Monthly Archives

December 2014

Who Polices the Security Service?

Categories: Patch Management, Patch Tuesday

Questions need to be asked of Patch Tuesday and Microsoft’s approach to it, says Robert Brown.

SC Magazine  |  Dec 17, 2014

The next Patch Tuesday, Microsoft’s usual day to issue security updates for its software, is looming again. It will be the 13th of January 2015, then in February and so on. It’s so frequent that it’s easy to treat it as a ‘business as usual’ exercise, so humdrum that it requires no second thought or intelligence.

However, it really does need that second thought. Patching is obviously essential, and companies do need to protect themselves from known software vulnerabilities, but there are problems with Microsoft’s approach to patching, and simply installing every patch with the quick click of a button could be costly; worse, you might just see the Blue Screen of Death (BSOD) across your device fleet.

Microsoft’s approach to patching is very much a ‘fire and forget’ exercise: it issues patch updates each month and expects businesses to roll out the patches as soon as possible. However, this is where your second thought is needed, as many IT managers will attest: they cannot, and should not, deploy them right away. IT must take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems.

Just take a look at MS14-066 – a lot of users reported problems when implementing the update, forcing Microsoft to reissue the patch. Imagine if every business had implemented that immediately! If there is a compatibility issue with a patch and systems need to be rolled back, this extends downtime and can impact the business’s bottom line.

Compatibility aside, my real issue with Patch Tuesday is Microsoft’s rating system. It is relatively simple to follow:

  • ‘Critical’ – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
  • ‘Important’ – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
  • ‘Moderate’ – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
  • ‘Low’ – The impact is comprehensively mitigated by the characteristics of the component.

Keep in mind that Microsoft self-certifies vulnerabilities for its products. November’s Patch Tuesday contained 14 separate patches fixing almost 40 vulnerabilities, as well as an out-of-band patch a week later; five of the updates, including the out-of-band patch, were rated by Microsoft as Critical, eight Important and two Moderate.

Where to start? With the obvious, surely? Patch the Critical updates first and take the rest in turn. Better still, do them all at once! This couldn’t be more wrong. My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as the Common Vulnerability Scoring System (CVSS) to get a more informed view. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving a much better understanding of the risk a particular vulnerability poses to the business.

If we look again at November’s Patch Tuesday, US-CERT gave the out-of-band patch, rated as Critical by Microsoft, a score of 10.0 – that’s as serious as it can get and gives a good starting point for patching activities. It’s now top priority.

Three other Critical patches were scored 9.3 by US-CERT, which suggests Microsoft has got this right and they should be the next area of focus. Time to get to work.

But the last remaining Critical patch was scored only 6.8 by US-CERT. This is a really important discovery, because six other patches, some deemed only Moderate or Important by Microsoft, were rated higher than 6.8 by US-CERT. In other words, some of those Moderate and Important patches should be tackled before the last remaining Critical patch.

This isn’t a one-off slip from Microsoft either. In October’s Patch Tuesday, three Critical and two Important updates were all rated equally at 9.3 by US-CERT. Those two Important updates might have been delayed by IT managers relying on Microsoft’s rating alone.

Microsoft is providing a great security service that everyone is thankful for, but it does need policing by a second source. ‘Critical’ is not always critical, and sometimes the Moderate needs urgent attention too.

Verismic Software Named Best SaaS Product Finalist in Cloud Awards Program for Syxsense

Categories: Awards, News

ALISO VIEJO, CA–(Marketwired – Dec 17, 2014) – Verismic — a global provider of IT management solutions delivered from the cloud — has been named a Best U.S. SaaS Product finalist in the 2014-15 Cloud Awards Program, an international program which has been recognizing and honoring industry leaders, innovators and organizational transformation in cloud computing since 2011.

Verismic’s Syxsense — an agentless, cloud-based IT management software solution — is revolutionizing the way IT professionals manage endpoints. While most IT endpoint management products require agents that can take months to deploy, constant maintenance and risk conflicting with existing software, CMS is agentless. This capability enables the system to be operational in minutes, providing a first-of-its-kind agentless solution in the cloud. The innovative technology reduces the complexity of IT management, requires only a web browser to deploy and can easily scale up to as many as 10,000 endpoints.

“It has been an exciting year for us with the launch of Syxsense,” says Verismic President and CEO, Ashley Leonard. “Being named a Best U.S. SaaS Product finalist from the 2014-15 Cloud Awards is a significant achievement.”

More than 300 organizations entered this year’s Cloud Awards, with entries coming from across the globe, covering the Americas, Australia, Europe and the Middle East. Final category winners will be announced on Tuesday, Jan. 27.

For more information on Verismic’s innovative and award-winning Syxsense, visit www.syxsense.com.

ABOUT VERISMIC: Verismic Software, Inc. is a global industry leader providing cloud-based IT management technology and green solutions focused on enabling greater efficiency, cost-savings and security control for users, all while engaging in endpoint management. Headquartered in Aliso Viejo, Calif., Verismic is a growing and dynamic organization with offices in four countries and 12 partners in nine countries. Over the past two years, Verismic has worked with more than 150 companies ranging from 30 to 35,000 endpoints, delivering a variety of solutions for organizations of all sizes as well as managed service providers (MSPs). Verismic’s software portfolio includes the first-of-its-kind agentless Syxsense; Power Manager; Software Packaging and Password Reset. For more information, visit www.verismic.com.

CONTACT INFORMATION

CONTACT:
Leslie Licano
Beyond Fifteen Communications
949-733-8679
[email protected]

December Patch Tuesday updates from Microsoft

Categories: Patch Management, Patch Tuesday

The final Patch Tuesday of 2014 is upon us, so with that in mind we thought we’d take a quick look at how the year stacks up. There were a total of 85 bulletins fixing 349 separate vulnerabilities in Microsoft’s products; 29 were rated as Critical, 53 as Important, and 3 as Moderate. Internet Explorer featured heavily this year, with over 200 separate vulnerabilities being patched – January being the only month where Internet Explorer didn’t feature in any update.

Compared to last year there were 21 fewer patch updates yet there were more individual vulnerabilities patched in 2014 compared to 2013 (349 vs. 332).

This month there are three Critical and four Important updates fixing a total of 25 vulnerabilities, including the delayed MS14-075 update from November, which we’ll cover first.

MS14-075

Rated as Important, this is the delayed update that was originally due to be released in November’s Patch Tuesday. It addresses four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of the four could allow elevation of privilege if a user views a specially crafted web page using… Internet Explorer, unsurprisingly! Should an attacker successfully exploit the vulnerability, they would gain the same rights as the current user.

Critical Updates

MS14-080

The most severe of the 14 privately reported vulnerabilities in this bulletin could allow remote code execution, again, if the user visits a specially crafted web page using Internet Explorer. Successful exploitation would give the same rights to the attacker as the current user.

MS14-081

The second of three Critical updates resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow for remote code execution if an attacker is able to convince a user to open, or even just preview, a specially crafted Microsoft Word file within an affected version of Microsoft Office software. The affected versions include: all supported editions of Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2010, Microsoft Word 2013, Microsoft Word 2013 RT, Microsoft Office for Mac 2011, Microsoft Word Viewer, Microsoft Office Compatibility Pack.

MS14-084

The final Critical update of 2014 is a security update that resolves a privately reported vulnerability in VBScript – the scripting engine in Microsoft Windows. If a user visits a specially crafted website the vulnerability could allow for remote code execution, which, if successfully exploited, will give the attacker the same rights as the current user. If the user is an administrator then the attacker could potentially take complete control of an affected system so it would be wise to prioritise this patch over the others.

Important Updates

The final three updates (unless an out-of-band patch is released) address three privately reported vulnerabilities across Microsoft Office and Microsoft Excel, as well as one publicly disclosed vulnerability in Microsoft Windows. All three of the privately reported vulnerabilities could allow for remote code execution if successfully exploited. Again, this could allow an attacker to gain the same rights as the current user.

The publicly disclosed vulnerability (MS14-085) could allow Information Disclosure should a user visit a website containing specially crafted JPEG content. Whilst this particular vulnerability doesn’t allow code execution, the information disclosed could reveal details about the system that could be used in conjunction with another vulnerability to bypass security features.

Next steps

As usual, we have included a breakdown of this month’s bulletin in the table below and have prioritised the patch updates by the independently rated CVSS score. We’d advise that you prioritise patches MS14-080, MS14-081, MS14-082, MS14-083 & MS14-084. For our customers, we will be analysing the binary code for each update and will be rolling out the patch updates using Verismic Syxsense, as per the agreed deployment process.

| Update No. | CVSS Score | Microsoft Score | Affected Software | Details |
|---|---|---|---|---|
| MS14-080 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative Security Update for Internet Explorer (3008923) |
| MS14-081 | 9.3 | Critical | Microsoft Office | Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) |
| MS14-084 | 9.3 | Critical | Microsoft Windows | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) |
| MS14-082 | 9.3 | Important | Microsoft Office | Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) |
| MS14-083 | 9.3 | Important | Microsoft Office | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) |
| MS14-075 | 5.0 | Important | Microsoft Exchange | Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) |
| MS14-085 | 4.3 | Important | Microsoft Windows | Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) |

Lessons From ESOS Energy Legislation In The UK

Categories: News

Originally Published on TechCrunch.com

The U.K. recently announced compliance guidelines for the government’s new Energy Savings Opportunity Scheme (ESOS), a mandatory energy assessment and energy-saving identification scheme in response to the requirement “for all Member States of the European Union to implement Article 8 of the Energy Efficiency Directive.”

The objective of ESOS is to reduce energy consumption, help address climate change, increase energy security and improve the competitiveness of U.K. businesses. The scheme, which came into force in July 2014, applies throughout the U.K. to enterprises of 250 or more employees and to enterprises under 250 employees, which have an annual turnover exceeding €50/$63.71 million and a balance sheet exceeding €43/$54.78 million.

The scheme calls for mandatory audits — required every four years and administered by the Environment Agency — intended to trim excessive energy use as a means to cut carbon and pave the way for increased business profitability, competitiveness and security, while mitigating organizational energy waste.

In short but not-so-simple terms, qualifying businesses are required to a) measure total energy consumption, accounting for 90 percent of usage across all buildings, transport and industrial activities; b) conduct energy audits to identify cost-effective, energy-efficient recommendations; c) ensure that the ESOS assessment has been conducted or reviewed by a board-level director and approved by a lead assessor; and d) report compliance to the Environment Agency by December 5, 2015.

While the ESOS audits are mandatory, certain caveats exist—as there is no obligation to implement these energy-saving measures internally identified in the audit, which is expected to cost somewhere in the neighborhood of £17,000/$27,200 on average in the first instance and £10,000/$16,000 for each subsequent audit.

Though the legislation’s notable feature appears spineless by failing to require businesses make any of these recommended changes to save energy, participants must demonstrate an authentic and rigorous attempt to examine opportunities for reducing energy use and have these findings reviewed at the board level. With this considerable investment of time and money, companies will likely be motivated to implement measures recommended in the audit which, according to the Department of Energy and Climate Change, could lead to on average a savings of £56,400/$90,240 per year, per business.

In order to encourage compliance as soon as possible, the government will impose penalties for various infractions, which could include fines of up to £50,000/$80,000 and/or an additional £500/$800 for each day an organization is out of compliance. Furthermore, the governing bodies also have the authority to publish (i.e. publicly shame) the names of non-compliant businesses.

The Challenge to Measure and the Burden of Proof

While companies may find motivation for implementing the recommended energy-saving measures of the audit solely for financial benefit, the ESOS directive is as much about enforcement as it is about the need for companies to understand power consumption. Uncovering pockets of energy waste requires appointing personnel familiar with the scheme; the only other option is to outsource, adding to the challenges for some companies to comply by deadline.

To comply with the new ESOS regulations, businesses will have to track their power usage to its source – the device actually employing the power.

When it comes to IT, the vast majority of businesses lack the technology to accurately track such energy consumption. Measuring the energy consumption of a MacBook Air compared to that of a Dell desktop PC, for example, will prove to be difficult. While some organizations already have Microsoft System Center Configuration Manager (SCCM) in place, allowing IT administrators to manage large groups of Windows-based computer systems, SCCM lacks the capability to provide the accuracy the ESOS audits will require.

Utilizing power-management solutions, with consistently updated content databases of makes and models currently in use, allows companies to reference the power consumption of each device, along with the actual power usage when on and off.

Though the U.K. has been relatively slow to implement PC power-management technology, mostly due to tax incentives, perhaps by example, U.S. rebates — which often cover the cost of implementation for this type of technology — will encourage something similar in the U.K. Of course, taking into consideration that the U.S. wastes approximately $2.8 billion in PC energy every year, the U.K. may need to take a more effective approach to energy security.

Is Legislation the Answer and Will the U.S. Take Note?

There is little doubt that the ESOS regulations will be effective, considering the measures the government set in place to assuage potential resistance or roadblocks. Recognizing the additional administrative pressure placed on energy managers with ESOS — which will have many similarities to existing U.K. policies — the government is proposing that enterprises be allowed to utilize data from other schemes, such as the Carbon Reduction Commitment (CRC) Energy Efficiency Scheme.

Of the 7,000-plus businesses required to participate, as many as 6,000 are already in the CRC scheme and have reported substantial savings from implementing measures as simple as installing motion-sensor lights in hallways and stairwells. The government estimates that the net benefit of the new ESOS policy will be around £1.9/$3.04 billion between 2015 and 2030, based on a conservative prediction that only 6 percent of potential energy-saving opportunities identified will be implemented. However, real benefits for businesses are likely to be two or three times greater than those estimates suggest.

Although energy efficiency in the U.S. has been a buzzword for years, when it comes down to it, the U.S. continues to rank lower than the U.K., Germany, Italy, Japan, France and Australia. According to the American Council for an Energy-Efficient Economy, even China and India have fared better on the list than the U.S. — as American energy regulations for power conservation have been particularly scarce in recent years.

In fact, Congress hasn’t passed a major measure since the 2007 legislation targeting ethanol; and in May 2014, Congress blocked yet another energy-efficiency bill that could positively impact the environment, create hundreds of thousands of jobs and save citizens billions of dollars a year by 2030.

Although the Obama administration and the now Republican-dominant Congress continue to be at odds over legislation that not only addresses energy efficiency but also regulates it, the U.S. has seen substantial progress at a state level toward more energy-efficient practices, particularly in the top-ranking states of Massachusetts and California.

Ideally, a partnership between U.S. government and industry is essential for an energy policy to have a significant impact on the future of businesses and the environment. However, this achievement won’t be cheap or easy. The state-by-state approach indicates great strides in U.S. energy efficiency and environmental stewardship, but at what cost to businesses?

As the U.S. continues to rank among the top three energy consumers in the world, mandatory legislation may be the only real solution — with the U.K.’s ESOS as the litmus test.


Prioritising patches properly – don’t always listen to Microsoft

Categories: Patch Management, Patch Tuesday

It seems that it was only yesterday that patch/update Tuesday came and went, yet the next one is looming already.

As an IT guy I actually look forward to seeing the types of vulnerabilities that have been discovered in Microsoft’s products. Some are obviously more interesting than others, such as the vulnerability in Schannel, but what they all have in common is that they actually do pose a threat to your business.

We all know that patching is a vital process in keeping our businesses safe, but I do have some issues with Microsoft’s approach to patching. It’s very much a “fire and forget” exercise for them, whereby patch updates are released each month and your IT team is then expected to roll them out across the business.

Whilst this may be the most efficient way of releasing patches from Microsoft’s point of view, there are many instances where simply rolling them out is not an option. IT teams need to take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems such as the dreaded blue screen of death.

Case in point was November’s MS14-066 update – there were a lot of reported problems when implementing the update, with Microsoft having to reissue the patch. Imagine if every business had implemented that immediately!

Keep in mind that Microsoft self-certifies vulnerabilities, and has a fairly easy-to-follow rating system:
• Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
• Important – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
• Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
• Low – The impact is comprehensively mitigated by the characteristics of the component.

If we take a look at November’s Patch Tuesday, there were a total of 14 separate patches fixing almost 40 vulnerabilities, as well as an out-of-band patch a week later; five of these were rated as Critical. So how do you prioritise these five if they’re all rated the same? Which vulnerability do you patch first?

When rolling out patches, it’s all well and good to do so if your business is located in one or two premises, but what if your business has a number of remote locations? Retail, transportation and oil and gas are all good examples.

If you were to take a large retail store open 24 hours a day, there needs to be a window of time where the systems are taken offline so they can be updated. Microsoft’s approach would be to suggest patching the Critical vulnerabilities first, and then work through the rest.

At Verismic, we provide a service to our customers to ensure that their entire IT infrastructure remains as up-to-date as possible, which includes rolling out any patch updates from vendors. We do this by creating a baseline – what is going to be the most important update for the business, and then we work backwards. It’s important to do this because, as we said, many businesses simply don’t have the time or even the bandwidth to roll out all of the patch updates at once.

To create this baseline we use three different measurements: vendor severity (that would be Microsoft’s self-certified rating), the Common Vulnerability Scoring System (CVSS), and the total number of vulnerable systems in the customer’s environment. By measuring against three separate metrics we get a much better understanding of the risk a vulnerability really poses.

My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as CVSS. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving you a much better understanding of the risk a particular vulnerability poses to your business.
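The following is an added example, not Verismic’s code or the Syxsense service: it ranks the seven December 2014 bulletins listed on this page three ways, by Microsoft’s rating alone, by the US-CERT CVSS score alone, and by the three-metric baseline described above (vendor severity, CVSS, number of vulnerable systems). It covers both the “don’t trust the vendor rating alone” argument and the baseline approach. The bulletin ids, ratings and CVSS scores come from this page’s table; the host counts for a hypothetical 500-host estate, the metric weights and the mapping of severity names to numbers are assumptions made for the example.

```python
"""Patch prioritisation baseline (added example, not Verismic's code).

Ranks the December 2014 bulletins from the table on this page three ways:
by Microsoft's rating alone, by the US-CERT CVSS score alone, and by a
three-metric baseline (vendor severity, CVSS, number of vulnerable systems).
The host counts, the metric weights and the severity-to-number mapping are
assumptions made for this example.
"""
from dataclasses import dataclass

# Microsoft's four severity levels mapped to a numeric weight (assumption).
VENDOR_WEIGHT = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}

# Relative weight of each of the three baseline metrics (assumption).
W_VENDOR, W_CVSS, W_EXPOSURE = 0.3, 0.4, 0.3


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    vendor_rating: str   # Microsoft's self-certified rating
    cvss: float          # US-CERT CVSS base score


# Bulletin ids, ratings and CVSS scores as listed on this page for December 2014.
DECEMBER_2014 = [
    Bulletin("MS14-080", "Critical", 9.3),
    Bulletin("MS14-081", "Critical", 9.3),
    Bulletin("MS14-084", "Critical", 9.3),
    Bulletin("MS14-082", "Important", 9.3),
    Bulletin("MS14-083", "Important", 9.3),
    Bulletin("MS14-075", "Important", 5.0),
    Bulletin("MS14-085", "Important", 4.3),
]

# Constructed inventory for a hypothetical 500-host estate: how many systems
# still lack each update. These numbers are not from the page.
TOTAL_HOSTS = 500
VULNERABLE_HOSTS = {
    "MS14-080": 480,  # Internet Explorer is on nearly every Windows host
    "MS14-081": 300,  # hosts with Word / Office installed
    "MS14-084": 480,  # the VBScript engine ships with Windows
    "MS14-082": 300,
    "MS14-083": 300,
    "MS14-075": 4,    # a handful of Exchange servers
    "MS14-085": 480,  # Windows graphics component
}


def rank_by_vendor(bulletins):
    """Order by Microsoft's rating, CVSS as tie-break (the 'obvious' approach)."""
    ordered = sorted(bulletins, key=lambda b: (-VENDOR_WEIGHT[b.vendor_rating], -b.cvss))
    return [b.bulletin_id for b in ordered]


def rank_by_cvss(bulletins):
    """Order by the independent CVSS score, vendor rating as tie-break."""
    ordered = sorted(bulletins, key=lambda b: (-b.cvss, -VENDOR_WEIGHT[b.vendor_rating]))
    return [b.bulletin_id for b in ordered]


def important_scored_like_critical(bulletins):
    """Non-Critical bulletins whose CVSS score matches the highest Critical score.

    These are the updates a team would delay if it trusted the vendor rating
    alone, even though the independent score puts them on a par.
    """
    critical = [b.cvss for b in bulletins if b.vendor_rating == "Critical"]
    if not critical:
        return []
    top = max(critical)
    return [b.bulletin_id for b in bulletins
            if b.vendor_rating != "Critical" and b.cvss >= top]


def baseline_score(bulletin, vulnerable_hosts, total_hosts):
    """Weighted sum of three metrics, each normalised to the range 0..1."""
    vendor = VENDOR_WEIGHT[bulletin.vendor_rating] / max(VENDOR_WEIGHT.values())
    cvss = bulletin.cvss / 10.0
    exposure = vulnerable_hosts / total_hosts if total_hosts else 0.0
    return W_VENDOR * vendor + W_CVSS * cvss + W_EXPOSURE * exposure


def rank_by_baseline(bulletins, hosts, total_hosts):
    """Order by the three-metric baseline; the highest score is patched first."""
    scored = sorted(
        bulletins,
        key=lambda b: -baseline_score(b, hosts.get(b.bulletin_id, 0), total_hosts),
    )
    return [b.bulletin_id for b in scored]


if __name__ == "__main__":
    print("vendor   :", rank_by_vendor(DECEMBER_2014))
    print("cvss     :", rank_by_cvss(DECEMBER_2014))
    print("on a par :", important_scored_like_critical(DECEMBER_2014))
    print("baseline :", rank_by_baseline(DECEMBER_2014, VULNERABLE_HOSTS, TOTAL_HOSTS))
```

With these inputs the vendor and CVSS orderings agree, but the CVSS view shows that MS14-082 and MS14-083, rated only Important, score the same 9.3 as the three Critical updates, so nothing justifies leaving them for a later window. The third metric changes the tail of the list: MS14-085 (CVSS 4.3) moves ahead of MS14-075 (CVSS 5.0) because in the constructed estate it affects 480 hosts rather than four Exchange servers. Swap in your own inventory counts and weights to reflect the environment you are protecting.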

Patching is invaluable to protecting your business. By taking a phased approach to updating systems and creating a baseline to understand the risk of each vulnerability, you can get a much better idea of which patches you should be prioritising first.

Robert Brown is Director of Services at Verismic

Originally published on IT Security Guru


Verismic Awarded Most Innovative Product of the Year 2014

Categories: Awards, News

Verismic is pleased to announce we have been awarded Most Innovative Product 2014 for Syxsense. 

Ashley Leonard, CEO, said: “It has been an exciting year for us with the launch of Syxsense, being recognized as one of the Top Innovative Products of 2014 is a great way to end the year.”

The Best in Biz Awards honours companies, teams, executives and products for their business success and is the only independent business awards program judged by members of the press and industry analysts.

One of this year’s judges, Mark Huffman of Consumer Affairs, said: “In the Internet age, it has never been more important to ensure your customers have a positive experience and, should there be a problem, to address it. These companies “get it,” and that’s not only good for them, but good for customers too.”