Monthly Archives

November 2014

Why IT should be the department of “now,” not the department of “no.”


In the short span of a decade, innovative electronic devices such as laptops, tablets, smartphones, and Internet engagement channels have made an indelible impact on everyday life, revolutionizing the means and speed in which people communicate, socialize, and purchase goods and services. Combining the personal and business use of high-tech devices and applications, however, is a more recent phenomenon that’s blazing an irreversible trail.

While the growing movement of versatile devices in the workplace provides flexibility and offers a range of options to increase employee productivity, it puts the modus operandi of back-office technology in peril, leaving IT departments precariously teetering on the edge of falling from hero to zero.

The Driving Force Behind Advancing Technologies
The consumerization of IT, coupled with Bring Your Own Device (BYOD), is more than just a trend. Steered by a younger, more mobile generation of employees—raised with connected devices and uninhibited by the notion of work/life balance—BYOD is the driving force behind the inspiration of advanced technologies with the potential to make the workplace more efficient and employees more productive. Yet, this same force that is driving technology in a direction of infinite possibilities is also at work in an opposite direction, significantly impacting IT administrators who feel pressured to protect their technology universe with black-hole policies where nothing is allowed to pass through nor escape.

From the outside, some see IT departments as having a reputation for using “no” as the default response to newer technology or operational requests, whether to buy more time or as a genuine attempt to protect company policies and procedures. Although not an ideal or sustainable solution, IT departments may be at risk of becoming marginalized within enterprises as the speed of technology surpasses the speed of IT response. As today’s employees can walk into a store, buy a phone, and access company email within minutes, bypassing IT completely, a “no” from IT often only results in an unproductive and unnecessary game of cat and mouse—inevitably ending in frustration and internal conflicts.

Contrary to popular belief, IT does not intentionally oppose innovation, forcing employees to search for covert means to bypass IT and ultimately risk company security. However, the onus will invariably fall on IT administrators—whose survival depends on a willingness to adapt—to search for solutions that redirect policy-based collaboration and mitigate shadow IT, rather than identify new ways to block users from accessing sensitive information and connecting to company networks.

While providing unmatched technical expertise, IT departments face unique challenges and important decisions, particularly in relation to their shifting roles within the organization, along with employee demands regarding accessibility and flexibility. Bridging the chasm will require administrators to not only provide a common goal and a starting point from which all players have an equal advantage, but also transform from a technology provider to a technology partner. In other words, IT must evolve from the traditional department of “no” to the supportive and collaborative department of “now.”

Harnessing the Power of the Cloud
Traditional IT provisioning is often a slow and manual process, while new cloud-based solutions are automated, allowing for increased flexibility, improved agility for administrators, and enhanced efficiency that helps support a mobile workforce. With cloud management, organizations can cost-effectively support and manage a range of endpoint systems, from desktops to virtual workspaces, while improving access to vital applications and databases. In addition, these advanced solutions optimize performance and support virtualized environments without adding complexity, allow administrators to quickly find and fix infrastructure issues, provide end-to-end performance monitoring and configuration management, minimize disruptions, and reduce time, cost, and risks during migration to new environments.

As new cloud technologies emerge, collaboration between IT and the business is essential. To seize an expanded role while keeping pace with innovation, IT teams must take the lead and assume the position of driver and trusted advisor—allowing organizations to create competitive advantages by utilizing cloud solutions to solve complex technology challenges.

While many enterprises already employ a hybrid of on- and off-premise solutions, how many end users have Dropbox or Box and utilize Salesforce or Office 365? As this major shift occurs—with or without the consent of IT—organizations are bound to question if the IT department is an enabler or roadblock to innovation.

Collaboration and Innovation
By determining where and how IT departments can best support the enterprise and enhance the productivity of employees, they are sure to foster a culture of collaboration and innovation. Ultimately, this protection of the organization’s most valuable assets will secure IT’s place and guide companies through the next wave of new technology.

Ashley Leonard is the president and CEO of Verismic Software and a technology entrepreneur with 25 years of experience in enterprise software, sales, operational leadership and marketing, including nearly two decades as a successful senior corporate executive and providing critical leadership during high-growth stages of well-known technology industry pioneers. Verismic Software, Inc. provides cloud-based IT management technology and “green” solutions focused on enabling greater efficiency, cost-savings and security control for users, all while engaging in endpoint management.

Nov 2014, Software Magazine


Network World: 8 tech buzzwords that you need to know


Impress your friends at this year’s holiday gatherings by dropping a few of these terms

Network World | Nov 17, 2014 3:00 AM PT

Buzzwords are a fact of life in the technology profession. Whether you’ve been in the industry for 30 years (remember WYSIWYG?) or for five (netiquette, anyone?), it’s a good bet you’ve incorporated techspeak into your everyday conversation, maybe without even knowing it.

As the global data tsunami continues to build, and a new wave of technologies from the consumer world hits IT, it’s not surprising that the buzzword count has surged. Here’s a look at eight of the hottest buzzwords being used today.

1. IoT (Internet of Things) or IoE (Internet of Everything)

The IoT is the chatty network that’s formed when the devices and “things” we use in our everyday lives – automobiles, thermostats, appliances, fitness bands, even toothbrushes – talk to each other through embedded technology and Web connectivity. While this term has been around for at least a decade, it’s only recently that the general public has fathomed its impact on our lifestyles.

“In the not too distant future, consumers will be able to tell their house to turn on the lights, unlock the doors, open the garage and report on how much milk is left in the fridge, all from the comfort of their car on their commute,” says Jeff Remis, branch manager of the IT division at the Addison Group.

“As technology continues to evolve, the more connected and automated every aspect of our lives will be.”

As a result, IoT is almost always brought up when industry pundits discuss “disruptive” technology trends. “Working for Ericsson, I hear this almost every day. With ideas like connected vehicles, M2M, and so on, this is very relevant,” says Samuel Satyanathan, director of strategy and engagement at Ericsson.

With the number of wireless connected devices exceeding 16 billion in 2014, according to ABI Research, which is 20% more than in 2013, some prefer the term “Internet of Everything.” “This is just an expansion of the “Internet of Things” to emphasize that everything is becoming a connected device, from mobile phones, appliances and cars, to animals,” says Ken Piddington, CIO at MRE Consulting. Indeed, ABI forecasts the number of connected devices will more than double from the current level, to 40.9 billion in 2020.

2. BYOE (Bring Your Own Everything)

Of course you’ve heard of BYOD, or “bring your own device,” which is the trend among businesses to allow employees to use their own personal mobile phones, tablets and laptops for work. But with the growth of mobile devices, including wearable technologies, some say the new umbrella term will be BYOE, or “bring your own everything,” Piddington says.

Already, Cognizant Technology Solutions has coined the term BYOHD, or “bring your own health device,” referencing the growing number of embedded or wearable devices that enable patients to collect data on vital signs, genetics, health history, fitness levels, activity levels, body-mass index, sleep patterns and more.

3. Dual Persona

Thanks to BYOE, another buzzword making the rounds is “dual persona,” which refers to mobile phones that enable people to maintain separate environments for personal and business use on the same device. “Users can have both a work and home profile simultaneously, and by separating these two personas, they can segment and protect personal and corporate data,” says Ashley Leonard, president and CEO of Verismic Software, a global provider of IT management solutions delivered from the cloud.

4. Wearables

When Google first released its plans for augmented reality glasses, or Google Glass, it was met with skepticism and a healthy number of parody videos. Even today, the device is seen by many as “odd but interesting,” as one blogger puts it. Still, while commercial success eludes most forms of wearable technologies today, the idea of wearing devices that would automatically consume, share, transmit, analyze and present vital information to or about us is no longer seen as a joke.

“This is a very trending development at the moment, from health devices to new mobile technologies, and is seeing rapid expansion and advancement,” Leonard says.

The wrist has been deemed the most realistic place for a wearable to be worn; witness the assortment of activity trackers and smartwatches that have made their way to the market from industry heavyweights like Samsung, Sony and Apple. However, it seems no area of the body will go unconsidered, with companies developing smart rings, insole sensors, glucose-level detectors inserted under the skin, posture-detecting pins and more. According to IDC, wearables have moved out of the early-adopter realm, with shipments exceeding 19 million units in 2014, more than tripling last year’s sales, and swelling to 111.9 million units in 2018, resulting in a CAGR of 78.4%.

5. Quantified Self

The buzz around wearable technologies is driving interest around what some call the “quantified self,” Leonard says, which is a movement geared toward gathering data about any aspect of your daily life and using that information to optimize your behavior. Chris Dancy, a top proponent of the trend, claims to have lost 100 pounds and kicked a two-pack-per-day smoking habit by logging and analyzing data on his everyday activities, including sleeping, eating and even his moods. Numerous meetups and forums now exist to support people interested in quantifying their own lives.

“If the advent in wearable technology is any indication, this term is one that will stick around, and I am a huge fan of this idea,” Remis says. “Wearables are emerging to track insulin levels and even the air quality around you. The smart watch will be a big-ticket item this holiday season – and it’s just the beginning.”

6. XaaS (Everything as a service)

It all started with “software as a service,” but the as-a-service trend soon spread to a multitude of areas, including platform, infrastructure, storage, communications, network, monitoring and business process as a service. It’s no wonder, then, that many now simply say “everything as a service,” or XaaS (pronounced “zaas”). “I think it will start to become more widely used, as ‘everything’ is becoming available as a service,” Piddington says, even outside the technology realm. “You’ve got cars (ZIP Cars), housing (AirBnB), legal (LegalZoom) — the list continues to go on and on.”

Others prefer the more traditional nomenclature. “Personally, I am not a fan of this word and would still rather go with specific ones, like SaaS, PaaS, etc.,” Satyanathan says. For SaaS fans, Piddington offers the verb form, “SaaSified,” or the process of taking a traditional on-premise application and moving it to the cloud or making it available as a service. “I first heard this from a vendor of mine as they were describing how they were moving their core products to the cloud. I’ve been using it ever since,” he says. At least it’s more specific than cloud-ified.

7. Small Data

Once buzzwords hit their peak on the hype-o-meter, it’s not uncommon for industry pundits to rethink the meaning behind the word and hit upon more relevant variants. This is why you may have heard talk of “small data” and even “dark data,” Piddington says. Because big data is sometimes overkill for certain purposes, more people are starting to talk about small data, which according to the Small Data Group, connects people with timely, meaningful insights (derived from big data and/or “local” sources), and is organized and packaged – often visually – to be accessible, understandable, and actionable for everyday tasks.

Dark data, meanwhile, is the operational data that businesses collect but don’t optimize for competitive purposes, Piddington says. According to Gartner and other sources, the hazards of dark data range from lost business opportunity and higher than necessary storage costs, to security risks.

8. Ransomware

Ransomware refers to malware that infects a user’s computer and typically encrypts sensitive data until a ransom has been paid, Leonard says. An example is CryptoLocker, a damaging strain of malware that uses encryption to lock the most valued files of victim users. Many malware variants are now being created, “proving that ransomware is going to be an ongoing problem for home users and businesses alike,” Leonard says.

For companies, these types of attacks could have devastating consequences as local drives and corporate network data are all potentially encrypted, he points out. “Many victims who actually paid the ransom later reported that their data was never released, demonstrating the need for requirements of good security practices and strong IT management technology that allows all network endpoints to be actively managed and patched,” Leonard says.

So, where will the next buzzwords come from? If not from tech marketers, the answer will likely come from the “digital native” set, or the younger generations who have never known what it is like to not have constant and easy connectivity to the Web. For his part, Piddington keeps his ear tuned to the conversations of his 12-year-old son and his friends. Hence his use of the word “laggy.” “This is what he and his friends call a slow Internet connection. I seem to hear it said often when a large group of them are playing Minecraft,” Piddington says.

Brandel is a freelance writer.

Patch Tuesday: Largest of 2014


With 14 bulletins this month covering almost 40 individual Common Vulnerabilities and Exposures (CVEs), November’s Patch Tuesday is fairly significant in size, with one particular update considered fairly urgent: MS14-066, which fixes a vulnerability in Schannel, the component of Windows that implements SSL/TLS. Those of you with eagle eyes will have spotted that two bulletins are missing from the update (MS14-069 and MS14-075) – no release date has been confirmed by Microsoft as yet.

Microsoft’s advice is to apply all of the updates, which shouldn’t be an issue for home users, but for businesses that are geographically spread out, where there may be a slow internet connection, you’ll need to be very considered in the choice of patches you deploy first.


The Common Vulnerability Scoring System (CVSS), included in the table below, is provided independently by US-CERT and looks at the impact that certain vulnerabilities can have. Microsoft’s ‘Critical’ vulnerabilities are rated as such because there is a known active exploit, but using the CVSS score can give you a much better understanding of how easily your systems can be exploited and the potential impact each could have. Looking at the table below we can see some disparities between Microsoft’s rating and the independently scored CVSS.

Critical updates

MS14-064

The first update of November’s Patch Tuesday resolves vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). With a CVSS of 9.3, this is one of five updates that you need to patch sooner rather than later. The more severe of the two vulnerabilities could allow remote code execution, enabling an attacker to run arbitrary code in the context of the current user. If that user has admin rights then the attacker could install programs; view, change, or delete data; or create new user accounts.

MS14-065

I’d argue that this is by far the most important update for you to pay attention to as it affects the entire Microsoft estate from the operating system to Internet Explorer. The update resolves seventeen privately reported vulnerabilities in Internet Explorer. An attacker who exploits these vulnerabilities could gain the same user rights as the current user. The most severe of these vulnerabilities would allow for remote code execution if a user views a specially crafted web page using Internet Explorer. Once again, this update has a CVSS of 9.3.

MS14-066

This update has been the focus of most blogs and articles this month, with most suggesting that it is in fact the single most important update to implement – rather than MS14-065. It’s a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows Server. However, the Schannel is not so easy to crack and the extent of the damage that can be caused is not as severe as other Critical updates. With a CVSS score of 6.8 I’d argue that there are other updates you should be prioritising over this one.

MS14-067

This security update (CVSS of 9.3) resolves a vulnerability in Windows that could allow remote code execution if a logged-on user visits a specially crafted website that is designed to invoke XML Core Services (MSXML) through Internet Explorer. However, in order for an attacker to take advantage of this exploit they would need to convince a user to visit a website using social engineering.

Other notable updates

There are, in fact, two other updates you should be paying close attention to: MS14-069 and MS14-072. Microsoft has rated both of these updates as ‘Important’ but they have each been given an independent CVSS score of 9.3, so US-CERT is saying that these two updates are just as severe as those noted above.

  • MS14-069 is a security update resolving three vulnerabilities in Microsoft Office that could allow remote code execution enabling an attacker to gain the same user access rights as the current user. It is exploited through a specially crafted file that is opened in an affected edition of Microsoft Office 2007.
  • MS14-072 resolves a vulnerability in the .NET framework, which could allow elevation of privilege. According to Microsoft, it is exploited through an attacker sending specially crafted data to an affected workstation that uses .NET Remoting. However, only custom applications that have been specifically designed to use .NET Remoting would expose a system to this vulnerability.

Next steps

Below is the full breakdown of this month’s patch updates. We recommend patching MS14-064, MS14-065, MS14-067, MS14-069, and MS14-072 in the first instance, before working through the rest of the updates. For our customers, we will be analysing the binary code for each update and will be rolling out the patches to all of our customers through the agreed deployment process using Verismic Syxsense.

| Update no. | CVSS score | Microsoft score | Affected software | Details |
|---|---|---|---|---|
| MS14-064 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Windows OLE could allow remote code execution (3011443) |
| MS14-065 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative security update for Internet Explorer (3003057) |
| MS14-067 | 9.3 | Critical | Microsoft Windows | Vulnerability in XML Core Services could allow remote code execution (2993958) |
| MS14-069 | 9.3 | Important | Microsoft Office | Vulnerabilities in Microsoft Office could allow remote code execution (3009710) |
| MS14-072 | 9.3 | Important | Microsoft Windows, Microsoft .NET Framework | Vulnerability in .NET Framework could allow elevation of privilege (3005210) |
| MS14-073 | 8.5 | Important | Microsoft Server Software | Vulnerability in Microsoft Sharepoint Foundation could allow elevation of privilege (3000431) |
| MS14-078 | 8.5 | Moderate | Microsoft Windows, Microsoft Office | Vulnerability in IME (Japanese) could allow elevation of privilege (2992719) |
| MS14-070 | 7.2 | Important | Microsoft Windows | Vulnerability in TCP/IP could allow elevation of privilege (2989935) |
| MS14-079 | 7.1 | Moderate | Microsoft Windows | Vulnerability in Kernel-Mode driver could allow denial of service (3002885) |
| MS14-066 | 6.8 | Critical | Microsoft Windows | Vulnerability in Schannel could allow remote code execution (2992611) |
| MS14-071 | 4.3 | Important | Microsoft Windows | Vulnerability in Windows Audio Service could allow elevation of privilege (3005607) |
| MS14-074 | 4.3 | Important | Microsoft Windows | Vulnerability in Remote Desktop Protocol could allow security feature bypass (3003743) |
| MS14-077 | 4.3 | Important | Microsoft Windows | Vulnerability in Active Directory Federation Services could allow information disclosure (3003381) |
| MS14-076 | 2.6 | Important | Microsoft Windows | Vulnerability in Internet Information Services (IIS) could allow security feature bypass (2982998) |
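The prioritisation described in this post (rank by CVSS, then compare against Microsoft's rating) can be reproduced in a few lines of Python. This is an added example, not part of the original post; the 9.0 first-wave cut-off and the function names are assumptions chosen for illustration, and the rows are transcribed from the table above.

```python
from typing import NamedTuple


class Bulletin(NamedTuple):
    bulletin_id: str
    cvss: float        # CVSS score from the table above
    ms_severity: str   # Microsoft's own rating from the same table


# Rows transcribed from the post's table, listed in bulletin-number order.
BULLETINS = [
    Bulletin("MS14-064", 9.3, "Critical"),
    Bulletin("MS14-065", 9.3, "Critical"),
    Bulletin("MS14-066", 6.8, "Critical"),
    Bulletin("MS14-067", 9.3, "Critical"),
    Bulletin("MS14-069", 9.3, "Important"),
    Bulletin("MS14-070", 7.2, "Important"),
    Bulletin("MS14-071", 4.3, "Important"),
    Bulletin("MS14-072", 9.3, "Important"),
    Bulletin("MS14-073", 8.5, "Important"),
    Bulletin("MS14-074", 4.3, "Important"),
    Bulletin("MS14-076", 2.6, "Important"),
    Bulletin("MS14-077", 4.3, "Important"),
    Bulletin("MS14-078", 8.5, "Moderate"),
    Bulletin("MS14-079", 7.1, "Moderate"),
]

# Microsoft's severity labels, highest first.
MS_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}

FIRST_WAVE_CVSS = 9.0  # assumption: cut-off for the first deployment wave
CVSS_HIGH = 7.0        # NVD's CVSS v2 "High" band starts at 7.0


def deployment_order(bulletins):
    """Sort by CVSS (highest first), then vendor severity, then bulletin id."""
    return sorted(
        bulletins,
        key=lambda b: (-b.cvss, -MS_RANK[b.ms_severity], b.bulletin_id),
    )


def first_wave(bulletins, threshold=FIRST_WAVE_CVSS):
    """Bulletins to deploy before everything else."""
    return [b.bulletin_id for b in deployment_order(bulletins) if b.cvss >= threshold]


def rating_disparities(bulletins):
    """Flag bulletins where the vendor label and the CVSS score disagree."""
    ordered = deployment_order(bulletins)
    return {
        # Not 'Critical' by Microsoft, yet scored at or above the first-wave cut-off.
        "vendor_lower_than_cvss": [
            b.bulletin_id for b in ordered
            if b.ms_severity != "Critical" and b.cvss >= FIRST_WAVE_CVSS
        ],
        # 'Critical' by Microsoft, yet scored below the CVSS v2 High band.
        "vendor_higher_than_cvss": [
            b.bulletin_id for b in ordered
            if b.ms_severity == "Critical" and b.cvss < CVSS_HIGH
        ],
    }


if __name__ == "__main__":
    print("First wave:", ", ".join(first_wave(BULLETINS)))
    for kind, ids in rating_disparities(BULLETINS).items():
        print(f"{kind}: {', '.join(ids)}")
```
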

Microsoft issues critical patches for Windows SSL/TLS and OLE flaws


Microsoft has issued critical patches for flaws relating to SSL/TLS encryption on Windows systems, as well as the Windows Object Linking and Embedding (OLE) protocol.

On Tuesday morning, the Redmond technology giant issued a news bulletin announcing the release of 14 security patches, including four rated ‘critical’ and eight as ‘important’, as part of its Patch Tuesday programme.

Arguably the most important of all of these was a patch for a flaw in the Microsoft secure channel (Schannel) security component, which implements the Secure Sockets Layer (SSL) and transport layer security (TLS) protocols that are used to handle encryption and authentication in Windows – including on HTTP applications.

According to the Microsoft advisory, the flaw comes down to the “improper processing of specially crafted packets”, which could be exploited by attackers remotely executing attacks on targets by sending malicious traffic to a Windows-based server.

The advisory notes that the flaw (MS14-066) – which has no workaround – is ‘critical’ for servers (Windows Server 2003, 2008 and 2012) and desktop devices, with the latter potentially threatening users running Vista, Windows 7, 8, 8.1 and Windows RT.

Amol Sarwate, director of engineering at Qualys, told newswire Ars Technica that these would be particularly vulnerable if the user had installed software on their client devices to monitor internet ports.

Fortunately, Microsoft says that there is no evidence pointing to in-the-wild exploits being used against Windows users at this point, although observers will note that the flaw itself comes in a year in which TLS stacks (including Apple’s Secure Transport, OpenSSL, NSS, GnuTLS and now SChannel) have been found with varying vulnerabilities.

The update was one of 16 (two have been postponed) scheduled for the Patch Tuesday batch, which also discloses and issues fixes for two OLE bugs.

The latter affects all supported versions of Windows and is given an ‘exploitability’ rating of “0” as the zero-day (CVE-2014-6352) is being used in “limited, targeted attacks in the wild.” Specifically, the most severe of the vulnerabilities could allow for remote code execution if a user was directed to a spoofed webpage on Internet Explorer.

“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” reads the advisory. “If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Elsewhere, there are also fixes for bugs in XML Core Services (rated as critical for Vista, Windows 7, 8 and 8.1 devices), Office, Exchange and SharePoint. The full list can be seen here.

In an email to journalists, Ross Barrett, senior manager of security engineering at Rapid7, said that MS14-064 is the most critical flaw, as it relates to OLE which was exploited in the Sandworm exploit – which has been used to target Windows devices within critical infrastructure.

“The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE,” he said.

“After MS14-064, attention goes to MS14-065 and MS14-066, Internet Explorer and SChannel respectively. The SChannel issue is risky, since there is a very good chance that this service could be exposed or accessed via the perimeter. The IE patches are cumulative, as usual, and address 17 CVEs.”

He added: “Perimeter systems are often mission critical and need the fastest attention. Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”

Ethical hacker Gavin Millard, who is technical director EMEA at Tenable Security, added in an email to SCMagazineUK.com that MS14-064 and MS14-066 should be the highest priority – noting that the latter is the most concerning as it affects all supported versions of Windows.

“MS14-064, a vulnerability in the Windows Object Linking and Embedding (OLE) library, appears to be a continuation of vulnerabilities disclosed last month in MS14-060. Researchers have already identified this vulnerability being used in the wild for exploitation through the use of malicious PowerPoint files,” he told SC.

“The larger worry for many is MS14-066 though as it’s a remote code execution vulnerability affecting all supported versions of Windows including the server platforms. The bug was discovered in Schannel, a set of security protocols for communication and identification, and is of particular concern due to the possibility of an attacker utilising it without user interaction.

“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated.”

Millard admitted it’s hard to say if the flaw could be potentially as dangerous as Shellshock (an open-source flaw which allowed an attacker to perform remote code execution attacks on any server using the Bash shell) and Heartbleed (OpenSSL bug exploited, with thousands of websites and web servers affected).

“Is MS14-066 as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.”

Update: 

Robert Brown, director of services at cloud-based IT endpoint management solution provider Verismic, suggested however that Microsoft’s patches can be hard to manage for security teams with short maintenance windows.

And citing the US National Vulnerability Database where CVEs are scored independently by CERT, he told SCMagazineUK.com: “They will probably look at the credibility and if there are any confirmed exploits. In my opinion, they will make these critical if there is active exploit.”

He went on to note that MS14-066 – already named Winshock in some quarters – would still require a user clicking on the link and using a device with administrator rights for an exploit to be effective, and suggested that MS14-065 is more pervasive as the Internet Explorer bug could be used to ‘actively infect a huge amount of the Windows estate’.

Citing the fact that it affects all versions of IE going back to version 6.0, he said: “One problem with Microsoft’s binary is that files remain behind it even if you don’t use [the application]…and lock it from your machine. The little seed is still there.” He added that hackers could remotely exploit the flaw by using a crafted instant messenger message promising Christmas pictures, for example, before delivering the payload.