Posted on Tue, Jun 29, 2010 @ 09:35 AM
Authored by Michael Gargiullo, Sr. Security Consultant at Pivot Point Security.
I've been working on my old Mustang for about 15 years now.
It seems like there's always something that needs work: a light bulb here, a bit of polish there. While griping about this with an older car nut, I asked, "When does it ever end?" His answer... "When you sell it."
That term popped back up while discussing an infrastructure patch management policy with a client. We spoke about patching Microsoft servers and Red Hat servers. We discussed the difficulty in tracking down the more elusive patches for things like switches, routers and third-party software. We spoke about testing patches before deployment. Towards the end, the customer looked up with a smile and asked, "When does it end?" I smiled back and said... "When you sell it."
While it can sometimes be difficult to track down needed patches for older software, as long as the device is in operation it needs to be kept up to date. So as long as you 'own' it, you need to patch it. A number of times we've discovered a long-forgotten, unpatched Windows 98 or NT machine that allowed us that first foothold onto the network. So keep in mind an information security "Golden Rule" - If you can't patch it... it's time to sell it!