Bruce Schneier, well known security expert and CTO of Counterpane Security, has a letter in the New York Times about the dilemma faced by CIO who run large numbers of Microsoft machines: there are too many patches and they can't be installed automatically because they often break, and yet if you don't, you're vulnerable to worms like Slammer.

I was having lunch this week with the CIO of a company you've all heard of. He's responsible for thousands of machines and they've had a policy of selectively installing patches after testing them for compatibility and effectiveness (i.e. doing Microsoft's QA work for them). Slammer hit them hard, in a matter of minutes. Now he's rethinking that and wondering if its not better to automatically install the patches and live with the clean-up problems that will inevitably result. This isn't some theoretical discussion. Its critical to the enterprise. If Slammer had hit at the end of a quarter, it would have had devastating consequences to sales at many companies. Yet, the cost of patching is inordinately high. No good choices here.


Please leave comments using the Hypothes.is sidebar.

Last modified: Thu Oct 10 12:47:20 2019.