Shavlik Security Advisory: Insufficient Patch Management Could Lead to Attacks From More Than Just Hackers

Two months ago, Shavlik released a security advisory alerting our customer community to the availability of off-the-shelf exploit kits that enable less sophisticated hackers to mimic a Target-like attack.

In that advisory, Rob Juncker, Vice President of R&D for Shavlik, accurately predicted the availability of these exploit kits would lead to the following.

  • More companies will be coming forward to report breaches.
  • The scope of these breaches will go beyond retailers to impact all types of businesses that have valuable and private information.

Earlier this month, the game changed again, but this time the threat doesn’t come from hackers alone; it’s coming from the courtroom, the halls of government, and maybe even from your own employees. For the first time, we are seeing companies being held legally and financially responsible for security breaches that occurred due to insufficient and/or negligent security practices.

Today, Shavlik is issuing another security advisory to draw your attention to three landmark cases that made headlines earlier this month.

 

$150K HIPAA Fine for Unpatched Software  

Anchorage Community Health Services was fined $150,000 by the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) for “failure to apply software patches [that] contributed to a 2012 malware-related breach affecting more than 2,700 individuals,” according to GovInfoSecurity.

This incident is the first where a company has been held liable by OCR for failing to patch software, and now a precedent has been set, making disciplined patch management a critical part of HIPAA compliance.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities,” OCR Director Jocelyn Samuels said to GovInfoSecurity.

 

Target Ruling Raises Stakes for Cybersecurity Vigilance 

The U.S. District Court in Minnesota denied Target Corporation’s motion to dismiss litigation filed by financial institutions that suffered losses as a result of Target’s 2013 data breach.

According to Reuters, Judge Paul Magnuson found “…banks were foreseeable victims of Target’s allegedly negligent conduct.” The report went on to say, “Importantly, Judge Magnuson said that imposing a duty of care on Target ‘will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.’”

This case may set a precedent for companies to be financially liable to both consumers and financial institutions for breaches that compromise customer data.

 

Employee Data Breach the Worst Part of Sony Hack

Two employees filed a class action lawsuit against Sony for allegedly not taking adequate precautions to secure employee data.

According to an article posted on TechCrunch, “The complaint references a tech blog reporting to note that Sony was aware of the insecurity on its network and took the risk.”

It has been confirmed that employee emails, website viewing activities, credit card website credentials, and social security numbers were among the data made public as a result of the Sony breach, and now after having already lost an estimated $100 million, Sony could be in for more expense at the hands of its own employees.

 

In a month where the security stakes have never been higher for corporations, CIO Magazine reported that “Most Companies Fail at Keeping Track of Patches, Sensitive Data.” According to its report,

  • 12% of companies have no patch management process at all
  • 58% of companies have a patch management process that is not fully mature (e.g. may patch the OS but not third-party applications)
  • 19% of companies have no control or tracking of sensitive data at all

If you see your organization in any of these statistics, now is the time to act. Your response will not only help keep your company out of the headlines but also out of the courtroom.

Beyond Patch: Shavlik Protect IT Scripts

As we continue in our “Beyond Patch” video blog series, let’s examine Shavlik Protect’s ITScripts capabilities.

Protect’s ITScripts allow you to run PowerShell scripts on targeted machines at a scheduled time.

Why is this important?

  • You can automate the performance of mundane maintenance tasks like Check Disk or defrags. Tasks that often get left undone due to time constraints can now be done automatically at a time of your choosing.
  • You can acquire information about the machines in your environment. For example, you can run scripts to report on disk space or when the machine was last rebooted.
  • Shavlik Protect provides a library of scripts you can use OOTB or…
  • You can create your own PowerShell scripts and use Protect to schedule and to deploy them. This means that nearly any operation can be automated.

Check out this video where Shavlik Product Evangelist John Rush walks you through the ITScripts capabilities within Shavlik Protect. For more information, please contact us at sales@shavlik.com.

Windows IT Pro Weighs in on Shavlik Patch

You’ve heard a lot of talk from us about the new Shavlik Patch for Microsoft System Center, but you may be wondering, “What are people who don’t have the word ‘Shavlik’ on their business cards saying about this new product?”

Windows IT Pro Community Manager Rod Trent answered just that in his article “Shavlik Patch for System Center Simplifies Securing the Other 86 Percent of Windows Vulnerabilities.” Trent is a leading expert on Microsoft System Center technologies and has more than 25 years of IT experience.

Here are some of his insights.

  • “…86% of reported vulnerabilities come from third-party applications, 10% comes from the operating system itself, and 4% is attributed to the hardware.”
  • “Shavlik Patch for System Center takes a normally manual process for third party application patches and automates it such that administrators can have the confidence that the ‘other 86%’ of known vulnerabilities are covered.”
  • “Shavlik was one of the first vendors to understand the need to patch products other than those provided by Microsoft. …the company knows patching.”
  • “Configuration is easy and scheduling is provided to automate the download of deployable .cab files and publishing of updates.”
  • “In addition to the console integration, the product also takes full advantage of the capabilities built into ConfigMgr for targeted deployments of software patches.”

Learn more about Shavlik Patch for Microsoft System Center or download a free trial here.

 

The Next Generation of SCUPdates, Shavlik Patch for Microsoft System Center, Is Here

Shavlik is happy to announce the release of Shavlik Patch for Microsoft System Center. This follow-on to Shavlik SCUPdates provides third-party patching within Microsoft System Center Configuration Manager (SCCM) and does it in such a manner that third-party patching has never been easier.

 

What’s cool in Shavlik Patch?

If you are using SCCM 2012 (or later versions)…

  • Ability to patch more than 100 popular applications completely within Configuration Manager
  • An integrated add-in for the Configuration Manager console that no longer requires the use of System Center Updates Publisher (SCUP)
  • Automatically check for and download patch data from Shavlik
  • Publish new patches through SCCM manually or automatically
  • Smart handling of difficult to install patches like Java

If you are using SCCM 2007…

  • Continue to enjoy the goodness of SCUPdates just with a new name

 

Want to see it in action?

Join Shavlik Chief Marketing Officer Steve Morton, Systems Engineer John Rush, and me as we discuss the details of the new release and show you how Shavlik Patch will revolutionize the way you perform third-party patching within Configuration Manager.

Introducing the New Shavlik Patch for Microsoft System Center
Wednesday, February 12, 2014 10:00 a.m. CST

 

Download it now and see for yourself

  • Learn more about Shavlik Patch here.
  • View quick videos about how to install and configure Shavlik Patch here.
  • Download a free trial of Shavlik Patch here.
  • View user documentation for Shavlik Patch here.

See you all at the webinar on Wednesday and check back later this week for an additional post providing more info on what this release means to existing SCUPdates customers.

Reflecting on 2013: A Transitional Year

Shavlik Vice President of R&D Rob Juncker reflects on 2013 and the transitions that have occurred within our industry and within the Shavlik business this past year.

 

For Shavlik, probably more than any other product line, 2013 was a year of transition for us.  We came into this year as part of VMware focused on delivering patch management solutions to the Small-to-Medium Sized Businesses with a keen eye for virtualization.  We exit this year as a new product line at LANDesk, focused on delivering patch management solutions to anyone of any-size with a focus on virtualization, hybrid cloud, and enabling Microsoft SCCM to achieve this mission.  That’s quite a change from where we started.

With this kind of volatility, I had to sit back and think about the two major shifts that I witnessed this year.  One for our business, and one for our industry.

Our Industry in Transition

I really do sometimes feel bad for all of us in security.  If there was a switch on the wall that we could flip to turn off the darkness, we really would.  This is especially true when you consider the magnitude of attacks, breaches and exploits that occurred in 2013 and with that came an extraordinary volume of patches to accompany those exploits.

Back in 2011, there were some Patch Tuesdays where I remember seeing 10 security bulletins on a Patch Tuesday and thought, “Wow, this is going to be fun.”  Those thoughts were clearly just setting the stage for what was to come, as in 2013 we saw record numbers of patches due to the wide variety and versions of platforms all of us were supporting.  Each month, the numbers grew as the impacted products created a seemingly endless matrix of applications and targets.  As we here at Shavlik look at a list of bulletins, we quickly know to get our game faces on when we see a .NET, Internet Explorer or cumulative update bulletin.

On top of the volume of patches that were coming down the pipe, the severity of these patches also began to set new standards.  No longer did we have a single focus on an isolated breach; in 2013 we saw continual and repetitive zero-day vulnerabilities, and when one arose, it sometimes was quickly followed up with multiple zero-days for the same product.  (While many of us would like to forget about it, early this year we seemed to coin a new term called “Java Friday” during a nearly weekly release of Java for critical security exploits.)

Finally, the security threats themselves took a turn.  I was searching my email last night to see how many notices I received from software providers like Adobe, and retailers that were hacked this year.  At a quick glance, I had more than 11 of these notices.  Suddenly it wasn’t the software itself that was being exploited, it was weaknesses in the provider.

In 2013, our challenge to manage a plurality of platforms with a growing number of attack vectors kept us all on our toes.

Our Growth in Greatness

We made news again this year as we departed VMware in April for LANDesk.  It was a bittersweet move for many of us.  We had enjoyed our time at VMware, but knew it was time for us to depart.  In so doing, we found a great home at LANDesk.  This organization has been a pioneer in endpoint protection and they welcomed the Shavlik Product Line with open arms.  We’ve increased our investment in Protect, SCUPdates (which… soon will have a major release) and our OEM work.

We recognize that this has been a transition for many of our customers and we want to thank you for sticking with us during this time.  We are as committed as ever to our customer-first culture and with advancements we’ve made in the last two years, our world-class patch testing infrastructure truly will safeguard the quality of content we will provide to you in years to come.

As we close out this quarter though, there has been plenty of great news to celebrate.  First, we’re excited to be re-aligned with Microsoft.  At Shavlik they were a great partner of ours and we’re happy to be part of the Microsoft System Center Alliance program again.  On top of achieving this status with them, we’ve worked hard alongside their team to bring exciting and innovative technologies alongside SCCM which you will see early next year.

Thanks

Once again, we’re excited to end the year with great success.  The journey this year was not the one that we necessarily had in mind, but all is well that ends well, and for us it ended great.  Next year, we have exciting plans to push into new spaces and grow our product breadth.  All of this would not be possible though without our customers and your support, investment and time.  For that reason, on behalf of the entire Shavlik R&D team, we wish you and your family a safe and Happy Holidays.

Learn more about Shavlik patch

Join Shavlik System Engineer John Rush in this latest webinar as he reviews Shavlik’s patch management product offerings – Shavlik Protect and Shavlik SCUPdates.

Protect is Shavlik’s on-premise IT management solution that bundles best-in-class patch management with asset inventory, power management, and antivirus. SCUPdates is a catalog of patch metadata that enables SCCM shops to patch third-party applications (e.g. Adobe, Oracle, browsers) in the same manner as they patch Microsoft products.

This webinar provides an overview of the patch management process, explains how both products can make that process more thorough with less effort, and lets you know how you can obtain a free trial of Shavlik Protect and/or Shavlik SCUPdates.

Check out the “Looking for patching or more? Discover what Shavlik products can do for you.” webinar at http://www.shavlik.com/webinars/.

From there if you want to learn more about Protect or SCUPdates, you can also view “Shavlik Protect: Patching Beyond WSUS” and “Extend Patching in Microsoft System Center with SCUPdates” at http://www.shavlik.com/webinars/.

Public Cloud? No Problem With Shavlik Protect 9.0

Last week one of our Sales Engineers took the new Cloud Agent feature of Protect 9.0 for a spin.  Within minutes he had registered and installed Agents on several servers he had spun up in Amazon’s Public Cloud.  From the same console he uses to demo network discovery and agentless scan and deployment he also manages agents covering servers outside the network.  All of this without opening security risks on the network.  Once again, this shows that there can be simple ways to support and manage machines no matter where they may reside.

Shavlik Protect 9.0 is available as an early access release currently.  For more details you can contact us at Protect-Help@Shavlik.com.  Also take a look at some upcoming webinars covering the official product launch on May 15th. The “Introducing Shavlik Protect 9.0” webinar will discuss the new features in a demonstration geared toward new customers.  The “Upgrading to Shavlik Protect 9.0” will discuss the upgrade path and things that current customers will want to know about behavioral changes, etc.

 

 

vCenter Protect 9.0 Public Beta Coming Soon!

Hey Everyone!

This is the first of many announcements to come.  We are currently gearing up for the vCenter Protect 9.0 public beta and looking for participants.  Invitations will start being sent at the end of this week.  We are targeting to launch the public beta on March 11th, 2013.  If you would like to participate in the beta you can send an email to Shavlik-Beta@vmware.com.  The beta will be fully supported in production environments.  This means full upgrade support for the beta version when the GA version releases.  Now, on to the good stuff, WHAT’S NEW in vCenter Protect 9.0!

This is a HUGE release!  We have been in development on this release for over a year so it is packed with great new features, enhancements, and usability improvements.  Here are the highlights:

Major Features:

  • Cloud Agents – break free from your Visio network and bring order to chaos!  OK, that was a little melodramatic, but this feature is really cool.  Come check it out.
  • Virtual View and ESXi Hypervisor Patching – Standalone or managed.
  • 64 bit edition
  • Install support for console on Windows 8, Server 2012, and SQL 2012

Enhancements:

  • Updated workflow and more flexible scheduling options for Distribution Server sync
  • Add detected threats to allowed threats list as right click action
  • **Machines Not Scanned right click options have returned!**  (Yes, we heard you and have brought them back.)
  • Machine Group Comment Field (at entity level)
  • Edit entities in Machine Group
  • **Supersedence support for Patch Groups** (Another one I know many of you are anxiously awaiting)

These and other new features await you in vCenter Protect 9.0!  Over the next few weeks we will be sharing more details, screenshots, and videos on vCenter Protect 9.0, so stay tuned.

Regards,

Chris Goettl
Product Manager / Product Owner
vCenter Protect Team

New ITScripts Available

Hey Everybody,

Just a quick update on the latest XML release for VMware vCenter Protect Essentials Plus, as you will notice some new items have been released.  As many of you know, vCenter Protect Essentials Plus 8.0 offers a new feature called ITScripts.  This integration with Microsoft PowerShell delivers powerful scripting capabilities through vCenter Protect Essentials Plus.  In the XML release yesterday we did release three new scripts into the VMware Script Catalog.

A little about XML Announcements for those who may not be familiar.  vCenter Protect Essentials Plus has regular data releases to update patch data.  Typically you will see a release every Tuesday and Thursday, but it can vary.  ITScripts is now driven by the same data releases.  Although scripts will not be releasing nearly as often as patch data, you will be able to keep up on what is releasing through the XML Announcements.  In the announcement you will see [Patch-ITScripts] in the subject line indicating this release includes additions or changes to the script catalog.

So in yesterday’s release we included three new scripts.

  • Disable Adobe Reader and Acrobat Updater (version 1.0.0.5)
  • Get Security Center Status (version 1.0.0.40)
  • Local Administrator Password Change (version 1.0.0.6)

These new scripts are available in vCenter Protect Essentials Plus 8.0 today and can be approved by going to Manage > ITScripts.  From there you can approve the scripts for use in vCenter Protect Essentials Plus.  Depending on your license and if you are a vCenter Protect Essentials or Essentials Plus customer you will see the scripts available to you.

For more details you can go to the ITScripts Community Site.  Here you can find a write-up on each of the scripts in the VMware Script Catalog. You can also find answers to common questions and post questions relating to the scripts as well.  One specific thing that customers have asked is which scripts should I see as a vCenter Protect Essentials or Essentials Plus customer.  Each script is tagged with Essentials or Essentials Plus to show what license level you need to see them.  vCenter Protect Essentials Plus customers see all Essentials scripts with the addition of the Essentials Plus scripts.

Regards,

Chris Goettl
Customer-Product Owner
SMB Management Solutions
VMware

VMware vCenter Protect Essentials Plus available for download

It is patch week once again, but before the patch announcements and Patch Tuesday webinar start to fill your week I wanted to let you know what a couple hundred of our customers have already found out.  VMware vCenter Protect Essentials Plus 8.0 (formerly Shavlik NetChk Protect) is now available.  For those of you who have not seen the new features of the latest release they are focused on making day to day IT Management easier.

Check out the ITScripts feature and integration with RDP which provide some handy and quick solutions for any IT Administrator. From the machine view or scan view you could make a selection of machines and check the last boot time of machines to see if they have rebooted after patch deployment. Also right click and RDP into machines and have vCenter Protect Essentials Plus provide the credential for you. Those and many more handy scripts are available with a few clicks.

Next, the credentials management enhancements make updating passwords and setting credentials a breeze.

Also, for those of you who share a console between multiple admins, this release also supports multiple admin access on the same console.  So by upgrading to vCenter Protect Essentials Plus, as you prep for Patch Tuesday you will no longer have to coordinate time on the console to set up or modify machine groups, update patch groups, or schedule operations.

If you are a current customer and are interested in upgrading to vCenter Protect Essentials Plus, register here to attend this live webinar on November 15th at 10am CST in which I will walk you through the new features and the product upgrade path.

Download is available here.

Happy Patching!

Chris Goettl
Customer-Product Owner
SMB Management Solutions
VMware