Security Holes Aren't Being Filled
from the of-course-not dept
There’s a new study out talking about how many sysadmins don’t do a very good job patching security holes. The study and its conclusions seem a bit flawed, however. First, the “study” is based on one single flaw that one security consultant decided to follow. He did a Google search to pick servers that had that flaw (he apparently found out about the flaw right before it went public). Then he kept testing those servers over time to see who fixed the flaw. Since it’s only one instance, it’s not clear how conclusive this study is. The conclusions also seem a bit off-base as well. The guy says he thinks that the sysadmins who didn’t patch the hole are clearly lazy. However, with the incredible number of security hole announcements that come out every single day, I think it’s more of a “crying wolf” situation. There are only so many security holes that sysadmins are going to respond to, and after a while they don’t see the threats as being that strong, compared to the actual effort of patching.
Comments on “Security Holes Aren't Being Filled”
don't forget...
A lot of sysadmins are forbidden from installing any software on machines unless management signs off on it, or the software has undergone some sort of QA/qualification process.
Might not be lazy people.. *shrug*
Re: don't forget...
There are even more reasons:
1. there are always a chance that patches will break something…
2, many software products are supported only on certain patch levels. i.e. Service Pack 3 for Windows NT. If admin installs newer service pack –
he is on his own.
3. patches still cannot ( mostly ) be installed without downtimes. By installing patches admin has no chance to reach 99% uptime on unclustered servers. At the same time *ADMIN, YOU DO NOT UNDERSTAND, BUSINESS SIDE NEEDS IT*
Re: Re: don't forget...
Also lets not forget that a lot of companies require patches and fixes to be thoroughly tested in a test lab before being rolled out. What with the pared down staff of some organizations, and the increasing amount of patches being rolled out, I don’t think its a question of laziness.