The Security Patch Treadmill

Counterpane Internet Security, Inc – Crypto-Gram — March 15, 2001.

Notable in this issue:

  • The Security Patch Treadmill

    Security based on patches is inherently fragile. Any large network is going to have hundreds of vulnerabilities. If there’s a vulnerability in your system, you can be attacked successfully and there’s nothing you can do about it. Even if you manage to install every patch you know about, what about the vulnerabilities that haven’t been patched yet? (That same alert service listed 10 new vulnerabilities for which there is no defense.) Or the vulnerabilities discovered but not reported yet? Or the ones still undiscovered?

    Good security is resilient. It’s resilient to user errors. It’s resilient to network changes. And it’s resilient to administrators not installing every patch. For the past two years I have been championing monitoring as a way to provide this resilient security. If there are enough motion sensors, electric eyes, and pressure plates in your house, you’ll catch the burglar regardless of how he got in. If you are monitoring your network carefully enough, you’ll catch a hacker regardless of what vulnerability he exploited to gain access. Monitoring makes a network less dependent on keeping patches up to date; it’s a process that provides security even in the face of ever-present vulnerabilities, uninstalled patches, and imperfect products.

  • Insurance and the Future of Network Security
  • TCP/IP Initial Sequence Number Flaw
  • The “Death” of IDS?
  • 802.11 Security
