Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Oct 28, 2002 (Vol. 7, #68 - Issue #399)
Why Not Patch?
  This issue of W2Knews™ contains:
  1. EDITOR'S CORNER
    • Whoops! My Math Was Way Off
  2. TECH BRIEFING
    • Why Not Patch?
  3. NT/2000 RELATED NEWS
    • Microsoft Unleashes Office 11 On Beta Testers
    • Next NT Version After .Net
  4. NT/2000 THIRD PARTY NEWS
    • Are You Finally Using Active Directory?
    • What Categories Of Security Tools Are There Anyway?
    • HIPAA Additional Deadline Data
    • Information Security Policies Made Easy, Version 9
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • Information Security Policies Made Easy, Version 9
  SPONSOR: Aelita
FREE ERDisk 6.5 for Active Directory Eval!

Migrating to Active Directory and Exchange 2000? Don't do it without new Aelita ERDisk(tm) 6.5 for Active Directory! It's the only solution that allows you to granularly restore AD objects, attributes and Group Policies without taking AD offline. If you need to keep your business critical AD and Exchange 2000 up and running, then get ERDisk for AD 6.5. Download your FREE eval TODAY! Visit Aelita for more information.

  EDITOR'S CORNER

Whoops! My Math Was Way Off

I do not know where I was "hanging out", but it was certainly not in "present time" for about 10 minutes when I wrote last week's article about double the number of patches. MS has issued 61 patches so far this year (nearly the end of October) compared with 60 last year. I guess I was still thinking about my summer vacation, so I was "living in the past" when I simply doubled the number. Elementary extrapolation suggests an expected increase of roughly 20%. Mea maxima culpa. [grin]

Nevertheless (I'm never discouraged!), I have some more data about the headaches of patching which you may like. See the "Tech Briefing" in this issue: Why Not Patch?

Three Quotes of the day:

  1. Answering Machine...
    Hi. If you are a burglar, checking to see if anyone is home, then we're probably at home cleaning our weapons right now and can't come to the phone. Otherwise, we probably aren't at home and it's safe to leave us a message.
  2. Work... 'The harder I work, the luckier I get.' Thomas Edison.
  3. Webbies... Computers make very fast, very accurate mistakes.
Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])
  SPONSOR: Double-Take
Your #2 headache is High Availability. It's your job to keep mission critical data available for your users. Double-Take is the World's Number One tool for data replication and disaster recovery. Verified for all W2K Platforms. How it works? "Server A dies, Server B takes over transparently". Your users won't even know there was downtime. Double-Take outsells all other solutions for W2K combined. It's time you check it out too. This is the ultimate job security tool: Visit Double-Take for more information.
  TECH BRIEFING

Why Not Patch?

We are now at the end of October, and this month Microsoft has already released 8 security bulletins for its OS and applications. Every month brings an unrelenting, constant reminder that your machines need to be patched. To give you an idea of the kind of security and data integrity problems being announced on a regular basis, take a look at this list, taken directly from Microsoft's TechNet Website.

MS02-061 : Elevation of Privilege in SQL Server Web Tasks (Q316333)
MS02-060 : Flaw in Windows XP Help and Support Center Could Enable File Deletion (Q328940)
MS02-059 : Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008)
MS02-058 : Unchecked Buffer in Outlook Express S/MIME Parsing Could Enable System Compromise (Q328676)
MS02-057 : Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution (Q329209)
MS02-056 : Cumulative Patch for SQL Server (Q316333)
MS02-055 : Unchecked Buffer in Windows Help Facility Could Enable Code Execution (Q323255)
MS02-054 : Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048)
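As an added illustration (not part of the newsletter), a small Python script that parses bulletin lines in the layout above into bulletin id, title and KB article, groups them by KB, and reports which bulletins an inventory of installed KBs leaves open. The sample list is constructed from the eight entries quoted above; note that Q316333 is shared by MS02-061 and MS02-056, so counting open items by KB article and by bulletin id give different answers.

```python
import re
from collections import defaultdict

# Constructed sample: the eight October 2002 bulletin lines quoted above,
# in the "MSyy-nnn : Title (Qnnnnnn)" layout used on this page.
BULLETINS = """\
MS02-061 : Elevation of Privilege in SQL Server Web Tasks (Q316333)
MS02-060 : Flaw in Windows XP Help and Support Center Could Enable File Deletion (Q328940)
MS02-059 : Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008)
MS02-058 : Unchecked Buffer in Outlook Express S/MIME Parsing Could Enable System Compromise (Q328676)
MS02-057 : Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution (Q329209)
MS02-056 : Cumulative Patch for SQL Server (Q316333)
MS02-055 : Unchecked Buffer in Windows Help Facility Could Enable Code Execution (Q323255)
MS02-054 : Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048)
"""

# bulletin id, then the title, then the KB article in trailing parentheses
LINE_RE = re.compile(r"^(MS\d{2}-\d{3})\s*:\s*(.*?)\s*\((Q\d+)\)\s*$")


def parse_bulletins(text):
    """Return a list of (bulletin_id, title, kb_article) tuples, skipping unparseable lines."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parsed.append(m.groups())
    return parsed


def bulletins_by_kb(parsed):
    """Group bulletin ids by the KB article that ships their fix."""
    groups = defaultdict(list)
    for bulletin_id, _title, kb in parsed:
        groups[kb].append(bulletin_id)
    return dict(groups)


def unaddressed(parsed, installed_kbs):
    """Bulletin ids whose KB article is not in the installed set (hypothetical inventory)."""
    return [bulletin_id for bulletin_id, _title, kb in parsed if kb not in installed_kbs]


if __name__ == "__main__":
    parsed = parse_bulletins(BULLETINS)
    for kb, ids in sorted(bulletins_by_kb(parsed).items()):
        print(kb, "covers", ", ".join(ids))
    # Constructed inventory: a server that has only the SQL Server cumulative patch installed.
    print("still open:", unaddressed(parsed, {"Q316333"}))
```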

It still surprises some in the industry that so many computers are not being patched. The eternal question is, "Why?" With so many unpatched flaws leaving businesses vulnerable to attack, and so many businesses actually being attacked, one wonders if we are simply burying our collective head in the sand. While this statement seems harsh, the facts are sobering.

In the 2002 CSI/FBI Computer Crime and Security Survey, there are two startling facts:

  1. In 2001, 64% of the respondents stated that they were victims of some kind of unauthorized use of their systems. This is a substantial figure, but the next one is more frightening.
  2. In the same year, 11% said they did not know if their systems were invaded in this way.
(Survey results were obtained from the following site:
http://www.w2knews.com/rd/rd.cfm?id=021028TB-Survey_Results)

It is striking enough that the majority of respondents (64%) experienced some kind of intrusion, but the real number could be as high as 75%. The other 11% may have to be added, because not knowing means those respondents have not configured their systems to detect security threats at all.

The SANS Institute and FBI produce an informative list of the top-20 vulnerabilities in the world today. You can read about them at:
http://www.w2knews.com/rd/rd.cfm?id=021028TB-Top20

Half of the entries are directly related to patching. The other half relate to settings configuration. The latter half is why most administrators do not patch their systems. Here is the logic.

  1. The systems are properly configured, firewalls in place, and/or intrusion detection systems installed. This means the systems are configured optimally.
  2. Patching is inherently dangerous. I cannot afford the risk of downtime.
  3. I have most of the security problems covered. So, why worry?
This line of thinking is flawed, because the proper configuration of a system is an on-going process requiring the most secured settings and current patches. One cannot wait for service packs as a means to mitigate the risk of downtime.

With the volume of security flaws being detected in software every month and the risk of being a victim as a result of poor patching practices, everyone agrees that patching is essential for security. Yet, most organizations do not patch their systems regularly. This is a fundamental disconnect. It is widely understood that most systems are not being patched as a result of two fears.

  1. Downtime risk is perceived to be too great to mitigate.
  2. There are so many patches, no one has time to research them, and the deployment is too complicated.
By addressing these important concerns, one can join the ranks of administrators regularly patching systems to help make them secure. Only a handful of solutions address these risks. One solution that solves these problems is the best selling remedy tool in the market, UpdateEXPERT. Here's how these problems are solved:
  1. Downtime risk is mitigated by a team of developers and quality assurance technicians who research and test every patch for even the most obscure, unpublished tidbits of information. This research provides key information that UpdateEXPERT's management console uses to ensure quality deployment. Since this information is researched independently, UpdateEXPERT does not rely on one source from Microsoft to determine the proper deployment course.
  2. UpdateEXPERT does not require any programming. Once the user knows the patches required, it is a simple matter to just manage all systems at once. UpdateEXPERT knows what patches are applicable to each system and in what order patches should be deployed without requiring a client agent. Finally, the independent research and testing provide info that keeps users from deploying patch combinations that the UpdateEXPERT team knows can create conflict.
By building intelligence into their independent deployment database, UpdateEXPERT is the reliable solution for dedicated administrators. There is a free, 15-day, 5-machine, functional trial available for download. The price is very affordable, and the time you save using this product means that you can get back to doing what you really love... assuming that's not patching.
http://www.w2knews.com/rd/rd.cfm?id=021028TB-UpdateEXPERT
  NT/2000 RELATED NEWS

Microsoft Unleashes Office 11 On Beta Testers

MS will deliver to selected beta testers on Tuesday an early version of its long-awaited Office 11 desktop suite that will feature versions of Word, Excel, and Access that fully support XML.

To be made available to only a "few thousand" testers, MS will be heavily emphasizing the new suite's ability to better connect people with each other in order to better collaborate and share data more seamlessly, but also to connect business processes both inside and outside the firewall. For the full story at the InfoWorld site:
http://www.w2knews.com/rd/rd.cfm?id=021028RN-Office11

Next NT Version After .Net

Well, it looks like WinNet (2003) goes gold before Christmas and you should be able to get your hands on it mid Feb next year. They are at around build 3700 so it better be shaping up. [grin] Release Candidate 1 was pretty good and RC2 should be even better. Oh well, just a heads-up for some potentially heavy traffic in server rebuilds Q1 next year.

I'd expect the next version after WinNet a couple of years later, perhaps 2005 or even 2006. It's code named Blackcomb, and the really new feature will be its object file system. This is all based on the new SQL version, code named Yukon. You could also call it unified storage, but I still need to get some details about that. Stay tuned.

  THIRD PARTY NEWS

Are You Finally Using Active Directory?

And discovered that managing AD really is a [email protected]? Found yourself with large binders trying to keep track of everything? Well, it's as simple as this: you need tools to manage AD better. You asked for it. We're delivering it: Active Administrator.

  • Manages Active Directory Security and Group Policies
  • Manage and Report on Delegation of Control
  • Report on Active Directory Security and Group Policy Objects
  • View Resultant Set of Policies (RSoP)
  • Copy Group Policy Objects between domains and forests
  • Backup and Restore Group Policy Objects
  • Easy to use GUI as well as command line functionality
This is really worth checking out. And the licensing is dirt cheap compared to what else is out there.
http://www.w2knews.com/rd/rd.cfm?id=021028TP-ActiveAdministrator

What Categories Of Security Tools Are There Anyway?

In the Tech Briefing above, we mentioned SANS. This institute is a great resource for security conscious system admins. I recently received a mailer from them and was astounded to see how many different categories of security tools there are now. So I thought: well, here are the different layers you can use to defend your networks.

  • Active Content Monitoring/Filtering
  • Database Security
  • Risk Assessment
  • Intrusion Detection - Host Based
  • Firewalls
  • Intrusion Detection - Network Based
  • Authorization
  • Network Authentication
  • Security Appliances
  • Security Services: Penetration Testing
  • Authentication
  • Certificate Authority
  • File & Session Encryption
  • VPNs & Cryptographic Communications
  • Secure Web Servers
  • Single Sign-On
  • Web Application Security
  • Vulnerability Scanners - Network
  • Vulnerability Scanners - Host Based
  • Real-Time Security Awareness / Incident Response
  • Enterprise Security Policy Implementation
  • Enterprise Security Administration
  • Managed Security Services
  • Security Services: Policy Development
  • Trusted Operating Systems
  • Anti D.D.o.S. Tools
Quite the collection don't you think? Let me know if you want the definitions for these categories. My feedback email address is above, at the end of the Editor's Corner.

HIPAA Additional Deadline Data

Michael White was kind enough to send me additional data regarding the deadlines healthcare industry organizations are under:

"I do have to point out one thing that was mentioned related to the compliance date for network security. "Under HIPAA, firms not meeting network security compliancy by April, 2003..." The April, 2003 deadline is specifically related to the Privacy rule (45 CFR Parts 160 and 164). The proposed Security Rule (45 CFR 142) was published as an NPRM in the Federal Register on August 12, 1998. As far as I am aware - and I have been looking for this final rule - the final Security Rule has yet to be published in the Federal Register. When the final rule does get published, covered entities would have 24 months after the effective date (36 months for small health plans). The effective date of the final rule will be 60 days after the final rule is published in the Federal Register (Federal Register vol. 63 No. 155 p. 43249).

While network security must be in place to protect the privacy of protected health information there are different standards that must be complied with related to HIPAA and the compliance dates for those standards are different."

Information Security Policies Made Easy, Version 9

The most comprehensive set of information security policies at your fingertips. Information Security Policies Made Easy v.9 contains a completely revised text, policies organized in ISO17799 format and a web based CD-ROM version which is fully linked and searchable. Take the work out of creating, writing and implementing policies.

Information Security Policies Made Easy, the ultimate policy development resource guide, now includes an updated collection of 1360+ security policies and templates covering virtually every aspect of corporate security. Used by over 70% of the Fortune 100, Information Security Policies Made Easy is written by security policy expert and consultant Charles Cresson Wood, CISA, CISSP, who has over 20 years writing and implementing security policies for companies worldwide.

Mr. Wood includes advice and instructions to help you generate practical, clear, and compelling information security policies for your organization - whether your organization is large or small. Simply find the policy you need in the book or on the CD and then just cut, paste, and customize! You'll save hours of time and thousands of dollars developing best practice information security policies. For additional information:
http://www.w2knews.com/rd/rd.cfm?id=021028TP-PentaSafe

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • The recent interview with Steve Ballmer about Software Assurance. Here is all the data from the horse's mouth:
    http://www.w2knews.com/rd/rd.cfm?id=021028FA-Ballmer
  • A few issues ago we sent you to a site that had cyberfireworks, but the traffic was too much and they took it down. Here's another one!
    http://www.w2knews.com/rd/rd.cfm?id=021028FA-fireworks
  • Remember I asked for a coffee machine with a chip in it? A subscriber sent us this: Now this is a COFFEE MACHINE, and a pretty wild case mod to boot:
    http://www.w2knews.com/rd/rd.cfm?id=021028FA-Coffee_Machine
  • No, this commercial is NOT what you think when you first see it. Your mind is going to play a trick on you, be warned: (MPG file, 600K)
    http://www.w2knews.com/rd/rd.cfm?id=021028FA-Commercial
  • Got kids? Here's a story about a kid that got lost in a (big) store and the policies they have in place to make sure they get found ASAP. This is a read:
    http://www.w2knews.com/rd/rd.cfm?id=021028FA-Wal-Mart
  • Extremely useful to check on your internet domain information:
    http://www.w2knews.com/rd/rd.cfm?id=021028FA-Domain_Info
  • The Golden Age of hacking rolls on. Good article in InfoWorld:
    http://www.w2knews.com/rd/rd.cfm?id=021028FA-Hacking
  PRODUCT OF THE WEEK

Information Security Policies Made Easy, Version 9

The most comprehensive set of information security policies at your fingertips. Information Security Policies Made Easy v.9 contains a completely revised text, policies organized in ISO17799 format and a web based CD-ROM version which is fully linked and searchable. Take the work out of creating, writing and implementing policies.

Information Security Policies Made Easy, the ultimate policy development resource guide, now includes an updated collection of 1360+ security policies and templates covering virtually every aspect of corporate security. Used by over 70% of the Fortune 100, Information Security Policies Made Easy is written by security policy expert and consultant Charles Cresson Wood, CISA, CISSP, who has over 20 years writing and implementing security policies for companies worldwide.

Mr. Wood includes advice and instructions to help you generate practical, clear, and compelling information security policies for your organization - whether your organization is large or small. Simply find the policy you need in the book or on the CD and then just cut, paste, and customize! You'll save hours of time and thousands of dollars developing best practice info-security policies.

http://www.w2knews.com/rd/rd.cfm?id=021028PW-PentaSafe