5 Secrets to Achieving and Sustaining Resilience

There is one thing you must do – and keep doing – to start down the path toward true enterprise resilience: Patch everything. All the time. Starting now.

To make your enterprise truly resilient you need a firm, reliable foundation of security. The successful laying of that foundation begins with patching. Why is this step so critical to effective security and enterprise resilience? Here are a few reasons:

According to the Verizon 2015 Data Breach Investigation Report, “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007—a gap of almost eight years.”

Gartner analyst Anton Chuvakin addressed this grave security concern in one of his blog posts.

“Although patching has been ‘a solved problem’ for many years, even decades, a lot of organizations struggle with it today—and struggle mightily,” he observed. “In the darkest woods of IT, patching third party applications on a desktop remains a significant challenge for many organizations.”

By the way, the National Vulnerability Database managed by the National Institute of Standards and Technology (NIST) states that some 86 percent of reported vulnerabilities come from third-party applications. So even the most robust patching of operating systems is inadequate to assure that your environment is secure enough to be truly resilient.

Do whatever it takes to ensure that all of your enterprise’s critical applications, operating systems, servers, and user devices are patched and updated consistently and in a timely fashion. Then begin the following actions:

  1. Plan – To make and keep your enterprise as resilient as possible, you and your team must develop and implement a comprehensive, business-centric plan for achieving and sustaining the resilience levels your business demands. Whether described as “high availability,” DR/BC, or otherwise, the goals of your plan should be the same—maximum resilience. And that plan requires a well-thought-out planning lifecycle, which in turn depends upon a formal, detailed policy for DR/BC.
  2. Analyze – Your plan should also be based on a business impact analysis (BIA) that maps out all critical processes, systems, and services, their owners, and their interdependencies. You and your team should then establish formal recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical business functions and supporting services. In addition, all of your service level agreements (SLAs) should be closely aligned with these objectives.
  3. Engage – To be as successful as possible, your plan must also include specific guidance for keeping the constituents IT supports engaged and informed about efforts to maximize resilience, security, availability, and recoverability. Such marketing and sales efforts may be unfamiliar territory for many in IT. However, they can be essential in gaining support from and eliminating objection or obstruction by those constituents.
  4. Update – Finally, a comprehensive plan must also include specific recovery and continuity plans and procedures. It must also include processes for testing these regularly and for regular review of all relevant policies, plans, processes, and procedures.
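The Analyze step above says a business impact analysis must map interdependencies and that RTOs and RPOs must line up with the SLAs. The following is an added example, not code from the article or from Shavlik, of why the interdependency map matters for that alignment: a service can be recovered no faster, and lose no less data, than the components it depends on. The service names, owners, objectives and SLA figures are constructed, and the roll-up assumes dependencies recover in parallel (so the effective RTO is the worst value along the chain, not the sum).

```python
"""Business impact analysis helper (added example): roll RTO/RPO up through
service dependencies and flag SLA promises the dependency chain cannot honour."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Service:
    name: str
    owner: str
    rto_minutes: int   # how long this component alone takes to recover
    rpo_minutes: int   # how much data this component alone may lose
    depends_on: List[str] = field(default_factory=list)


def effective_objectives(services: List[Service]) -> Dict[str, Tuple[int, int]]:
    """Return {name: (effective_rto, effective_rpo)}.

    A service cannot be back before everything it depends on is back, and it
    cannot keep data its dependencies lost. Assumption (this example's, not the
    article's): dependencies recover in parallel, so the effective RTO is the
    maximum along the chain rather than the sum.
    """
    by_name = {s.name: s for s in services}
    memo: Dict[str, Tuple[int, int]] = {}
    in_progress: set = set()

    def walk(name: str) -> Tuple[int, int]:
        if name in memo:
            return memo[name]
        if name in in_progress:
            raise ValueError(f"dependency cycle involving {name!r}")
        if name not in by_name:
            raise KeyError(f"{name!r} is referenced but missing from the BIA inventory")
        in_progress.add(name)
        svc = by_name[name]
        rto, rpo = svc.rto_minutes, svc.rpo_minutes
        for dep in svc.depends_on:
            dep_rto, dep_rpo = walk(dep)
            rto, rpo = max(rto, dep_rto), max(rpo, dep_rpo)
        in_progress.remove(name)
        memo[name] = (rto, rpo)
        return memo[name]

    for svc in services:
        walk(svc.name)
    return memo


def sla_gaps(services: List[Service], promised: Dict[str, Tuple[int, int]]):
    """promised: {name: (sla_rto, sla_rpo)} as written into the SLA.

    Returns (name, objective, promised, achievable) for every promise that is
    tighter than what the dependency chain can actually deliver.
    """
    achievable = effective_objectives(services)
    gaps = []
    for name, (sla_rto, sla_rpo) in sorted(promised.items()):
        eff_rto, eff_rpo = achievable[name]
        if sla_rto < eff_rto:
            gaps.append((name, "RTO", sla_rto, eff_rto))
        if sla_rpo < eff_rpo:
            gaps.append((name, "RPO", sla_rpo, eff_rpo))
    return gaps


# Constructed sample inventory; names, owners and numbers are illustrative only.
SAMPLE_SERVICES = [
    Service("shared-storage", "infra", rto_minutes=240, rpo_minutes=60),
    Service("ehr-database", "clinical-systems", 120, 15, ["shared-storage"]),
    Service("identity-provider", "infra", 30, 5),
    Service("patient-portal", "digital", 60, 0, ["ehr-database", "identity-provider"]),
]

# What the (constructed) SLA currently promises to the business.
SAMPLE_SLA = {
    "patient-portal": (60, 15),
    "identity-provider": (60, 15),
}

if __name__ == "__main__":
    for name, (rto, rpo) in effective_objectives(SAMPLE_SERVICES).items():
        print(f"{name:18} effective RTO {rto:4d} min  effective RPO {rpo:3d} min")
    for name, objective, want, got in sla_gaps(SAMPLE_SERVICES, SAMPLE_SLA):
        print(f"SLA gap: {name} promises {objective} {want} min, chain allows {got} min")
```

Running it shows the portal's own 60-minute RTO is meaningless while the storage it ultimately depends on carries a 240-minute RTO; the SLA gap report is the list to take back to the process owners before the SLA is signed.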

No enterprise can be fully agile or trustworthy if that enterprise is not sufficiently resilient. In fact, insufficient resilience can kill an enterprise in the face of a major disruption or disaster.

Begin by patching everything, all the time, starting now. Then, assess whatever current DR/BC resources and efforts are in place at your enterprise. Evaluate and triage these, then build upon them to reach and maintain the levels of resilience you, your constituents, and your enterprise want, need and deserve.


Surviving the Storm With Agility and Resilience

“The oak fought the wind and was broken, the willow bent when it must and survived.” – Robert Jordan, The Fires of Heaven

Many businesses are suffering the same fate as the oak mentioned in Robert Jordan’s quote. It’s Jordan’s willow that is standing the test of time thanks to its agility and resilience.

Business resilience

As is true with business agility, business resilience is a much broader and deeper consideration than many typical discussions of the subject.

Discussions surrounding resiliency tend to focus on disaster recovery and business continuity (DR/BC) tactics and tools. However, true business resilience is more than disaster recovery and even more than business continuity.

True enterprise resilience is a strategic focus on maintaining operational integrity and restoring it as quickly and completely as possible after any disruption—planned or unplanned, minor or catastrophic.


ISACA (formerly the Information Systems Audit and Control Association) is a membership organization that provides certifications, information, and guidance focused on auditing controls for computer systems.

Volume 3 of the 2009 ISACA Journal features an article by information security expert John P. Pironti called “Key Considerations for Business Resiliency.” That article provides both a comprehensive definition and a significant caveat for those pursuing business resilience (or resiliency).

“Business resiliency is the maturation and amalgamation of the individual processes of crisis management, incident response, business continuance and disaster recovery into one succinct set of processes and capabilities that work collectively, instead of independently.

This combination allows organizations to have minimal disruption in the event of a business-impacting incident that affects the entire organization, instead of focusing on incidents that involve specific information infrastructure areas.

“When evaluating these capabilities, it is important to understand that they are only as effective as the proactive planning and considerations that go into their development. Too often, planning accounts for only the most obvious considerations and does not incorporate crucial and essential considerations that have a greater effect on the business.”

Resilience defines the bottom line

As the ISACA quote above states, resilience includes multiple other elements beyond DR/BC. Despite the inclusion of BC in the description and intent of most DR/BC plans, these tend to focus on DR and IT.

True resilience, however, focuses more on the needs of and effects upon the business.

The goal of true resilience is to enable the business to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.

A specific focus area for resilience plans and strategies is the availability of essential IT and business services. Small-seeming differences can mean a lot.

For example, the difference between 99 percent availability and 99.9 percent availability is the difference between 1.68 hours and just more than 10 minutes of downtime every week. Most IT service level agreements (SLAs) focus on availability levels of 99.99 percent, or “four nines,” and 99.999 percent, or “five nines.”
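The weekly figures above follow from one formula, but in practice the question is asked the other way round as often as not (“what availability level does a 10-minute weekly downtime budget imply?”) and for several reporting periods at once. The following is an added example, not code from the article, that does both for the nines the article mentions; the period lengths (30-day month, 365-day year) are this example's assumptions.

```python
"""Availability arithmetic (added example): how much downtime a given number of
nines permits per period, and what availability a downtime budget implies."""

SECONDS_PER = {
    "day": 86_400,
    "week": 7 * 86_400,
    "month": 30 * 86_400,    # assumption: 30-day month
    "year": 365 * 86_400,    # assumption: non-leap year
}


def downtime_seconds(availability: float, period: str = "week") -> float:
    """Permitted downtime in seconds for an availability fraction (0.999 = 99.9%)."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * SECONDS_PER[period]


def availability_for_budget(downtime_budget_seconds: float, period: str = "week") -> float:
    """Inverse: the availability fraction needed to stay within a downtime budget."""
    if downtime_budget_seconds < 0:
        raise ValueError("budget must be non-negative")
    return 1.0 - downtime_budget_seconds / SECONDS_PER[period]


def nines_table(levels=(0.99, 0.999, 0.9999, 0.99999)):
    """Permitted downtime in minutes per period for each availability level."""
    return [
        {"availability": level,
         **{period: downtime_seconds(level, period) / 60 for period in SECONDS_PER}}
        for level in levels
    ]


def human(seconds: float) -> str:
    """Render seconds as the largest convenient unit for a report."""
    if seconds >= 3600:
        return f"{seconds / 3600:.2f} h"
    if seconds >= 60:
        return f"{seconds / 60:.2f} min"
    return f"{seconds:.1f} s"


if __name__ == "__main__":
    print(f"{'availability':>12} " + " ".join(f"{p:>12}" for p in SECONDS_PER))
    for row in nines_table():
        cells = [human(row[p] * 60) for p in SECONDS_PER]
        print(f"{row['availability'] * 100:>11.3f}% " + " ".join(f"{c:>12}" for c in cells))
    budget = 10 * 60   # ten minutes of downtime per week
    print(f"A {budget // 60}-minute weekly budget needs "
          f"{availability_for_budget(budget) * 100:.4f}% availability")
```

The table makes the cost conversation the article describes concrete: the step from four to five nines cuts the yearly downtime allowance from under an hour to a few minutes, which is the gap the extra infrastructure investment has to be justified against.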

These differences merely hint at the range of options available to those seeking to balance availability with cost, since higher availability almost always requires higher investment in infrastructure. IT decision makers are often significantly challenged by the need to associate costs with availability levels in ways meaningful to their business colleagues.

This challenge is a primary driver behind the growth of enhanced reporting and “chargeback” and “showback” features in IT infrastructure and service management offerings.

However, these can only improve the presentation of relevant information. They do nothing to make the underlying infrastructures and the services they enable more available, resilient, or robust. Such features can and should be included in resilience strategies and solutions, but they cannot and should not stand alone.


The One Thing Leading Businesses All Have in Common

Agility is more than simple, reactive adaptability. It’s even more than what’s usually covered by the discipline known as “change management.” (An aside: to succeed with change management, it is often necessary to… change management.)

So, what exactly is agility?

In August 2014, The Center for Effective Organizations (CEO) at the University of Southern California (USC) published its first book, The Agility Factor: Building Adaptable Organizations for Superior Performance. The Center has conducted its Organization Agility Research Program for more than a decade and studied more than 230 companies as part of the research that led to the book.

The authors found that “consistently high performers possess a capability to change their resources and processes repeatedly.” Such enterprises also “have the strategies, structures, resources, processes, and routines that allow them to both sense and adapt to environmental threats and opportunities as well as intentionally execute on strategic initiatives.”

This comparatively broad and proactive view of agility requires an equally agile IT infrastructure—and to be truly, reliably agile, that infrastructure must be secure.

Agility’s bottom-line benefits

Security obviously matters to those focused on agility, but why should those who focus on security care about agility?

In 2006, organizational effectiveness experts Edward Lawler and Christopher Worley wrote the book Built to Change: How to Achieve Sustained Organizational Effectiveness. According to Lawler and Worley, between 1973 and 1983, 35 percent of the top 20 Fortune 1000 companies were new to that list. That percentage of new top-20 companies grew to 45 percent between 1983 and 1993, and to 60 percent between 1993 and 2003.

Many, if not most, of the companies displaced by newcomers to the Fortune 1000 top-20 list not only fell to lower positions but ceased to exist entirely. Why? Because they were not sufficiently agile. So agility can be seen as a type of job security for security teams and their colleagues across the enterprise.

Agility also has more direct and positive effects on an enterprise’s bottom line, as a separate USC CEO study revealed. For that research, the Center evaluated the financial performance of more than 240 large firms across 17 industries and 30 years. “In every industry we studied, there were two or three ‘outperformers’: companies that achieved above average industry…performance more than 80 percent of the time.

When we compared our survey and interview data with the performance data, we observed a strong relationship between a company’s basic approach to management and its long-term profitability patterns. When markets and technologies changed rapidly and unpredictably—as they did in every industry over these 30 years—the outperformers had the capability to anticipate and respond to events, solve problems, and implement change better than thrashers. They successfully adapted. They were agile.”


User-Centered Security Is a Fine A.R.T.


While every enterprise is different, there are three fundamental characteristics common to all successful modern enterprises. The successful modern enterprise is:

  • Agile – able to navigate nimbly all types of internal and external change, expected and unexpected.
  • Resilient – able to avoid threats, disasters, and disruptions and to recover rapidly and seamlessly from those that cannot be avoided.
  • Trustworthy – able to credibly demonstrate and document operational transparency in ways that create and justify high levels of trust among all stakeholders.

It turns out there is also a single prerequisite for all three of the characteristics that make an enterprise “ART-ful.” That prerequisite is security. Specifically, user-centered security.

User-centered security is a focus on what users use to do their jobs—applications, information, devices, and network connections. Protect those things, and you can protect users from being victims of malware and other threats. Just as important, you can also protect users from being conduits into the enterprise for malware and other threats, all while keeping critical enterprise resources safe.

How to Achieve User-Centered Security

User-centered security is not only desirable, it’s achievable. The Australian Signals Directorate (analogous to the National Security Agency (NSA) in the United States) estimates that up to 85 percent of targeted attacks on IT environments are preventable by taking four simple steps:

  • Application whitelisting
  • Timely application patching
  • Timely operating system patching
  • Restricting administrative privileges to users who really need them

Unfortunately, such protections are like smarter eating and exercise habits. Most of us know what would be best for us to do, but we don’t always do it.

Take patching, for example. In an April 2015 alert, the US Computer Emergency Readiness Team (US-CERT) identified the Top 30 Targeted High Risk Vulnerabilities. The newest dates from 2014, the oldest from 2006. That means there are patches designed to remediate all 30 vulnerabilities, but many enterprises have not yet installed those patches, for whatever reasons.

Agility, resilience, and trustworthiness are the pillars supporting the successful modern enterprise. User-centered security, beginning with timely, effective patching, is the foundation that supports those pillars and enables the enterprise to implement the practices, processes, and services that make agility, resilience, and trustworthiness possible.

To build that foundation, your enterprise must first automate, integrate, and optimize management of its IT security efforts, starting with patching. As these efforts make IT security more consistent and user-centered, that security can be expanded across all of the IT-empowered services that enable the business. Security and its effective management make up the bedrock that complements the foundation.

Of course, none of these strengths can be achieved or sustained by processes or technologies alone. As with almost everything else a successful enterprise does, effective security and ART-fulness are achieved and sustained by people. Specifically, you and your people in concert with colleagues from across your enterprise. Evolution into a secure and ART-ful enterprise requires leaders, evangelists, champions, and supporters to implement and manage the user-centered security policies, processes, technologies, and services that make ART—agility, resilience, and trustworthiness—possible.


A Three-Pronged Approach to Thwarting Healthcare Data Breaches

Aging software, shared access, and the growing popularity of mobile devices have made the healthcare industry an easy target for hackers.

According to Healthcare Informatics, data breaches at health institutions represent 21 percent of global cyberattacks in the first half of 2015, exposing the personal information of millions of customers. Hackers are selling that data for hundreds of thousands of dollars.

To enhance security significantly, healthcare organizations can and should harness two strategies. One is comprehensive operating system and software application patching. The other is securing access to personal health information, personally identifiable information, and other business-critical information, for fixed-location and mobile users, devices, and applications. Both are relatively simple to implement and unlikely to generate user resistance.

Patch Management

Most breaches start with malware infection and most malware infections exploit vulnerabilities in unpatched software. Comprehensive patching of operating systems and software applications is, therefore, essential for maximum security and for compliance with relevant laws, regulations, and business requirements. This is especially important in environments that include old and shared systems running many different types and versions of operating systems and software.

Many organizations have spent years perfecting their server operating system and Microsoft software patching strategy, using essential tools such as Microsoft System Center Configuration Manager (SCCM). However, hackers seeking softer targets now focus their efforts on vulnerabilities in common, less-widely protected, third-party applications and browser add-ins, such as Adobe Acrobat Reader and Flash Player, Google Chrome, Mozilla Firefox, and Oracle Java.

According to the Center for Strategic and International Studies, 75 percent of attacks use publicly known vulnerabilities in commercial software. The 2016 Verizon Data Breach Investigations Report says that the top 10 vulnerabilities are responsible for 85 percent of all successful breaches and that eight of those are 13 or more years old. Attacks aimed at these and other vulnerabilities can be easily and consistently thwarted by regular patching.

Tools such as Microsoft SCCM excel at automated operating system patching. However, their abilities to patch third-party applications are insufficient.
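The US-CERT list of targeted vulnerabilities with fixes dating back to 2006, and the point above that operating-system patching is well covered while third-party applications are not, both come down to the same measurable quantity: how long a fix has been available on each host without being installed. The following is an added example, not code from the article or a Shavlik tool, that computes that patch lag from an inventory export and splits it by category so the third-party gap is visible. The inventory rows, product names, versions and release dates are constructed, and the 30-day SLA is an assumed policy value.

```python
"""Patch-latency audit (added example): measure how long fixes have been
available but not installed, split by operating-system versus third-party
software, and flag rows past a patching SLA."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints that compares numerically
    (so 8.0.101 is correctly newer than 8.0.77, which a string compare gets wrong)."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory rows: (host, product, category, installed, fixed_in, fix_released).
# Products, versions and dates are illustrative, not real advisories.
INVENTORY = [
    ("ws-01", "browser plugin",   "third-party", "18.0.0.204",     "23.0.0.162",     date(2016, 9, 13)),
    ("ws-01", "workstation OS",   "os",          "6.1.7601.23000", "6.1.7601.23500", date(2016, 9, 13)),
    ("ws-02", "pdf reader",       "third-party", "11.0.10",        "11.0.17",        date(2016, 7, 12)),
    ("ws-02", "workstation OS",   "os",          "6.1.7601.23500", "6.1.7601.23500", date(2016, 9, 13)),
    ("ws-03", "language runtime", "third-party", "8.0.77",         "8.0.101",        date(2016, 1, 19)),
]


def patch_lag(inventory, as_of: date) -> List[dict]:
    """Return one finding per row whose installed version is older than the fix,
    with the number of days the fix has been available as of `as_of`."""
    findings = []
    for host, product, category, installed, fixed_in, released in inventory:
        if parse_version(installed) < parse_version(fixed_in):
            findings.append({
                "host": host,
                "product": product,
                "category": category,
                "lag_days": (as_of - released).days,
            })
    return findings


def summarize(findings: List[dict], sla_days: int) -> Dict[str, dict]:
    """Per category: unpatched rows, the worst lag, and how many exceed the SLA."""
    summary = defaultdict(lambda: {"unpatched": 0, "max_lag_days": 0, "overdue": 0})
    for finding in findings:
        entry = summary[finding["category"]]
        entry["unpatched"] += 1
        entry["max_lag_days"] = max(entry["max_lag_days"], finding["lag_days"])
        if finding["lag_days"] > sla_days:
            entry["overdue"] += 1
    return dict(summary)


if __name__ == "__main__":
    findings = patch_lag(INVENTORY, as_of=date(2016, 10, 13))
    for f in sorted(findings, key=lambda f: -f["lag_days"]):
        print(f"{f['host']}  {f['product']:16} {f['category']:12} fix available {f['lag_days']:4d} days")
    for category, stats in summarize(findings, sla_days=30).items():
        print(f"{category:12} {stats}")
```

Sorted by lag, the report puts the oldest available-but-uninstalled fixes at the top, which is the same ordering the US-CERT list implies; the per-category summary is the number to track month over month if the goal is to close the third-party gap rather than just the operating-system one.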

Secure Information Access

Healthcare organizations looking to support mobile device use among doctors and other healthcare staff should start with a strategy that focuses on comprehensive, consistent protection of information. To be of maximum effectiveness and value, such a strategy must provide protection from threats whether users’ devices are “at rest” or “in motion.”

By far, the most widely used application is email. An effective data protection strategy must therefore be equally effective at guarding against malware hidden in email attachments and in other file types, whether those are being accessed by users of mobile or fixed-location devices. That strategy must also provide effective protection against threats from rogue applications.

The Shavlik Solution

Shavlik offers three essential tools for implementing a comprehensive software patching and information protection strategy:

  1. Shavlik Patch for Microsoft System Center integrates tightly with Microsoft SCCM to extend its patch vulnerability detection and deployment to third-party applications. Using SCCM’s own patch delivery mechanism, Shavlik Patch monitors and patches hundreds of popular, third-party applications, including those of Adobe, Apple, Google, Java, and Firefox. The intuitive Shavlik Patch SCCM console plug-in eliminates the manual steps required to define and load patch information into SCCM.
  2. For organizations that aren’t using SCCM or that lack an existing tool for server patching, Shavlik Protect is an effective, easy-to-use solution for automating the patching of everything from data center servers to client workstations and virtual environments.
  3. Advanced Endpoint Protection from BUFFERZONE, a Shavlik partner, provides effective, transparent protection of authorized applications and critical information from a wide variety of threats. This solution uses virtual containers to isolate entire application environments, including memory, files, registries, and network access. Malware, whether known or new, is restricted to the boundaries of the virtual container, never actually reaching the user’s system or the rest of the network. The BUFFERZONE solution can even defeat infections by ransomware or removable storage devices. Its protections provide a strong complement to Shavlik’s patch management offerings.

Where hackers are concerned, the worldwide healthcare industry is a prime target, but healthcare organizations can take steps today to ensure that they are protected. A security strategy that encompasses automated, comprehensive application and operating system security patching and secure information and application access can be implemented quickly and cost-effectively. Such a strategy can provide comprehensive protection from both known and emerging threats and attacks.


The Black Market for Medical Records and What It’s Costing Hospitals

Cybercriminals have discovered how profitable it is to steal and sell personal healthcare information. Now hospitals and medical centers are warding off more cyber-attacks as hackers look to pad their bank accounts.

89% suffered data breaches between 2014-2016

Between 2014 and 2016, 89 percent of healthcare organizations experienced some kind of data breach, according to a study conducted by the Ponemon Institute. The study found 45 percent of those organizations were hit five or more times in that same time period.

A majority of breaches, 68 percent to be exact, can be traced back to lost or stolen devices with access to sensitive data, according to a Forbes article on the recent trend in attacks on the healthcare industry.

112 million records compromised, selling for $10 to $500 per record

In the first half of 2015, the healthcare industry suffered more than 20 percent of global data breaches in which 84.4 million records were compromised. By the end of that same year, 112 million records had been accessed in a total of 253 breaches, according to Forbes.

So what’s the payout? On the black market of stolen data, sensitive patient information is worth anywhere from $10 to $500 per record, compared to credit card numbers which only sell for about a dollar.

While hackers make money, these attacks are proving to be costly for medical providers. In December of 2014, Anchorage Community Mental Health Services agreed to pay a $150,000 fine for violating HIPAA laws as a result of a data breach.

Hackers are also using stolen information to make fraudulent Medicare claims and pocket the cash. The feds lose roughly $60 billion to Medicare fraud annually.

99.9% of exploited vulnerabilities were compromised more than a year after a patch

With aging software running the equipment used by techs, nurses and doctors, plus the growing popularity of accessing critical medical data on mobile devices, the time is now for health providers to reinforce their IT defenses.

Don’t let the hackers win!

Shavlik solutions offer superior protection for data centers, endpoints, and mobile devices. A security strategy that encompasses automated, comprehensive application and operating system security patching and secure information and application access can be implemented quickly and cost-effectively. Such a strategy can provide comprehensive protection from both known and emerging threats and attacks.


Why the Healthcare Industry Is an Easy Score for Hackers

Worldwide, healthcare represents an industry that is worth several trillion dollars—and it is anything but secure. Several billions of dollars are lost each year to healthcare fraud, much of which involves compromised medical records.

In September 2015, Healthcare Informatics reported that in the first half of that year alone, the healthcare industry suffered 187 breaches, 21 percent of the 888 breaches reported worldwide. Those healthcare breaches resulted in 84.4 million compromised records or 34 percent of the worldwide total.

As reported in May 2016 by eSecurity Planet, the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data found that 89 percent of healthcare organizations were breached in the past two years. That same study found that 45 percent of those organizations had been breached five or more times in the same two-year period, the report added.

Healthcare as a target

Clearly, the worldwide healthcare industry is being increasingly targeted by the worldwide hacking industry. There are two main reasons for this: financial gain and opportunity.

  • Financial gain

Hackers have searched out other opportunities. The black-market value of a credit card number has fallen to about $1 per record, as financial organizations have become better at securing their databases, thwarting threats, and remediating successful breaches.

Meanwhile, personally identifiable information (PII) such as Social Security or National Insurance numbers is now worth 10 to 20 times that much, according to published reports. However, some hackers apparently offer “volume discounts.”

A June 2016 eSecurity Planet report said that a hacker was offering to sell 700,000 stolen records, including Social Security numbers and other PII for $655,000. This may have been a “loss leader,” however.

When personal health information (PHI) is added to the equation the value is even higher. Hackers or their sponsors can pose as doctors and use that PHI to file very profitable fraudulent insurance claims or order and resell controlled substances and medical equipment. Even without specific medical information, criminals can use PII to apply for loans. When combined with other information and counterfeit documents, PHI records can sell for as high as $500 each, according to a December 2014 Forrester Research report.

  • Opportunity

When one type of target becomes hardened, hackers tend to refocus their efforts on less secure types.

For example, after financial and retail organizations became better at securing centralized databases, hackers found ways to breach less-secure retail point-of-sale (POS) systems. Healthcare systems are ripe for this “soft target” approach and have been for some time now.

According to a warning issued in April 2014 by the FBI and obtained by Reuters, “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors. Therefore, the possibility of increased cyber intrusions is likely.” Current reality proves the prescience of that warning, and provides several reasons for its accuracy:

From a cybersecurity perspective, healthcare IT environments are chaotic. PCs are shared by multiple doctors and nurses. Aging medical equipment relies on software that rarely — or never — gets updated, and on outdated, unpatched, and sometimes even unsupported operating systems. In many cases the software provider may no longer even exist, making security updates difficult or impossible.

Doctors and other healthcare providers increasingly insist on using smartphones and tablets to exchange email with colleagues and patients and to view medical images and information at the bedside, at home, and on the road. The number and variety of mobile devices, operating systems, and system versions needing support create an unwieldy management and security quandary for healthcare providers and their IT and security teams.

This growing demand for mobile access to healthcare-related data has led to an escalation of data theft from lost or stolen devices. Some industry watchers estimate that lost and stolen devices account for as many as half of all healthcare cybersecurity breaches.

Solutions for managing and securing mobile devices and information can be unwieldy and generate resistance. Many solutions force users to switch back and forth awkwardly between managed corporate and unmanaged personal applications on the same device.

Other solutions require users to accept having their device usage monitored and managed when they are at home and at work. Many users consider such scrutiny an invasion of their privacy. Unfortunately, such disruptions and perceived intrusions cause some users to find ways to “work around” tools and measures intended to keep those users and the information they access secure.

Thus, many healthcare organizations allow medical staff and employees to connect their mobile devices to corporate networks, with little to no confidence in the security of those devices or their connections to critical corporate or private patient information.



macOS Sierra and Safari 10 Security Updates


Today brings a new version of macOS (formerly known as Mac OS X, formerly known as Mac OS) with macOS Sierra 10.12. It also includes a new version of Safari with the release of version 10. While many will write about the cool new features such as Siri on the Mac or Apple Pay via the web, let’s talk about the vulnerabilities fixed and why enterprises should care.

macOS Sierra

macOS Sierra 10.12 fixed 60 vulnerabilities. Many of the vulnerabilities relate to escalation of privilege, denial of service, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4702: an Audio component vulnerability where a remote attacker may be able to execute a malicious program.
  • CVE-2016-4738: a libxslt component vulnerability where malicious web content could lead to executing a malicious program.

These examples are noteworthy because they are often used as the starting point to exploiting a system through social engineering. Once the hacker has access, the other vulnerabilities may be useful to gain additional access or information.

Safari 10

Today also marks the release of Safari 10, which is embedded in macOS Sierra and available as an update for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. This update fixed a total of 21 vulnerabilities, 16 of which are cases where processing malicious web content may lead to arbitrary code execution. This is Apple speak for visiting bad websites or web ads may result in running malware. Needless to say, this update should be applied on all systems. If you still have systems on OS X Mavericks v10.9.x, time to upgrade.


With 60 vulnerabilities fixed in macOS Sierra and 21 in Safari 10, there are many reasons to upgrade. Based on the nature of the vulnerabilities, updating Safari on all systems should take priority, as many of those vulnerabilities could be used in phishing and other web exploits. Finally, this release effectively ends support for OS X Mavericks.

September Patch Tuesday 2016



This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems, starting in October. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post. This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year, we are averaging about three CVEs per bulletin. Given the explanation in Microsoft’s blog post, I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen under the new model; the average rises to around 12 CVEs per bulletin.

The bottom line here is that exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors whose software conflicts with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will get a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only the Flash Player one is rated critical (Priority 1 in Adobe's terms); it resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities between them, but both are rated Priority 3, the lowest rating Adobe assigns to security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including one already being exploited in the wild (CVE-2016-3351), making it a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of them can be mitigated by proper privilege management: if the exploited user has full administrative rights, the attacker gets those same rights, whereas if the user has less, the attacker must find some additional means to elevate privileges before going further.

MS16-105 is a critical update for Microsoft Edge that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of them can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves five vulnerabilities. GDI patches often affect more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month the GDI update appears to be at the OS level only, which I believe is a first this year.

MS16-107 is a critical update for Office and SharePoint that resolves 13 vulnerabilities. When I say Office and SharePoint, I mean all variations: every version of Office, the Office Viewers, and every version of SharePoint, including SharePoint 2007. You may see it show up on a machine more than once, depending on which products and viewers are installed. This bulletin includes vulnerabilities that target end users, and the impact of several of them can be mitigated by proper privilege management.

MS16-108 is a critical update for Exchange Server that resolves three vulnerabilities. In reality it addresses more, because it includes the Oracle Outside In libraries, which received an update in July; that adds 18 vulnerabilities to the count for this bulletin. This bulletin also includes a user-targeted vulnerability: an attacker could send a link with a specially crafted URL that redirects an authenticated Exchange user to a malicious site impersonating a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Why include an important update among the high priority ones this month? Because of CVE-2016-3352, which was publicly disclosed: enough information was released before the update shipped to give attackers a head start on building exploits, so this bulletin stands a higher chance of being exploited. The vulnerability is a flaw in the handling of NTLM SSO requests during Microsoft Account (MSA) login sessions; an attacker who exploits it could attempt to brute force a user's NTLM password hash.

MS16-116 is a critical update for the VBScript Scripting Engine that resolves one vulnerability. It must be installed together with the IE update MS16-104 for the vulnerability to be fully resolved. The vulnerability targets end users, and its impact can be mitigated by proper privilege management.
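Several of the bulletins above are only as bad as the rights of the user who gets exploited, so it is worth knowing who actually holds full local administrator rights on your endpoints. The following is an added example, not code from the Shavlik post: it enumerates the local Administrators group on a set of hosts through the WinNT ADSI provider (chosen because it works on the pre-Windows 10 systems this post is about; Get-LocalGroupMember needs PowerShell 5.1) and flags any member not on an allowlist. The host names and the allowlist entries are placeholders you replace with your own.

```powershell
# Added example (not from the original post): report who holds full local
# administrator rights on a set of hosts. Assumptions: $Computers and $Allowed
# are placeholder values; the script runs under an account that can bind to
# the remote machines' local groups.

param(
    # Hypothetical host names; replace with your own list or an AD query.
    [string[]]$Computers = @('PILOT-WS01', 'PILOT-WS02'),

    # Members you expect to find (assumed names); anything else is flagged.
    [string[]]$Allowed = @('Administrator', 'Domain Admins', 'Workstation Admins')
)

function Get-LocalAdministrators {
    param([string]$Computer)

    # Bind to the machine's local Administrators group via the WinNT provider.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"

    # Members come back as COM objects, so read their properties via reflection.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)

        # Local accounts have ADsPath WinNT://<computer>/<name>; domain
        # principals have WinNT://<domain>/<name>.
        $source = if ($path -like "WinNT://$Computer/*") { 'Local' } else { 'Domain' }

        [pscustomobject]@{
            Computer = $Computer
            Member   = $name
            Class    = $class      # 'User' or 'Group'
            Source   = $source
            Allowed  = ($Allowed -contains $name)
        }
    }
}

$report = foreach ($c in $Computers) {
    try   { Get-LocalAdministrators -Computer $c }
    catch { Write-Warning "Could not enumerate ${c}: $_" }
}

# Unexpected admins: individual user accounts, or groups not on the allowlist.
# These are the users for whom a successful IE/Edge/Office exploit is a full
# compromise of the machine.
$unexpected = $report | Where-Object { -not $_.Allowed }
$unexpected | Sort-Object Computer, Member | Format-Table -AutoSize
```

Individual user accounts in the output are the ones to chase first; a domain group you did not expect usually points at a GPO Restricted Groups or nested-group mistake rather than a single machine.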

MS16-117 is a critical update for the Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which target users.

APSB16-29 is a Priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system: the standalone Flash Player and the plug-ins for IE, Chrome and Firefox.
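Once a month's bulletins are deployed to a pilot group, the next question is whether they actually landed before the wider rollout starts. The following is an added example, not code from the Shavlik post: it queries each host's installed hotfix list with Get-HotFix and reports which required KB IDs are missing, treating an unreachable host as non-compliant rather than letting it pass silently. The host names and the KB IDs are placeholders; fill in the KB numbers from the bulletins you pushed (for example, the pair for MS16-104 and MS16-116, which only fully fix the VBScript issue together).

```powershell
# Added example (not from the original post): gate the production ring on the
# pilot group having the month's Windows updates installed.
# Assumptions: $Computers and $RequiredKBs are placeholders to replace.
#
# Caveat: Get-HotFix reads Win32_QuickFixEngineering, which only lists updates
# applied through the Windows servicing stack. Office, SharePoint and Exchange
# updates (MS16-107, MS16-108) are MSI/MSP patches and do not appear here, so
# verify those separately (installed-product version or the Uninstall keys).

param(
    # Hypothetical pilot hosts; replace with your own list or an AD query.
    [string[]]$Computers = @('PILOT-WS01', 'PILOT-WS02'),

    # Placeholder KB IDs (not real bulletin numbers); replace with the KB
    # numbers from the month's bulletins you deployed.
    [string[]]$RequiredKBs = @('KB0000001', 'KB0000002')
)

function Test-PatchCompliance {
    param([string]$Computer, [string[]]$KBs)

    try {
        # One remote WMI call per host; HotFixID values look like 'KBnnnnnnn'.
        $installed = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    } catch {
        # Unreachable or access denied: report everything as missing so the
        # host cannot be mistaken for a compliant one.
        return [pscustomobject]@{
            Computer  = $Computer
            Reachable = $false
            Missing   = $KBs
            Compliant = $false
        }
    }

    $missing = @($KBs | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        Computer  = $Computer
        Reachable = $true
        Missing   = $missing
        Compliant = ($missing.Count -eq 0)
    }
}

$results = foreach ($c in $Computers) {
    Test-PatchCompliance -Computer $c -KBs $RequiredKBs
}

# Non-compliant hosts sort first ($false before $true).
$results | Sort-Object Compliant, Computer | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or deployment job block the next ring.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it the morning after the pilot deployment; a host that is reachable but still missing a KB is the one to pull logs from, since that is where a compatibility exception or a failed install will show up first.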

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.



Patch Tuesday Forecast September 2016

We are only a few days away from September Patch Tuesday, and just for a bit of nostalgia I dug up this old image: a circa-2010 "Minimize the Impact of Patch Tuesday" banner.


So, here are a few things to watch out for to help minimize the impact of Patch Tuesday, a quick tip to help you tune your process, and our forecast on what we think you should expect this month.

On the Horizon

Based on the sheer volume of questions I've had about this, I'm going to go out on a limb and say that the servicing changes Microsoft plans to implement in October are a hot topic right now. Microsoft's announcement that all pre-Windows 10 OSs move to the same bundled update model has stirred up concerns among its customers. I will start off with the same recommendation I have given everyone so far: keep breathing. But also know the facts. Microsoft will release a security-only bundle each month that includes the security updates for IE and the OS. There will also be a cumulative bundle option that adds non-security fixes and feature changes. The security-only bundle will be the way to go for most organizations.

The fallout from this change will be a more pronounced need for application compatibility testing. If you recall January's Patch Tuesday, the Windows 10 cumulative update broke Citrix's VDA client. That is exactly the scenario the companies I've spoken to are worried about. Fortunately, Citrix worked with Microsoft and moved quickly to resolve the incompatibility. Microsoft updated its release to detect whether VDA was installed and, if so, to skip the cumulative update. That left those customers exposed to the many vulnerabilities fixed in the January release, but Citrix turned around a fix in short order, and together they limited the exposure of their common customers to about a week of not being able to push the January updates.

But this was two software giants working together; the issues will be more pronounced with less common or vertical-specific products, such as healthcare devices or manufacturing systems that run on Windows. Home-grown applications, and applications from vendors who are no longer in business, may be less of a concern on Windows 10, but on older systems they are much more common. Which brings us to our tip of the month!

Patch Management Tip of the Month

Application compatibility is the biggest hurdle to effectively remediating software vulnerabilities. Most companies we talk to have an exception list of updates that conflicted with business-critical applications. This has been a rising concern for companies as they evaluate Windows 10, and come October it becomes a concern for their existing systems as well. The looming inability to pick and choose which updates to apply has many companies worried. The reality is that we will have less choice in the matter going forward, so what do we do?

Pilot Groups

One tip that I always stress when advising our customers is to have an involved pilot group. Many companies have a small set of test systems for the most critical assets, but this falls short of truly ensuring you catch application compatibility issues quickly. What you need is a selection of power users in your pilot group to help you flush out issues early. These power users will give you better feedback, and they're technically savvy enough to help you work through issues as you discover them.

Hitting a few power users who keep their heads and work with IT to resolve issues quickly reduces the impact on the wider workforce. Someone from IT may verify that login works and some basic screens load, but power users get into the product and find the less obvious breakage, like an update that broke printing or submitting a job or form. Most business managers quickly agree to this arrangement when you put it to them as a partnership: you work with one or two of their best to keep the majority impact-free.

Your Patch Week Forecast

August was our lightest Microsoft Patch Tuesday this year, tied with January at nine Microsoft bulletins; the average this year has been closer to 13 bulletins a month. I expect this month to be close to the average, if not a little above. Starting in October this average will appear to drop sharply, as bulletins become bundles and the number of Microsoft updates falls to around four or five each month. At that point, the number of vulnerabilities resolved will be a more accurate indicator of how significant the month's updates are.

On the non-Microsoft front, I expect an Adobe Flash update, as we have not seen a Flash Player update since July, which is near an eternity in Flash Player terms. Also be aware that Adobe has updated the notice on the distribution download page about the end of open distribution of Flash: the end of September is the new cut-off, after which you will need an Adobe ID and a login to Adobe's site to obtain Flash updates for internal distribution. We will see if this is really the one.

Google Chrome released an update this Wednesday, so plan to include it, along with other recent third-party releases such as Wireshark, in your patching schedule this month.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.