On 26 Apr 2010 at 10:26, Ziots, Edward wrote:

> With your situation that probably is a better situation of the "wait and
> see" but what happens when the 0day that is being exploited and the patch
> comes out of cycle, do you still subscribe to the "wait and see" and allow
> the drive by attacks to continue? Hard question I am sure, but it's a risk
> that has to be either accepted or rejected.

Depends on the client. For clients where I have been able to put a "nobody runs as an admin user" policy in place I let them go longer. For clients where for business reasons (unusual software, mostly, but sometimes inertia) everybody is a local admin I'm aggressive about patching. I still let it go a day or two usually. Needless to say it's more expensive to support those types of clients.

> Also if you are supporting multiple small clients any way to do testing in
> the office on VM's before having clients updated accordingly? I like VM's in
> undoable mode, for this especially, either that or do snap-shots before
> patching and roll-back as needed.

Not cost effective IMHO. In small businesses almost every computer is different, different hardware, different software.

Like any insurance policy, AV and patching is a crap-shoot. Most of the time you win. The few times you lose, in a small business the cost is *_usually_* less than the accumulated cost of all the proactive work you would have had to do. In a large business where many people run identical or nearly-identical machines the cost of losing the crap-shoot is so high in terms of lost (wo)man-hours that you don't bet that way.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/