On Wed, 25 Jul 2001, Larry Diffey wrote:
> The only way that administrators are going to be diligent about patches/updates is for the bean counters to show the CTO/CIO what the bottom line is for not installing updates when something like Code Red happens.
Not necessarily bean counters, as I've never seen one who could understand that there is very little if any monetary ROI on security products and services, but putting it in tangible terms that management understands is always a good idea. Sometimes it plays out like a comedy of errors. I used to work for a company that took in revenue of several billion dollars a year, and who relied heavily on their corporate image and "industry leader" status. For them, it was as easy as showing them the value of not having your web page appear at attrition.org or a story about your company being hacked on CNN. This was our standard argument with management: "Buy this and allow us to implement it, and the chance of us being a news item becomes a lot smaller." Of course, then you also have to explain that this alone will not make you immune to any compromise attempt. So, we got a site license for an IDS package, becoming the specific vendor's largest licensee for their IDS product. And we thought all was going well. Then we tried requesting equipment to deploy the software package across the network, and were told there was no justification for it. Apparently the multimillion dollar site license was not justification for spending a couple hundred thousand on hardware.
> Then management will crack the whip and the administrators will have to constantly search for updates.
Many vendors, including Microsoft, have security updates announcement lists. Then there's always the subscription to bugtraq or their new targeted security updates mailing list.
> Of course, this is all subject to the Dilbert Principle and some companies will get stupid about it:
And in a perfect world these companies would start to suffer from clue atrophy because of a talent exodus. I've certainly seen it happen. But, with the job market the way it is, I think many of us would live with a certain amount of management stupidity in exchange for a steady paycheck. At this point, after being unemployed for almost 5 months after being laid off and working random contracts as they come up, I'd gladly deal with some stupidity for medical benefits and a steady paycheck. However, I think we might be straying from what could be considered on-topic NANOG content.

Regards,

--
Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed. Will hack for food. God Bless.
Apparently I'm overqualified but undereducated to be employed.