User-Centered Security Is a Fine A.R.T.


While every enterprise is different, there are three fundamental characteristics common to all successful modern enterprises. The successful modern enterprise is:

  • Agile – able to navigate nimbly all types of internal and external change, expected and unexpected.
  • Resilient – able to avoid threats, disasters, and disruptions and to recover rapidly and seamlessly from those that cannot be avoided.
  • Trustworthy – able to credibly demonstrate and document operational transparency in ways that create and justify high levels of trust among all stakeholders.

It turns out there is also a single prerequisite for all three of the characteristics that make an enterprise “ART-ful.” That prerequisite is security. Specifically, user-centered security.

User-centered security is a focus on what users use to do their jobs—applications, information, devices, and network connections. Protect those things, and you can protect users from being victims of malware and other threats. Just as important, you can also protect users from being conduits into the enterprise for malware and other threats, all while keeping critical enterprise resources safe.

How to Achieve User-Centered Security

User-centered security is not only desirable, it’s achievable. The Australian Signals Directorate (analogous to the National Security Agency (NSA) in the United States) estimates that at least 85 percent of the targeted intrusions it responds to could be prevented by four mitigation strategies, its “Top 4”:

  • Application whitelisting
  • Timely application patching
  • Timely operating system patching
  • Restricting administrative privileges to users who really need them

Unfortunately, such protections are like smarter eating and exercise habits. Most of us know what would be best for us to do, but we don’t always do it.

Take patching, for example. In an April 2015 alert (TA15-119A), the United States Computer Emergency Readiness Team (US-CERT) identified the Top 30 Targeted High Risk Vulnerabilities. The newest dates from 2014, the oldest from 2006. Patches exist for all 30, yet many enterprises still have not installed them, for one reason or another.

Agility, resilience, and trustworthiness are the pillars supporting the successful modern enterprise. User-centered security, beginning with timely, effective patching, is the foundation that supports those pillars and enables the enterprise to implement the practices, processes, and services that make agility, resilience, and trustworthiness possible.

To build that foundation, your enterprise must first automate, integrate, and optimize management of its IT security efforts, starting with patching. As these efforts make IT security more consistent and user-centered, that security can be expanded across all of the IT-empowered services that enable the business. Security and its effective management make up the bedrock that complements the foundation.

Of course, none of these strengths can be achieved or sustained by processes or technologies alone. As with almost everything else a successful enterprise does, effective security and ART-fulness are achieved and sustained by people. Specifically, you and your people in concert with colleagues from across your enterprise. Evolution into a secure and ART-ful enterprise requires leaders, evangelists, champions, and supporters to implement and manage the user-centered security policies, processes, technologies, and services that make ART—agility, resilience, and trustworthiness— possible.


A Three-Pronged Approach to Thwarting Healthcare Data Breaches

Aging software, shared access, and the growing popularity of mobile devices have made the healthcare industry an easy target for hackers.

According to Healthcare Informatics, data breaches at health institutions represented 21 percent of the data breaches reported worldwide in the first half of 2015, exposing the personal information of millions of patients. Hackers are selling that data for hundreds of thousands of dollars.

To enhance security significantly, healthcare organizations can and should harness two strategies. One is comprehensive operating system and software application patching. The other is securing access to personal health information, personally identifiable information, and other business-critical information, for fixed-location and mobile users, devices, and applications. Both are relatively simple to implement and unlikely to generate user resistance.

Patch Management

Many breaches begin with a malware infection, and much of that malware gains its foothold by exploiting known vulnerabilities in unpatched software. Comprehensive patching of operating systems and software applications is therefore essential both for security and for compliance with relevant laws, regulations, and business requirements. This is especially important in environments that include old and shared systems running many different types and versions of operating systems and software.

Many organizations have spent years perfecting their server operating system and Microsoft software patching strategy, using essential tools such as Microsoft System Center Configuration Manager (SCCM). However, hackers seeking softer targets now focus their efforts on vulnerabilities in common, less-widely protected, third-party applications and browser add-ins, such as Adobe Acrobat Reader and Flash Player, Google Chrome, Mozilla Firefox, and Oracle Java.

According to the Center for Strategic and International Studies, 75 percent of attacks use publicly known vulnerabilities in commercial software. The 2016 Verizon Data Breach Investigations Report says that the top 10 vulnerabilities accounted for 85 percent of successful exploit traffic, and that eight of those 10 are 13 or more years old. Attacks aimed at these and other known vulnerabilities can be thwarted by regular, consistent patching.

Tools such as Microsoft SCCM excel at automated operating system patching. However, their abilities to patch third-party applications are insufficient.

Secure Information Access

Healthcare organizations looking to support mobile device use among doctors and other healthcare staff should start with a strategy that focuses on comprehensive, consistent protection of information. To be of maximum effectiveness and value, such a strategy must provide protection from threats whether users’ devices are “at rest” or “in motion.”

By far, the most widely used application is email. An effective data protection strategy must therefore be equally effective at guarding against malware hidden in email attachments and in other file types, whether those are being accessed by users of mobile or fixed-location devices. That strategy must also provide effective protection against threats from rogue applications.

The Shavlik Solution

Shavlik offers three essential tools for implementing a comprehensive software patching and information protection strategy:

  1. Shavlik Patch for Microsoft System Center integrates tightly with Microsoft SCCM to extend its patch vulnerability detection and deployment to third-party applications. Using SCCM’s own patch delivery mechanism, Shavlik Patch monitors and patches hundreds of popular third-party applications, including those from Adobe, Apple, Google, Oracle (Java), and Mozilla (Firefox). The Shavlik Patch SCCM console plug-in eliminates the manual steps otherwise required to define and load third-party patch information into SCCM.
  2. For organizations that aren’t using SCCM or that lack an existing tool for server patching, Shavlik Protect is an effective, easy-to-use solution for automating the patching of everything from data center servers to client workstations and virtual environments.
  3. Advanced Endpoint Protection from BUFFERZONE, a Shavlik partner, provides transparent protection of authorized applications and critical information from a wide variety of threats. This solution uses virtual containers to isolate entire application environments, including memory, files, the registry, and network access. Malware, whether known or new, is confined to the boundaries of the virtual container and never reaches the user’s system or the rest of the network. The BUFFERZONE solution can also contain infections from ransomware or from removable storage devices. Its protections are a strong complement to Shavlik’s patch management offerings.

Where hackers are concerned, the worldwide healthcare industry is a prime target, but healthcare organizations can take steps today to ensure that they are protected. A security strategy that encompasses automated, comprehensive application and operating system security patching and secure information and application access can be implemented quickly and cost-effectively. Such a strategy can provide comprehensive protection from both known and emerging threats and attacks.


The Black Market for Medical Records and What It’s Costing Hospitals

Cybercriminals have discovered how profitable it is to steal and sell personal healthcare information. Now hospitals and medical centers are warding off more cyber-attacks as hackers look to pad their bank accounts.

89% suffered data breaches between 2014-2016

Between 2014 and 2016, 89 percent of healthcare organizations experienced some kind of data breach, according to a study conducted by the Ponemon Institute. The study found 45-percent of those organizations were hit five or more times in that same time period.

A majority of breaches, 68 percent to be exact, can be traced back to lost or stolen devices with access to sensitive data, according to a Forbes article on the recent trend in attacks on the healthcare industry.

112 million records compromised, selling for $10 to $500 per record

In the first half of 2015, the healthcare industry suffered more than 20 percent of global data breaches in which 84.4 million records were compromised. By the end of that same year, 112 million records had been accessed in a total of 253 breaches, according to Forbes.

So what’s the payout? On the black market of stolen data, sensitive patient information is worth anywhere from $10 to $500 per record, compared to credit card numbers which only sell for about a dollar.

While hackers make money, these attacks are proving costly for medical providers. In December 2014, Anchorage Community Mental Health Services agreed to pay a $150,000 HIPAA settlement after a malware breach that the Office for Civil Rights attributed to unpatched and unsupported software.

Hackers are also using stolen information to make fraudulent Medicare claims and pocket the cash. The feds lose roughly $60 billion to Medicare fraud annually.

99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published (Verizon 2015 Data Breach Investigations Report)

With aging software running equipment used by techs, nurses and doctors – plus, the growing popularity of being able to access critical medical data on mobile devices, the time is now for health providers to reinforce their IT defenses.

Don’t let the hackers win!

Shavlik solutions offer superior protection for data centers, endpoints, and mobile devices. A security strategy that encompasses automated, comprehensive application and operating system security patching and secure information and application access can be implemented quickly and cost-effectively. Such a strategy can provide comprehensive protection from both known and emerging threats and attacks.


Why the Healthcare Industry Is an Easy Score for Hackers

Worldwide, healthcare represents an industry that is worth several trillion dollars—and it is anything but secure. Several billions of dollars are lost each year to healthcare fraud, much of which involves compromised medical records.

In September 2015, Healthcare Informatics reported that in the first half of that year alone, the healthcare industry suffered 187 breaches, 21 percent of the 888 breaches reported worldwide. Those healthcare breaches resulted in 84.4 million compromised records or 34 percent of the worldwide total.

As reported in May 2016 by eSecurity Planet, the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data found that 89 percent of healthcare organizations were breached in the past two years, and that 45 percent of those organizations had been breached five or more times in the same two-year period.

Healthcare as a target

Clearly, the worldwide healthcare industry is being increasingly targeted by the worldwide hacking industry. There are two main reasons for this: financial gain and opportunity.

  • Financial gain

Hackers have searched out other opportunities. The black-market value of a credit card number has fallen to about $1 per record, as financial organizations have become better at securing their databases, thwarting threats, and remediating successful breaches.

Meanwhile, personally identifiable information (PII) such as Social Security or National Insurance numbers is now worth 10 to 20 times that much, according to published reports. Some hackers apparently offer “volume discounts,” however.

A June 2016 eSecurity Planet report said that a hacker was offering to sell 700,000 stolen records, including Social Security numbers and other PII for $655,000. This may have been a “loss leader,” however.

When personal health information (PHI) is added to the equation the value is even higher. Hackers or their sponsors can pose as doctors and use that PHI to file very profitable fraudulent insurance claims or order and resell controlled substances and medical equipment. Even without specific medical information, criminals can use PII to apply for loans. When combined with other information and counterfeit documents, PHI records can sell for as high as $500 each, according to a December 2014 Forrester Research report.

  • Opportunity

When one type of target becomes hardened, hackers tend to refocus their efforts on less secure types.

For example, after financial and retail organizations became better at securing centralized databases, hackers found ways to breach less-secure retail point-of-sale (POS) systems. Healthcare systems are ripe for this “soft target” approach and have been for some time now.

According to a warning issued in April 2014 by the FBI and obtained by Reuters, “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors. Therefore, the possibility of increased cyber intrusions is likely.” Current reality proves the prescience of that warning, and provides several reasons for its accuracy:

From a cybersecurity perspective, healthcare IT environments are chaotic. PCs are shared by multiple doctors and nurses. Aging medical equipment relies on software that rarely — or never — gets updated, and on outdated, unpatched, and sometimes even unsupported operating systems. In many cases the software provider may no longer even exist, making security updates difficult or impossible.

Doctors and other healthcare providers increasingly insist on using smartphones and tablets to exchange email with colleagues and patients and to view medical images and information at the bedside, at home, and on the road. The number and variety of mobile devices, operating systems, and system versions needing support create an unwieldy management and security quandary for healthcare providers and their IT and security teams.

This growing demand for mobile access to healthcare-related data has led to an escalation of data theft from lost or stolen devices. Some industry watchers estimate that lost and stolen devices account for as many as half of all healthcare cybersecurity breaches.

Solutions for managing and securing mobile devices and information can be unwieldy and generate resistance. Many solutions force users to switch back and forth awkwardly between managed corporate and unmanaged personal applications on the same device.

Other solutions require users to accept having their device usage monitored and managed when they are at home and at work. Many users consider such scrutiny an invasion of their privacy. Unfortunately, such disruptions and perceived intrusions cause some users to find ways to “work around” tools and measures intended to keep those users and the information they access secure.

Thus, many healthcare organizations allow medical staff and employees to connect their mobile devices to corporate networks, with little to no confidence in the security of those devices or their connections to critical corporate or private patient information.

Stay protected with Shavlik Protect + Empower and download your FREE copy of our whitepaper below.


Patch Tuesday Forecast September 2016

We are only a few days away from September Patch Tuesday and just for a bit of nostalgia I dug up this old image.  Circa 2010 Minimize the Impact of Patch Tuesday banner.


So, here are a few things to watch out for to help minimize the impact of Patch Tuesday, a quick tip to help you tune your process, and our forecast on what we think you should expect this month.

On the Horizon

Based on the sheer volume of questions I’ve had about this, I’m going to go out on a limb and say that the servicing changes Microsoft plans to implement in October are a hot topic right now. Microsoft’s announcement that it will move all pre-Windows 10 operating systems to the same bundled update model has stirred up concerns among its customers. I will start off with the same recommendation I have given everyone so far: keep breathing. But also know the facts. Microsoft will release a security-only bundle each month that includes the security updates for IE and the OS. There will be a cumulative bundle (the Monthly Rollup) as well, which also includes non-security fixes and feature changes. The security-only bundle will be the way to go for most organizations.

The fallout from this change will be a more pronounced need for application compatibility testing. If you recall January’s Patch Tuesday, the Windows 10 cumulative update broke Citrix’s XenDesktop Virtual Delivery Agent (VDA). This is exactly the type of scenario the companies I’ve spoken to are concerned about. Fortunately, Citrix worked with Microsoft and moved quickly to resolve the incompatibility. Microsoft updated its release to detect whether the VDA was installed and, if it was, to withhold the cumulative update. That left affected customers exposed to every vulnerability in the January release, but Citrix turned a fix around in short order, and together the two vendors limited the window in which their common customers could not push the January updates to about a week.

But this was two software giants working together; the issues will be more pronounced with less common products or vertical specific products, such as healthcare devices or manufacturing systems that run on Windows systems. Home-grown applications and applications developed by vendors who are no longer in business may be less of a concern on Windows 10, but on older systems they are much more common. Which brings us to our tip of the month!

Patch Management Tip of the Month

Application compatibility is the biggest hurdle to effectively remediating software vulnerabilities. Most companies we talk to have an exception list of updates that conflicted with business critical applications. This has been a rising concern for companies as they evaluate Windows 10, and now will become a concern for their existing systems come October. The looming inability to pick and choose which updates to apply to their systems has many companies concerned. The reality is we will have less of a choice in the matter going forward, so what do we do?

Pilot Groups

One tip that I always stress when advising our customers is to have an involved pilot group. Many companies have a small set of test systems for the most critical of assets, but this falls short of truly ensuring you catch application compatibility issues quickly. What you need is to ensure you have a selection of power users in your pilot group to help you flush out issues quickly. These power users will be able to provide you better feedback, and they’re technically savvy enough to help you work through issues as you discover them.

Hitting a few power users who will keep their head and work with IT to resolve issues quickly helps reduce impact to the greater workforce. Someone from IT may be able to verify login works and some basic interfaces load, but the power users will get into the product and find the less obvious things, like updating broke print features or submitting a job or form. Most business managers quickly agree to this arrangement when you put it to them as a partnership where you will work with one or two of their best to keep the majority impact-free.

Your Patch Week Forecast

August was our lightest Microsoft Patch Tuesday this year tied with January at 9 Microsoft bulletins total; the average this year has been closer to 13 bulletins each month. I expect this month will be closer to the average if not a little above. Starting in October, this average will appear to drop significantly as the bulletins will become bundles instead, reducing the average number of Microsoft updates to around four or five each month. At that point, watching vulnerabilities resolved will be a more accurate indicator of how significant the month’s updates were.

On the non-Microsoft front, I would expect an Adobe Flash Player update, as we have not seen one since July, which is near an eternity in Flash Player terms. Also be aware that Adobe has updated the notice on its distribution download page about the end of open distribution of Flash Player. The end of September is the new cutoff, after which you will need an Adobe ID and a login to Adobe’s site to obtain Flash Player updates for internal distribution. We will see if this is really the final date.

Google released a Chrome update this Wednesday, so plan to include that and other recent third-party releases, such as Wireshark, in your patching schedule this month.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.

Do you know your Patch Management Posture?

How well do you know the security posture of your environment?  Do you know how effective your Patch Management process is? Can you provide stakeholders with a quick look at the state of your network and show how protected you are in real time?

In today’s world with so many devices connected to a network and with the BYOD option becoming more and more of a norm, it is now more important than ever to have visibility into security risks for an organization.

Visibility into your security posture is the key to providing the knowledge necessary to take action on security measures that you can control. So how do you get visibility into your current security posture and what are valuable insights?

What are valuable insights?

  • When were devices last patched?
  • What are the outstanding patches missing from a device?
  • How many and what are the severity levels of the patches needed?
  • What devices are non-compliant and of those, which ones are the most security risk to the organization?
  • How quickly are patches deployed to devices after each patch is released?
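The five questions above are each a computation over two inputs: the vendor's release record (patch, release date, severity) and the per-device installation record. The following is an added example, not Xtraction or Shavlik Protect code, that computes all five from a small inventory constructed inline; the device names, patch identifiers, severities, dates and the severity weights used for ranking are assumptions made for the illustration.

```python
"""Patch-posture metrics from a constructed inventory (added example, not vendor code)."""
from collections import Counter
from datetime import date

# Assumed weighting used to rank non-compliant devices by exposure.
SEVERITY_WEIGHT = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}

# Vendor release record: patch id -> (release date, severity).  Constructed sample data.
PATCHES = {
    "KB-A": (date(2016, 8, 9), "Critical"),
    "KB-B": (date(2016, 8, 9), "Important"),
    "KB-C": (date(2016, 9, 13), "Critical"),
    "KB-D": (date(2016, 9, 13), "Moderate"),
}

# Per-device install record: patch id -> date installed, or None if still missing.
# Constructed sample data; 'mri-console' stands in for an old, never-patched device.
DEVICES = {
    "fileserver01": {"KB-A": date(2016, 8, 12), "KB-B": date(2016, 8, 12),
                     "KB-C": date(2016, 9, 16), "KB-D": date(2016, 9, 16)},
    "workstation07": {"KB-A": date(2016, 8, 30), "KB-B": date(2016, 8, 30),
                      "KB-C": None, "KB-D": None},
    "mri-console": {"KB-A": None, "KB-B": None, "KB-C": None, "KB-D": None},
}


def last_patched(device):
    """Most recent install date on the device, or None if nothing was ever installed."""
    dates = [d for d in DEVICES[device].values() if d is not None]
    return max(dates) if dates else None


def missing_patches(device):
    """Sorted ids of released patches the device has not installed."""
    return sorted(pid for pid, installed in DEVICES[device].items() if installed is None)


def severity_counts(device):
    """How many missing patches of each severity the device has."""
    return Counter(PATCHES[pid][1] for pid in missing_patches(device))


def risk_score(device):
    """Weighted count of missing patches; higher means more exposed."""
    return sum(SEVERITY_WEIGHT[PATCHES[pid][1]] for pid in missing_patches(device))


def non_compliant_ranked():
    """Devices missing at least one patch, most exposed first (ties by name)."""
    rows = [(dev, risk_score(dev)) for dev in DEVICES if missing_patches(dev)]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def mean_days_to_deploy(patch_id):
    """Average days between vendor release and installation, over devices that installed it."""
    release, _ = PATCHES[patch_id]
    lags = []
    for dev in DEVICES:
        installed = DEVICES[dev].get(patch_id)
        if installed is not None:
            lags.append((installed - release).days)
    return sum(lags) / len(lags) if lags else None


if __name__ == "__main__":
    for dev in DEVICES:
        print(dev, "last patched:", last_patched(dev), "missing:", missing_patches(dev),
              "by severity:", dict(severity_counts(dev)), "risk:", risk_score(dev))
    print("non-compliant, most exposed first:", non_compliant_ranked())
    for pid in PATCHES:
        print(pid, "mean days to deploy:", mean_days_to_deploy(pid))
```

The ranking weights are the part a real deployment would want to tune: a never-patched device that reaches the network (the constructed `mri-console` here) should rank above a workstation missing only this month's updates, and the weighted count gives exactly that ordering. The time-to-deploy figure is computed only over devices that actually installed the patch; devices that have not are reported separately as missing, so a slow rollout cannot hide behind an average.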

How do you get visibility into your security posture in a form that is meaningful to you? Xtraction.

Xtraction allows an organization:

  • To decide what information is meaningful
  • To provide access to that information anywhere from a browser at anytime
  • To report real-time results based on the current state of the production database

Xtraction for Shavlik Protect provides a number of default dashboards as part of the Report Bundle offering.

These dashboards have been designed to give visibility into the security posture of an organization and to provide the insight needed to aid in prioritizing meaningful action.

Since the release of Xtraction for Shavlik Protect Reporting Bundle, 2 additional dashboards have been created and are available on the Xtraction for Shavlik Protect landing page of the community website.


Windows Convenience Update causing inconvenience for VMware and Microsoft App-V users!

A quick heads up. The Convenience Update for Windows 7 SP1 and Windows Server 2008 R2 SP1 is causing issues with VMs that use the VMware VMXNET3 virtual network adapter type.

According to a blog post by VMware and a post by Microsoft uninstalling the update will resolve the issue.  The Microsoft article goes on to talk about an issue with Microsoft App-V where virtual applications may have difficulty loading.

Recommendation in both cases is to defer pushing this update until a resolution is in place.

Java Out of Band! This vulnerability fits the profile…

Oracle has announced an out-of-band Java update to resolve a publicly disclosed vulnerability that can be exploited over the network without authentication. The vulnerability fits the profile of one that is likely to be exploited within 30 days or less.

The Oracle Security Alert for CVE-2016-0636 provides the CVSS details for the vulnerability. It has a CVSS v2 base score of 9.3: the access vector is network, access complexity is medium, and authentication is none, while the confidentiality, integrity, and availability impacts are all complete. If you have looked at Verizon’s 2015 Data Breach Investigations Report, that pattern indicates a high risk of the vulnerability being exploited in a short time frame.

In the report, there is a section dedicated to indicators of risk, specifically focused on how they help profile the CVEs that are more likely to be exploited quickly. A vulnerability that ends up in the Metasploit Framework is the most obvious indicator, since a working module can be picked up and reused by any threat actor. However, based on the CVE metadata and analysis of over 67,000 CVEs, the Verizon team was also able to identify a pattern among vulnerabilities that have been exploited, including those exploited in less than 30 days.

The majority of vulnerabilities that have been exploited have an access vector of network; authentication would be none, and access complexity of medium or low. If confidentiality, integrity and availability are complete, and have a CVSS of nine or 10, it falls to a more critical time frame where it is likely to be exploited very quickly. (See image of the figure from the Verizon Breach Report)


As a precaution, put some urgency on getting this updated as quickly as possible. Aside from meeting the pattern described above, this vulnerability has been publicly disclosed. The Shavlik Content Team is already working on releasing content for this update.

Apple Mac OS X Updates for March 2016

With Macs continuing to expand in the enterprise, and our increased focus on Mac patching, we are overdue to provide analysis on OS X updates as we do with those on Microsoft and third-party vendors on Patch Tuesday. Apple released a number of updates on March 21 that impact Mac OS X, including El Capitan 10.11.4, Security Update 2016-002 for Mavericks 10.9.5 and Yosemite 10.10.5, Safari 9.1, Xcode 7.3, and OS X Server 5.1. In total,

Before diving into the analysis, it is clear that Apple is much less transparent about their security than Microsoft and other vendors. While listing the Common Vulnerabilities and Exposures (CVE) IDs for their vulnerabilities, they did not reveal much information for proprietary components in the CVEs making it difficult to assess risk. Yet, analyzing the impact descriptions for their fixes gives one a sense of the risk.

OS X 10.11.4 and Security Update 2016-002

The last OS X security update was in mid-January, and the latest brings fixes for 59 vulnerabilities. Interestingly, 36 of those were fixed only in El Capitan. The fixes that do apply to Mavericks and Yosemite include vulnerabilities that allow malicious PNG and XML files to run arbitrary code, and such vulnerabilities are prime candidates for phishing attacks. Among the El Capitan-only fixes was one in FontParser for a vulnerability that could allow a malicious PDF to run arbitrary code, again a prime candidate for phishing and other social engineering techniques. It isn’t clear whether this vulnerability, and the others fixed only in El Capitan 10.11, are also present in older versions of OS X, but the clear gap in fix applicability suggests that organizations should always update to the latest version of Mac OS X, not just the latest security update. Many other types of vulnerabilities with lower risk exposure were fixed across numerous OS X components, but the bottom line is that one should update all Macs to close every exposure.

Safari 9.1

Safari 9.1 is available for Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11 to 10.11.3 (it’s included in 10.11.4). There were 12 vulnerabilities fixed, including three where arbitrary code could be executed through malicious XML or web content. These alone are a reason to upgrade. Other vulnerabilities compromise privacy, create denial of service, enable UI spoofing, or provide access to restricted ports. Safari 9.1 includes numerous new features that motivate users to update and drag the security fixes along with them.

Xcode 7.3

For developers, there is Xcode version 7.3 that fixed three vulnerabilities across two components: otool and subversion. The subversion vulnerabilities are the most significant where connection to a malicious server could allow arbitrary code execution. There were many new features in Xcode 7.3, like support for iOS 9.3, watchOS 2.2, tvOS 9.2, along with other improvements. Most developers will update for those features alone. However, the security fixes should be reason unto their own.

OS X Server 5.1

For those not familiar, OS X Server is an application that can be downloaded from the App Store (for $19.99 in the US) to enable server capabilities like website hosting, wikis, backups, file sharing, and many other features.

There were four vulnerabilities fixed in OS X Server, addressing weaknesses in the RC4 cipher, remote access to sensitive information, and the storing of backups on a volume without permissions enabled.

Summary

Apple is one of the best companies around for getting people to adopt new components by driving new features, interesting users and wrapping security in with the release. Most Apple users have grown accustomed to updating their devices when prompted. That said, it is still important to assess compliance and update systems in your organization to ensure there are no lingering risks.

Windows 10 Patch Management and Third-Party Application (In)Compatibility


Unlike previous releases of Windows, Windows 10 continues to evolve from month to month and update to update. With the January 2016 Patch Tuesday release, we see some very interesting challenges for customers, due to the cumulative update model and the impact on third-party applications.

Chris Goettl, senior product manager for Shavlik, and resident patch expert, noted in his January 2016 Patch Tuesday blog an impact to Citrix XenDesktop. Let’s drill into what happened and what this means for customers.

Stephen: Chris, quickly recap what happened in this month’s update and how it affected Citrix XenDesktop.

Chris: As many in IT are already aware, patches for Windows 10 are all deployed in a “Cumulative Update” model where you can’t choose which individual update to apply. You either apply them all or none of them. Microsoft’s January Windows 10 update will create issues when Citrix XenDesktop is installed.

Stephen: Wow! That's painful if you are a customer using Citrix on Windows 10. Has Microsoft responded to the issue?

Chris: Microsoft noted the following in bulletin MS16-007:

“Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update. Because of a Citrix issue with the XenDesktop software, users who install the update will be prevented from logging on. To stay protected, Microsoft recommends uninstalling the incompatible software and installing this update. Customers should contact Citrix for more information and help with this XenDesktop software issue.”

Stephen: Did Microsoft do anything to help prevent the incompatibility?

Chris: Microsoft’s detection logic now detects if Citrix XenDesktop is installed on an endpoint. If it is, the entire cumulative update simply will not be available for the endpoint.

Stephen: What does that mean for the rest of the cumulative update? Will part of the update apply except for the components that have conflict with Citrix?

Chris: None of the cumulative update will apply if Citrix XenDesktop is installed.

Stephen: What does this mean from a security perspective?

Chris: Customers have a difficult choice to make. They either need to uninstall Citrix XenDesktop and install the Windows 10 update or keep Citrix and be vulnerable to everything fixed in the January Update.

Stephen: How many vulnerabilities were in the January 2016 update?

Chris: 14 vulnerabilities were resolved across Windows 10, Edge, and Internet Explorer. Four of those were publicly disclosed, which puts them at significantly higher risk of exploit.

Stephen: So customers will not get Microsoft Edge and Internet Explorer updates without applying this cumulative update?

Chris: That’s correct. With Windows 10, all of those updates are bundled into the single cumulative update.

Stephen: What do you expect will happen with Citrix XenDesktop?

Chris: We can’t speak for Citrix, but I would expect that they will come out with a patch that makes XenDesktop compatible with the latest Windows 10 update. Users will then need to deploy both the Citrix update and then the Windows 10 update.

Stephen: So this reinforces the need for third-party application patching?

Chris: Absolutely. This is just one example that illustrates the need to have a comprehensive patch management solution for operating system updates and third-party applications. Going a step further, it reinforces the need to patch client systems more frequently. We don't know when the Citrix update will be available, but when it is, customers are going to want to know ASAP, so they will then be able to update Citrix and push the cumulative update for Windows 10.

Stephen: One last question. How does this illustrate the need for an enterprise patch management solution with Windows 10?

Chris: To reiterate and emphasize my earlier point, customers must decide whether to install the cumulative update or remove Citrix. Most likely, they will need to update both in the order I specified earlier. Neither Windows Update nor Windows-only patch solutions give the flexibility to address these types of scenarios.

To summarize:

  • Patch Tuesday is no longer a single event, if it ever really was. An enterprise that starts its patch process while running Citrix XenDesktop has no choice: the cumulative update will not apply, and those systems remain exposed to the known vulnerabilities it fixes.
  • We expect Citrix will release a patch. Enterprises need to be able to detect and distribute that third-party patch; Windows Update, Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) on their own are not enough here.
  • Once Citrix XenDesktop is patched, the systems become eligible for the Windows 10 cumulative update. The enterprise then needs to rescan as soon as possible after the Citrix update to discover that the Microsoft January 2016 update is missing and now applicable, and then deploy and install it.
  • Patching is not a once-a-month event: updates are becoming more complex and are sometimes released out of band. This is even more true of third-party applications, whose vendors sometimes release several updates in a month.
  • Windows 10 does not simplify patching for enterprises. Enterprises need solutions that handle the new complexities of the Windows 10 update model.
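The practical lesson of the steps above is that "Windows Update is not offering the cumulative update" and "the cumulative update is installed" are two different facts, and applicability logic can make a missing update invisible to the first check. The following PowerShell is an added example, not code from the original post, from Shavlik or from Citrix. It checks the installed-updates inventory (Get-HotFix), asks the local Windows Update Agent what it is currently willing to offer, and looks for a blocking product in the registry so an administrator can tell the three cases apart. The KB identifier you pass in and the `Citrix*XenDesktop*` DisplayName pattern are assumptions: supply the KB number of the cumulative update you are tracking, and adjust the pattern to match how the Citrix components appear in Programs and Features on your endpoints.

```powershell
# Added example (not from the original post, Shavlik or Citrix): tell apart
#   1. cumulative update installed,
#   2. missing but offered by Windows Update,
#   3. missing and NOT offered (applicability logic is holding it back, as with
#      the XenDesktop case), and name the likely blocking product.
# Assumptions: $CumulativeKb is the KB of the CU you track (placeholder, you supply it);
# $BlockerPattern is an assumed DisplayName wildcard, adjust to your environment.
param(
    [Parameter(Mandatory)] [string]$CumulativeKb,
    [string]$BlockerPattern = 'Citrix*XenDesktop*'
)

# Normalize to the "KBnnnnnnn" form that Get-HotFix -Id expects.
$CumulativeKb = 'KB' + ($CumulativeKb -replace '^(?i)KB', '')

function Get-InstalledProduct {
    # Look for a product by DisplayName in both the 64-bit and 32-bit uninstall hives.
    param([string]$Pattern)
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object DisplayName, DisplayVersion
}

function Test-KbInstalled {
    # Installed-state check that is independent of what Windows Update offers.
    param([string]$Kb)
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-OfferedKbs {
    # Ask the Windows Update Agent for updates it would currently install.
    # A CU excluded by applicability logic does not appear here even though
    # it is not installed; that gap is exactly the blind spot to watch for.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        foreach ($id in $u.KBArticleIDs) { "KB$id" }
    }
}

$blocker   = Get-InstalledProduct -Pattern $BlockerPattern
$installed = Test-KbInstalled -Kb $CumulativeKb
$offered   = @(Get-OfferedKbs)

if ($installed) {
    "$CumulativeKb is installed. Compliant."
    exit 0
}

if ($offered -contains $CumulativeKb) {
    "$CumulativeKb is missing but is offered by Windows Update. Deploy it."
    exit 1
}

"$CumulativeKb is missing and is NOT offered. Applicability logic is holding it back."
if ($blocker) {
    "Detected product(s) matching '$BlockerPattern':"
    $blocker | Format-Table -AutoSize | Out-String
    "Patch or remove the product above, rescan, and the cumulative update should then be offered."
} else {
    "No product matching '$BlockerPattern' was found; investigate other applicability rules."
}
exit 1
```

Run it elevated as a saved script (for example `.\Check-CuCompliance.ps1 -CumulativeKb KB1234567`, with the real KB number substituted); the Windows Update Agent search needs reachability to WSUS or Microsoft Update, and the non-zero exit code lets a scheduled task or configuration-management tool flag endpoints that fall into the third case.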

Bottom line: third-party patching and flexible Windows 10 patch management are a must for every enterprise.