Its not my boss, but in conversations with many people that span many companies, the general line of thought seems to be "until there is an active exploit that is blowing away machines on my network, we will do nothing. After all, not every vulnerability that is published is followed by a bad exploit. And not every bad exploit manages to get inside. Your asking me to spend real money on a theoritical problem. Remember: IT is a cost center, something where you do everything possible to reduce costs and expendatures."
The above are not my thoughts, they are a condensed version of many conversations. Do I think it is penny wise and pound foolish? Yes. Do I think these people are not seeing the big picture? Yes. But, I'm just an advisor. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eric LeBlanc Sent: Wednesday, April 28, 2004 9:36 AM To: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] no more public exploits and general PoC gui de lines On Tue, 27 Apr 2004, Jedi/Sector One wrote: > On Tue, Apr 27, 2004 at 04:05:13PM -0400, [EMAIL PROTECTED] wrote: > > Are you saying that unless there's an exploit > > that gives you access to the target machine > > your company wouldn't patch > > It's a matter of priority. > > For most PHBs, proactive security must be very low priority because > keeping systems up to date doesn't bring any money to the company. > Just to tell your boss that the worm/DoS/exploit/wathever-that-will-cause-a-severe-damage-on-machines-and-ne twork will cost them more than keeping their system up to date (with proof). It's enough to convince them that the patching will save them a *LOT* of money and time (if the patch don't broke the system of course, especially with microsoft patches). If they don't want to understand it.. Well, I want to be there when their system will have a virus/wathever just to see their face :-) Oh, it's possible that the VP of company will tell to you that it's YOUR fault... E. -- Eric LeBlanc [EMAIL PROTECTED] -------------------------------------------------- UNIX is user friendly. It's just selective about who its friends are. ================================================== _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ***************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. ***************************************************************************** _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
