Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Patch Management on Critical Servers (Healthcare)

from [Michael Scheidell] Network Security [Permanent Link]
Subject: RE: Patch Management on Critical Servers (Healthcare)
Date: Mon, 8 May 2006 17:38:13 -0400 


-----Original Message-----
From: beinm@ummhc.org [mailto:beinm@ummhc.org] 
Sent: Monday, May 08, 2006 9:02 AM
To: focus-ms@securityfocus.com
Subject: Patch Management on Critical Servers (Healthcare)


Hello

 

I'm just curious to hear how people in the field have been 
handling patch management with critical servers. Have you 
setup maintenance windows? If, so how did you manage the down 
time? What have people been doing if the device or server has 
an approved FDA configuration? Are you using thing like WSUS?


Since critical server patching should be done according to normal,
standard it best practices (test them and QA them first) I will address
the FDA validated systems.

You are in a catch22 (to, I guess 33)
#1, you can't modify a validated system in such a was as to it having
even the slightest possibility of change the results (this is especially
true for a 'medical device')

If the system 'a medical device' was provided by the manufacturer, get
all patches and updates from them.
(this is a dead end, mostly, they won't change them)

#2, you can't put anti-virus software on it (that could change results)

#3, you can't let a hacker change it either :-)

So, what to do?
If it is a FDA validated system, ask supplier to patch it.  If they
won't, its usually due to the above rules.
Only option is to put them on isolated networks, vlans, separated by
their own firewalls or ACL's so that only the VERY LIMITED access is
given.


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Patch Management on Critical Servers (Healthcare), Jim Stagg
Next by Date:  Sniffer question, ricci
Previous by Thread:  Re: Patch Management on Critical Servers (Healthcare), Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Next by Thread:  Re: Patch Management on Critical Servers (Healthcare), Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Indexes:  [Date] [Thread] [Top] [All Lists]