Why a ‘patchwork’ approach to security is right for your biz

There’s a simple way to reduce your network’s exposure to malicious attacks–and I bet most of you aren’t doing it.

The secret? Install security patches as they’re released.

Okay, maybe that’s not such a secret. After all, that’s why vendors write patches. But for a variety of reasons, many organizations ignore security fixes until intruders take highly publicized advantage of the holes the patches are meant to correct.

Some organizations neglect to patch their software simply because they never hear that a patch has been released. How can you avoid this pitfall? The best way I know to stay on top of security holes is to become a regular visitor to SecurityFocus.com: check daily for new security advisories, and sign up for the appropriate Bugtraq mailing list. Subscribe to your vendors' own security announcement lists as well, since that is where they announce their fixes.

And if you don’t have time to monitor the information yourself, assign it to someone else on your staff.

Some organizations steer clear of patches for a different reason. Every time you change code on a production machine, you risk breaking something the patch's authors never tested when they corrected the flaw. It's a troublesome problem, because, as Clarence Carter sang more than 30 years ago, we depend on patches. Only you can decide which threat is more dangerous: leaving a known hole open, or risking the stability of a server.

To minimize the risk inherent in applying new patches, I suggest a phased deployment. First patch a test server, ideally one that runs a selection of the applications typical on your network, or better yet, one that mirrors a critical production server (same OS version, same applications, same configuration). Then let it run for a day or more.

If nothing bad happens, roll out the patch to a machine that serves a small group of users–ideally, a group not working on mission-critical applications, and one that understands and accepts the need for guinea pigs.

Finally, if all is well, you can deploy the patch to the rest of the network.

Sometimes, all isn't well. I should hardly have to say it, but you'd be surprised at the foolish things people do in the interest of saving time. So before you touch a production machine, make sure you have a complete backup you have actually tested restoring from, and know how to uninstall the patch, in case it turns out to be faulty!
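As an added illustration (not from the original column), here is a shell script that encodes the rollout order described above: back up, patch, health-check and soak one ring before advancing to the next, and roll back and stop at the first failure. The host names are hypothetical, and backup_host, apply_patch, restore_host and health_check are stand-ins that only record what a real script would do; FAIL_HOSTS lets you simulate a bad patch.

```shell
#!/usr/bin/env bash
# Phased patch rollout: test ring, then pilot ring, then production, each gated
# on a health check and a soak period. Host names are hypothetical, and
# backup_host/apply_patch/restore_host only record what a real script would do.

# Rings in rollout order (hypothetical hosts).
RING_TEST="test-web01"
RING_PILOT="pilot-web01 pilot-web02"
RING_PROD="web01 web02 web03"

# Soak time between rings. The column suggests a day or more; 0 here so the
# example runs instantly (override with e.g. SOAK_SECONDS=86400).
SOAK_SECONDS=${SOAK_SECONDS:-0}

# Hosts whose health check should fail, to simulate a bad patch
# (e.g. FAIL_HOSTS="pilot-web02"). Empty means every host stays healthy.
FAIL_HOSTS=${FAIL_HOSTS:-}

PATCHED=""      # hosts that received the patch, in order
ROLLED_BACK=""  # hosts restored from their pre-patch backup
LAST_RING=""    # the last ring attempted

backup_host() {  # $1 = host. Real use: snapshot or full backup before any change.
    echo "backup  $1"
}

apply_patch() {  # $1 = host. Real use: run the vendor's installer on the host.
    echo "patch   $1"
    PATCHED="${PATCHED:+$PATCHED }$1"
}

restore_host() { # $1 = host. Real use: restore the backup taken by backup_host.
    echo "restore $1"
    ROLLED_BACK="${ROLLED_BACK:+$ROLLED_BACK }$1"
}

health_check() { # $1 = host. Returns 0 when healthy, 1 when the patch broke it.
    case " $FAIL_HOSTS " in
        *" $1 "*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Patch every host in one ring. On the first failed health check, restore that
# host and return 1 so the rollout stops before touching the next ring.
rollout_ring() { # $1 = ring name, remaining args = hosts
    local ring="$1" host
    shift
    LAST_RING="$ring"
    for host in "$@"; do
        backup_host "$host"
        apply_patch "$host"
        if ! health_check "$host"; then
            echo "ring $ring: health check failed on $host, rolling back"
            restore_host "$host"
            return 1
        fi
    done
    echo "ring $ring: healthy, soaking for ${SOAK_SECONDS}s before the next ring"
    sleep "$SOAK_SECONDS"
}

# Walk the rings in order; return 0 only when production was patched cleanly.
rollout_all() {
    PATCHED="" ROLLED_BACK="" LAST_RING=""
    rollout_ring test  $RING_TEST  || return 1
    rollout_ring pilot $RING_PILOT || return 1
    rollout_ring prod  $RING_PROD  || return 1
}

# Stand-alone run; try FAIL_HOSTS="pilot-web02" to watch the rollout stop early.
rollout_all
```

Run it as is and all three rings are patched; run it with FAIL_HOSTS="pilot-web02" and the pilot host is restored from its backup and production is never touched, which is the point of having a pilot ring in the first place.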

One other decision to make with clear eyes: changing platforms. Yes, some vendors are more noted than others for writing software whose security resembles Swiss cheese, and some have better reputations. Even so, it isn't realistic to use that fact as an excuse to switch platforms in the hope of never having to deal with patches. Every platform needs them.

The hard fact is, for better or worse, a given platform usually hosts a raft of critical applications that won't run on a more secure operating system. Usually, the utility of the applications outweighs the need for airtight security. The time to decide whether features or security take precedence is before developing or purchasing new software, not once it is in production.

Given all that, isn’t the end conclusion obvious? Take a patchwork approach to your security needs to help keep your company’s network safe.

Bill Gates ain’t no Moses: Why tablets won’t take off

Bill Gates said in his Comdex keynote address this week that he hopes a lot of people in the audience will be taking notes on a Tablet PC by next year.

I don’t see it. If it takes off at all, expect to see the Tablet PC relegated to home users.

Why? Because businesses don’t need tablets. Hardware only succeeds where there’s an ecological niche for it, and right now there isn’t one for tablets. Those for whom portability is paramount are already well served by Palm OS devices and Pocket PCs. Those who need full client functionality in a portable package have a number of notebooks that weigh less than four pounds to choose from.

What advantage does a tablet have over what’s already out there? Handwriting recognition? Give me a break. It already exists on the Pocket PC, and I don’t know anyone who uses it. Maybe that’s because I’ve yet to see a handwriting recognition application that gets even 90 percent of my words right.

Besides, writing any reasonable amount of text by hand is glacially slow compared to typing it. Sure, you can add a keyboard to a tablet PC, but then what have you got? An awkward laptop computer.

Wireless connectivity? That's a plus, all right, but put a wireless network adapter in your notebook instead. Now you've got portability plus power for the roughly $100 a wireless NIC costs, far less than a whole new client platform that won't come in much under $2,000.

E-book reading? We’re grasping at straws here. There are plenty of e-book clients and software environments available now, and no one is clamoring for more.

No, about the only advantage I see to the Tablet PC is that it fits nicely in your lap when you’re sitting with your legs crossed or folded under you. Don’t laugh–that’s not trivial. It means that a tablet PC is a natural client for anyone who wants to watch TV and surf the Web at the same time.

And who’s doing that? Families. Teenagers. Not IT staffers (except maybe you guys on the third shift).

OK, maybe there’s one more advantage, and it’s arguable. With a tablet PC, you’ll no longer need a mouse or TrackPoint nubbin–you can point to items directly on the screen with the same implement you use to enter data. If that’s a big issue for you, stay tuned; all the usual ultralight hardware vendors, including Toshiba, Fujitsu, and NEC, are said to be working on tablet prototypes.

I’m usually willing to try any new gadget in the hope that it will help me work better and smarter. I haven’t tried a tablet yet, but I don’t see it helping anyone outside of the kind of vertical industries that already have adopted handheld PCs.

So don’t take the advent of the Tablet PC as a commandment for your organization. But don’t be surprised, either, if Microsoft makes the official announcement at Mount Sinai. After all, would you put it past them?
