Should we patch?

Obviously you all know I’m obsessive about security (which is to say I may have bored some of you to tears over the issue). So let me bore you with some psychology instead.

B.F. Skinner conducted a series of experiments (or more accurately observations) about caged pigeons fed on a simple scheduled interval. The birds apparently came to associate whatever they happened to be doing at the time food appeared with the food appearance itself: a simple, and simply wrong, assumption of causality. I was ducking my head when the pigeon pellet popped out, so ducking my head *caused* the pellet to appear! What did Skinner call this behavior? Superstition. (http://en.wikipedia.org/wiki/B._F._Skinner#Superstition_in_the_pigeon)

There’s a degree of superstition in the practice of security, too. One superstition-candidate might be obsessing over patches, which actually introduce unknown elements into your attack surface. Would I personally cease to patch? No way. But I’m already highly selective about what I patch and how. If you’re curious why, do a quick Google on Evilgrade, among other reasons. Or see http://blog.metasploit.com/2008/07/evilgrade-will-destroy-us-all.html.

Pete Herzog passes along a link to an Infosecisland article by Cor Rosielle below on exactly this topic. Check it out, and the theoretical underpinnings, which are quite solid. I’d also suggest that if you haven’t already, get familiar with ISECOM and the OSSTMM (http://www.isecom.org/osstmm/). Pete will change the way you think about security, I guarantee. See the very last line of this message for a URL to join this news list, if you’re interested.

Thanks everyone, and *study study study*. Especially you recent PhDs.
Glenn

——– Original Message ——–
Subject: [ISECOM-news] Do You Need to Patch?
Date: Tue, 13 Sep 2011 12:53:29 +0200
From: Pete Herzog <[email protected]>
Reply-To: [email protected], ISECOM News <[email protected]>
Organization: ISECOM
To: ISECOM News <[email protected]>

Hi,

Just to let you know that ISECOM Trainer, Cor Rosielle, translated his
recent article from Dutch to English: “Do You Always Need to Install
Software Updates?”

One of the areas we found most interesting in developing the OSSTMM
attack surface metrics is how software patching seemed to be at odds
with security. It was a wild card at best. Even though this seemed to
go against everything we have heard as part of the bigger security
picture, the numbers showed differently. Now it appears there are more
and more efforts going into investigating this.

Thanks Cor for contributing to this effort with this article! Check it
out:

https://infosecisland.com/blogview/16401-Do-You-Always-Need-to-Install-Software-Updates.html

Sincerely,
-pete.
Pete Herzog – Managing Director – [email protected]
ISECOM – Institute for Security and Open Methodologies
www.isecom.org – www.osstmm.org
www.hackerhighschool.org – www.badpeopleproject.org


ISECOM-news mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/isecom-news