lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <12821.1295449970@localhost>
Date: Wed, 19 Jan 2011 10:12:50 -0500
From: Valdis.Kletnieks@...edu
To: noloader@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Getting Off the Patch

On Wed, 19 Jan 2011 06:25:57 EST, Jeffrey Walton said:
> > Bottom line is that patching interferes operations and therefore,
> Its a sad state of affairs when folks put other endeavors, such as
> uptime, above security.

Not necessarily.  It's *usually* true, but not always. Remember - security is
tradeoffs.  If the security saves you $10,000 in incident handling, but
deploying it causes a 20 minute outage that costs you $1,000 a minute in lost
business, that's a *bad* tradeoff - in that case, uptime *is* more valuable
than security.  At that point, the CFO, the CIO, and the head security dude
should *all* be looking for your head if you insist on deploying it anyhow.

It's easy to think of cases where uptime is considered incredibly important, so
they have a load balancer fronting 3 or 4 machines. At the same time, they may
not care *too* much about security on those front-end machines that don't
actually do much themselves, because if one gets pwned they can just take it
out of the load balancer, do forensics, and re-image it without much impact.
You can make this re-imaging *really* fast if you are using VMWare or similar,
and a smart disk array that does snapshotting - snapshot the system and the
disk, then restore to an old known-good snapshot and keep going in literally
seconds.  At that point, your time to recover from not patching is almost zero,
so there's not much incentive to spend time patching.

After all, it would be a *great* place to put an unpatched honeypot to
gather info that can be used to secure the machines you *care* about. You see
the front-end honeypot get hit 3-4 times with an exploit for MS11-093 that
doesn't do anything because there's not much on the front-end boxes, you can
then make sure your *critical* boxes all have that patch installed.  And you
really *do* want really good uptime on your honeypots - if it's down 75% of the
time because you're doing forensics on it, you're only gathering intelligence
from it 25% of the time.

End result - you get better results from having a well-understood older image
than a potentially destabilizing and less well-understood new image.

But yes, those are corner cases where the tradeoffs were thought through and
analyzed. And if some place is *blindly* choosing uptime over security, without
doing the math, that *is* looking for trouble...

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ