The Changing Fabric Of IT…

The advent of virtualization has changed the very fabric of IT, and has ignited a new era in computing. Virtualization has been a significant catalyst for change – prompting every IT organization to rethink the methods by which they provide computing services to their customers. Today…virtualization and cloud based technologies are becoming much more mainstream, transforming the way IT functions – providing a means of both reducing costs, and driving up efficiency and productivity.

That said…there are corresponding challenges as well. As VMs continue to sprout up in just about every organization…the dilemma is the ability to manage what’s there. Let me elaborate:

1) Do you know the extent of your virtual infrastructure? VM images that get spun up but are not visible to IT, for whatever reason, present a risk.

2) Are you able to discover VMs that are offline? A VM image that is maintained in an offline state, and then brought online after an extended period, may be improperly secured.

3) Once discovered, can you quickly assess the current state of the VMs you’ve now discovered – are they patched and configured properly? The ability to manage and secure these images is critical!

4) Additionally, do you know what software assets have been deployed to these systems…that may impact any current software license agreements?

So…to ensure the proper level of security, and facilitate the management of your virtual infrastructure – you’re going to need the right set of tools. That said, the tool should be both easy to use, as well as comprehensive in what it will discover (virtual and non-virtual machines). It should be able to clearly illustrate:

1) The extent of your virtual infrastructure – including systems that are both online and offline.

2) It should also be able to provide a perspective on the complexion of the risk you might be facing…missing security patches, systems configuration issues, unnecessary services that may be running, etc.

3) It should provide a detailed list of your current software assets – to ensure that you’re not over- or under-spending.

4) Last but not least…if there are risks that are discovered, the ability to remediate or remove the risks (or vulnerabilities) is critical!

With reference to the above, I wanted to comment on an excellent article I just read that really does a good job of illustrating the challenge I’ve just described – which is the gap between the complex new requirements of virtual machine management and the ability of systems tools vendors to meet them. Enjoy!

http://www.information-age.com/channels/data-centre-and-it-infrastructure/perspectives-and-trends/1109528/wanted-management-tools-for-the-virtual–cloud-era.thtml

So…to summarize, the proper tools exist to ensure you can keep your virtual environment in check…and you don’t have to look too far 😉

Thanks for reading!!

Dave Eike

Shavlik Technologies

New Hotfix for Shavlik NetChk Protect 7.2

Shavlik has released a stability hotfix for NetChk Protect 7.2. This will update your build from 155 to 346 when applied. Shavlik customers running NetChk Protect 7.2 can download this patch manually and apply it to their consoles. For a complete list of issues resolved you can go to the forum link where they are listed out in detail.

http://forum.shavlik.com/viewtopic.php?f=10&t=15865

If you are on a previous 7.x version and would like to utilize these performance enhancements you can go to www.shavlik.com/downloads.aspx to get the latest 7.2 install (there is also a link to the hotfix just below the 7.2 download link).

– Chris Goettl

Cloud Computing: IT needs to lead, follow, or get out of the way

I’ve been working with system administrators since the 80s. I’ve seen a lot of the changes they have gone through. Software as a Service (SaaS) has been around for a while now and has really helped to change the workday for administrators. By moving specific applications to a SaaS model, admins have been able to eliminate busy work like backing up systems or recovering Exchange servers. Moving HR, sales force, and finance applications to SaaS meant that admins got time back in their day to find new ways to help grow the business, secure it, and implement the latest technologies.

Change is coming again and this time it’s fueled by Cloud computing and enabled by virtual machine technology. As consumers, we’ve become the “instant gratification generation”. You can print your boarding pass, buy books or shoes, and do all your banking online without help from anyone. We want that level of autonomy for everything we touch. The end user community is tired of waiting for IT to provision a new server or application. They want more control. And, as they demonstrated with SaaS, these folks aren’t shy about bypassing IT to get what they want.

IT should immediately look at providing its services in a more Cloud-like fashion. With virtualization, machines and applications can be provisioned more quickly and services can be migrated to match the ebb and flow of bandwidth needs. Not all services or applications make sense for the Cloud. IT understands the workloads and workflows and can provide the data to make good business decisions. IT can lead the Cloud revolution in several areas, including:

o    Evaluating the Cloud and determining if it should be part of your business strategy

o    Translating end user “need” into delivery/architecture — what are the workloads and workflows

o    Evaluating the Cloud providers — Are they sound financially? Do they have sufficient infrastructure to support your business? Will they be around next month or next year?

o    Monitoring SLAs — performance, secure delivery, reliability

And most importantly, IT departments will be required to back up the Cloud provider. Who gets the call when there is an outage? What happens if you have to bring services or applications back in house?

Some IT departments aren’t thrilled with the idea of putting more control in the hands of their end user customers. Administrators don’t have to fear Cloud computing. But they have to embrace it or be left in the dust.

RSA 2010

Heading off to RSA shortly; we do not have a booth there this year. It’s a networking event much more than a trade show now. Last year I spent zero time in the booth no matter how hard I tried, so this year I am just going to meetings and sessions.

Using Shavlik NetChk Protect to do a Discovery Scan of your environment

One of the biggest advantages of Agentless Technology is the ability to discover machines in an environment. It would be nice to say that you know exactly what machines are in your environment at any given time, but it is not a claim that many can make with 100% confidence. In most cases, there is simply too much activity happening on the network that is not in the IT administrator’s control, so they are often left to guess how many machines are in their environment. The larger the environment, the more teams are involved with staging machines; virtual technology makes it easier and faster to roll out machines; Dev and QA environments give employees the power to build and rebuild machines on a regular basis; the list goes on. The result, however, is the same. Machines slip through the cracks and go unmanaged as far as Patch, Threat, and Asset Management are concerned. How do you manage this type of issue?

In NetChk Protect you can do this by doing a discovery scan using Patch or Asset agentless scan technology. I typically do this with the Default Security Patch Scan template. Create a new machine group. Click on the IP Address/IP Range tab and enter the IP range of your entire environment. Add multiple ranges for multiple subnets depending on how your environment is set up. Then set credentials on the group.

Select the Discovery Machine Group you created, and in the ‘Scan With:’ drop-down you should see Security Patch Scan. Click “begin scan” and then “scan now.” Depending on the size of the environment this could take a while, so let it run. Once complete you can look at all the machines discovered, and for those that failed to scan you can evaluate which are machines and which are likely not machines at all.

In the scan result you can click on Machines Not Scanned and sort by the Reason column. The best way to determine which items are worth investigating further is by the error code.

Understanding the Scan Results:

200, 201, and 235 – Pretty much no machine was on that IP during that scan.

261 – Something is listening, but it is either non-MS or firewalled. Try nslookup or RDP to the box to determine if it is something you can connect to.

300s – Admin shares were removed. Go to Tools > Options > Authentication and check “Create a temporary system drive if none exists”; next time you should be able to scan this machine.

451, 452 – The machine is definitely there, but admin credentials or another prerequisite prevented us from scanning it. Go to Forum.Shavlik.com and search for the 3-digit error code in the Shavlik Knowledgebase for detailed instructions to resolve it.

500s – Definitely a Windows machine, but remote registry access is denied. Win 7, Vista, and 2k8 disable this service by default. Older OSs could have had it disabled or the winreg permissions modified. A forum search of the 3-digit code will give additional steps to troubleshoot.

600-, 700-, 800-, and 900-level codes could come up, but are not likely under these circumstances, as they pertain to other types of scanning.

You can run a report of Machines Not Scanned in a date range to get a list of all error codes for a time period. In the report gallery select the Machines Not Scanned report, check the advanced filter, and set a date range to capture the latest discovery scan you have run. This can then be exported into different formats so you can work with the information more easily. Set up a Discovery Scan on a recurring basis and see what comes up. Some people are very surprised at the findings.
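Once the Machines Not Scanned report has been exported, the error-code ranges listed above can be applied mechanically so the machines that actually need follow-up (a real host answered, but could not be scanned) are separated from empty IPs. The script below is an added example, not Shavlik code: it assumes a simple two-column CSV export (Machine, Reason) and uses a constructed sample; the real export layout and column names may differ.

```python
"""Triage a "Machines Not Scanned" export by the reason-code ranges described above.

Added example (not part of NetChk Protect). The CSV layout below is an
assumption; adjust the column names to match the actual export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one IP per row plus the 3-digit reason code.
SAMPLE_EXPORT = """Machine,Reason
10.0.1.5,200
10.0.1.6,201
10.0.1.7,235
10.0.1.20,261
10.0.1.31,302
10.0.1.40,451
10.0.1.41,452
10.0.1.50,501
10.0.1.60,700
10.0.1.99,n/a
"""

# Buckets that indicate a real host is present but unmanaged, i.e. worth a follow-up.
FOLLOW_UP_BUCKETS = {
    "listening_unknown",
    "admin_shares_removed",
    "credentials_or_prereq",
    "remote_registry_denied",
}


def classify(code: int) -> str:
    """Map one reason code to the triage bucket the post describes."""
    if code in (200, 201, 235):
        return "no_machine"               # nothing answered on that IP during the scan
    if code == 261:
        return "listening_unknown"        # something answered: non-MS or firewalled
    if 300 <= code < 400:
        return "admin_shares_removed"     # enable the temporary system drive option
    if code in (451, 452):
        return "credentials_or_prereq"    # host is there; creds or prerequisite missing
    if 500 <= code < 600:
        return "remote_registry_denied"   # Windows host with Remote Registry disabled
    if 600 <= code < 1000:
        return "other_scan_type"          # pertains to other scan types
    return "unknown"


def triage(csv_text: str) -> dict:
    """Group exported rows by bucket; rows with a non-numeric Reason go to 'unparsable'."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        machine = row.get("Machine", "?")
        try:
            code = int(row["Reason"])
        except (KeyError, ValueError):
            buckets["unparsable"].append(machine)
            continue
        buckets[classify(code)].append(machine)
    return dict(buckets)


def follow_up_hosts(buckets: dict) -> list:
    """Return the machines that answered but could not be scanned, sorted for a work list."""
    hosts = []
    for name in FOLLOW_UP_BUCKETS:
        hosts.extend(buckets.get(name, []))
    return sorted(hosts)


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for bucket, machines in sorted(result.items()):
        print(f"{bucket:24s} {len(machines):3d}  {', '.join(machines)}")
    print("follow up:", follow_up_hosts(result))
```

Run against a real export, the follow-up list is the set of hosts to hand to whoever owns them: each is demonstrably a machine on the network that patch, threat, and asset management currently cannot see.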

Transforming IT…

Over the past 20 years, information technology has made some radical transformations. The Internet has changed the way we work, and continues to provide an excellent foundation for innovation. That said, IT executives continue to look for ways to improve operational efficiencies, reduce risk and save money. Unfortunately, with the day-to-day demands on IT ever increasing, the opportunity to innovate is an ongoing challenge. With competitive market pressures, and the pressures to lower the cost of doing business, IT organizations need to look for ways to transform themselves.

Now what do I mean by transform? Well, most IT organizations today are forced (because of resource limitations) into having to focus on the “blocking and tackling” aspects of IT (Uptime, Help Desk, Operations, Security, etc.). While a requirement, the day-to-day activities consume both time and energy…not leaving much time to dwell on the strategic.

IT is the most important strategic asset (staff, information, systems, etc.) in any organization. Without IT, business can’t operate. That said, IT needs to continue to elevate its level of importance in the organization…and can do so by making time to innovate. This is why I believe IT has to transform itself from the position of service delivery, to critically strategic. This happens when:

1)      The business leaders recognize the strategic importance of IT, and make it a priority vs. purely a necessary expense.

2)      IT is enabled to look inside itself…and look for ways to innovate, and employ that innovation / automation to help re-purpose the “people” assets involved in IT towards more important tasks – tasks that will help advance the position of the business (i.e., Market Share, Revenue, Profitability, etc.)

Allowing IT the opportunity to explore and leverage the concept of innovation will have a marked impact on the capabilities of IT, but more importantly the people involved.

Dave Eike

Shavlik Technologies

Concerns Regarding MS10-015

There is rising concern regarding MS10-015 causing BSODs on machines. According to Microsoft and other sources in the Security world, the issue is linked to Malware already on the machine when the patch is applied. Microsoft has pulled the patch from WU, likely to reduce impact to home users, who are more likely to have Malware on their machines that could cause this, but the patch is still available in WSUS, SUS, and SCCM. The patch is still available to Shavlik Customers as well.

Shavlik Recommendations:

  • Adequate Patch Testing in place – Microsoft tests patches before release and Shavlik does additional testing in our environments to ensure detection logic is correct and there are no widespread issues encountered with patching the machine. Lab testing can only do so much. It is highly recommended to implement some level of testing in your environment as well. This will ensure environment-specific variables we cannot reproduce will not cause you issues. Your testing could be a group of Virtual machines representing a cross section of machines in your environment, or it could be IT and a select group of users and servers.
  • If you are concerned about the patch, are aware of recent Malware outbreaks in your environment, and/or patch testing resulted in machines encountering the BSOD, you can set up a template to scan for all other Security Patches except MS10-015.

Steps to do this:

1. Go to Patch Groups on the Navigation Bar and create a new patch group. Call it MS10-015 and click Add Patches.

2. Scroll down to MS10-015, check the box, click Select, and then click Save.

3. Create a New Scan Template. Call it something like “Security Patches Except MS10-015”. By default this is set up to scan for all security patches.

4. In the Patch section select Skip Selected, and next to Patch Groups click … to browse and select your new patch group.

5. Scan using this new template and you will scan for all security patches except MS10-015.

  • If customers are experiencing a BSOD as a result of pushing MS10-015 they can contact Microsoft directly for support using the country specific numbers provided at support.microsoft.com/security. In North America, customers can call 1-866-PCSAFETY for this support.

– Chris Goettl

New Version Of Adobe Flash Available / Reader Coming Soon

If you are still patching for February Patch Tuesday, you will want to consider patching Adobe Flash. Adobe has released a new version of Adobe Flash, version 10.0.45.2. Adobe Flash versions 10.0.42.34 and earlier should be patched. This patch addresses 2 security vulnerabilities rated as Critical.

Adobe AIR has a new version available as well.

Adobe also announced they will be releasing a security update for Adobe Reader and Acrobat next Tuesday, February 16.  This update will address vulnerabilities rated as Critical.

– Jason Miller

MS10-015 Blue Screen Reports

I am a bit late on reporting this, but I have been waiting for the dust to settle on this issue.  Each time reports like this float around the Internet, it is important to wait for the vendor to confirm the reports.

On Wednesday, reports started to surface regarding users who were getting the blue screen of death after installing MS10-015.  The MS10-015 security bulletin was released on patch Tuesday that patches the Windows Kernel.

Last night, Microsoft pulled the bulletin from Windows Update as they are attempting to gather information regarding the reported blue screens on affected computers. The reports were:

  1. User installs MS10-015 manually or through Windows Update
  2. Computer reboots
  3. Computer blue screens on reboot, the operating system does not load

People have found ways around this blue screen by running the recovery CD and uninstalling the patch.

Microsoft’s Security Response Center has just posted an update on the situation.  They have been finding the blue screen is actually caused by malware on the target systems.  Apparently, some malware programs just do not like the Kernel updates from Microsoft.

As many of you are approaching your patch cycle for February, here are some important reminders on patching in general and with this issue:

  • TEST, TEST, TEST. Patch management programs make patching very easy. But you should never blindly push out updates unless it is necessary. The issues with MS10-015 are a prime example of what can happen when you blindly push out patches without testing them first. Microsoft and other vendors make every attempt to ensure their patches do not break functionality. The last thing Microsoft wants with MS10-015 is to fix vulnerabilities but take a “black eye” from causing system crashes. Take some time and establish a test environment that contains your commonly used systems and programs. This may slow down your patch deployment, but it will save you a lot of time fixing issues that can come up with patch management.
  • Research the issue. The reports came out about MS10-015 and research should be done. How many people are *actually* affected by this issue? What is the vendor saying about the issue? How can this patch affect my network? What does this patch fix (criticality, publicly known vulnerability, actively exploited vulnerability, servers or desktops affected)? After gathering information, you can make the decision on the patch. Am I willing to accept the risk of not patching this vulnerability? That is a question only you can answer.
  • Report issues to the vendor. Most vendors have a response team waiting for issues that may come up with patching. Don’t be afraid to contact the vendor if you are seeing an issue with the patch. Yes, you will need to fix the affected machines. But you will be doing a great service to the rest of the users who may run into this problem.

– Jason Miller

Question: What Do NetChk Protect, Schlage Keypad Locks, and the BMW 328i have in common?

Answer: All recently received a “Best Buy” rating.

NetChk Protect received 5 stars in all ratings categories and a “Best Buy” rating from SC Magazine. The magazine, geared to IT security professionals, was performing a rating of patch management solutions.

Shavlik came out on top of a group of 5 vendors who offer patch management. NetChk Protect received recognition as an “Excellent product with a fantastic feature set.” You can see the complete review here.

NetChk Protect was honored for its simplicity and intuitive user interface. The reviewers were especially impressed with how quickly they were able to start managing their physical, virtual, and software assets, patches, and AV.

Getting the honor is great. But I really hope IT administrators take the time to read the article that leads into the reviews. SC Magazine did a great job of identifying what may be the biggest IT nightmare for 2010: patching non-Microsoft software applications.

We all like to pile on Microsoft. It is an easy thing to do given their history of bugs and security flaws. But this isn’t 2004 and Microsoft no longer tops the list of most vulnerable software. No. That honor belongs to…drum roll please…Adobe. And Apple. And Mozilla Firefox. Hackers have turned their attention to client-side vulnerabilities and are exploiting them by turning trusted websites into malicious servers.

I give Microsoft credit. When it comes to patching, they have an established, mature process. They give users structured guidance, share research, offer tools to help with workarounds, have well-known avenues to access support, and are willing to go out-of-band to combat zero-day issues.

Contrast that with Adobe and Apple. They are 100% geared to the home user to the detriment of the business user. Their processes and their attitudes show it.

Business users need to demand more from their vendors. What happens to all those iPhone users if a business is forced to prohibit iTunes because Apple makes it impossible to patch in a corporate environment?