I wonder how many of you watch for new security problems and take action to correct any new problems that surface? Apparently, a large number of Windows NT users aren't very diligent in their quest for secure networks. This lack of diligence became apparent to me on July 19 when Microsoft rereleased a year-old security bulletin regarding a serious security problem with Internet Information Server (IIS) (covered in this issue). If administrators had noticed the bulletin a year ago and taken appropriate measures, Microsoft wouldn't have needed to rerelease that bulletin. Do people expect Microsoft to continually remind them about old security issues that they should have corrected long ago?
The reality is that we can't expect Microsoft to continually rerelease security bulletins to get people's attention. Securing a system using the available tools and information is the responsibility of the system owner—not Microsoft. If you don't look for new information, you won't find new information and, therefore, you won't be able to adequately secure your systems in a timely manner. So you must pay close attention and gather all the security-related information you can find. Toward this end, I highly recommend that you join the BugTraq, NTBugTraq, NTSD, and Microsoft Security Advisor mailing lists. Each list offers valuable and timely information regarding new risks related to Microsoft products. To join, see the subscription information later in this newsletter.
What's the cost of not correcting security problems quickly? As my colleague David LeBlanc so adequately pointed out on the NTBugTraq mailing list recently, the cost is probably measurable. David said that many administrators complain that applying a hotfix, service pack, or Registry change might break mission-critical applications on rare occasions. He went on to ask, Which is worse—fixing a broken application or eradicating an intruder that has penetrated your network defenses? If you've ever had to remove an intruder's access after a break-in, the answer is clear: It's far easier to fix a broken application than to remove an intruder. So keep that in mind the next time you contemplate fixing a security problem, because the wrong decision might cost you the entire business. Until next time, have a great week.