Oracle releases large Critical Patch Update!


Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.

The affected landscape deals mostly with business-critical applications, including: Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely, without authentication. Given the business-critical and financial data that could be exposed, it is highly recommended by Oracle to apply this update as soon as possible.

Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher and one vulnerability hit the 10 mark. This 10 was awarded to Oracle Primavera and is addressed by CVE-2017-3324.

For Java SE, there are a total of 17 CVEs, with all but one able to be exploited without authentication. Nine of the Java vulnerabilities are user targeted and three have a CVSS base score of nine or higher. Although the score decreases slightly when not running with elevated privileges, the risk threat is still notable and the vulnerabilities need to be mitigated quickly.

Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.

January 2017 Patch Tuesday Forecast – Shavlik


Goodbye 2016; Hello 2017!

We have survived another year and what a year that was.

As we start off 2017, I am sure most of you have already heard about the joining of forces between LANDESK and Heat Software to further the expertise stronghold on security and patching. This marrying of the minds comes just in time for those who have not yet picked a new year’s resolution.  Now is the time to make a resolution to increase the health of your security posture and patch your systems regularly.

Even though there are no known zero days or hints of nasty exploits on the horizon, we all know that it is just a matter of time before someone will find something to hack and expose potential vulnerabilities. So, with that in mind, let’s start the year off with good habits and make sure we are following the steps to better Security Hygiene now that the holiday fun and distractions are behind us.

Steps to Better Security Hygiene

  • Make sure you have sanitized incoming email with junk mail and phishing filters. Remember that user targeted vulnerability is where some of the highest risk lies.
  • Make sure you have sanitized the machines and devices of users who have come into contact with public WiFi while traveling in and out of the office and private secured networks. Since users will likely browse the internet, open email with attachments, and in general be exposed to potential attack vectors daily, it is important to sanitize their machines with good signature, non-signature, and behavioral threat assessments.  Remember that signature based threat assessment alone is not enough anymore.
  • Make sure your systems are frequently patched, both the OS and software, and make use of least privilege rules and proper application control. Remember that preventative security measures can mitigate or eliminate 85% of the threats in today’s market.

Honorable Mentions

Chrome announced at the end of 2016 that beginning in the new year they will be identifying web pages as “Not Secure” if the page includes login or credit card fields AND the page is not served using HTTPS. For additional information on this announcement, see the following article posted on

Your Patch Tuesday Forecast

Based on the trends we saw in 2016, the January 2017 Patch Tuesday will likely include updates for the following:

From Microsoft we are likely looking at around 1-4 installable packages:

  • OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
  • Office is likely since there were updates consistently pretty much every month in 2016.

From Adobe you can expect 1-3 updates:

  • Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all of 2016, so expect that update.
  • Adobe Reader and Acrobat both released an update back in October of 2016 and have been pretty consistently having an update every 2-3 months this year. Those two are a high possibility this month since they did not release last month.

From Chrome you may have 1 update this month:

  • Chrome released a beta version after last Patch Tuesday making it likely there could be an update on or around Patch Tuesday this month.

Total Update Accumulation 3-8 updates for Patch Tuesday next week.

As always, catch our Patch Tuesday blog and commentary next Tuesday and sign up for our Patch Tuesday Webinar next Wednesday, January 11th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

12 Beers of Christmas 2016 Edition


Happy holiday’s everyone! This marks year three of our annual 12 Beers of Christmas blog post where the team gives you recommendations of their favorite beers from 2016. This is a tradition that actually started from a now nine-year practice of doing a beer exchange in our office instead of cookies or Secret Santa. So for all you beer fans out there, here is the 2016 edition of the Shavlik 12 Beers of Christmas. Enjoy!

Brent, Software Engineer
Beer recommendation: Black Sheep Best Bitter
Style: Bitter
ABV: 3.8%
Description: Brent spent a bit of time across the pond this year after LANDESK acquired AppSense. “It was my nightly beer one trip to England during an AppSense visit. Very solid English bitter that paired well with any of the pub food.”

A well hopped, light golden session bitter with a distinctive, dry, refreshing taste enjoyed through a rich creamy head. Brewed in traditional cast iron and copper vessels using the finest ingredients.

Mark, Software Engineer
Beer Recommendation: Able BLK WLF Stout
Style: Stout
ABV: 3.8
IBU: 32
Description: It is a coffee forward stout with a satisfying finish. The best part is since it as a low ABV at 3.8%, I can have a few without having to rely on my friends to carry me home.

Clear dark brown, large creamy tan head, good retention. Aroma of chocolate, roasted malts, piney hops. The taste is citrus, roasted malts, chocolate. Medium bodied, lingering bitterness.

Neil, Manager, Territory Sales
Beer Recommendation: Weihenstephaner Original
Style: Helles
ABV: 5.1%
IBU: 21
Description: A cheeky little number from the oldest brewery in the world. Not sure if you can get this in the US but the brewery is a 15 minute drive from Munich airport. It is worth the trip!!

A good beer takes its time. The long storage makes our yellow bright lager, “Original”, a flavourful beer enjoyed with fine poured, white foam. With a mild hoppy note and its pleasant fresh spicy taste, it goes very well with salads, poultry, stews or with a hearty snack. Brewed according to our centuries-old brewing tradition on the Weihenstephan hill.

Robert, Senior Product Marketing Manager 
Beer Recommendation: Samuel Adams Nitro White Ale
Style: Witbier
ABV: 5.5%
IBU: 15
Description: From America’s largest Craft Brewer, and from the city (Boston) known for more than just the revolution of craft beer. This beer is smooth as silk, refreshingly cold, and a joy to consume year round. Crisp enough for the Summer, hearty enough to keep you warm in Winter. I enjoyed this guy while watching summer sunsets over Lake Winnipesaukee in NH this past summer.

Brad, Software Engineer
Beer Recommendation: Fitger’s Big Boat Oatmeal Stout
Style: Stout – Oatmeal
ABV: 6.6%
IBU: 45
Description: Good stout, nice chocolate and coffee combination for sipping on MN winter days.  Enough alcohol to keep you warm and toasty on the inside but not stumble out of the bar and die from hypothermia when you slip and fall on the ice.

Simon, Chief Technologist
Beer Recommendation: Peroni Original
Style: Lager – Pale
ABV: 4.7%
Description:  Served at Ultra cold temperature and great for the British summer when we get them. Added benefit is that it doesn’t seem to cause those dreadful headaches I seem to get more of as I get older. The downside is that its currently one of the most expensive you can buy.

Ken, QA Director
Beer recommendation: Surly Gose (pronounced “Go-zuh”)
Style: Kettle Sour Ale
ABV: 5.3%
Description:  Just had this at the brewery during our holiday party.  A great sour beer with a crisp taste with little surprise extra tartness in the end.  Pairs extremely well with co-workers.

The base beer for our series of kettle souref ales, surly Gose had has a light, crisp body with a refreshing tartness and a fleeting saltiness.

Randy, Manager, Software Engineering
Beer Recommendation:
Style: IPA
ABV: 7%
IBU: 74
Description: I’m going to put in my official favorite for the year as Fulton Batch 300.  I’m not sure how widely available it is, but it is a fantastic West Coast style IPA brewed right here in Minneapolis.  Like many great beers, it was originally a limited edition but was so popular they decided to brew it year-round.  It is very hoppy, but has a nice balance and smooth finish.

Batch 300 is built on a base of Weyermann Pilsner malt, and heavily hopped from start to finish with Mosaic, one of our favorite American hop varieties. At 74 IBU and just under 7% ABV, Batch 300 will delight your palate without wearing it out.

Frank, Software Engineer
Beer Recommendation:
Style: Porter – Peanut Butter
ABV: 5.3%
Description: Smells like peanuts, tastes likes peanuts and beer.  When you want a peanut butter sandwich and you also want a beer, but you can’t be bothered to get both: this is the beer for you.  Dark color with a nice full head.  Really good on nitro if you can get it.

Brian, QA Engineer
Beer Recommendation: Ballast Point Grapefruit Sculpin
Style: American IPA
ABV: 7%
Description: Bright, citrusy IPAs are becoming increasingly common and I am not complaining. The Sculpin IPA is hopped at five separate stages and has notes of apricot, peach, mango, and lemon. This award winning IPA is then complimented with grapefruit, creating a flavorful and surprisingly drinkable IPA. A perfect beer to compliment warm summer days or the bitter cold winters of Minnesota.

Derek, Manager, Cloud Operations
Beer Recommendation: Surly Darkness (2016)
Style: Imperial Stout
ABV: 9-12% (Depending on the year)
IBU: 85
Description: Knocks you on your a$$!

This massive Russian Imperial Stout brings waves of flavors; chocolate, cherries, raisins, coffee, and toffee. We add a touch of hops to make this delicious brew even tastier.

Chris, Manager, Product Management
Beer Recommendation: O’Town Triple
Style: Belgian Triple
ABV: 7.4%
IBU: 27
Description: From the fine brewer at Lamada Brewing comes fine example of a Belgian abbey style ale.  Not as dark as a St Bernardus ABT 12 or Chimay Grand Reserve.   Has a fruity aroma and complex flavors with a mix of malty, slightly bitter, and a fruity sweetness.  Actually this is my own home brew and a recipe I am continuing to perfect.  I just brewed batch three this fall and it should be ready to drink sometime around June!  Perfection takes time.  If you really want to try some you will have to come visit me in June.

Honorable Mentions:

Joe, Technical Writer
Beer Recommendation: Grain Belt Nordeast
Style: Amber Lager/Vienna
ABV: 4.7%
Description: For anyone wishing to experience some local Minnesota flavor, I highly recommend Grain Belt Nordeast. It’s a great tasting beer that meets my main requirements: it is reasonably priced and almost always available wherever I go. Unlike most of the other beers you’ll see on this list, there’s no need to take out a loan or drive 100 miles to an obscure liquor store to purchase it. And that makes Nordeast satisfying in a number of different ways.

John, Channel Account Manager
Beer Recommendation: George Killian’s Irish Red
Style: American Amber\Red Lager
ABV: 4.9%
IBU: 14
Description: A full and well-balanced American Amber / Red Lager style beer, and honestly, my go to if I’m hanging out with relatives or friends who don’t really enjoy craft beer and would rather depend on boring domestics.  Like an IPA, has a body more similar to a Scotch ale than a lager or porter, offering a blend of dark fruit, caramel, bread and toast swells in a tight bouquet. While it’s aroma is complex, it’s easy on the tongue.  A malt-forward profile flows across the palate with easy transitions:  Light bready malts pick up hints of toast, and then caramel and dark fruit as it washes back. A quiet bitterness counters the sweetness and guides this straightforward beer to a refreshingly clean finish.  Joyeaux Noël !

The Peanut Gallery (there is always a comedian in the bunch.  This year we have two.) :

Brian, QA Engineer (his first attempt that was rejected)
Beer Recommendation: Camo Black Ice High Gravity Lager
Style: Malt Liquor
ABV: 10.5%
Description: The Camo Beer Company in Lacrosse WI describes this beer as “Ice brewed for extra smooth taste”. This true star of the north is best served in a paper bag. At a size of 24 ounces, an ABV 10.5%, and a price around $2 it is truly a symbol of efficiency. Who needs hydration from six and a half 3.2 beers when you can fit the same punch into one fine paper bag?

Rob, VP Engineering (remember 2014 when he recommended Coors?  Yeah this one is worse)
Beer Recommendation: Hamms
Style: Pale Lager
ABV: 4.7%
Description: If it looks like a Coors, smells like a Coors, and tastes like a Coors then it must be a Coors….except it’s not. It’s Hamm’s American Lager and it doesn’t smell like Coors… in fact, it has no aroma at all.  But for days when you feel like punishing yourself, grab a can… or 48 of these.  This beer is very much a synthesizer of taste and takes on the taste of whatever you are pairing it with making it the perfect beer to pair with any meal that you like the taste of… be warned though, if you are using it to wash the taste of a burnt garlic meatloaf out of your mouth, all you have done is captured and amplified that tragic flavor.  I hear if you mix a little Mio in there though, you can work your way right past that.

Happy Holidays – New Updates for MAC OS


It is the holiday season and with that comes presents for the MAC OS in the form of updates for a number of issues, including several denial of service.

Released on December 13th, Apple has new security updates for macOS Sierra 10.12.2, El Capitan 2016-003 and Yosemite 2016-007.

The winner for most CVE updates for this release is macOS Sierra 10.12.2 with 71 CVEs to address a wide variety of vulnerabilities. These vulnerabilities include 8 denial of service issues

  • CVE-2016-7609 : AppleGraphicsPowerManagement  – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7605 : Bluetooth – Improved input validation has been added to address the possible impact of an application being able to cause a system denial of service.
  • CVE-2016-7604 : CoreCapture – Improved state management has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7603 : CoreStorage – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7667 : CoreText – Improved validation of overlapping ranges has been added to address the possible processing of a maliciously crafted string being able to cause a denial of service.
  • CVE-2016-7615 : Kernel  – Improved memory handling has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-6304 : LibreSSL and OpenSSL – Improved memory handling in unbounded OCSP growth has been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.
  • CVE-2016-7636 : Security – Verification of OCSP revocation status after CA validation and limiting the number of OCSP requests per certificate has been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.

This security update addresses memory corruption and shared memory issues, use after free issues, validation and system privilege issues on top of the denial of service critical vulnerabilities.

New security content is also available for Safari 10.0.2 which is made up of 25 CVEs to address vulnerabilities focusing on arbitrary code execution in both Safari Reader and WebKit. Given the number of user targeted vulnerabilities, it would be a good idea to look at installing this security update sooner rather than later.

With the pending end to 2016, now is the perfect time to start a new habit of patching your MAC regularly and having a more secure 2017.

Updates for MAC including recent Zero Day – Are you caught up?

updates for macOS Sierra

It’s December; let’s not forget about the MAC community and the recent updates available for the MAC OS.

Since the release of macOS Sierra 10.12.1, Security Update 2016-002 El Capitan, and Security Update 2016-006 Yosemite on the 24th of October 2016, there have been a number of updates to both Apple and 3rd-party products.

Here are some highlights to consider and possible updates you may want to verify you have.

November 30th – Zero Day Critical update CVE-2016-9079 for a use-after-free vulnerability in SVG Animation in Mozilla Firefox, Firefox ESR, and Thunderbird allowing attackers to execute arbitrary malicious code on a target machine.

Although there have only been documented active exploits on computers running Windows, the vulnerability is present in the Mac OS X version of the browser.

November 29th – Update CVE-2016-4780 for a null pointer de-reference issue in macOS Sierra 10.12 Thunderbolt allowing applications to execute arbitrary code with kernel privileges. This update includes improved input validation.

November 27th – 2 Updates for macOS Sierra 10.12:

  • AppleMobileFileIntegrity had a validation issue where a signed executable could substitute code with the same team ID. Update CVE-2016-7584 added additional validation.

  • FontParser had a buffer overflow in the handling of font files where a maliciously crafted font file could lead to arbitrary code execution. Update CVE-2016-4688 added improved bounds checking.

November 14th – Update CVE-2016-7580 for an issue in macOS Sierra 10.12 Mail where a malicious website could cause a denial of service. This update includes improved URL handling.

November 8th – Critical update APSB16-37 for Adobe Flash Player.  This update contains 9 different CVEs to address a vulnerability that could allow malicious native code to execute without a user being aware.


How to Achieve and Sustain Secure Agility

GettyImages-532034284The long-term success if a business depends on its agility – the ability to sense and adapt to changes within the industry in order to stay competitive. The same can be said for your IT operation, but it’s not as daunting as it sounds.

Start at the bottom—and at the top

An agile enterprise requires agile, user-centered, comprehensive, integrated security. If security at your enterprise isn’t already all of those things, start making it all of those things.

For most of you, that effort can and should begin with patching your key applications, operating systems, client systems, and servers more consistently and regularly than you are now. As you and your colleagues get patch management sorted, you should be looking for other opportunities to establish, improve, and extend security policies, practices, and technologies that improve agility across the enterprise.

As you and your colleagues get patch management sorted, you should be looking for other opportunities to establish, improve, and extend security policies, practices, and technologies that improve agility across the enterprise.

Secure agility can be built from the ground up, but the will and commitment to become and remain securely agile must come from enterprise leadership. That means executives, IT, security, and business unit leaders must be visibly and demonstrably behind security- and agility-enhancing initiatives.

Walk the talk

Declared commitments to secure agility must extend beyond platitudes and media quotes. Every strategic plan, every set of operational practices and principles, and every solution chosen for deployment must reflect and support that commitment for it to mean anything to your enterprise. This means that every such resource must incorporate processes for regular review and the opportunity for revision in response to corporate, marketplace, or regulatory changes.

Every strategic plan, every set of operational practices and principles, and every solution chosen for deployment must reflect and support that commitment for it to mean anything to your enterprise.

This means that every such resource must incorporate processes for regular review and the opportunity for revision in response to corporate, marketplace, or regulatory changes.

Build it in

Every process and control upon which your enterprise’s competitiveness depends must incorporate security- and agility-enhancing elements.

This means those processes and controls must be driven by and measured against your enterprise’s performance requirements and goals. They must also incorporate specific features for integration with and support of efforts to achieve and sustain user-centered security.

Controls and processes that do not include these characteristics will likely contribute little to your organization’s agility, and might even impede it. (This means all controls and processes must be reviewed and tested regularly and designed to be easily modified or retired as changes demand.)

Show your work

It’s not enough to preach the gospel of secure agility. It’s not even enough to achieve a sustainable level of secure agility. For your efforts to have maximum business value, you must show and tell all of your most important stakeholders the details of those efforts and their effects. This means that consolidated, integrated, timely, business-driven reporting of all things related to security and agility should be a critical element of your secure agility efforts.

Be securely agile everywhere

Pursuit of secure agility may begin in one or more departments or business units, but for maximum business benefit, it must be pervasive.

For many enterprises, the best way to make this happen is to start with IT. IT powers most of the services that run an enterprise’s business and is already focused on (if not preoccupied with) security. Secure agility initiatives that prove successful within IT can therefore likely be incorporated into the delivery and management of other business services.

This means that a single, integrated, process-driven platform for service management and security management can be a powerful enabler of enterprise agility.

Secure agility is an operational and competitive requirement for every successful enterprise. By taking concrete steps toward inculcating a culture that is focused on user-centered security and enterprise agility, you can accelerate your enterprise’s journey to true, sustainable, secure agility.

If you choose or are forced to remain focused on reactive firefighting as an operational approach to security, neither secure agility nor your career are likely to advance much further at your enterprise.

Moving to a proactive, holistic approach to user-centered security and enterprise agility, however, will have salutary effects on your enterprise and your career.


Reshaping Your Enterprise With Agility, Resilience, and Trust

GettyImages-537708180It is critical to understand that success in establishing and cultivating ART-fulness (agility, resilience, trust) at your enterprise—like success in establishing and cultivating comprehensive security—is largely an outreach-driven effort.

Both require consistently high levels of internal marketing, sales, and evangelism.

These requirements may constitute the bulk of your challenges as you seek to establish, grow, and promote both ART-fulness and security at your enterprise.

Fortunately, there are some straightforward steps you can take to tame these challenges, steps based on some fundamental, consistently successful marketing and outreach techniques.

How to Make Your Enterprise More Secure and More ART-ful

  • Engage

Security and ART-fulness are things you simply cannot achieve and do not even want to attempt without lots of help and support. Identify the influencers, leaders, and stakeholders who matter most to your efforts. Then, make sure their voices are heard and matter, and make sure that they know these things are true.

  • Inform

Once you’ve identified those who matter most, get and stay in touch with them. Tell them what you’re doing and why. Tell them how their support is contributing to your efforts and why those contributions matter. Regular, non-disruptive, nonintrusive communications, perhaps via a short e-mail newsletter, a dedicated internal Web site or portal, or both, can be low-effort, high-impact tools here.

  • Persuade

Use the activities and information with which you engage and inform your constituents to persuade them that comprehensive security and ART-fulness are essential to your enterprise’s success. Find and share supporting external examples of secure, ARTful enterprises.

Identify and tout credible data that underscores the business value of security and ARTfulness—and the costs and risks of not having enough of either. Free, simple, Web content monitoring tools such as Google Alerts can make finding such points of persuasion easier.

Also, when you and your colleagues successfully improve security, agility, resilience, and/or trustworthiness within your enterprise, promote these successes to as many stakeholders and influencers as possible. Nothing persuades like success.

  • Invite

This is one of the most critical and frequently overlooked elements of successful outreach. Every communication should include a call to action—an invitation to do something to continue the conversation. Ask your constituents for their opinions and suggestions wherever possible.

Hold events such as webinars and Tweet chats, and invite constituents to participate. Solicit success stories or even “epic fails” related to security, ART-fulness, or both, and share these with attribution. Welcome input and feedback, and incorporate these explicitly into your enterprise’s journey to greater security and ART-fulness. This is one of the most effective ways to turn the disinterested and skeptical into observers, stakeholders, and advocates.

An enterprise that is optimally secure and ART-ful is one that is well positioned for sustained success, whatever its primary business. But neither optimal security nor ART-fulness ever just happens. Each requires careful, consistent nurturing and support from a committed community of advocates.


Trust Us, the Cornerstone to Business Is ‘Trust’

GettyImages-77188102Let’s cut to the chase. There are likely no circumstances under which you would choose to do business with any person or entity you could not trust.

It is equally likely that every client (internal and external), partner, and prospect of your enterprise thinks and feels exactly the same way.

Trustworthiness is therefore at least as critical to your enterprise’s success as agility or resilience.

To quote perhaps the world’s best-known investor and businessperson, Warren Buffett, “Trust is like the air we breathe. When it’s present, nobody really notices. But when it’s absent, everybody notices.”

This is especially true for companies that sell products or services, which is just about all companies.

Trust and the Bottom Line

Stephen M.R. Covey is the author of the book The Speed of Trust: The One Thing That Changes Everything. He is also the son of Stephen R. Covey, who wrote the worldwide bestseller The 7 Habits of Highly Effective People, and CEO of the Covey Leadership Center. A central element of Stephen M.R. Covey’s thesis is that deals get closed faster and are more successful when those involved share high levels of trust.

Specifically, Covey argues that success in business requires a winning competitive strategy, and superb organizational execution—and that distrust is an enemy of both. He adds that while high trust levels won’t necessarily make a poor strategy effective, even the best strategy can be derailed by a lack of trust.

The bottom line? Edelman, the world’s largest PR firm, surveyed some 33,000 people worldwide for its 2015 Edelman Trust Barometer. Of those respondents, 63 percent said they simply refuse to buy anything from those they don’t trust. Further, 80 of those respondents said that they will buy only from those they trust.

Zig Ziglar, one of the best known and widely read sales professionals in the world, once said, “If people like you, they will listen to you. But if they trust you, they’ll do business with you.”.

How to Achieve and Sustain Trustworthiness

  • Know where you are. Bite the bullet, and ask your most important constituent groups (privately, of course) questions that help you assess how much they trust your team or company. At minimum, ask if they’d do business with your team or company again, if they’d recommend your team or company to peers, and why or why not.
  • Fix what’s broken. Use those questions and answers to identify any unsatisfied constituents, find out why they’re unsatisfied, and fix it. Every unsatisfied constituent is a detriment to trustworthiness, and you should assume that your constituents talk with each other.
  • Cultivate advocacy. Use those questions and answers to identify your happiest, most trusting clients and partners, then ask them to let you make them stars. That is, ask for their permission and cooperation to showcase them in your outreach efforts. Then, make it as easy as possible for them to be featured in the success stories, presentations, interviews, and other content you produce with their cooperation and support.
  • Show your work. It’s one thing to claim to be trustworthy. It’s another to be able to demonstrate and document trustworthiness credibly and on demand to any and all stakeholders—from customers, partners, and prospects to auditors and regulators. This is a major, long-term, continuing effort. And everything you do to make and keep your organization’s IT infrastructure comprehensively, demonstrably secure greatly aids these efforts. Comprehensive, proactive, user-centered security is a firm foundation for managing governance, operational transparency, and reporting. All of these, in turn, enhance your organization’s ability to both claim and credibly demonstrate trustworthiness.

Make the goal of trustworthiness a significant part of every plan, strategy, and process that governs your business, especially those focused on IT security, since the security of your IT infrastructure has direct and profound effects on your organization’s ability to be trusted. Include your internal and external clients and partners in this effort wherever practical. It may be the single most significant thing you can do to minimize time to success and maximize the number and value of constituent relationships, for your constituents, your team, and your enterprise.


Shavlik is Your Single Solution to Creating an ART-ful Enterprise

GettyImages-519491604While tools alone will not guarantee comprehensive, effective, user-centered security, the right tools can enable and accelerate your progress toward that goal.

Shavlik offers a number of tools that can support your efforts to maximize your organization’s IT security.

Shavlik Protect

When the majority of vulnerabilities come from third-party applications, patching operating systems isn’t enough protection for your organization.

Shavlik Protect is an effective, easy-to-use solution for automating the patching of everything from data center servers to client workstations and virtual environments. It automates patching of not only Microsoft Windows and Office software but also third-party applications from hundreds of vendors, including Adobe, Google, and Oracle.

Shavlik Protect can be configured to deliver agentless or agent-based patch management, and can patch both online and offline virtual machines, including templates and the hypervisor itself. It can even take snapshots prior to patch deployment, so you have a rollback option if something goes wrong. Other capabilities include a library of ITScripts (pre-created PowerShell scripts) that can be customized easily to automate scores of IT maintenance tasks, on demand or on a regular schedule.

Shavlik Protect is also intuitive and easy to configure and use. For many users, Shavlik Protect can be deployed and begin delivering value in as little as 30 minutes.

Shavlik Empower: Heterogeneous Patching in the Cloud

This cloud-based solution delivers patch management for and asset intelligence about Windows and Mac OS X devices. Empower sentinels scan for devices across your environment, then leverage Microsoft Active Directory to extract and map significant intelligence about your organization’s IT assets. Empower then deploys agents that enable comprehensive, flexible patching of Windows and Mac OS X systems, wherever they are.

A browser-based interface enables administrators to view and manage the information collected by Empower sentinels and agents from almost any Web-connected device. Empower can be deployed independently, or as an add-on for Shavlik Protect, Shavlik’s patch management automation solution for datacenter servers, client workstations, and virtual environments.

Fully automate Windows patching, with the flexibility to define policies that lets you filter what you patch by severity, vendor, product family, or product version. Employ the same workflows to manage Mac OS X patching (with some slight differences in filtering options). Minimize user disruption with flexible scheduling and reboot control. Create a firm, flexible foundation for pervasive, effective, transparent security at your enterprise with Shavlik Empower.

Shavlik Patch for Microsoft System Center

For organizations that already know and use Microsoft System Center Configuration Manager (SCCM), Shavlik Patch is an ideal add-on for enabling SCCM to patch third-party applications. Shavlik Patch delivers updates for more than 1,500 application versions from an easyto-use plug-in that snaps right into the SCCM console. Shavlik Patch enhances security and extends the value of Microsoft SCCM investments, with no additional infrastructure or expertise required.

Secure Mobile Email by LetMobile

LetMobile also supports comprehensive, configurable data loss prevention (DLP) filtering rules for both inbound and outbound traffic based on device, user, location, network and time. LetMobile also integrates with any incumbent corporate DLP systems to inherit existing rules and policies. It’s the best of all worlds for a “bring your own device” (“BYOD”) or “company owned, personally enabled” (“COPE”) environment, since it provides robust data security without interfering in any way with personal use of the mobile device.

The Shavlik Team: Your Expert Security Partners

The Shavlik website features authoritative, timely blog posts, as well as white papers, forums and security alerts. The site is an ideal go-to resource for your ongoing security education and promotion efforts.


5 Secrets to Achieving and Sustaining Resilience

GettyImages-608512524There is one thing you must do – and keep doing – to start down the path toward true enterprise resilience: Patch everything. All the time. Starting now.

To make your enterprise truly resilient you need a firm, reliable foundation of security. The successful laying of that foundation begins with patching. Why is this step so critical to effective security and enterprise resilience? Here are a few reasons:

According to the Verizon 2015 Data Breach Investigation Report, “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007—a gap of almost eight years.”

Gartner analyst Anton Chuvakin addressed this grave security concern in one of his blog posts.

“Although patching has been ‘a solved problem’ for many years, even decades, a lot of organizations struggle with it today—and struggle mightily,” he observed. “In the darkest woods of IT, patching third party applications on a desktop remains a significant challenge for many organizations.”

By the way, the National Vulnerability Database managed by the National Institute of Standards and Technology (NIST) states that some 86 percent of reported vulnerabilities come from third-party applications. So even the most robust patching of operating systems is inadequate to assure that your environment is secure enough to be truly resilient.

Do whatever it takes to ensure that all of your enterprise’s critical applications, operating systems, servers, and user devices are patched and updated consistently and in a timely fashion. Then begin the following actions:

  1. Plan – To make and keep your enterprise as resilient as possible, you and your team must develop and implement a comprehensive, business-centric plan for achieving and sustaining the resilience levels your business demands. Whether described as “high availability,” DR/BC, or otherwise, the goals of your plan should be the same—maximum resilience. And that plan requires a well-thought-out planning lifecycle, which in turn depends upon a formal, detailed policy for DR/BC.
  2. Analyze – Your plan should also be based on a business impact analysis (BIA) that maps out all critical processes, systems, and services, their owners, and their interdependencies. You and your team should then establish formal recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical business functions and supporting services. In addition, all of your service level agreements (SLAs) should be closely aligned with these objectives.
  3. Engage – To be as successful as possible, your plan must also include specific guidance for keeping the constituents IT supports engaged and informed about efforts to maximize resilience, security, availability, and recoverability. Such marketing and sales efforts may be unfamiliar territory for many in IT. However, they can be essential in gaining support from and eliminating objection or obstruction by those constituents.
  4. Update – Finally, a comprehensive plan must also include specific recovery and continuity plans and procedures. It must also include processes for testing these regularly and for regular review of all relevant policies, plans, processes, and procedures.

No enterprise can be fully agile or trustworthy if that enterprise is not sufficiently resilient. In fact, insufficient resilience can kill an enterprise in the face of a major disruption or disaster.

Begin by patching everything, all the time, starting now. Then, assess whatever current DR/BC resources and efforts are in place at your enterprise. Evaluate and triage these, then build upon them to reach and maintain the levels of resilience you, your constituents, and your enterprise want, need and deserve.