Microsoft announced at the recent Ignite conference that the days of monthly patch updates would be scrapped in favour of 24/7 updates, for Windows 10 at least. Since announcing the news, there’s been many arguing the potential pros and cons of moving to a continuous update cycle and for end users. I think this is a great thing but, for IT managers, it’s the worst thing.
Traditionally, you pool a collection of patches into a baseline and roll that baseline out once a month following Patch Tuesday, based on ranking patches by CVSS and severity ratings. These baselines can take weeks to compile due to testing before roll out, so if Microsoft begins releasing patches on an ad-hoc basis, IT teams will have to continually re-run baselines throughout the month.
Some businesses won’t be in a position to run multiple baselines per month to remain up to date and have to wait until the next patching cycle is scheduled – patching multiple times per month means downtime. The problem here is that once Microsoft issues a patch, it lets the whole world know that a vulnerability exists within a particular product. We already know that exploits targeting vulnerabilities go up after each Patch Tuesday, as hackers look to exploit weaknesses in Microsoft’s products. This will be exacerbated by a continuous update cycle.
However, with fewer patches to roll out at any one time, there’s less chance of compatibility issues being encountered with a patch. Patch baselines will be smaller, so testing and roll out will be more controlled and faster, so it will improve change management success. In addition, the impact on the network is reduced, as baseline file sizes will be much smaller.
It remains to be seen how successful continuous patch updates will be, but it will mean IT departments will need to change the way they approach patching.
You may have heard the inspirational phrase, “If you don’t ask, the answer is always no.” But what if you do ask, and the answer is still no? Particularly when it comes to asking for a raise, that is not the desired outcome, especially because it will likely be a while before you work up the courage to ask again.
Thankfully you can get it right the first time by knowing how to ask. To help you get that “yes” you’re looking for, we’ve compiled several “don’ts” to remember.
[vc_single_image image=”5386″]
“Do you volunteer for projects? Have you taken responsibility beyond your current level of pay? Describe these objectively to speak appropriately on your own behalf.” – Ashley Leonard, President and CEO of Verismic
1. Don’t come to the table empty-handed
Gathering the courage to ask for a raise is difficult – but as momentous as it seems, the simple act of asking will not get the job done for you. You need to come armed with information, facts and proof points that you deserve the extra pay, says Jennifer Doran, consultant program manager at IT staffing and services firm TEKsystems in Hanover, MD.
Relevant information can include accomplishments you’ve achieved for your team or the company, or responsibilities you’ve taken on outside your normal role. “That might give your manager pause to think maybe an increase is warranted based on that new information,” Doran says.
Don’t assume your boss has this information at the top of his mind, says Ashley Leonard, president and CEO of Verismic Software. “Make sure you have strong points that justify the raise,” he says. “Do you volunteer for projects? Have you taken responsibility beyond your current level of pay? Describe these objectively to speak appropriately on your own behalf.”
2. Don’t aim too high
You should also know the dollar amount you’re asking for, Doran says, to validate a compensation range. This means researching your market value by talking to recruiters and people in the industry. “Make sure your expectations are realistic, that your request meets the role you’re providing to the organization,” Doran says.
In other words, know your worth, says Tyler Mikkelson, team lead at technology talent recruiter Mondo in Chicago. “Be prepared to discuss how much money you saved the company, how much revenue you generated, new leadership tasks you’ve taken on,” Mikkelson says. “Facts and figures will go a long way.
Researching the compensation of your industry peers can also keep you from asking for an exorbitant amount, Mikkelson says. Merit increases are usually 2% on the low end and 7% on the high end, he says. “Asking for 10% or 20% will make you look foolish,” he says. “That’s a promotion, not a raise in your current role.”
This summer’s launch of Windows 10 promises to be a shot in the arm for the channel
Ashley Leonard, president and CEO, Verismic
Windows 8/8.1 was not popular with users, which could prompt XP and 7 users to jump to Windows 10 when it launches. Microsoft has also said 10 will be a free upgrade for a fixed period, which makes this upgrade jump even more likely.
In any scenario, a flow of OS upgrades stretches IT resources, not just through OS roll-out, but through testing, fixing, repackaging and preparing existing applications for the new environment. It really is no small feat to deploy applications.
Channel businesses – specifically managed service providers (MSPs) – are in a great position to provide this support. They can commit resources to creating, testing, preparing and delivering OS roll-outs and applications packaged with a high first pass success rate.
MSPs need to arm themselves with a simple systems management tool. Pick the right tool and they should be able to benefit from ‘dissolving agent- less’ technology, which means they don’t need to deploy any software at the customer site on any PC to con- trol them – it’s easier and less expen- sive for them. These will be the channel firms really making a profit from the Windows 10 bonanza.
Rob Brown, Director of Services at Verismic and Patch Management expert, discusses the potential impact Microsoft’s announcement will have on IT Managers and System Administrators.
At the Ignite conference a few weeks ago, Microsoft announced that it would be doing away with Patch Tuesday for Windows 10. Of course, they’re not getting rid of patch updates altogether, but they will be moving to continuous 24/7 updates over the monthly update cycle it currently has. Since announcing the news there’s been a lot of comments from IT professionals discussing the potential pros and cons of moving to a continuous update cycle, and I personally think it’s absolutely a great thing for end users and consumers but, for IT managers, it’s the worst thing.
Traditionally, you pool a collection of patches into a baseline and roll that baseline out once a month following Patch Tuesday, prioritizing patches by CVSS and severity ratings. These baselines can take weeks to compile due to testing before roll out, so if Microsoft begins releasing patches on an ad-hoc basis, IT teams will have to continually re-run baselines throughout the month.
Some business won’t be in a position to run multiple baselines per month to remain up to date and will have to wait until the next patching cycle is scheduled – patching multiple times per month means downtime. However, Microsoft isn’t forcing businesses to use this model, and update cycles can remain as a monthly update process.
The problem here is that once Microsoft issues a patch, it lets the whole world know that a vulnerability exists within a particular product. We already know that exploits targeting vulnerabilities go up after each Patch Tuesday, as hackers look to exploit weaknesses in Microsoft’s products. This will only be exacerbated by a continuous update cycle.
However, on the plus side, with fewer patches to roll out at any one time, there’s a smaller chance of compatibility issues being encountered with a patch. Patch baselines will be smaller, so testing and roll out will be more controlled and faster, so it will improve change management success. On top of this, the impact on the network will be reduced, as baseline file sizes will be much smaller
Of course, there’s no need to worry just yet – Windows 10 is yet to be released, so it remains to be seen how successful continuous patch updates will be.
Look out for further updates and handy tips on Patch Management from Rob Brown or Patch Management Services information at http://verismicblog.com/
This month sees three patches rated Critical by Microsoft affecting Internet Explorer, Windows, the .NET Framework, Office, Lync, and Silverlight. The CVSS scores from US-CERT rate all three at 9.3, so they certainly pose a risk if left unpatched.
The first Critical patch MS15-043, resolves 22 separate vulnerabilities across InternetExplorer; only Internet Explorer 7 installed on Windows Server 2003 is not affected by this vulnerability. To address the vulnerability, the update modifies how IE handles objects in memory, ensures affected versions of Jscript, VBScript and IE to properly implement the ASLR security feature, as well as adding additional permission validations. The most severe of the vulnerabilities could allow for remote code execution if a user view a specially crafted web page.
The second Critical update from Microsoft MS15-044, address vulnerabilities in Windows, .NET Framework, Office, Lync, and Silverlight by correcting how the Windows DirectWrite library handles OpenType and TrueType fonts. Both vulnerabilities in this update could allow for remote code execution, allowing a hacker to gain the same admin rights as the current user. Those with fewer user rights could be less impacted than those who operate with admin rights.
The final Critical update MS15-045, addresses six vulnerabilities in Microsoft Windows that could allow remote code execution if a user opens a specially crafted Microsoft Journal file. Two of the vulnerabilities were publicly disclosed but, luckily, are not being actively exploited.
10 further updates
All 10 are rated as Important, addressing 18 separate vulnerabilities. There is some disparity however, as US-CERT has given a CVSS of 9.3 for three of the Important updates, meaning they should probably be Critical updates.
MS15-046, MS15-048, and MS-049 should be the next three after your Critical patches to update. The first update address vulnerabilities in Microsoft Office, and could allow for remote code execution. The other two updates here could allow for elevation of privilege and affect Microsoft Windows, .NET Framework, and Silverlight.
Interestingly, US-CERT has given MS15-051 a CVSS of 2.1, whilst Microsoft gives it an Important rating. What’s interesting is one vulnerability within this patch, allowing elevation of privilege, has been publicly disclosed, meaning hackers know about this vulnerability. At the time of writing, Microsoft has confirmed it’s aware of some limited, targeted attacks that are attempting to exploit this vulnerability.
Based on Microsoft’s rating along with US-CERT’s CVSS scores I would recommend prioritising the top six patches in the table below, and then working down the list.
As always, I’d recommend testing patches before rolling them out across your IT estate to avoid any issues or conflicts, and this month you should pay special attention to MS15-044, which may require more testing because of the variety of different products that are impacted.
Author: Rob Brown Director of Services at Verismic and Patch Management Expert
Update no.
CVSS Score
Microsoft rating
Affected software
Details
MS15-043
9.3
Critical
Microsoft Windows, Internet Explorer
Cumulative security update for Internet Explorer
MS15-044
9.3
Critical
Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, Microsoft Silverlight
Vulnerabilities in Microsoft Font Driver could allow remote code execution
MS15-045
9.3
Critical
Microsoft Windows
Vulnerability in Windows journal could allow remote code execution
MS15-046
9.3
Important
Microsoft Office
Vulnerabilities in Microsoft Office could allow remote code execution
MS15-048
9.3
Important
Microsoft Windows, Microsoft .NET Framework
Vulnerabilities in .NET Framework could allow elevation of privilege
MS15-049
9.3
Important
Microsoft Silverlight
Vulnerability in Silverlight could allow elevation of privilege
MS15-047
8.5
Important
Microsoft Server Software
Vulnerabilities in Microsoft SharePoint Server could allow remote code execution
MS15-050
7.2
Important
Microsoft Windows
Vulnerability in Service Control Manager could allow elevation of privilege
MS15-055
5.0
Important
Microsoft Windows
Vulnerability in Schannel could allow information disclosure
MS15-054
4.3
Important
Microsoft Windows
Vulnerability in Microsoft Management Console File Format could allow denial of service
MS15-053
3.5
Important
Microsoft Windows
Vulnerabilities in Jscript and VBScript Scripting Engines could allow security feature bypass
MS15-051
2.1
Important
Microsoft Windows
Vulnerabilities in Window Kernel-Mode Drivers could allow elevation of privilege
MS15-052
2.1
Important
Microsoft Windows
Vulnerability in Windows Kernel could allow security feature bypass
Global Software Company Selected as Innovation Leader for its Syxsense at 2015 Orange County ACG Awards Gala
ALISO VIEJO, Calif. (May 18, 2015) – Verismic —a global provider of IT management solutions delivered from the cloud—was bestowed the coveted Innovation Award at the 2015 Association for Corporate Growth® Annual Awards Gala, which recognizes the achievements and exceptional talent of Orange County and Inland Empire-based companies. Presented Thursday, May 14 at the Island Hotel in Newport Beach, Calif., the award—judged by an independent review panel of academic and business professionals—underscores the tremendous success of Verismic’s Syxsense —an agentless, cloud-based IT management software solution that is revolutionizing the way IT professionals engage in endpoint device management.
“It is a great honor to be recognized by our peers, our industry and by the growing numbers of clients across the county who are realizing the tremendous benefits of our products,” says Verismic President and CEO Ashley Leonard, the technology entrepreneur behind Verismic’s groundbreaking solutions that have garnered numerous awards and accolades since the company’s founding in 2013. “The response to our energy- and cost-saving products and services that reduce the complexities of IT has been overwhelming and a continual source of inspiration for our team of dedicated technology experts.”
Under Leonard’s leadership, Verismic has grown tremendously in a few short years, earning a stellar reputation for products like Verismic’s CMS—named one of the most innovative products at the 2014 Best in Biz Awards—which requires only a web browser to deploy and can easily and quickly scale up to as many as 10,000 endpoints within an enterprise. From law enforcement agencies to school districts, organizations throughout the U.S. are praising Verismic’s cutting-edge solutions and outstanding customer service.
“It has always been of paramount importance to provide our customers with award-winning solutions that not only advance mission-critical goals and objectives but also bring forth alternatives to address important environmental concerns,” says Leonard, who also led his organization in the development and launch of its revolutionary remote Power Manager software. “The ACG Innovation Award is a testament to our organization and amplifies our intentional and tireless efforts to conscientiously innovate, while forging meaningful relationships with like-minded partners who support our commitment to excellence.”
For more information about Verismic’s innovative and award-winning Syxsense, visit www.syxsense.com.
ABOUT VERISMIC: Verismic Software, Inc. is a global industry leader providing cloud-based IT management technology and green solutions focused on enabling greater efficiency, cost-savings and security control for users, all while engaging in endpoint management. Headquartered in Aliso Viejo, Calif., Verismic is a growing and dynamic organization with offices in four countries and 12 partners in nine countries. Over the past two years, Verismic has worked with more than 150 companies ranging from 30 to 35,000 endpoints delivering a variety of solutions for organizations of all sizes as well as managed service providers (MSPs). Verismic’s software portfolio includes the first-of-its-kind agentless, Syxsense ; Power Manager;Software Packaging and Password Reset. For more information, visit www.verismic.com.
CONTACT INFORMATION
MEDIA CONTACT:
Leslie Licano
Beyond Fifteen Communications, Inc.
949.733.8679 [email protected]
April was all about security on IT Channel Expert. From data leaks and human errors to cyber attacks and security in schools, we covered the sector extensively with white papers, reports and opinions from the tech industry.
While it was no surprise to find out that security is an integral part of running a business in this day and age, over the past month a number of our contributors have discussed topics that may be brand new security issues to think about for some business owners.
As the Internet of Things (IoT) continues to increase in popularity, and starts to seriously be considered for use in business, it was interesting to discover what security risks it will bring to the corporate world. As GfK’s James Simoniti points out in his opinion piece: “While in the home, an IoT error may simply lead to too many groceries being ordered by the smart fridge, there is much more at stake for businesses – from corporate data to human lives.”
Robert Brown’s Patch Tuesday article made IT Channel Expert’s top 10 most popular pieces of the month. Read the full article at itchannelexpert.com
Ashley Leonard, President and CEO, Verismic says: “CMS is perfect for MSPs enabling them to get more value from customers and deliver better service levels. There are still lots and lots of MSPs who are providing services using old premise client/server management tools or even physically sending out engineers to help customers with problems.
He explained that the company’s endpoint management tool enables MSPs to monitor endpoints and intervene as soon as they need to, rather than having a reactive approach whenever a system goes down.
“Being cloud based, we allow MSPs to support their customers from anywhere and anytime,” he said. “CMS has been developed with MSPs in mind, enabling them to more effectively manage their customers’ IT environments with minimal admin burden.”
Interestingly, US-CERT has given MS15-051 a CVSS of 2.1, whilst Microsoft gives it an Important rating. What’s interesting is one vulnerability within this patch, allowing elevation of privilege, has been publicly disclosed, meaning hackers know about this vulnerability. At the time of writing, Microsoft has confirmed it’s aware of some limited, targeted attacks that are attempting to exploit this vulnerability.
