticality, but presumably you can figure it out, since in the past Microsoft has deemed ‘non-critical’ vulnerabilities that the community at large has deemed very critical.

Yes, you have to figure out how important it is rather than take a “fix it all right now” attitude.

Stop and think: what controls do you have in place that will mitigate the threat(s) that can exploit this vulnerability? What will be the effect if this vulnerability *is* exploited? Can that be mitigated?

All in all, you *should* have controls in place that *will* mitigate *potential* as well as actual flaws and vulnerabilities. You shouldn’t need to wait for a vendor or third party to tell you there is a hole that you need to fix. Let’s face it: we all know that all software, even the patches, is going to be buggy. Anyone who designs on the assumption that it isn’t is living in a dream world.
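The three questions above (what controls already blunt the threat, what the impact of exploitation would be, and whether that impact can be reduced) are the inputs to a patch-triage decision. The following is an added example, not code from the original post: it ranks a constructed set of vulnerabilities across constructed hosts by effective severity, Internet exposure and the compensating controls actually present on each host, and turns the score into an action other than “fix it all right now”. The identifiers, hosts, control names, weights and thresholds are all assumptions for illustration, not real advisories or a published scoring scheme.

```python
"""Patch triage: exposure + severity + compensating controls -> action.

Added example, not from the original post. All hosts, vulnerabilities,
control names, weights and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Vendor/community ratings mapped to a numeric base score (assumed scale).
SEVERITY_SCORE = {"critical": 4, "important": 3, "moderate": 2, "low": 1}

# Decision thresholds on the final score (assumed values).
PATCH_NOW = 6
SCHEDULE = 3


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    controls: FrozenSet[str]  # compensating controls present on this host


@dataclass(frozen=True)
class Vulnerability:
    ident: str
    vendor_severity: str     # what the vendor says
    community_severity: str  # what the wider community says (may differ)
    mitigated_by: FrozenSet[str]  # controls that blunt exploitation of this flaw


def effective_severity(v: Vulnerability) -> int:
    """Take the worse of the vendor and community ratings; vendors have
    under-rated flaws the community considered critical."""
    return max(SEVERITY_SCORE[v.vendor_severity],
               SEVERITY_SCORE[v.community_severity])


def triage(v: Vulnerability, h: Host) -> Tuple[int, str, FrozenSet[str]]:
    """Score one vulnerability on one host and return (score, action, covering controls)."""
    score = effective_severity(v)
    # Exposure: an Internet-facing host doubles the weight of the flaw.
    if h.internet_facing:
        score *= 2
    # Each compensating control that actually covers this flaw reduces urgency.
    covered = v.mitigated_by & h.controls
    score = max(score - len(covered), 0)
    if score >= PATCH_NOW:
        action = "patch now"
    elif score >= SCHEDULE:
        action = "schedule in next maintenance window"
    else:
        action = "accept risk and monitor"
    return score, action, covered


def rank_patch_queue(vulns: Iterable[Vulnerability],
                     hosts: Iterable[Host]) -> List[Tuple[str, str, int, str]]:
    """Return (host, vuln, score, action) for every pairing, most urgent first."""
    queue = []
    for h in hosts:
        for v in vulns:
            score, action, _ = triage(v, h)
            queue.append((h.name, v.ident, score, action))
    queue.sort(key=lambda row: row[2], reverse=True)
    return queue


# Constructed inventory and advisories (not real systems or CVEs).
HOSTS = {
    "web01": Host("web01", True, frozenset({"waf", "network_segmentation"})),
    "hr-db": Host("hr-db", False, frozenset({"network_segmentation", "no_local_admin"})),
}
VULNS = {
    # Vendor says "important", community says "critical"; a WAF blunts it.
    "vuln-a": Vulnerability("vuln-a", "important", "critical", frozenset({"waf"})),
    # Local privilege escalation; removing local admin rights blunts it.
    "vuln-b": Vulnerability("vuln-b", "critical", "critical", frozenset({"no_local_admin"})),
    # Low-rated flaw only reachable across the network.
    "vuln-c": Vulnerability("vuln-c", "low", "moderate", frozenset({"network_segmentation"})),
}

if __name__ == "__main__":
    for host, vuln, score, action in rank_patch_queue(VULNS.values(), HOSTS.values()):
        print(f"{host:6} {vuln:7} score={score} -> {action}")
```

The same flaw lands in different buckets on different hosts: vuln-a is “patch now” on the Internet-facing web server even with a WAF in front of it, but only “schedule” on the internal database, and vuln-c drops to “monitor” where segmentation already covers it. That is the grey area the post is arguing for, made explicit and reviewable.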

Like, how rapidly are you upgrading to Windows 7?
And why? (Or why not?)


Perhaps it’s a ‘new can of worms’. Many people running well-stabilized installations of XP are reluctant to upgrade, since they fear that the new starting point will be a step backwards for them.

One size doesn’t fit all.
This might not be the fix you’re looking for, anyway, so move along.


About the author

Security Evangelist
