Social Icons

Friday, October 08, 2010

RISK MANAGEMENT : Beware while u update with Patches

1. A zero-day exploit as discussed at an earlier post in this blog .....Some thing more to it...

2. A good extract straight lift from Infosecurity-magazine.com

"For a vendor, developing the update is not the part that takes time – testing is. We have more than 600 million downloads when we publish an update. If we “just” break 10% of the systems the update is installed, it would be a huge denial of service. So testing is the name of the game. How well is an unofficial patch tested?Often the vendor publishes workarounds (at least we do). This should be part of your risk mitigation strategy. Would the workaround be acceptable to buy you time?

How far do you trust the author of the unofficial update? How big is the risk that the update comes with pre-installed malware? The question immediately comes up: Why should we trust a vendor? Well, you bought or downloaded the software at the first hand – so, you decided to trust the vendor at the beginning.

What do you do once the vendor releases an update? Can you de-install the unofficial update?

Basically, it is a risk management decision, which should include at least the questions I raised above. Do not just run for the unofficial update – to me it should be really the last resort, if even!"

3. A good site to follow : Check out http://www.infosecurity-magazine.com

0 comments:

Post a Comment