Archive for the Security Updates Category

Cloud and End Points and Security

Posted in Cloud, Security, Security Updates on 19 Oct 2011 by Stuart Aston

So…a question that often throws me for a loop is this:

Internet cloud web “If ‘I’ move to the cloud I don’t have to worry about security at my client end point, right?”…

err… no that’s not right.

But, “why”, I hear you ask?

Well of course if you go to a reputable cloud service provider they will apply security updates to the servers that provide you services as commercial providers of services they will keep those servers up to date, and hardened to deal with attack utilise defence in depth, etc…

But the end-point; the thing that accesses the actual data, mail or services; still needs to be kept up to date; as much as it does in a non-cloud scenario, that’s still ‘your’ responsibility as an IT professional  for your environment, you still need to manage it.  Malware will still be able to take data from these devices using un-patched vulnerabilities; using the privileges of the user.

Do we have to do less work keeping things up to date?  Well yes it does, for those servers that you no longer manage and have moved to the cloud they will be updated by the service supplier in a SaaS and PaaS models.  In the IaaS model, the user is still responsible for managing the patching of the guest operating system, whatever it is.

Of course you could always move the management of the endpoint to the cloud using a service like Windows InTune.

In summary; moving to the cloud doesn’t mean you can just “stop” updating your end points, depending on the model of cloud service you adopt you may be able to stop patching some of your servers.

Advertisements

Home Office does u-turn on Internet Explorer 6 – Will this become a domino effect? | TechEye

Posted in Government, Home Office, Internet Exlplorer, Security Updates, UK on 1 Nov 2010 by Stuart Aston

 

 

Internet Explorer 8 IE logo v The Home Office has made an important step forward here, and should be applauded for committing to move from IE6 to IE8, and I hope that other departments follow suit.

The challenge of course is that any software component needs to be maintained and updated, as well as on the latest version, to maximise the assurance that one can place in software.

The advantages of  having the capability to keep software updates in current, also produces other business benefits beyond the assurance and reliability of the software in question. It also enables the IT organisation to rapidly make changes to support business needs. New applications can be deployed more rapidly and updated using the same kinds of infrastructure investment, changing a “defensive” investment into one that promotes genuine agility in an organisation.

Staying “current” and staying updated is probably one of the most important tools that a security professional can use in mitigating the potential threats that are present in the internet today.

Home Office does u-turn on Internet Explorer 6 – Will this become a domino effect? | TechEye

Security Essentials Goes “Enterprise”

Posted in Malware, Security Updates on 7 Oct 2010 by Stuart Aston

Well not quite, but, from  from October small businesses of up to 10 PC’s will be able to use Microsoft Security Essentials for FREE, and allow them to focus on their business, without forcing them to compromise on protection.

Microsoft Security Essentials provides free protection against viruses, spyware and other malicious software to our individual customers using the same proven core Anti-Malware engine that our enterprise customers use. We recognise that small businesses face some tough challenges in the current economic climate, and yet they all want to protect their computers from unwanted software.

Of course individual consumers have been able to benefit from the use of Microsoft Security Essentials for some time and we have also made this freely available to OEM’s and System Builders to enable them to protect machines ‘right out of the factory’ through the Microsoft Security Essentials partner  program

What some of you may not of been aware of  is the ability for any company with a web “presence” and Academic intuitions to make Security Essentials freely available to their customers via the Security Essentials Link Logo Program, allowing these organisations to offer Free protection to their own customers.

About 15 Minutes

Posted in Security Updates on 30 Jul 2010 by Stuart Aston

So… (you can tell I work for Microsoft I start sentences with “so”) when you design software, you typically try and design out the “known vulnerabilities”, however that is by its nature a process that can never be perfect, and what is “’safe’ today might be shown to be ‘unsafe’ tomorrow’”.  In not being perfect it will always have flaws some of those flaws can be exploited, making you the user vulnerable that means after its shipped, you require a security update from the software manufacturer.  Some vulnerabilities are not patchable per-say they require a fundamental change in the underlying structure of the software in order to make it safe, this in turn causes many changes  to ‘cascade’ through out the software in question that you would have to “rebuild the software from scratch”.

As a result any particular release of software will have some vulnerabilities against which it is built to defend against, some which it can be patched against and some which will require the “next release” (or additional measures of defence in depth)  to defend against, because, it lacks the underlying infrastructure to make an internal defence feasible.

Why am I talking about this, because, we recently announced that we would be keeping XP SP3 in extended support until 2014, and I am being asked by people if “it’s ok not to upgrade from XP?”, well the answer is not a simple one and depends on a balance of issues, cost of implementing an upgrade being one of them, but my view would be upgrade to the latest version of software you can, because intrinsically you will have less vulnerabilities to worry about.

While on the topic of security updates, I would like to relate a story, on holiday recently my friends niece asked me to look at their laptop, because they could not connect to the wireless network, so I did a brief check on Windows Update as I always do and found dozens of unapplied updates, so I asked them why they hadn’t applied them… the answer “I didn’t know I was supposed to” shocked me… I suppose that it shouldn’t have, but, because I work in the security space I  just assume that everyone gets the fact that they should apply updates and do so as quickly as they can… oh and the wireless card was unfixable, also not actually present…

I know that many organisations want to test an update before they apply it, but, a lot of people (over 500 million) world wide apply updates, most of those are trouble free… so testing against “word” for compatibility issues isn’t likely to buy you very much in a real sense except a delay, I’m not saying don’t test, but focus that testing against your actual mission critical or custom built apps… and get the update out there ASAP, get protected…

 

%d bloggers like this: