Security's Everyman

Thursday, October 23, 2008

To patch or not to patch

This morning I slept through my alarm. I woke up at 7:20 am and realized that there was no way that I'd make the last bus into town since it leaves at 7:35 am. That meant that I had to drive the 30 miles to the office. I wasn't happy. Normally I would have declared it a work from the coffee shop day but I had an audit meeting and a couple of other things on the calendar that I needed to take care of. It's now 11:30 pm and I'm still at the office and I'm glad that I didn't make the bus into town. I'd really be stuck here all night. Actually that may still happen.

After jumping into the shower and getting dressed I headed to a coffee shop to get some coffee and wait for traffic to lessen before making the drive into town. I fired up my laptop and started checking my RSS feeds and email. One of the first things I see is that Microsoft has a pre-release announcement of an out-of-cycle patch that they are releasing today. Once Microsoft released info and I thought about it I realized that this has the potential to be bad news. I remember Blaster, SQL Slammer and Nimda all too well.

We called a meeting to discuss the issue and determine what our approach to this would be. The management team is made up of former network engineers who lived through Nimda when it hit the company a few years back. As soon as the word "worm" was mentioned they got that faraway look in their eyes. You know the one. It's the same look that you get when someone punches you in the gut. We discussed the pros and cons. We talked about what is the likelihood that we would actually get hit with anything. We talked about the potential impact if we did get hit. Like most companies we live and die by network activity. Due to the nature of our business we are in a little bit of a unique position because if something got loose on our network it could put people in physical danger as well as do damage to the business itself.

Needless to say the decision was made to start patching immediately. We've been at it for several hours now and still have a ways to go. We had to convince applications that this needed to be done. We had to put into place our emergency response team (OK, we don't have a real one but it sounds good). We had to get management buy-in. Some would say that we are overreacting, but since there have been confirmed reports of active exploits, and Immunity Security has released an exploit for their tool, and I just read that supposedly there is a new worm in the wild, I think a little paranoia is good for the soul.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.