The May/June 2006 issue of TechNet Magazine has a feature on security. One of the articles is titled Deconstructing Common Security Myths and it's authored by Jesper Johansson and Steve Riley. One of the things which caught my attention was this:
Myth: It's Always Better to Wait for an Official Solution to a Problem
The authors go on to explain that ultimately you have to make a
decision based on the risk. This calendar year we've seen two Microsoft
vulnerabilities which had third-party patches deployed before Microsoft
got theirs out the door. Both sets of patches mitigated the most common
attacks against the vulnerabilities and seemed to work well. However,
any organization which considered those patches had to think about
deploying an unofficial patch to all of their systems, then later
deploying the Microsoft patch, and then finally rolling back the
unofficial patch. Since the unofficial patches hadn't been regression
tested, there was a lot of speculation about what would and wouldn't
work with both of them. Did some organizations roll out the unofficial patches?
Absolutely. It made sense based on their analysis of the risk. But
other organizations didn't. To them the risk of the third-party patch was
greater than the risk of being hit.
As for the rest of the article, it covers whether or not to wait on a
service pack (how many are waiting to apply SQL Server 2005 Service
Pack 1 until all the "bugs are shaken out"), myths about passwords, and
myths about firewalls and blacklists. All of the myths are common areas
of discussion on the various security forums and mailing lists, and this
article provides good food for thought.
