
| Subject: | RE: exploit to vulnerability |
|---|---|
| Date: | Fri, 19 Aug 2005 10:42:31 -0700 |
Murad,

Your question is a business question, not a technology question. The answer therefore is: it depends on the needs of the business.

Personally, my opinion is that for *most* companies, it will be cheaper (long term) to immediately deploy security updates and roll them back if problems are encountered, than it would be to do a test pass on the security updates and then deploy and get hit with a worm in the interim. (Segregating high-risk machines from the immediate deployment might be appropriate for some companies as a middle ground: immediately patch all desktops while doing risk analysis/test/staged deployment on the servers, for instance.)

Cleaning up from a worm can be very expensive. For reasons unknown to me, all of the "nasty" worms we've seen have been for the most part very benign. Imagine how much worse this situation would be if the Zotob/Sasser/Blaster/Slammer authors had put a "Del c:\*.* /s" instruction somewhere in their code. Imagine how much more expensive cleaning up from that worm would be. Many firms, quite honestly, would simply not be able to recover from that. Many firms would go out of business if that were to happen.

Ultimately, whether and when to install updates is a decision that management must make based on a risk analysis. Customers not willing or able to do a risk analysis will simply never know the right answer for them. Weigh the costs of patching and the probabilities of incurring those costs. Weigh the costs of not patching and the probabilities of incurring those costs. This is the classic Expected Value principle taught in Economics 101.

-Matt

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Friday, August 19, 2005 1:11 AM
To: focus-ms@securityfocus.com
Subject: exploit to vulnerability

With all the issues highlighting the speed at which exploits are now being written (e.g. http://www.securityfocus.com/news/11285), the window between exploit and vulnerability appears, on average, to be getting tighter.

We have an SME network, and I used to have a week or so to test patches before rolling them out. This all begs the question now: with limited resources, do I just patch and not worry about testing? I definitely have fewer resources than some of the companies that were hit (CNN et al.) and less time to dedicate to patching. Should I just use auto updates/GP to patch everything regardless? What do other SME admins do?

Kind Regards
Murad Talukdar
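The expected-value comparison Matt describes, carried out in code as an added illustration; this is not code from either post. Every probability and cost in it is a constructed placeholder (the per-day chance that an exploit reaches an unpatched host, the chance that a given update is bad, the chance that one day of testing catches a bad update, and the per-host cleanup and rollback costs), and the `HostGroup`, `RiskModel` and strategy names are assumptions made for the example. The three strategies compared are the ones the thread raises: patch everything immediately, test for a week and then patch (Murad's former practice), and Matt's middle ground of patching desktops immediately while the server patches go through a test pass.

```python
"""Expected-cost comparison of patch deployment strategies.

Added illustration of the Expected Value argument in the thread above;
not code from the original posts. Every probability and cost below is a
constructed placeholder: replace it with your own organisation's numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostGroup:
    name: str
    hosts: int
    cost_worm_per_host: float      # cleanup cost if a worm reaches an unpatched host
    cost_rollback_per_host: float  # cost of backing out a bad patch that reached production


@dataclass(frozen=True)
class RiskModel:
    daily_exploit_hazard: float    # P(worm/exploit hits an unpatched host on a given day)
    p_bad_patch: float             # P(the update itself breaks something)
    daily_catch_rate: float        # P(one day of testing reveals a bad patch)
    cost_testing_per_day: float    # staff time spent per day of testing


def p_hit_while_unpatched(test_days: int, daily_hazard: float) -> float:
    """Probability of at least one exploit arrival during `test_days` of delay.

    Memoryless (geometric) arrival model: zero days of delay means zero
    exposure attributable to the delay itself.
    """
    return 1.0 - (1.0 - daily_hazard) ** test_days


def p_bad_patch_reaches_production(test_days: int, model: RiskModel) -> float:
    """Probability that a bad patch is shipped anyway after `test_days` of testing."""
    p_caught = 1.0 - (1.0 - model.daily_catch_rate) ** test_days
    return model.p_bad_patch * (1.0 - p_caught)


def expected_cost(group: HostGroup, test_days: int, model: RiskModel) -> float:
    """Expected cost of delaying deployment to `group` by `test_days`.

    E[cost] = testing labour
            + P(hit during the window) * worm cleanup across the group
            + P(bad patch shipped)     * rollback cost across the group
    """
    testing = model.cost_testing_per_day * test_days
    worm = (p_hit_while_unpatched(test_days, model.daily_exploit_hazard)
            * group.cost_worm_per_host * group.hosts)
    rollback = (p_bad_patch_reaches_production(test_days, model)
                * group.cost_rollback_per_host * group.hosts)
    return testing + worm + rollback


# Constructed sample environment: a small SME network (placeholder figures).
DESKTOPS = HostGroup("desktops", hosts=200, cost_worm_per_host=400.0, cost_rollback_per_host=50.0)
SERVERS = HostGroup("servers", hosts=10, cost_worm_per_host=4000.0, cost_rollback_per_host=15000.0)
MODEL = RiskModel(daily_exploit_hazard=0.02, p_bad_patch=0.10,
                  daily_catch_rate=0.30, cost_testing_per_day=500.0)

# Strategy -> days each group waits in testing before the patch is deployed.
STRATEGIES = {
    "patch everything now": {"desktops": 0, "servers": 0},
    "test 7 days, then patch everything": {"desktops": 7, "servers": 7},
    "desktops now, servers after 7-day test": {"desktops": 0, "servers": 7},
}


def compare_strategies(groups, model: RiskModel, strategies=STRATEGIES) -> dict:
    """Return {strategy name: total expected cost} across all host groups."""
    by_name = {g.name: g for g in groups}
    return {
        name: sum(expected_cost(by_name[gname], days, model) for gname, days in plan.items())
        for name, plan in strategies.items()
    }


def cheapest_strategy(groups, model: RiskModel, strategies=STRATEGIES) -> str:
    """Name of the strategy with the lowest expected cost under `model`."""
    costs = compare_strategies(groups, model, strategies)
    return min(costs, key=costs.get)


if __name__ == "__main__":
    for name, cost in compare_strategies([DESKTOPS, SERVERS], MODEL).items():
        print(f"{name:40s} expected cost {cost:10.2f}")
    print("cheapest:", cheapest_strategy([DESKTOPS, SERVERS], MODEL))
```

With the placeholder figures the middle ground comes out cheapest: the desktops are cheap to roll back and expensive to clean up en masse, so they get patched at once, while the servers' high rollback cost justifies a week of testing. Raising `cost_worm_per_host` (the destructive-payload case Matt describes) pushes every group toward immediate deployment, and the model makes that shift explicit rather than leaving it to intuition.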