Honestly, it's all a "risk-based" decision. If you have additional compensating controls in place, then you can afford the buffer; some organizations don't, and have higher risk to begin with.

I don't agree so much with the corporate IT comment about testing and validation of MS patches before rolling them out to the organization. That is a sound change management process, and the organization/business understands the risk related to not having the latest patches on the machines until they are validated. I like to look at it from a view of business impact: if I can take a little more time to validate a patch before I roll it out to 10K+ machines, that's better than rolling out a non-validated patch that causes system issues and downtime. You can multiply that by the hours down and the people not working, as the cost to the bottom line you caused your business by rolling out a non-validated, non-approved patch to your security baseline. The dollars and the business pain add up quite quickly.

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

-----Original Message-----
From: Angus Scott-Fleming [mailto:[email protected]]
Sent: Tuesday, April 27, 2010 12:24 AM
To: NT System Admin Issues
Subject: Re: OT what is the lesson for IT departments and AV vendors after MCAFEE issue "update"

On 26 Apr 2010 at 10:26, Ziots, Edward wrote:

> With your situation that probably is a better situation of the "wait and
> see" but what happens when the 0day that is being exploited and the patch
> comes out of cycle, do you still subscribe to the "wait and see" and allow
> the drive-by attacks to continue? Hard question I am sure, but it's a risk
> that has to be either accepted or rejected.

Depends on the client. For clients where I have been able to put a "nobody runs as an admin user" policy in place I let them go longer. For clients where for business reasons (unusual software, mostly, but sometimes inertia) everybody is a local admin I'm aggressive about patching. I still let it go a day or two usually. Needless to say it's more expensive to support those types of clients.

> Also if you are supporting multiple small clients any way to do testing in
> the office on VMs before having clients updated accordingly? I like VMs in
> undoable mode, for this especially, either that or do snap-shots before
> patching and roll-back as needed.

Not cost effective IMHO. In small businesses almost every computer is different: different hardware, different software. Like any insurance policy, AV and patching is a crap-shoot. Most of the time you win. The few times you lose, in a small business the cost is *_usually_* less than the accumulated cost of all the proactive work you would have had to do. In a large business where many people run identical or nearly-identical machines the cost of losing the crap-shoot is so high in terms of lost (wo)man-hours that you don't bet that way.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
