To Patch or Not To Patch, That is the Question!

Ahhh, the big question of tradeoffs. Do you apply the new Microsoft patch and stop Exchange from working with your Blackberry users or do you risk being compromised and worm infected when attackers release malware based on the vulnerability?

That is a HUGE question for many organizations. Right now, as I write this, several folks are contemplating that very question. Do you take the risk of a breach or keep your users happy? Both have large political fallout issues and long term impacts. Both have highly visible outcomes.

How do you make such a decision? Well, our suggestion is to evaluate the risks to your organization. But, that said, we are risk management folks, and others might not agree. We suggest you evaluate the potential of damage to your business that a compromise or worm infection could cause (perhaps based on your latest risk assessment) and compare that to the losses from having some members of your user population (the Blackberry users) partially unable to access some services in Exchange. Complete the process by converting these risks to real dollar damages to the bottom line and then decide. Of course, don’t forget to include regulatory and reputational damages in the comparison.

For some organizations that are truly dependent on the Blackberry technology, the case may be that patching is the greater risk. For those organizations with additional controls and security mechanisms protecting their Exchange implementations, the risk may be partially mitigated and thus much smaller. For most, however, the answer will be to apply the patch. Then the question becomes: how do you explain to users the tradeoff you have been forced to accept?
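To make the comparison above concrete, here is an added example (not code from the post or from MicroSolved) that puts dollar figures on the three choices just described: patch now, defer the patch, or defer it behind additional controls. Every probability and dollar value in it is a constructed assumption; the point is the shape of the comparison, and how the answer flips for an organization that is heavily dependent on the broken service.

```python
"""Added example (not from the post): expected-loss comparison for a patch
that breaks a service. Every probability and dollar figure is a constructed
assumption standing in for numbers from your own risk assessment."""
from dataclasses import dataclass


def exposure_probability(p_daily: float, days: int) -> float:
    """Chance of at least one successful attack while unpatched for `days`,
    assuming a constant per-day probability of exploitation."""
    return 1.0 - (1.0 - p_daily) ** days


@dataclass(frozen=True)
class Option:
    name: str
    p_compromise: float        # probability of compromise over the window
    compromise_loss: float     # direct + regulatory + reputational damage ($)
    availability_loss: float   # certain loss from users cut off from a service ($)
    control_cost: float = 0.0  # cost of any compensating controls ($)

    def expected_loss(self) -> float:
        return (self.p_compromise * self.compromise_loss
                + self.availability_loss + self.control_cost)


def build_options(days: int, p_daily: float, breach_loss: float,
                  affected_users: int, loss_per_user_day: float,
                  control_effect: float, control_cost: float) -> list[Option]:
    """Model the window until a fixed patch or vendor workaround arrives."""
    outage = affected_users * loss_per_user_day * days
    return [
        Option("patch now", 0.0, breach_loss, outage),
        Option("defer patch", exposure_probability(p_daily, days), breach_loss, 0.0),
        Option("defer with added controls",
               exposure_probability(p_daily * (1 - control_effect), days),
               breach_loss, 0.0, control_cost),
    ]


def choose(options: list[Option]) -> Option:
    """Lowest expected loss wins; ties go to the first listed (patching)."""
    return min(options, key=lambda o: o.expected_loss())


if __name__ == "__main__":
    common = dict(days=14, p_daily=0.02, breach_loss=2_000_000,
                  loss_per_user_day=150, control_effect=0.5, control_cost=20_000)
    for users in (100, 400):   # modest vs. heavy Blackberry dependence
        opts = build_options(affected_users=users, **common)
        for o in opts:
            print(f"{users:>4} users  {o.name:<26} ${o.expected_loss():>12,.0f}")
        print("  -> choose:", choose(opts).name)
```

With 100 affected users, patching is the cheapest option; with 400, deferring behind compensating controls wins, which is the dependent-organization case the post describes.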

For those organizations choosing not to patch, be very careful. A widely deployed product such as Exchange makes a ripe target for attackers and worms. Make sure you monitor the systems, networks and log files continually until you can apply the patch.

For those that patch and have to explain the solution to users who won’t be praying the “Blackberry prayer” for a while, be honest, open and up front. The more we explain the ideas of risk management to our users, the better decisions we empower them to make in the future. Awareness truly may be the key to a more secure future for all of us.

This entry was posted in General InfoSec by Brent Huston.

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!