I saw this assertion go by and it stood out:
The bigger cost would be the cost of not patching. Such items as downtime will affect more staff/users than patching will.
The issue so far has been black and white.
There is a black and white difference between devices that face the internet and those that are not accessible to or from the 'Net.
But what about the "grey"? Not all patches have the same criticality, even for 'Net-facing devices.
And there's more to security - even of the Internet-facing devices - than patching software.
I subscribe to the SANS @RISK: The Consensus Security Vulnerability Alert, which summarizes the most important vulnerabilities and exploits identified during the past week. Along with the CVE it gives a brief description. No mention of criticality, but presumably you can figure it out, since in the past Microsoft has deemed as 'non-critical' vulnerabilities that the community at large has deemed very critical.
Yes, you have to figure out how important it is rather than take a "fix it all right now" attitude.
Stop and think: what controls do you have in place that will mitigate the threat(s) that can exploit this vulnerability? What will be the effect if this vulnerability *is* exploited? Can that be mitigated?
All in all, you *should* have controls in place that *will* mitigate *potential* as well as actual flaws and vulnerabilities. You shouldn't need to wait for a vendor or third party to tell you there is a hole that you need to fix. Let's face it, we all know that all software, even the patches, is going to be buggy. Anyone who designs on the assumption that it isn't is living in a dream world.
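To make the "stop and think" questions above concrete, here is a small triage model I have added as an illustration (it is not part of the original post and not anything SANS publishes): exposure, the higher of the vendor and community ratings, the effect if exploited, whether an exploit is public, and the compensating controls already in place all feed one score, which decides whether a patch is urgent or can wait. The CVE ids, weights and thresholds are constructed placeholders you would tune to your own environment.

```python
from dataclasses import dataclass, field

# Constructed rating scale and weights (placeholders, not a published standard).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Vuln:
    cve: str                  # placeholder id, not a real advisory
    exposure: str             # "internet" or "internal"
    vendor_severity: str      # what the vendor says
    community_severity: str   # what the wider community says (may exceed the vendor's rating)
    impact_if_exploited: str  # effect on the business if it *is* exploited
    exploit_public: bool      # is a working exploit circulating?
    controls: list = field(default_factory=list)  # compensating controls already in place

def triage(v):
    """Return (decision, score, reasons) for one vulnerability."""
    reasons = []
    # Use the higher of the two ratings: vendors have under-rated before.
    sev = max(SEVERITY[v.vendor_severity], SEVERITY[v.community_severity])
    if SEVERITY[v.community_severity] > SEVERITY[v.vendor_severity]:
        reasons.append("community rates this above the vendor rating")
    score = sev * SEVERITY[v.impact_if_exploited]
    if v.exposure == "internet":          # the black-and-white part
        score *= 2
        reasons.append("internet-facing")
    if v.exploit_public:
        score += 4
        reasons.append("public exploit")
    for c in v.controls:                  # the grey part: each mitigating control lowers urgency
        score -= 2
        reasons.append(f"mitigated by {c}")
    score = max(score, 0)
    if score >= 16:
        decision = "patch now"
    elif score >= 8:
        decision = "next maintenance window"
    else:
        decision = "defer, keep monitoring"
    return decision, score, reasons

def prioritise(vulns):
    """Order a batch of vulnerabilities, most urgent first."""
    return sorted(vulns, key=lambda v: triage(v)[1], reverse=True)

# Constructed sample batch, as an @RISK-style weekly digest might leave you with.
SAMPLE = [
    Vuln("CVE-0000-0001", "internet", "high", "high", "high", True),
    Vuln("CVE-0000-0002", "internal", "medium", "medium", "low", False),
    Vuln("CVE-0000-0003", "internet", "low", "high", "medium", False, ["WAF rule", "egress filtering"]),
    Vuln("CVE-0000-0004", "internal", "critical", "critical", "critical", True),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(v.cve, *triage(v))
```

Note that the internal-only item with a public exploit and critical impact still lands in "patch now", while the internet-facing one the vendor rated low drops to the maintenance window only because two controls already mitigate it.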
Like, how rapidly are you upgrading to Windows 7?
And why? (or why not?)
Perhaps it's a 'new can of worms'. Many people running well-stabilized versions of XP are reluctant to upgrade since they fear that the new starting point will be a step backwards for them.
One size doesn't fit all.
This might not be the fix you're looking for, anyway, so move along.