http://www.sqlservercentral.com/blogs/brian_kelley/2006/05/12/nice-article-on-security-myths-in-mayjune-2006-issue-of-technet-magazine/


Nice Article on Security Myths in May/June 2006 Issue of TechNet Magazine

2006/05/12

The May/June 2006 issue of TechNet Magazine has a feature on security. One of the articles is titled "Deconstructing Common Security Myths" and it's authored by Jesper Johansson and Steve Riley. One of the things which caught my attention was this:

Myth: It's Always Better to Wait for an Official Solution to a Problem

The authors go on to explain that ultimately you have to make a decision based on the risk. This calendar year we've seen two Microsoft vulnerabilities which had 3rd party patches deployed before Microsoft got theirs out the door. Both sets of patches mitigated the most common attacks against the vulnerabilities and seemed to work well. However, any organization which considered those patches had to think about deploying an unofficial patch to all of their systems, then later deploying the Microsoft patch, and then finally rolling back the unofficial patch. Since the unofficial patches hadn't been regression tested, there was a lot of speculation with both about what would and wouldn't work. Did some organizations roll out the unofficial patches? Absolutely. It made sense based on their analysis of the risk. But other organizations didn't. To them the risk of the 3rd party patch was greater than the risk of being hit.

As for the rest of the article, it covers whether or not to wait on a service pack (how many are waiting to apply SQL Server 2005 Service Pack 1 until all the "bugs are shaken out"?), myths about passwords, and myths about firewalls and blacklists. All of the myths are common areas of discussion on the various security forums and mailing lists, and this article provides greater food for thought.


