Focus on Microsoft
exploit to vulnerability Aug 19 2005 06:11AM
Murad Talukdar (talukdar_m subway com) (1 replies)
RE: exploit to vulnerability Aug 22 2005 03:59AM
Murad Talukdar (talukdar_m subway com)
Just saw this in Jose Nazario's interview on securityfocus;

>> There's also the issue of time. Downloading a 200MB file means being
online and vulnerable for minutes (or hours). What about an attack or a worm
in this timeframe?

An efficient patch can be distributed in a matter of hours to days. With
only one exception (the Witty worm), no worm has ever been constructed and
deployed that fast. The time frame between a worm's release and the
disclosure of the vulnerability that the worm uses is, on average, about 4
weeks.

I guess the window, on average, is bigger than I thought; however, the top
end of the exploit bell curve may well mean 0-day (or close enough) for a
few. And as we all know, that one which gets in could be the one that does
enough damage. So I would certainly like to use that scale in my 'lead time'
rather than say, 'What, me worry? I've got (on average) four weeks.'

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m (at) subway (dot) com]
Sent: Friday, August 19, 2005 4:11 PM
To: focus-ms (at) securityfocus (dot) com
Subject: exploit to vulnerability

With all the issues highlighting the speed at which exploits are now being
written (e.g. http://www.securityfocus.com/news/11285), the window between
vulnerability and exploit appears, on average, to be getting tighter.

We have an SME network and I used to have a week or so to test patches
before rolling them out.
This all begs the question now, with limited resources, do I just patch and
not worry about testing? I definitely have fewer resources than some of the
companies that were hit (CNN et al) and less time to dedicate to patching.

Should I just use auto updates/GP to patch everything regardless?
What do other SME admins do?

Kind Regards
Murad Talukdar

Copyright 2009, SecurityFocus