[Dshield] Microsoft patches

John Holmblad jholmblad at aol.com
Tue Oct 21 03:27:30 GMT 2003


the truth of the matter is that much of information security boils down 
to common sense and "good hygiene" or as some prefer to now call it, 
"safe computing" practices. But such hygiene has a time and economic 
cost which must be paid up front (like insurance) whereas the cost of 
malware cleanup is paid in arrears, so there is a "time value of money" 
advantage for postponing preemptive defensive action hoping that the 
"pox" will pass over the defenseless or poorly defended enterprise. My 
experience is that large enterprises (my definition of large is 1000 
workstations/servers and above, say an annual revenue of $100m-$200m and 
above) clearly understand the need for "defense in depth" and pay 
accordingly up front to make it a reality. It is the much larger 
quantity of medium and now, more frequently, small enterprises (and, for 
that matter governments, e.g. state and local) that are learning the 
painful consequences of not making such upfront investments. As 
absorption of broadband Internet connectivity into these market segments 
(medium and small enterprises, that is) increases, so does the quantity 
of access points (albeit of generally lower bandwidth) increase 
dramatically, and, to the extent that those enterprises are not as well 
defended, they become the proverbial "weakest link" for exploit. Those 
who are not defended are, of course, sitting ducks. Unfortunately, it is 
these organizations that, in my perception anyway, are the most stressed 
in terms of sysadmin resources and training to do the right thing, which 
I am sure is what they want, Dilbert style management notwithstanding!

Training and awareness are of course a big part of the problem. To that 
end SANS is just now finalizing a (fee based) service for end user 
INFOSEC awareness training. It covers the basics, and you can run 
through a sample at the www site below. I did so, and in my opinion, 
they will have a real winner and valuable site on their hands if they 
have priced it correctly. Of course, most if not all of it is simply 
common sense to us but not necessarily so to the non-IT person. (e.g. 
Why should I ever have to change my password especially since my bank 
NEVER requires me to change my PIN, which, oh by the way is only 4 
characters and all numeric?)


What we all need to understand is that there are 100's of millions of 
users out there whose understanding of the risks is significantly lower 
than that of this list's members, and whose expectations of software 
reliability and security is MUCH higher. They do not expect nor want the 
burden of having to spend time on INFOSEC, they just want to do their 
jobs whatever those might be.

If you or anyone else on this list are interested in reviewing a draft, 
I am writing a paper targeted to senior business executives that 
synthesizes a set of best INFOSEC practices and attempts to show the 
reader how the application of only a subset of those practices could 
have nailed the recent (pre-World Series!) virus attacks (Blaster, 
Sobig, SVEN). It is entitled "12 Easy Pieces". I have not copied the 
full list on this because a) it is a draft, and b) for many it would be 
redundant to what they know already. Anyone who is interested, just 
send me an email and I will forward a PDF of it.

Best Regards,


John Holmblad


Televerage International


(H) 703 620 0672

(M) 703 407 2278

(F) 703 620 5388


www page: www.vtext.com/users/jholmblad

primary email address: jholmblad at aol.com

backup email address: jholmblad at verizon.net

text email address: jholmblad at vtext.com
