
Infrastructure Security: System Hardening • Chapter 8  487


                        Good practice indicates that the default permissions allowed in most
                   OS environments are designed for convenience, not security. For this
                   reason, it is important to be diligent in removing and restructuring these
                   permissions.



                 Updates

                 Updates for OSes and NOSes are provided by the manufacturer of the specific
                 component. Updates contain improvements to the OS, and new or improved
                 components that the manufacturer believes will make the product more stable,
                 usable, secure, or otherwise attractive to end users. For example, Microsoft
                 updates are often specifically labeled Security Updates. If you have never taken
                 a look at these, they can be viewed at
                 www.microsoft.com/athome/security/update/bulletins/200701.mspx. These updates
                 address security concerns recognized by Microsoft, and should be evaluated and
                 installed as needed. In addition, updates may enhance the capability of a function
                 within the system that was underdeveloped at the time the system or application
                 was released. While you may be tempted to rush out and install these updates on
                 all your vulnerable systems, you may want to test their effect first. Updates
                 should be thoroughly tested in non-production environments before implementation.
                 It is possible that a “new and improved” function (especially one that enhances
                 user convenience) may actually allow more potential for a security breach than
                 the original component. Complete testing is a must.


                   Damage & Defense…

                   Updates, Hotfixes, Patches, and….

                   Affected by the Slammer worm? Problems with MyDoom? Most of those
                   infections and much of the down time could have been avoided if security
                   and network professionals had taken the time to download, evaluate, and
                   install patches for known vulnerabilities. Although these two conditions
                   were curable with the use of anti-virus solutions, the proliferation of
                   these problems would not have been as intense had administrators and
                   security professionals worked more diligently to protect their systems.
                   As the emphasis over the past couple of years has switched to security
                   and integrity, more problems have been recognized in all platforms. Be
                   aware that although you will rarely get recognition for not being hacked,
                   you will most certainly be recognized (and perhaps no longer employed) if
                   your systems are hacked and negligence is shown on your part. Always be
                   sure to test recommended updates and patches in a non-production
                   environment first, to ensure full compatibility with your systems.


                                                                              www.syngress.com