Article 43


Friday, December 12, 2008

Sorry State Of Computer Patch Management


Here’s another article that got me thinking about a day at the office, and the good old days at AT&T.

I work at a technical training center with a bunch of MCSEs, UNIX gurus, networking experts, and Bell Labs certified instructors.

The words “patch management” are alien to all but a few of us.


Patching is still trouble

For various reasons, users—even administrators—do not patch properly. Here’s how to get a handle on security patch pain

By Roger A. Grimes
December 12, 2008

Over the last week I’ve had two clients who’ve had computers broken into because their computers were not appropriately patched. One client’s Internet-facing server lacked a critical system patch, and the other was exploited by an unpatched client system infected by a “trusted” Web site.

I know at times that I sound like a broken record about this issue, but I’ve yet to visit a client (and I consult, on average, about three per month) that has acceptable patching practices in place. They all have patch management software, but for various reasons, my spot-check auditing usually reveals significant deficiencies.

A study by Secunia showed that only 1.91 percent of the computers scanned by their Software Inspector product were completely patched. Even worse (see table below), nearly half of the PCs inspected had 11 or more unpatched programs.

Table 1: Secunia Software Inspector results

Insecure programs on the PC    Share of PCs
0                              1.91%
1 - 5                          30.27%
6 - 10                         25.07%
11+                            45.76%

And you have to believe that the people running the Software Inspector program are among the security-savvy.

Why don’t people—and in particular, administrators—patch properly? First, it’s a difficult job to keep on top of. The patches come frequently throughout the week. Microsoft may only release patches on one Tuesday a month, but most vendors release them ad hoc, often without warning. You may hate Patch Tuesday, but I’ve heard Linux and Apple administrators complaining about how they get their teams together and apply a patch, only to discover yet another new patch the day after, and another the day after that. If you live in that world, Patch Tuesday doesn’t seem so bad. And that’s only one vendor’s software. Add in every software product you have, each with a different patching cycle, and it’s a recipe for chaos.

Sometimes you patch software and the older versions remain behind. This is a problem with Sun Java Virtual Machines, Microsoft .Net, Macromedia Flash, and several other applications. You may not even know the older version is still installed, but a malicious Web page can use JavaScript to ferret it out and target it.

Oftentimes, even with rock-solid patch management software, a certain percentage of updates will fail. In my 20-plus years of experience, the failure rate is somewhere between 1 and 5 percent. Each failure means a machine left unpatched, and possibly a visit from tech support to resolve it. And all of us have stories of horrible patch recovery problems that took a format and complete reinstall to resolve.

Some companies have great patch management software, but policies and necessary regression testing mean it could be a month or more until patches are installed.

Solutions for patch pain

Get on top of your patching. If you don’t have systemwide patch management software, get some. Make sure to patch everything on the computer: the operating system, large applications, browser add-ons, everything. If someone else is in charge of patching, spot-check their efficiency. Run Secunia’s Software Inspector and see what comes up unpatched.

Except in the rarest of cases (e.g., medical devices requiring regulatory approval, etc.), it’s no longer acceptable in today’s world to wait more than a week or two to apply a critical patch. Internet-facing servers and computers with access to the Internet need to be patched the fastest. Rank assets by criticality and patch the highest risk assets first. If you can’t perform thorough regression testing in a timely manner, create a trustworthy rollback strategy and patch away.
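As an added example (not code from the article, and not Secunia’s product), here is a small Python spot-check that covers the three points above in one pass: it flags old copies of a program that an upgrade left behind alongside the new one, counts insecure programs per machine in the same buckets as the Secunia table, and orders machines by exposure so Internet-facing systems come first. The product names, version numbers, exposure classes and the inventory it runs over are all constructed for illustration; the BASELINE “fixed version” values are hypothetical, not taken from any vendor advisory.

```python
"""Patch-compliance spot check over a constructed software inventory.

Added example, not code from the article or from Secunia's product. Products,
versions and hosts are constructed; BASELINE values are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.6.11' -> (1, 6, 11) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Hypothetical baseline: lowest version of each product that carries the fix.
BASELINE: Dict[str, str] = {
    "java-jre": "1.6.11",
    "flash-player": "10.0.12",
    "dotnet-fx": "2.0.50727",
    "pdf-reader": "9.0.0",
}

# Exposure drives patch order: Internet-facing first, then anything that can
# reach the Internet, then isolated machines.
EXPOSURE_WEIGHT = {"internet-facing": 3, "internet-access": 2, "isolated": 1}


@dataclass
class Host:
    name: str
    exposure: str
    installed: Dict[str, List[str]]  # product -> every copy found on the box


@dataclass
class Finding:
    host: str
    product: str
    version: str
    reason: str  # "outdated": newest copy too old; "leftover": older copy remains


def audit_host(host: Host, baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Flag every installed copy of a baselined product that is below the fixed
    version. A copy older than the newest one on the machine is a 'leftover'
    the upgrade left behind; the newest copy is 'outdated' if it is too old."""
    findings: List[Finding] = []
    for product, versions in host.installed.items():
        if product not in baseline:
            continue
        fixed = parse_version(baseline[product])
        newest = max(parse_version(v) for v in versions)
        for v in versions:
            pv = parse_version(v)
            if pv < fixed:
                reason = "outdated" if pv == newest else "leftover"
                findings.append(Finding(host.name, product, v, reason))
    return findings


def insecure_program_count(findings: List[Finding]) -> int:
    """Secunia-style count: products with at least one insecure copy."""
    return len({f.product for f in findings})


def bucket(count: int) -> str:
    """Same buckets as the Secunia table in the article."""
    if count == 0:
        return "0"
    if count <= 5:
        return "1 - 5"
    return "6 - 10" if count <= 10 else "11+"


def distribution(hosts: List[Host]) -> Dict[str, int]:
    """Number of hosts in each bucket."""
    counts = {"0": 0, "1 - 5": 0, "6 - 10": 0, "11+": 0}
    for h in hosts:
        counts[bucket(insecure_program_count(audit_host(h)))] += 1
    return counts


def prioritize(hosts: List[Host]) -> List[Tuple[str, int, str]]:
    """Patch order: highest exposure first, then most insecure programs."""
    rows = [(h.name, insecure_program_count(audit_host(h)), h.exposure) for h in hosts]
    rows.sort(key=lambda r: (-EXPOSURE_WEIGHT[r[2]], -r[1], r[0]))
    return rows


# Constructed inventory standing in for a scanner's report (not real data).
INVENTORY = [
    Host("web01", "internet-facing",
         {"java-jre": ["1.6.11"], "dotnet-fx": ["2.0.50727"], "pdf-reader": ["8.1.2"]}),
    Host("ws-pat", "internet-access",
         {"java-jre": ["1.5.0", "1.6.11"], "flash-player": ["9.0.124"], "pdf-reader": ["9.0.0"]}),
    Host("lab-db", "isolated",
         {"java-jre": ["1.6.10"], "flash-player": ["9.0.124"], "pdf-reader": ["8.0.0"]}),
    Host("ws-ok", "internet-access",
         {"java-jre": ["1.6.11"], "flash-player": ["10.0.12"], "pdf-reader": ["9.1.0"]}),
]

if __name__ == "__main__":
    by_name = {h.name: h for h in INVENTORY}
    for name, count, exposure in prioritize(INVENTORY):
        print(f"{name:8} {exposure:16} insecure programs: {count} ({bucket(count)})")
        for f in audit_host(by_name[name]):
            print(f"    {f.product} {f.version}: {f.reason}")
    print("distribution:", distribution(INVENTORY))
```

Two design points worth noting. Versions are compared as tuples of integers, not as strings, because “10.0.12” sorts before “9.0.124” as text and a string comparison would call the patched copy outdated. And the audit flags every copy below the baseline, not just the newest, which is exactly how the leftover Java or Flash runtimes the article warns about show up: the machine looks patched if you only ask for the current version, but the old copy is still on disk and still reachable. In a real run you would feed `INVENTORY` from your patch management tool’s export and `BASELINE` from the vendor advisories you track.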

If you cannot patch in a timely manner, look into offsetting controls, like IPS solutions and inline patching solutions. My former favorite inline patching solution, BlueLane’s PatchPoint, has been acquired by VMware and doesn’t appear to be available at the moment. Anti-malware solutions, firewalls, and auditing certainly have their place in any patching strategy. But all these offsetting controls are doomed to eventual failure. Having fully patched software is one of the best things you can do to improve your security posture.

Many readers might find this topic boring, but I plan to keep covering it until I find more clients fully patched than unpatched. Top echelon computer security administrators know that the best computer security comes from doing the boring stuff consistently well.


Posted by Elvis on 12/12/08 •
Section Privacy And Rights

Human Rights Day 2008

We celebrate 60 years of Failure

By Cindy Sheehan
Information Clearinghouse
December 11, 2008

We celebrate 60 years of failure. Human Rights have been converted from a noble goal into an instrument of foreign policy used by rich and powerful nations against the poorest and weakest people of the world.

In 2008, almost 3 billion people throughout the world suffer the most basic privations.

After 60 years of empty human rights rhetoric, we demand that governments focus their attention on fulfilling the promises of 1948. We write this document on the parchment of the environment, which everyone shares, and which has warned us all to drastically change the ways in which mass production and consumerism take place.

1. The United States is a member of the Commonwealth of Nations.

2. Benefits accrue to those who cooperate with the global community and view other countries as potential partners for the upliftment of humankind.

3. Unfortunately, the leadership of the United States Government has consistently been a disappointment to those of us who value the tenets and possibilities for humankind embodied in the Universal Declaration of Human Rights.

4. The Universal Declaration of Human Rights affirms the rights of self-determination, the rights of women, the rights of the indigenous, and the rights of association and expression and resistance to protect and preserve these precious rights.

5. Poverty and severe income inequality on the one hand and greed and over consumption by a few on the other hand deny for far too many on the planet universal application of the Universal Declaration.

6. Climate change, unsustainable agriculture, unbridled militarism, terrorism with impunity, and nuclear proliferation represent threats to our planet and threats to humankind.

7. The current implosion of the engine of US Imperialism and global capitalism contains the seeds of a new global order in which the rights of humankind and the Universal Declaration can find universal application.

8. The incoming Barack Obama administration has a unique opportunity to make a clean break with the policies of the past, which include installation of dictatorships, campaigns of invasion, terror and slander, torture and occupation, and can build bridges of peace and justice with respect to Africa, Latin America, Asia and Europe.

9. Therefore, we call on the President-elect to put the United States on a clear course of global fraternity by invoking the Universal Declaration of Human Rights, rejecting torture and demonstrating this by closing and vacating the Guantanamo Bay facility and ceding to Cuba its rightful patrimony, ending the US embargo of Cuba, releasing the Cuban 5 and other political prisoners, and extraditing Luis Posada Carriles to Venezuela for his act of terrorism against a Cuban airliner, which killed dozens of people.

10. While this list is not exhaustive, it represents a much needed down payment on hope and change.

11. This document will be disseminated through our respective networks.


Saul Landau, Film maker from Alameda, California, USA
Nelson Valdez, Retired professor from Albuquerque, N.M., USA
Cynthia McKinney, Green Party Presidential Candidate, Former U. S. Congresswoman from Atlanta, Georgia, USA
Cindy Sheehan, Peace and Human Rights Activist from San Francisco, California, USA
Dede Miller, Peace and Human Rights Activist from San Francisco, California, USA


Posted by Elvis on 12/12/08 •
Section Dying America

Rising Of The Telecom Equipment Vendor Underclass Part 3

Nortel sheds 1,300 jobs, key executives

By Bert Hill, The Ottawa Citizen
Canada News
November 10, 2008

Nortel Networks announced 1,300 more layoffs Monday morning, the departure of several top executives and pay and hiring freezes as it struggles with tough economic conditions and internal trouble.

But the company had no news to announce on efforts to sell the metropolitan ethernet division and find wireless joint ventures to raise money, cut costs and preserve falling cash reserves.

The struggling company also announced big writedowns of assets and other costs, which drove losses to $3.41 billion in the third quarter ending in September, compared to a profit of $27 million a year earlier and almost 30 times the losses of $113 million in the June quarter.

Sales fell 14 per cent to $2.32 billion and the company warned that overall sales for the full year will fall by four per cent, at the low end of a major warning announcement in September.



Nortel seeking bankruptcy advice

Nortel Networks Corp has sought legal counsel to explore bankruptcy-court protection from creditors in the event that its restructuring plan fails. The move comes as the company grapples with plummeting sales for its wireless gear and as the credit crunch hobbles the sale of key assets.

Ronald Alepian, a spokesman for Nortel, said that “no bankruptcy filing is imminent,” but added that the company has engaged several advisers to help it chart a way forward. “We remain focused on carrying out the restructuring we outlined on Nov. 10 to cut costs,” he said. Alepian said Standard & Poor’s in November reaffirmed Nortel’s ratings, saying the company “should be able to sustain adequate levels of liquidity in the next 12-18 months” despite difficult market conditions.

Nortel also has been exploring potential assistance from the Canadian government, but the disarray within the government is clouding those prospects. Last week, Prime Minister Stephen Harper shut down Parliament until late January to avoid attempts by opposition legislators to topple his government.

Nortel was once Canada’s largest company. Its market value topped $250 billion in 2000, but has since shriveled to $275 million. The company’s stock has been trading below the $1 minimum on the New York Stock Exchange for a month.

Chief Executive Mike Zafirovski joined Nortel three years ago after helping to revive the cellphone division of Motorola. He swelled profits from selling Nortel’s wireless equipment to US carriers and used the money to fund new businesses. But a sudden drop in contracts by US carriers, themselves seeking to cut spending, choked the company. Nortel burned through $478 million during the first nine months of this year, as sales of the company’s CDMA technology atrophied.

In September, Zafirovski decided Nortel should sell assets to cut expenses and raise cash. It said it would sell an unprofitable new business called Metro Ethernet, which makes gear to transmit Internet and video feeds.

Until the announcement, many Wall Street analysts believed that Nortel still had time: It had an estimated $2.6 billion in cash and no payment on its $4.5 billion in debt until July 2011. But $500 million of Nortel’s cash was tied up in overseas joint ventures and it needed $1 billion cash for daily working capital.

Nearly a dozen companies and investment firms looked at the Metro Ethernet business, and bankers encouraged suitors to consider buying the entire company. But no deal to sell the business has emerged. In hopes of finding better prices, Nortel recently hired new investment bankers. Suitors for all of Nortel have been waiting on the sidelines, betting that its assets can be picked up without at least $6 billion in liabilities if the company seeks protection from creditors.

Uncertainty surrounding Nortel’s finances has limited its ability to find new business, as its customers seek safety in contracts with better-financed rivals.


Posted by Elvis on 12/12/08 •
Section Dying America