Welcome to the Virus.Org Mailing List Archive




Re: Impressions - April Microsoft Patches

  • To: "Patch Management Mailing List" <[EMAIL PROTECTED]>
  • Subject: Re: Impressions - April Microsoft Patches
  • From: Brian Parent <[EMAIL PROTECTED]>
  • Date: Wed, 14 Apr 2004 11:35:58 -0700
  • In-reply-to: <[EMAIL PROTECTED]>
  • Mail-followup-to: Patch Management Mailing List <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
  • Reply-to: "Patch Management Mailing List" <[EMAIL PROTECTED]>
This might be too much of a digression for the moderator to allow,
but basically, I don't think the CAIDA analysis concludes that people
should stop patching, just that efforts be redirected, because the
current game of whack-a-mole is a losing effort.

For those who haven't read the study, another important quote from
it:

	When users participating in the best security practice that can be
	reasonably expected get infected with a virulent and damaging worm, we
	need to reconsider the notion that end user behavior can solve or even
	effectively mitigate the malicious software problem and turn our
	attention toward both preventing software vulnerabilities in the first
	place and developing large-scale, robust and reliable infrastructure
	that can mitigate current security problems without relying on end user
	intervention.

"Preventing software vulnerabilities in the first place" is the most
effective and efficient, but possibly also the least likely solution to
surface in the short term.  I'm hopeful that future generations of
programmers will obtain better training, but they'll always be human,
and hence prone to mistakes, and the timeline of the results of such
changes is eons away in internet time.

As long as there is a business pressure to be first to market, and as 
long as the effort to be first to market is rewarded with market share,
software companies will continue to produce lower quality code with
more bugs, security and otherwise.

It might be suggested that reversing such a market pressure is up to
the consumer, yet it isn't reasonable to expect the general consumer, 
a non software expert, to judge software quality.  We might consider
setting up some way that software experts' opinions of quality could
be researched in an easy way by consumers, yet maintaining the integrity
of such a system might become the insurmountable problem.  Plus, 
differences of opinion on technical matters don't necessarily boil down
to terms decipherable by non-technical consumers.

CAIDA's second suggestion,

	...and developing large-scale, robust and reliable infrastructure
	that can mitigate current security problems without relying on end user
	intervention.

is beyond my expertise to comment on, though it seems the more likely to
bear fruit.  I look forward to reading comments from experts about the 
viability and outlines of such an option.

Re:
> Date: Tue, 13 Apr 2004 22:53:39 -0600
> From: Jon Pitts <[EMAIL PROTECTED]>
> To: "Patch Management Mailing List" <[EMAIL PROTECTED]>
> Subject: RE: Impressions - April Microsoft Patches
> 
> I wonder if anyone would like to comment on this analysis of the Witty Worm
> outbreak by CAIDA.
> 
> http://www.caida.org/analysis/security/witty/
> 
> The part that got my attention was "The patch model for Internet security has
> failed spectacularly" These folks at CAIDA are no chumps, however the study
> was sponsored in part by Cisco (the makers of NAS). Anyway, it says..
> 
> "The vulnerable host population pool for the Witty worm was quite different
> from that of previous virulent worms....In contrast, the Witty worm infected a
> population of hosts that were proactive about security -- they were running
> firewall software. The Witty worm also started to spread the day after
> information about the exploit and the software upgrades to fix the bug were
> available"
> 
> and goes on to say..
> 
> .."Witty was the first widespread Internet worm to attack a security
> product. .. the fact that all victims were compromised via their firewall
> software the day after a vulnerability in that software was publicized
> indicates that the security model in which end-users apply patches to plug
> security holes is not viable"...
> 
> ..."The patch model for Internet security has failed spectacularly"...
> 
> Don't shoot the mailman. CAIDA is addressing the Internet at large, and is
> recognizing home/end users. I was wondering if there are any big plans for the
> future of Patch Management as an Internet security solution in light of Zero
> Day attacks, Network device attacks, and End User weaknesses.
> 
> 
> thanks
> jon
> 
> 
> 
> 
> 
> Quoting Kerry Steele <[EMAIL PROTECTED]>:
> 
>  With exploit code surfacing the same day, it would be nice to have some
>  form of advanced warning about possible mitigation techniques ahead of
>  time (if any).  Seems like a repeat of the lack of timely information
>  similar to MS04-007.
> 
>  What good is a patch management tool when the vendors don't release
>  patches for 6-9 months, by which time the security researchers are ready
>  to pull the trigger on their PoC exploit code?
> 
>  Good configuration management, user mgmt/education, and good
>  old-fashioned system hardening/lockdown techniques must always accompany
>  a PM solution.
> 
>  With the release of these particular patches, I sympathize for the folks
>  that don't have a good PM program in place already.
> 
>  Cheers,
>  Kerry Steele
> 
>  ________________________________
> 
>  From: Paul Nelson [mailto:[EMAIL PROTECTED]
>  Sent: Tuesday, April 13, 2004 4:38 PM
>  To: Patch Management Mailing List
>  Subject: Impressions - April Microsoft Patches
> 
> 
>  Although I am applauding Microsoft for making some more efficient moves
>  in patch releases to save admins from running around and screaming all
>  of the time, this seems like a lot of holes to cover at once.
> 
>  What is everyone's reaction to the seriousness of these?  With more
>  vulnerabilities against domain controllers, ASN.1, and RPC services for
>  example, we are facing a very difficult time to keep from being
>  exploited.  I'm just concerned about the testing I need to do prior to
>  rollout of these....it needs to be pretty extensive due to the impact.
>  (even with extensive patch management tools in place)
> 
>  I'm not complaining as I'm glad that these have all been identified, but
>  it comes as a surprise to see this many issues that were all released
>  today.
> 
>  I'm interested in seeing other viewpoints and opinions.....
> 
> 
> 
>  Paul Nelson
>  Network Specialist
>  Medical College of Ohio
>  (419) 383-3638
>  [EMAIL PROTECTED]
>  ---
>  To unsubscribe send a blank email to
>  [EMAIL PROTECTED]

 