BS 7799/ISO 17799
Windows NT - Risks Oct 11 2006 01:15PM
iso 27000 (is27001 gmail com) (1 replies)
Re: Windows NT - Risks Oct 11 2006 01:21PM
ljknews (ljknews mac com)
At 6:45 PM +0530 10/11/06, iso 27000 wrote:
> One of my customers has a lot of Windows NT servers. MS has already
> withdrawn support for the same. So no more security patches in
> future.
>
> Customer has no plans for immediate upgrade to Win2k or Win2k3. Is
> this an acceptable risk to live with?

Risk is a local judgement. But remember that many of those Microsoft
patches are regarding network vulnerabilities. So long as the machines
in question have no way of connecting to the Internet, some degree of
safety from automated attacks is provided.

That leaves the risk of insider attacks. Even if there is no ability
to connect to the Internet, the phrase "lot of Windows NT servers"
implies there are a lot of insiders, increasing the opportunity for
insider attack.

> Will the auditors have any objection?

That depends on who the auditors are and the nature of the data/business.

> If so, how can it be best addressed?

That depends on what the objections are.
--
Larry Kilgallen

Copyright 2010, SecurityFocus