posted on Monday, December 13, 2004 7:36 PM by bradley

When last they were seen, they were on their way to the airport

Last Friday at lunchtime... um... I mean in the afternoon... um... I mean in the evening... two guys flew down... um... well, drove down... in the fog no less, to videotape some “sound bytes” for a Mike Nash [Mr. Blue Shirt and nothin' but blue shirts] Security 360 video.

I warned them about FresNO's [David Spade commercial] reputation for puddle-jumper flights, but I forgot to tell them about the even worse issue of cancelled flights. So there they were in San Francisco... getting delayed... getting delayed... and finally the flight was cancelled. They grabbed a one-way rental car from San Francisco [they were coming from Seattle] and started driving... and... hit traffic... and fog...

Poor guys. Needless to say it was fun, and hopefully I won't do as much “blinking” of the eyes as in the soundbyte thing I did for Trend Micro.

One of the questions that they asked that just floored me a bit was:

What are some of the ramifications of not having a patch management program in place? Or, put another way, how do you make a business case for patch management?


Yo, folks? How can you NOT make a business case for patch management? It's just good business. Especially now with AB1950 kicking in in January.

"This bill would require a business, other than specified entities, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure."

"A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."

I argued on the Patch Management.org listserv [which I got a plug in for during the soundbyte interview, I might add]: is using an end-of-life, no-longer-patched OS "reasonable security procedures"? Methinks there's going to be a few attorneys getting rich arguing over that definition.

Mind you, this is an argument over EOL for Redhat 9.0, 8.0, etc., not Windows NT.

As I pointed out in the post, ever listened to "Death of the DMZ" by Steve Riley? As Mr. Riley points out, the original RFC[a] for TCP/IP states that "security was not taken into consideration".

We've got systems set up that were never intended to run over "untrusted" communication, and now, how many years later, we're still using them on the Internet, where these days we shouldn't be trusting even the people "inside" the wall?

Check this out...

An Applications View on Security:
http://www.eweek.com/article2/0,1759,1738991,00.asp?kc=EWRSS03129TX1K0000614

"In fact, more than 80 percent of companies have detected system penetrations of internal origin, according to data compiled by insurance brokerage and risk management company Arthur J. Gallagher & Co., in Itasca, Ill. This means that applications performing their normal function, at the behest of authorized internal users, must be viewed as dwelling in hostile territory rather than in trusted environments."

I mean, when you have employees like this... who needs enemies on the outside of your wall? [Well, ya guys listen to me now about why audit logs and ISA logs are a good thing?]

[a] which I think is this one

P.S. For the record, I did not wear a blue shirt.
