John Traenkenschuh

The Security Forest in the Corporate Trees

The cost of a compromise

I read a lot of articles this week about the latest Windows patch, one rushed to users.  Computerworld nailed the issue well.

Did you notice the information that Vista and Windows 2008 were less affected and required additional authentication?  Did you notice that those using yesteryear's technology were, in fact, open to anonymous hacking that could automate worm attacks into 0wnership of your system?

As you went to Microsoft's site for even more details, you may have found that older technologies at risk, NT 4.0 for example, are not covered.  They are at end of life.  They are vulnerable.

So what is the cost of a compromise?

I don't intend compromise in the sense of a security compromise of the system.  No, I'm talking about the other compromise.  Maybe you've experienced these compromises?

  • Upper management says cut costs and so the Windows 9x systems remain in production.
  • Developers complain that firewall rules are too severe, hampering 'production' or 'business itself'; and those rules are weakened such that the Zero-Day exploits rip through a company's Internet presence into the Intranet.
  • ITSM metrics gods complain that patching will take down systems and cost money.  No matter with what urgency a patch is released, the bean counters advise waiting until the next monthly cycle.

I was happy that this patch was rushed out to us, off-cycle though it may be.  I'm glad that we all have a chance to patch up as the hack tools get readied for attack.  But what concerns me most are the other compromises, compromises to sound Architectural and Security Lifecycle management; these are the compromises that matter more than the security compromises that are the inevitable consequence of the real compromises.

jt

What People Are Saying

Huh?

You add the free version of Kerio/Sunbelt, Sygate, or Comodo firewall to Win98, WinNT, Win2K or WinXP and you end up with much better security than Vista, and you are pretty much done having to worry about this latest bug. I really find it annoying when people act like there is no easy fix for older versions of Windows when you just need to use some 3rd party app, often free, to take care of business.