CyberSecurity Awareness Month: CyberSecurity Tips for Road Warriors


Security Tips for Road Warriors

A couple of months ago one of our product evangelists reached out to me and asked how to better protect himself and his personal information in his travels. After he settled into a hotel and, a day later, saw it in a headline as one of the latest victims of credit card theft, he felt a bit exposed. I would have loved to tell him some magical tips that would 100% safeguard him from that day forward, but in short, you cannot prevent it. There is no way to know who the next breach target is or when a breach may already be occurring. The only guarantee you have is that another breach will occur, and odds are you will have used your card there at some point. You can, however, reduce the impact when any of your information does get nabbed. Now, you can go to extremes. Cancel all credit cards, just use cash, close all of your social media and online accounts of all kinds, but nobody wants to live that way either. The key is balancing the risks. I talked to many road warriors within our own company and we have some tips and tricks that can help you out. Our road warriors range from my light 16-20 weeks or so of travel per year to Simon, Doug and Rob, who spend more than 50% of their year on the road and take us to all parts of the globe. Here are some of the tricks we use to safeguard ourselves and to mitigate the impact if our information becomes exposed.

Phil Richards, Chief Security Officer:

I recommend reporting your credit card as stolen/lost/missing to the credit card issuing company at least annually. This allows you to receive a new credit card number, and invalidates the old one. Many hotel chains and retailers have had credit card info breaches. For the road warrior, it is highly likely that your card is among them. By changing the CC number, the stolen information is useless and cannot harm you.

Rob Juncker, VP of Engineering:

I never go anywhere without my HooToo. It’s a wall charger with 2 USB ports, an Ethernet port, a fully portable charger (so it’s like a power brick) and an embedded router. The best part about this device is that it has full router capabilities. I have it set up so my computer always connects to it, and then I bridge the hotel Wifi to my personally secured wifi, or use the Ethernet port to plug into the hotel jack. I have it set by default to disable all inbound and just allow outbound.

Doug Knight, VP of Systems Management:

For the record, I told Rob about the HooToo, but since he beat me to it, here is a tip for additional layers of security and anonymity if your travels take you to countries where you need some extra protection and the ability to bypass some levels of content filtering. I subscribe to a VPN service called Private Internet Access. I set up an L2TP connection and then run their default client on top of that. The IPSEC client gives me encryption and some anonymizing, and the L2 VPN even allows me to get through (pretty reliably) the “Great Firewall of China” to reach content that may otherwise be blocked. For the server setting in the L2TP VPN, it’s best to enter the IP address for the server locale you wish to access instead of the DNS name. To obtain an IP address for this purpose, you can ping it or you can go to http://www.ping.eu/ping and enter the server name to get IPs for the server you would like. Do this before you leave the country.

Simon Townsend, Chief Technologist:

I don’t just evangelize about the great security solutions we have at AppSense. I use them regularly. I run as a standard user on my Windows machine and have a local admin account that is used only for installation and initial setup. I run AppSense Application Manager on my system and by default cannot install or run anything that I download under the context of my own LANDESK account. If I need to install something locally I use RunAs or AppSense self-elevation to give myself temporary permission to perform those actions. If I need to do something that is only going to be temporary I will bring up a VM snapshot that is NAT’d. This provides a Deep Freeze style solution that I can revert easily and separates the task I am performing from local data, as that data is not exposed to the VM.

Chris Goettl, Senior Product Manager:

You never know what is observing traffic on public wifi or if the connection you are on has been compromised. Early in my career I connected to a hotel wifi and their router had been compromised. My Gmail session was hijacked by a man-in-the-middle attack and within a few hours suspicious email began flooding forth from my account. Needless to say, I changed my password, enabled two-factor authentication (also highly recommended) and became infinitely more paranoid during my travels. Now wherever I go, after connecting to the hotel wifi I immediately connect to the corporate VPN before connecting to email or opening my browser. The VPN tunnel provides an additional layer of encrypted protection from prying eyes. I have also just ordered a HooToo and will be adding that to my travel defenses.


The CSO Perspective: On the Upcoming Microsoft Service Model Change


The CSO Perspective: What Does the Microsoft Servicing Change Mean?

October is CyberSecurity Awareness month. It’s also the month that Microsoft will implement the new servicing model to pre-Windows 10 systems. Yes, that’s correct. Windows 7, 8.1, Server 2008 R2, 2012, and 2012 R2 will all be moving to an update servicing model similar to Windows 10. Microsoft first announced this change in June and described it as follows:

  • Internet Explorer and Operating System updates will be packaged in two ways.
    • Security Bundle—All OS and IE (Security only) updates for the month will be bundled in a single update. This is not cumulative: the November Security bundle would not include the October Security updates.
    • Cumulative Update—All OS and IE updates for the month for both security and non-security are included in a cumulative rollup each month. The November rollup would include the updates from the October cumulative update.
  • .NET Framework will be a separate Cumulative Rollup. This update will be a single package no matter how many .NET versions are currently installed on a system. The installer will detect and update the installed versions. It will NOT install net new versions.
  • Adobe Flash for IE will be a separate update.
  • Office, SharePoint, Exchange, SQL, and other products will still be separate updates each month.

I’ve had questions from customers, prospects, writers, vendors, and partners about the real impact of this. I’ve posted my thoughts, but today I thought we would catch up with LANDESK CSO Phil Richards and get his.

Chris: Phil, thanks for taking the time to talk about how you see this change and the improvements and challenges we’ll face in the future.

Phil: Thanks, Chris. This is an interesting development from Microsoft that has potential security improvements, and potential issues, depending on how we, the consumers, respond.

Chris: Phil, Microsoft’s change was prefaced with a message of “You asked for it, we delivered.” They didn’t really say what we “Microsoft customers” asked for. So, based on the changes, what was it you think we asked for?

Phil: Enterprise-level patching is far more complex than patching your personal computer at home. There are three main improvements customers are looking for over today’s patching processes: simplification, quality, and security. I think a good portion of the consumers are looking for a simplified patching experience. The complexity of patching—understanding precedence requirements, identifying installed components that require patching, and anticipating future patch needs—makes the patching experience somewhat painful, error prone, and manually intensive for IT professionals. Unfortunately, this is a double-edged sword: when Microsoft bundles the patches, making the customer interface more simplistic, they increase internal complexity of the patch package. The bundled patches must respond correctly to more configuration permutations. While many customers don’t like the complexity associated with multiple patches, I believe they will be unable to support patch bundles across the entire set of systems that require patching. When an IT department has a particular server that needs special handling because of software that will not work with a specific patch, it’s faced with the very real challenge of not applying the entire patch bundle on that system. Over time, we will see many systems that are not able to take patches at all, lowering the security readiness of the enterprise.

Customers are also asking that Microsoft improve the quality of the patches. But increasing the complexity of the patch package by bundling patches raises quality of the Microsoft package at the cost of adversely impacting other sensitive applications on the system.
Finally, customers also need improved security from their patches. With this new patching delivery method, updates are more frequent and potentially more comprehensive. Unfortunately, security updates often create new security vulnerabilities as quickly as they patch old ones. They are, after all, software. While this happens much more frequently with other providers, it has occurred with Microsoft patches. Another security issue has to do with the volume of patches and the possibility of missing one or more of them in your environment. By bundling the patches and providing a cumulative update, IT professionals have the ability to make sure their servers are up to date. Again, the downside is that if I am unable to patch a particular server because of one component, the server remains vulnerable to all threats in the whole patch package.

Chris: Seems like, even with Microsoft’s good intentions, there could be challenges. Digging deeper into some of your points, let me throw a hypothetical situation at you and see how you’d handle it. Let’s say you have a legacy application in your environment that’s critical to your business and very sensitive to patching. You know that each month the security updates need to be tested and often result in one or two OS updates you have to mark as exceptions because they conflict with this application.

If we look at September’s updates and apply the details Microsoft described, the 14 bulletins become 4. The largest is for IE and OS updates. It rolls 10 bulletins and 31 vulnerabilities into a single bulletin. There is another for Office, one for .NET, and one for Flash Player for IE. One of those OS bulletins for September is for the Windows Graphic Components. Under the old model it’s bulletin MS16-106, which resolved 5 vulnerabilities. In this case it will be in the bulletin that includes 31 vulnerabilities, including a Zero Day that was resolved in IE. This GDI change breaks the legacy application and will cause a major disruption to the business. You have to choose to make an exception or break the application and wait for the vendor to fix it. What would you choose to do?

Phil: If I choose to run the critical business application and keep my business afloat, I have to choose not to install multiple patches, which poses a very real threat to my business. If I choose to patch, I have to stop running the application, which poses a very real threat to my business. To address this issue, I’d try to get the vendor of the application to make modifications to support the Microsoft patch. I’d also look at other technologies that will allow me to further isolate the offending application, so I can patch the operating system, or apply network configuration changes to decrease the attack surface of the server. Major technologies in this space include containerization to isolate the application or web application firewalls to decrease the attack surface. While there are workarounds to patching issues, these require heavy lifting by an already overburdened IT organization. These workarounds aren’t efficient and will increase complexity of the environment overall—which is exactly what Microsoft is trying to avoid in the first place.

Chris: Let’s take this scenario one step further. The legacy application is from a vendor that’s no longer in business, so there’s no fix forthcoming. This leaves you with a known exploit for IE exposed in your environment, which is unacceptable. What steps would you take to protect the systems that require this application?

Phil: At this point, the best that can be done is application isolation through containerization and network isolation through a combination of segmentation, firewalls, and web application firewalls. The amount of work involved in this one-off solution is significant, and it’s brittle. I believe this scenario will happen multiple times for customers that have special apps not supported by vendors that are running significant portions of the business. Once the workaround solutions are in place, there is no incentive to fix the underlying problem. It just becomes more walled off, creates higher technical debt, and because of the brittleness of the solution, remains a high risk area of the infrastructure. The problem also compounds. Since the patches need to be cumulative in nature, there is the possibility that by skipping the patch bundle for October, you might not be able to take patches in the future, which increases the network configuration pressure, increases the brittleness of your workaround, and makes it all the more difficult to extricate your business app from the vicious cycle.

Chris: Great feedback, Phil. Thanks again for your time and recommendations. It appears that we should all expect some changes in the near future and some hard questions may come up, but I think you have provided some great takeaways from this discussion.

  • Microsoft’s change, while well intentioned, will impact many companies and could lead to some hard decisions.
  • Application compatibility is going to be the most significant of these changes. Most companies know what products are sensitive to updates already, so it may not be a bad idea to reach out to those vendors in advance and start asking if they understand the changes coming and potential ramifications.
  • While there may be some hard decisions in the future, with planning and other security measures the problems can be overcome.

As always the team here will be keeping a close eye on the situation. As we near October Patch Tuesday we will have more details to share. Make sure to sign up for the October Patch Tuesday Webinar; we plan to cover the new servicing model changes in detail once we see the first month of the new model in operation. www.shavlik.com/Patch-Tuesday

Tech Summit Preview: Shavlik Protect Advanced Features


Think you are a Shavlik Protect expert? Whether you are a Protect veteran or a noob, we would like to expand your expertise during the Shavlik Technical Summit at Interchange in Las Vegas on May 24-25. There are many Shavlik Protect advanced features we will go into including (but not limited to) predictive patching, content updates, distribution servers, scheduled reporting, rollups and other advanced features, including those new to version 9.2.

We know Protect is quick and easy to setup and configure, but there is so much more under the surface. One of our goals is to demystify many of the advanced features that will maximize the value of Shavlik Protect in any environment. We hope to introduce you to capabilities you didn’t even know existed and help you understand how to implement Shavlik Protect’s advanced features in your environment.

We’re bringing some of our best engineers and product managers together to mind meld with you during a few days of training and extracurricular activities. Look forward to seeing you there.

Shavlik Tech Summit Preview: Patch Management Best Practices

Patch Management Best Practices at the Shavlik Technical Summit 2016

Shavlik has been in the business of patch management for a very long time. From HFNetChk to Shavlik Protect, Shavlik Patch, and now Shavlik Empower, we’ve spent a long time building industry-leading patch management solutions. Along the way, we’ve built up a lot of expertise around patch management best practices. By now, we hope you’ve seen our Patch Tuesday analysis and webinars as well as insights on 3rd party applications, and Apple Mac OS X updates. It’s overdue that we have a face to face to share our cumulative knowledge on patch management best practices and we have just the event to do that.

At the Shavlik Technical Summit at Interchange in Las Vegas on May 24-25, we want to share our insights on patch management best practices so you can have a better understanding of how to address the process, people, and technology to keep your environment secure and stable. We’ll spend time helping you understand our products, but more importantly the processes and approaches to maximize success. We will also discuss how top vendors release patches, potential pitfalls, and changes that are coming. It’s not too late to register, so join us in Vegas and let us help you become a patch management expert for your company.

Tech Summit Preview: Shavlik Empower


Patch Management from the cloud – why should you care? With clients, and you, increasingly mobile, we saw a need to be able to patch and track what’s going on in your enterprise and see that information from anywhere. With Shavlik Empower, we introduced cloud-based, web-accessible patch management with inventory and change tracking, and this is just the beginning. We were so excited about what Shavlik Empower can do for our Shavlik Protect customers that we made the base inventory and change tracking free with Protect.

If you missed the launch of Shavlik Empower last fall, we want to give you some hands on training and experience at the first Shavlik Technical Summit at Interchange in Las Vegas on May 24-25. We’re going to go into architecture, integration with Protect, and the ability to manage Windows and Mac OS X systems directly from the cloud. We hope to see you there.

Tech Summit Preview: Shavlik Protect 9.2


Shavlik Protect 9.2 was released last fall and we know that many of you downloaded it and are already using it. This release was jam packed with many new capabilities including turbo charged assessment and remediation, predictive patching, Patch Tuesday + X scheduling, product EOL reporting, a redesigned patch view/group, and so much more. If those capabilities don’t sound familiar, you may be asking, where can I get training on Shavlik Protect 9.2? We’ve got an answer: the first Shavlik Technical Summit at Interchange in Las Vegas on May 24-25.

We plan on going into many of the new features in sessions as well as hands on labs. We’ll give you a chance to learn how they work, how to implement them, and give you the experience to go home and apply the new capabilities to your environment. You will get a chance to mingle with our product managers and engineers and get answers to the questions you’ve had around Protect. We look forward to having you join us next month.

Invitation to the Shavlik Technical Summit

Shavlik Technical Summit at Interchange 2016

If you haven’t noticed from the homepage, we’re holding the first ever Shavlik Technical Summit at Interchange in Las Vegas on May 24-25. So I know what you’re thinking, “What the %^&* is a technical summit and why should I attend?” Let’s start with the why. We’re passionate about security: patch management in particular. We believe patching is one of the most fundamental parts of any security program. We know you are busy administrating multiple systems and applications, and patching is one important part of your overall responsibilities. We want to make you stand out in your company as an expert in patch management and Shavlik.

So how are we going to make you an expert? Well imagine if you blended hands on labs, best practices, product introductions, deep dives, roadmap, and access to product experts all mixed in with some fun on the side. As you can see, coming up with a name wasn’t easy, but our goal is to help you get the most out of Shavlik Protect and related solutions and have fun along the way. I guess we could have called it a boot-camp-expert-presentations-labs-roadmap-peer-experience-conference, but we settled on the Shavlik Technical Summit.

We’ve priced it to be very reasonable, so whether you’re a long time customer with Shavlik or brand new, we believe these two days will do more towards making you a patching and Shavlik expert than anything else you could do. We hope to see you there.

Java Out of Band! This vulnerability fits the profile…

Oracle has announced an out of band Java update to resolve a publicly-disclosed vulnerability that can be exploited over the network, without need for authentication. The vulnerability fits the profile of one that’s more likely to be exploited in 30 days or less.

The Oracle Security Advisory for CVE-2016-0636 provides the CVSS details regarding the vulnerability. The vulnerability has a CVSS of 9.3, access vector is network, access complexity is medium and authentication is none. Confidentiality, integrity and availability are all complete. If you have taken a look at Verizon’s 2015 Data Breach Investigations Report, the pattern indicates there is high risk of this vulnerability being exploited in a short time frame.

In the report, there is a section dedicated to indicators of risk, specifically focused on how they help to profile CVEs that are more likely to be exploited quickly. A vulnerability that ends up in the Metasploit framework is the most obvious indicator, since it would easily be replicated by a Threat Actor to exploit the vulnerability. However, based on the CVE information and analysis of over 67,000 CVEs, the Verizon team was able to uncover a pattern for vulnerabilities that have been exploited, including those exploited in less than 30 days.

The majority of vulnerabilities that have been exploited have an access vector of network, authentication of none, and access complexity of medium or low. If confidentiality, integrity and availability are all complete, and the CVSS score is nine or 10, it falls into a more critical time frame where it is likely to be exploited very quickly. (See image of the figure from the Verizon Breach Report)
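As an added illustration of the prioritization pattern just described (example code written for this page, not code from the original post or from Shavlik), the following Python computes a CVSS v2 base score from a vector string and applies the network / no-authentication / low-or-medium-complexity / complete-impact test. The sample vector is constructed from the metric values quoted above for CVE-2016-0636.

```python
"""Triage CVSS v2 vectors with the fast-exploitation profile from the Verizon DBIR."""
from dataclasses import dataclass

# CVSS v2 base metric weights, as given in the CVSS v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


@dataclass(frozen=True)
class Cvss2Vector:
    av: str  # access vector
    ac: str  # access complexity
    au: str  # authentication
    c: str   # confidentiality impact
    i: str   # integrity impact
    a: str   # availability impact


def parse_vector(text: str) -> Cvss2Vector:
    """Parse 'AV:N/AC:M/Au:N/C:C/I:C/A:C' (surrounding parentheses tolerated)."""
    parts = {}
    for item in text.strip("() ").split("/"):
        key, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {item!r} in {text!r}")
        parts[key] = value
    try:
        vec = Cvss2Vector(parts["AV"], parts["AC"], parts["Au"],
                          parts["C"], parts["I"], parts["A"])
    except KeyError as exc:
        raise ValueError(f"missing base metric {exc} in {text!r}") from None
    for value, table in ((vec.av, _AV), (vec.ac, _AC), (vec.au, _AU),
                         (vec.c, _CIA), (vec.i, _CIA), (vec.a, _CIA)):
        if value not in table:
            raise ValueError(f"invalid metric value {value!r} in {text!r}")
    return vec


def _round1(x: float) -> float:
    """CVSS rounds half up to one decimal; Python's round() is banker's rounding."""
    return int(x * 10 + 0.5) / 10


def base_score(vec: Cvss2Vector) -> float:
    """CVSS v2 base score equation (impact / exploitability sub-scores)."""
    impact = 10.41 * (1 - (1 - _CIA[vec.c]) * (1 - _CIA[vec.i]) * (1 - _CIA[vec.a]))
    exploitability = 20 * _AV[vec.av] * _AC[vec.ac] * _AU[vec.au]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def exploit_timing_profile(text: str) -> tuple:
    """Return (label, base_score) using the DBIR pattern summarised in the post.

    'fast-track'       : network, no auth, low/medium complexity, C/I/A all
                         complete, score 9 or 10 -> likely exploited within days.
    'likely-exploited' : network, no auth, low/medium complexity, lesser impact.
    'watch'            : anything else (local/adjacent, auth required, high AC).
    """
    vec = parse_vector(text)
    score = base_score(vec)
    network_unauth = vec.av == "N" and vec.au == "N" and vec.ac in ("L", "M")
    full_impact = vec.c == vec.i == vec.a == "C"
    if network_unauth and full_impact and score >= 9.0:
        return ("fast-track", score)
    if network_unauth:
        return ("likely-exploited", score)
    return ("watch", score)


if __name__ == "__main__":
    # Constructed from the metric values quoted for CVE-2016-0636 (CVSS 9.3).
    for vector in ("AV:N/AC:M/Au:N/C:C/I:C/A:C",   # the Java out-of-band case
                   "AV:N/AC:L/Au:N/C:P/I:N/A:N",   # network, but partial impact
                   "AV:L/AC:L/Au:N/C:C/I:C/A:C"):  # local only
        print(vector, "->", exploit_timing_profile(vector))
```

A vulnerability that lands in "fast-track" and is also publicly disclosed, as this one is, is the case the post says to push to the front of the patch queue.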


As a precaution, put some urgency on getting this updated as quickly as possible. Aside from meeting the pattern described above, this vulnerability has been publicly disclosed. The Shavlik Content Team is already working on releasing content for this update.

Mobile Data Security + User Freedom = Shavlik’s Newest Product: Secure Mobile Email by LetMobile

Shavlik is happy to announce that we have added a new product, Secure Mobile Email by LetMobile, to our product line. LetMobile is a secure email solution that brings the same effectiveness and ease of management that you have come to expect from Shavlik to the challenge of protecting corporate information on mobile devices.

Today, I sat down with product manager Eran Livne to learn more about Secure Mobile Email by LetMobile. Eran has led this product from its inception and has spent years studying the mobile device management space.

 

Anne: Why LetMobile? What problem does it solve for our friends in IT?

Eran:  There’s a new challenge with all of these smart devices.  Users buy devices and want to use them for work; however, they don’t want IT to control them and have less concern about security. IT is used to managing and controlling, owns security, and is held responsible if a data breach occurs. There is a huge gap between the interests of these two sides.

 

Anne:  How do we bridge this gap?

Eran:  LetMobile was built to find this balance and to bridge this gap. We provide the best of both worlds; IT gets security compliance management and data protection, and users get a native email experience on the device of their choosing. They don’t have to use subpar email clients to consume corporate emails or separate the process of reading work email from reading personal email.

With LetMobile, security policies apply only to corporate data, so the solution has no knowledge or control over personal data or apps. This means users are free to use their devices how they wish, do not need to fear corporate “big brother,” and don’t have to comply with annoying policies like being forced to lock their devices or granting the company access to wipe their devices.

 

Anne:  Wow, that sounds almost too good to be true. How does LetMobile work?

Eran:  LetMobile is a gateway solution. We offer on-premise and SaaS offerings that act as an intermediary between Exchange (or your email service) and user devices. The LetMobile gateway streams email to the device, so email and email attachments are never stored on the device. Additionally, corporate credentials are never stored on the mobile device, so if the device is lost, the user’s corporate creds cannot be compromised.

 

Anne:  Beyond basic email security what are some of the other cool capabilities of LetMobile?

Eran:  LetMobile includes data loss prevention (DLP) capabilities that look into the “body” of emails and attachments and can take action based on the presence of keywords or regular expressions. This, coupled with LetMobile’s geo-fencing capabilities, means that, say, a financial institution could enforce a policy where customer account numbers are masked in emails unless the device is in a trusted location. LetMobile can keep confidential information from leaving the four walls of your corporate headquarters and even your country’s borders.

 

Anne:  If readers want to learn more about LetMobile or see a demo, what should they do?

Eran:  We have a wealth of information out there on our website. Check out…

Also, Shavlik will be hosting a number of live LetMobile webinars in the coming weeks, so stay tuned to our webinars page for more information.

Shavlik Security Advisory: Insufficient Patch Management Could Lead to Attacks From More Than Just Hackers

Two months ago, Shavlik released a security advisory alerting our customer community to the availability of off-the-shelf exploit kits that enable less sophisticated hackers to mimic a Target-like attack.

In that advisory, Rob Juncker, Vice President of R&D for Shavlik, accurately predicted the availability of these exploit kits would lead to the following.

  • More companies will be coming forward to report breaches.
  • The scope of these breaches will go beyond retailers to impact all types of business that have valuable and private information.

Earlier this month, the game changed again, but this time the threat doesn’t come from hackers alone; it’s coming from the court room, the halls of government, and maybe even from your own employees. For the first time we are seeing companies being held legally and financially responsible for security breaches that occurred due to insufficient and/or negligent security practices.

Today, Shavlik is issuing another security advisory to draw your attention to three landmark cases that made headlines earlier this month.

 

$150K HIPAA Fine for Unpatched Software

Anchorage Community Health Services was fined $150,000 by the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) for “failure to apply software patches [that] contributed to a 2012 malware-related breach affecting more than 2,700 individuals,” according to GovInfoSecurity.

This incident is the first where a company has been held liable by OCR for failing to patch software, and now a precedent has been set, making disciplined patch management a critical part of HIPAA compliance.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities,” OCR Director Jocelyn Samuels said to GovInfoSecurity.

 

Target Ruling Raises Stakes for Cybersecurity Vigilance

U.S. District Court in Minnesota denied Target Corporation’s motion to have litigation dismissed that has been filed by financial institutions who suffered losses as a result of Target’s 2013 data breach.

According to Reuters, Judge Paul Magnuson found “…banks were foreseeable victims of Target’s allegedly negligent conduct.” The report went on to say, “Importantly, Judge Magnuson said that imposing a duty of care on Target ‘will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.’”

This case may set a precedent for companies to be financially liable to both consumers and financial institutions for breaches that compromise customer data.

 

Employee Data Breach the Worst Part of Sony Hack

Two employees filed a class action lawsuit against Sony for allegedly not taking adequate precautions to secure employee data.

According to an article posted on TechCrunch, “The complaint references a tech blog reporting to note that Sony was aware of the insecurity on its network and took the risk.”

It has been confirmed that employee emails, website viewing activities, credit card website credentials, and social security numbers were among the data made public as a result of the Sony breach, and now after having already lost an estimated $100 million, Sony could be in for more expense at the hands of its own employees.

 

In a month where the security stakes have never been higher for corporations, CIO Magazine reported that Most Companies Fail at Keeping Track of Patches, Sensitive Data. According to its report,

  • 12% of companies have no patch management process at all
  • 58% of companies have a patch management process that is not fully mature (e.g. may patch the OS but not third-party applications)
  • 19% of companies have no control or tracking of sensitive data at all

If you see your organization in any of these statistics, now is the time to act. Your response will not only help keep your company out of the headlines but also out of the court room.