<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Don&#8217;t Get Too Caught Up in the Patch Game: How to Tell if a System is &#8220;Secure&#8221;</title>
	<atom:link href="http://blog.impactalabs.com/2008/12/03/how-to-tell-if-a-system-is-secure/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.impactalabs.com/2008/12/03/how-to-tell-if-a-system-is-secure/</link>
	<description></description>
	<lastBuildDate>Mon, 09 Aug 2010 16:41:11 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Kevin Lam (IMPACTA)</title>
		<link>http://blog.impactalabs.com/2008/12/03/how-to-tell-if-a-system-is-secure/#comment-24</link>
		<dc:creator><![CDATA[Kevin Lam (IMPACTA)]]></dc:creator>
		<pubDate>Wed, 17 Dec 2008 16:46:53 +0000</pubDate>
		<guid isPermaLink="false">http://impactalabs.wordpress.com/?p=87#comment-24</guid>
		<description><![CDATA[Just to be fair to Secunia.com, it&#039;s the media that typically skews data like this and makes unfounded statements indicating that something is &quot;secure&quot; or &quot;not secure&quot; -- not Secunia.com.  Just in case anyone felt that I was trying to jab at Secunia.com.  They have always been a great source of information security insight and knowledge so I would always encourage listening to what they have to say.

--Kevin]]></description>
		<content:encoded><![CDATA[<p>Just to be fair to Secunia.com, it&#8217;s the media that typically skews data like this and makes unfounded statements indicating that something is &#8220;secure&#8221; or &#8220;not secure&#8221; &#8212; not Secunia.com.  Just in case anyone felt that I was trying to jab at Secunia.com.  They have always been a great source of information security insight and knowledge so I would always encourage listening to what they have to say.</p>
<p>&#8211;Kevin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Reidar Balstad</title>
		<link>http://blog.impactalabs.com/2008/12/03/how-to-tell-if-a-system-is-secure/#comment-23</link>
		<dc:creator><![CDATA[Reidar Balstad]]></dc:creator>
		<pubDate>Wed, 17 Dec 2008 11:47:11 +0000</pubDate>
		<guid isPermaLink="false">http://impactalabs.wordpress.com/?p=87#comment-23</guid>
		<description><![CDATA[Interesting discussion; *when* is any system deemed &quot;secure&quot;?! In my personal opinion, as long as we humans operate them, probably never. There will always be new angles of attack to a system, because this is human nature: exploration, discovery, challenges, overcoming obstacles and conquering. Security only exists at a high level, when the operator fully understands every aspect of a) the system&#039;s workings, and b) the consequences of any action taken on the system.

Now, to the origin of the article this blog was based on. We (Secunia) used data from our PSI Patch Scanner, as the basis of a blog of our own: http://secunia.com/blog/37/
Note that we do not, ever, state that a computer is secure when patch management is in place. This is a media spin on things, mostly because they do not fully understand the complexity of &quot;security&quot;.

True, the numbers are probably worse than the data from Secunia reveal. To quote the blog post:
&quot;Please note. Due to the way data is collected by the Secunia PSI all results presented here are to be considered &quot;best case&quot; scenarios, the real numbers are likely to be worse.&quot;
So, to back up Kevin&#039;s statement: yes the numbers are probably worse.

The consensus is that full security is difficult to achieve, and would rely on a number of things (Vulnerability Management, AV, FireWall, Policy management/enforcement, end-user education) but core to the effort is patch management. This is also by far the cheapest and easiest step in the process. With at least Patch Management in place, an important step has been taken towards relative security.

Stay Secure
psi.secunia.com]]></description>
		<content:encoded><![CDATA[<p>Interesting discussion; *when* is any system deemed &#8220;secure&#8221;?! In my personal opinion, as long as we humans operate them, probably never. There will always be new angles of attack to a system, because this is human nature: exploration, discovery, challenges, overcoming obstacles and conquering. Security only exists at a high level, when the operator fully understands every aspect of a) the system&#8217;s workings, and b) the consequences of any action taken on the system.</p>
<p>Now, to the origin of the article this blog was based on. We (Secunia) used data from our PSI Patch Scanner, as the basis of a blog of our own: <a href="http://secunia.com/blog/37/" rel="nofollow">http://secunia.com/blog/37/</a><br />
Note that we do not, ever, state that a computer is secure when patch management is in place. This is a media spin on things, mostly because they do not fully understand the complexity of &#8220;security&#8221;.</p>
<p>True, the numbers are probably worse than the data from Secunia reveal. To quote the blog post:<br />
&#8220;Please note. Due to the way data is collected by the Secunia PSI all results presented here are to be considered &#8220;best case&#8221; scenarios, the real numbers are likely to be worse.&#8221;<br />
So, to back up Kevin&#8217;s statement: yes the numbers are probably worse.</p>
<p>The consensus is that full security is difficult to achieve, and would rely on a number of things (Vulnerability Management, AV, FireWall, Policy management/enforcement, end-user education) but core to the effort is patch management. This is also by far the cheapest and easiest step in the process. With at least Patch Management in place, an important step has been taken towards relative security.</p>
<p>Stay Secure<br />
psi.secunia.com</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pete Herzog</title>
		<link>http://blog.impactalabs.com/2008/12/03/how-to-tell-if-a-system-is-secure/#comment-22</link>
		<dc:creator><![CDATA[Pete Herzog]]></dc:creator>
		<pubDate>Tue, 16 Dec 2008 20:14:54 +0000</pubDate>
		<guid isPermaLink="false">http://impactalabs.wordpress.com/?p=87#comment-22</guid>
		<description><![CDATA[You&#039;re right about the patch thing. When we dissected the components of &quot;security&quot; to assure a thorough test can be made for the OSSTMM, one of the first things we realized is that the model and definition for security was off. We ended up going with very specific definitions which actually fit what you write here. Security is a physical separation between a threat and an asset at a determined vector. Safety is how a threat or its impact is controlled. So to be secure from lightning you would move into a mountain. To be safe from it, you would put up rods and stay indoors, away from windows.

From there we break it down even further, but what we find is that it allows us to handle things like whether patching is or isn&#039;t security.]]></description>
		<content:encoded><![CDATA[<p>You&#8217;re right about the patch thing. When we dissected the components of &#8220;security&#8221; to assure a thorough test can be made for the OSSTMM, one of the first things we realized is that the model and definition for security was off. We ended up going with very specific definitions which actually fit what you write here. Security is a physical separation between a threat and an asset at a determined vector. Safety is how a threat or its impact is controlled. So to be secure from lightning you would move into a mountain. To be safe from it, you would put up rods and stay indoors, away from windows.</p>
<p>From there we break it down even further, but what we find is that it allows us to handle things like whether patching is or isn&#8217;t security.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

