“A little rant on patching…” from Eric Byres

From the MU Line blog: Most IT professionals are pretty confident that we know what applications and operating systems are running on our desktops and servers. So when a vendor like Adobe releases an announcement of some new critical vulnerability (such as last week's beauty here), I know that getting and installing that patch is a very good idea because I use Adobe Reader software. Yes, patching is an annoying but at least manageable activity. Unfortunately, the same doesn't hold true for the control systems running the world's critical national infrastructures like power, water and transportation. These systems often come as bundled packages from the vendors, so the end-user really doesn't know what is inside and what needs patching to keep the wolves away from the security house doors (Control Global asked me to author this piece earlier this year). Let me give you a few real-world examples... Read the rest of Eric's rant here.

What are your comments?


Comments

  • Eric's rant is right on the money. I've said similar things myself.

    So, what do we do about it? How do we figure out what components a packaged system has? Once we figure that out, to whom, and how, should we communicate that information?

    (and the answer, if you ask the ISACs, appears to be "we want nothing to do with this.")

    I'll ask anyone who will listen: How do we fix this problem?

