One more note:
Commentary: People, process secure the enterprise
By Forrester Research
Special to CNET News.com
July 31, 2003, 4:30 AM PT
Michael Rasmussen, Director, Forrester Research
Last week, Microsoft and Cisco Systems announced two major vulnerabilities.
Organizations need an action plan to respond to vulnerabilities and exposures, and should not rely on products alone for protection.
This is a people and process problem that works with technology. The Microsoft vulnerability is a significant exposure into every operating system running the NT code base from NT to 2003.
Security pros talk,
but can they walk?
A new national policy and
months of Microsoft initiative
haven't shown a significant
improvement in security.
The Cisco vulnerability is an exposure that can crash every router. Both can be devastating to enterprises if used by the miscreants of the world. Additionally, we have seen exploit code in the wild for both. Jumping on the bandwagon, as usual, are myriad security vendors claiming they have the solution to protect the enterprise.
Vendor claims are far-fetched and provide a false sense of security. No vendor today resolves these vulnerabilities, except Microsoft and Cisco with the patches they implement. Security vendor solutions may hold back the evil hordes of hackers should they come knocking, but the deviant will break through given enough time and motive.
The only true answer is to patch systems. Organizations should focus on the process and policy portion of security as much or more than the technology aspect. Do not put blind trust into security vendor claims of protection, rather, honestly evaluate how the product works and the time it potentially buys you.
Develop a patch management process based on business risk so the critical business applications and support systems (e.g., network, desktop) are expedited and patched in accordance with the risk the organization faces.