Re: Not patching clients??
- To: "Patch Management Mailing List" <[EMAIL PROTECTED]>
- Subject: Re: Not patching clients??
- From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
- Date: Thu, 29 Apr 2004 12:30:16 -0700
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]>
- Reply-to: "Patch Management Mailing List" <[EMAIL PROTECTED]>
IMHO this is where you need to reach out to your fellow IT pros in your
industry and band together. I've got an annoying link at the bottom of
my emails that links back to a post by "Rain Forest Puppy" ....it
says....
"Demand better security from vendors and hold them responsible"
Many of my security decisions are also dictated by my application
vendors and not by the OS I run.
Let's say I had that same attitude.... even in my small firm environment
I'm bound by California law [used to be called SB 1386] that should
information relating to the identity of my clients get looked at or viewed
by an unauthorized party, I must inform all of my affected clients that
I've had this intrusion. In my network, my security vulnerabilities are
not my servers, they are my desktops.
On another listserv a gentleman told the story of people surfing and
getting CHM exploit attacks via the browser. Now he could and I "could"
block those IP addresses at my ISA server gateway, but isn't it more
prudent for me to patch my ENTIRE network?
"A firewall is a speedbump" so sayeth Michael Howard Security dude at
Microsoft.
Susan
Robert Ayoub wrote:
We have a similar situation in my environment. Though my problem doesn't
stem from management support, but from lack of vendor testing. We run in a
24x7 environment and downtime is unacceptable (9-1-1). The biggest problem
I see is that most of our vendors believe that since the networks are closed
to the Internet that all parties are safe. Also, our maintenance agreement
gets violated if we patch systems beyond what they have tested (Windows NT
SP4...I kid you not). This, of course, really goes against all my security
instincts and drives me nuts, but for some reason in this case the vendor is
always right, not the customer.
The solution in my mind then is to do as much with perimeter security as you
can and PRAY REALLY HARD! :-)
If anyone has a better solution, I'd love to hear it,
Rob Ayoub
Systems Administrator
-----Original Message-----
From: Paul Nelson [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 29, 2004 1:37 PM
To: Patch Management Mailing List
Subject: Not patching clients??
Hi group,
Recently there has been talk in our IS group that patching clients is
unnecessary and there will not be a dedicated person to research or resolve
outstanding issues. We are primarily a Novell environment and have SUS
running for a handful of systems, but that is about it. We can push out
patches via ZEN, but this is only done in emergencies (think Blaster).
Client-wise, that's absolutely scary. We do however have dedicated
individuals to cover any server or back-office system, so we are not in
trouble there. Our management's opinion is that network gear and the
perimeter will take care of the business, so patching clients is
irrelevant.
My question or issue to present to the group is how do you approach a
situation when management considers it unnecessary to patch clients? Being
a technical person I know the impacts, but of course things don't change
even after everyone talks about it. We're in the situation where it almost
takes a major exploit to wreak havoc and change opinions. I'm surprised
that only the server people are interested in defending the patch issue and
they are the only ones taking action.
I know many people are (or were) in this situation. After reading the
survey posting in the group earlier this morning, it does not shock me that
many organizations have only one person to handle this. What do you do if
you essentially have no one?
I'd like to see others' opinions or unique viewpoints on this.
Thanks,
Paul Nelson
Network Specialist
Medical College of Ohio
(419) 383-3638
[EMAIL PROTECTED]
---
To unsubscribe send a blank email to
[EMAIL PROTECTED]
--
http://www.sbslinks.com/really.htm