Sunday, April 11, 2010

The Myth of Patch Management

From an old video recording of a security session held at Technet:

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=991

“The Air Force had an environment where they standardized, based on a limited number of server builds and client builds using images and vhd files... and then they allow them to make another decision. They did a risk assessment of patch delays and came to the following conclusion...

If we delay installation of a patch because we have to test it, then there is a time window, between the patch download date and the install date, when their machines are vulnerable to attack…

and their risk assessment concluded that getting attacked in that time window is much more likely than immediately installing the patch and seeing if an application breaks. That was their risk assessment. So they have done what I have been begging people to do for years. They have turned their patch management over to Microsoft (outsourced it to us). When we issue a patch, they install it right away.”

- Steve Riley, Former Senior Security Strategist, Microsoft Trustworthy Computing

Author of "Protect Your Windows Network: From Perimeter to Data"


However, there is one point on which I would disagree with the Air Force. Newly released operating system service packs and IE versions must be tested in a business environment first, regardless of how small or large the business is and whether or not there is a testing team. At the same time, I do not recommend delaying the installation of those updates. I have seen security experts who test new service pack updates even for their home environment.


Note: Steve Riley is now with Amazon Cloud Computing. He can be found here: http://stvrly.wordpress.com/


Barnes & Noble Sucks! The Rogue Online Bookstore.

A very close friend of mine was ordering books online and I asked him to order 2 books (a business book and a Windows security book) with him, since I couldn't find them in the bookstores in my region. He noticed that the shipping options at Barnes & Noble were very attractive compared to other major online stores. In addition, we had a discount coupon. So he decided to try it out, and little did we know that the experience we were about to get was extremely horrible.

During the order the discount coupon was accepted and it clearly indicated that $xx was successfully deducted from our total purchase. Everything seemed great and we placed our order. A day later we received a notification that our order was being shipped. The next day, my friend received an unexpected email from B&N, and that's where several problems started to appear.

He received a no-reply email saying that one of the books in the order had been canceled, without any justification:
We apologize, but despite our efforts, we weren't able to fulfill some or all of the items in your order, as noted below. These items have been canceled from your order.

We apologize for any inconvenience this has caused and look forward to your next visit to Come back and visit anytime at http://www.bn.com.

I am not sure why they canceled the shipment of one of the books. I doubt it is an availability issue, since all the books we ordered were clearly indicated on their website as in stock. Anyhow, when my friend reviewed his PayPal account, he found that the new B&N transaction charged far more than the total order details on the B&N site. There was a clear inconsistency between what they charged for and what they display in their total purchase details.

We decided to do some calculations and found that the price difference equals all the discounts he was entitled to, including the members discount. Nevertheless, my friend contacted them to clarify why an item was canceled and why they charged more than the B&N account indicates. Four business days have passed and they have not responded. My friend will call them tomorrow morning to straighten things out with them. In the worst case, we will likely cancel all purchases with them.

In summary, B&N sucks because:
1. They cancel items in the order without justification or warning.
2. They charge more than the total shipment price that they display to you on their website and via email, without notification or consent.
3. They show that your discount coupons are in use, but once they cancel one of the items without your consent, all your discounts go as well, without notifying you.
4. They do not respond to 'customer care' emails.

Personally, I will stick to Amazon, as I have always done, despite their pricey international shipping options. I have purchased over $1000 worth of books from Amazon, and I am completely satisfied with their excellent and transparent service.