I think an IT (or corporate) overreaction is typical of these kinds of
events. How many people have labs now set up to test MS updates and then
find themselves getting farther and farther behind?  As somebody said,
sometimes the cure is worse than the disease.       

-----Original Message-----
From: Angus Scott-Fleming [mailto:[email protected]] 
Sent: Monday, April 26, 2010 9:24 PM
To: NT System Admin Issues
Subject: Re: OT what is the lesson for IT departments and AV vendors after MCAFEE issue " update"

On 26 Apr 2010 at 10:26, Ziots, Edward  wrote:

> With your situation that probably is a better situation of the "wait and
> see" but what happens when the 0day that is being exploited and the patch
> comes out of cycle, do you still subscribe to the "wait and see" and allow
> the drive by attacks to continue? Hard question I am sure, but it's a risk
> that has to be either accepted or rejected.

Depends on the client.  For clients where I have been able to put a "nobody
runs as an admin user" policy in place I let them go longer.  For clients
where for business reasons (unusual software, mostly, but sometimes inertia)
everybody is a local admin I'm aggressive about patching.  I still let it go
a day or two usually.  Needless to say it's more expensive to support those
types of clients.

> Also if you are supporting multiple small clients any way to do testing in
> the office on VM's before having clients updated accordingly? I like VM's in
> undoable mode, for this especially, either that or do snap-shots before
> patching and roll-back as needed.

Not cost effective IMHO.  In small businesses almost every computer is 
different, different hardware, different software.

Like any insurance policy, AV and patching is a crap-shoot.  Most of the time
you win.  The few times you lose, in a small business the cost is *_usually_*
less than the accumulated cost of all the proactive work you would have had to
do.  In a large business where many people run identical or nearly-identical
machines the cost of losing the crap-shoot is so high in terms of lost
(wo)man-hours that you don't bet that way.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/




