Cleanup your Java versions
How to get down to one version of java on all systems.
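A concrete way to do the cleanup on a single machine, as an added example that is not code from the original post. It reads the Add/Remove Programs entries for both the 64-bit and 32-bit registry views, keeps the newest Sun/Oracle Java build per architecture and uninstalls every other one through its MSI product code. The display-name pattern and version formats are assumptions based on how Sun/Oracle Java registers itself; run it elevated, and use -WhatIf first to see what it would remove.

```powershell
# Added example, not code from the original post. Removes every Sun/Oracle Java
# runtime or JDK except the newest one per architecture on the local machine.
# Run elevated. -WhatIf lists what would be removed without touching anything.
param([switch]$WhatIf)

# Add/Remove Programs entries for 64-bit and 32-bit installs. On x64 the 32-bit
# view lives under WOW6432Node; on a 32-bit OS that path does not exist and every
# entry found is 32-bit.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed DisplayName forms: "J2SE Runtime Environment 5.0 Update 22",
# "Java(TM) 6 Update 20", "Java 7 Update 45 (64-bit)", "Java SE Development Kit 8 Update 25".
# The pattern deliberately skips "Java Auto Updater" and "JavaFX".
$namePattern = '^(J2SE |Java\(TM\) |Java \d|Java SE )'

$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $namePattern -and
                   $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |   # MSI-based entries only
    ForEach-Object {
        New-Object PSObject -Property @{
            Name        = $_.DisplayName
            Version     = [version]$_.DisplayVersion   # e.g. 6.0.200, 7.0.450, 8.0.2510.8
            ProductCode = $_.PSChildName               # usable with msiexec /x
            Arch        = $(if ($_.PSPath -match 'WOW6432Node') { 'x86' } else { 'x64' })
        }
    }

if (-not $java) { Write-Host 'No Java installations found.'; return }

# Keep the newest build of each architecture (32-bit browsers need the 32-bit JRE).
$keep = $java | Group-Object Arch | ForEach-Object {
    $_.Group | Sort-Object Version -Descending | Select-Object -First 1
}
$keepCodes = $keep | ForEach-Object { $_.ProductCode }
$keep | ForEach-Object { Write-Host "Keeping : $($_.Name) [$($_.Arch)] $($_.Version)" }

foreach ($old in $java | Where-Object { $keepCodes -notcontains $_.ProductCode }) {
    Write-Host "Removing: $($old.Name) [$($old.Arch)] $($old.Version)"
    if ($WhatIf) { continue }
    $log  = Join-Path $env:TEMP ("java_uninstall_" + $old.ProductCode.Trim('{}') + ".log")
    $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList @(
        '/x', $old.ProductCode, '/qn', '/norestart', '/l*v', "`"$log`""
    )
    # 0 = success, 3010 = success but a reboot is pending (suppressed by /norestart).
    if (0, 3010 -notcontains $proc.ExitCode) {
        Write-Warning "msiexec returned $($proc.ExitCode) for $($old.Name); see $log"
    }
}
```

Uninstalls fail (typically exit code 1603) when a browser still has the JRE loaded, so schedule this for a maintenance window or a logon-free time, and push the one version you are keeping with your normal distribution tool afterwards so machines that had nothing installed end up at the same level.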
Patch content BKM
Summary
This article covers the vulnerability content you should be scanning for with LANDesk Patch Manager. The recommendations are based on research published by several leading security firms. I summarize their conclusions below, but the short version is that over the course of 2009 client-side applications were the most exploited part of the endpoint. The purpose of this document is to help you manage your patch content so that you can focus on what matters most.
Patch more, patch faster
If you haven't read the Qualys report The Laws of Vulnerabilities 2.0 (presented at the Black Hat conference in 2009), you should.
Qualys draws on data from over 100 million vulnerability scans performed on corporate networks, covering both servers and desktops. Two key points from the report:
- The half-life of a vulnerability in corporate networks (the time it takes an organization to patch half of its vulnerable machines) is essentially unchanged since 2004.
- While IT organizations have gotten better at deploying Microsoft Windows patches, patches for vulnerabilities in applications such as Microsoft Office, Adobe products and Java take twice as long on average.
There are other useful data points in this report, including a breakdown by industry that lets you compare yourself with your peers. The most important takeaway, however, is that the very applications organizations take so long to patch are the ones most exploited on your endpoints.
This article from SANS provides a good overview, combining data from Qualys, TippingPoint and the ISC. Its conclusion is succinct: unpatched client-side applications should be your number one endpoint security priority, specifically Microsoft Office, Adobe products and QuickTime.
The good news is that LANDesk customers can scan for and remediate all of these applications: pushing out an Adobe Flash Player patch is just as easy as pushing MS09-055, a Java update or anything else in content. The bad news is that a number of organizations I go into aren't taking advantage of this capability.
If you are a LANDesk customer and still using WSUS to patch your systems: WSUS is not enough. WSUS delivers Microsoft updates only, so if that is your only patch channel you are doing very little to protect your endpoints from current attacks. If you are not a LANDesk customer, whatever patch system you use must cover third-party applications. This should no longer be considered a nice-to-have feature; it is a critical part of a successful patch strategy.
I understand that in the real world it is not just about the functionality of your patch management solution. Many organizations have barriers that make it difficult to patch endpoints aggressively. Here are some of the common issues I see and some thoughts on improving your patch management practices:
Training. Time and again I see desktop administrators who have been thrown into their current roles and are simply not comfortable suddenly deploying a bunch of patches. I don't blame you; I don't want to be responsible for rebooting the CEO's machine in the middle of a presentation either. So get trained! Most vendors offer a variety of training options. I know you have no budget or time, so in the case of LANDesk use the e-learning courses (accessible via the web for a few hundred dollars a year, and possibly free depending on your support program) and the forums to build up your comfort level.
Use the workflow tools you have. Many organizations have very mature practices for patching their servers but leave desktop administrators to fend for themselves. LANDesk patch management includes a workflow component that automates e-mail notifications, approvals and targeting. I know, it's not perfect. But keep your process simple and get the ball moving in the right direction within your organization. LANDesk made many improvements to the default workflow in version 9, and it works as a good baseline. This kind of automation is critical!
Make compliance requirements and auditors work for you. Most industries now fall under some kind of regulatory compliance. Use this to build the political will necessary to patch aggressively within your organization. It can be very difficult to overcome end-user complaints about lost productivity, so use third-party sources (like the studies linked above or an impending audit) to convince management of the need to patch aggressively. Then be smart about how you deploy: use reboot deferrals, caching and other common patch features to show you can be effective while minimizing impact. It's up to you to make the business case to your management.
Narrow your target. So many times I see people overwhelmed by how many vulnerabilities they have to patch. Only scan for the things you care about (remote code execution, items needed for audit compliance, etc.). Don't enable every vulnerability thrown at you! Go after items rated critical and high first, then work your way back into the less critical vulnerabilities. You'll build some early success and confidence in how your patch management solution works.
Go forth and patch!
Quick walkthrough: deploying Adobe Reader 9.3
Overview
Search around the Internet and you find a lot of different ways to deploy the latest Adobe Reader versions. With PDF exploits becoming increasingly popular, keeping up with these versions matters more than ever. Prior to Reader 9.3 I would simply deploy the downloaded executable with a set of command line switches. Since then I've taken to using the Adobe Customization Wizard to create a transform (MST) file for the MSI. You can download my MST file or build your own. If you use mine, the result is as follows.
Deployment Behavior
- Silent install
- No EULA acceptance required
- No reboot
- No add-ons like links to adobe.com or AIR
- Automatic updates are turned off
Since automatic updates are disabled, every later Reader release has to come through your own distribution process, so keep the package current.
Steps to Follow
- Download Adobe Reader 9.3 from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.3/enu/AdbeRdr930_en_US.msi
- Download this transform file or create your own
- Move the MSI and MST to the web or UNC share you typically use to deploy software
- Add it to your LANDesk Software Distribution Packages
- For Install/Uninstall Options paste: /i TRANSFORMS=AdbeRdr930_en_US.mst /quiet /norestart (Windows Installer resolves a bare transform name relative to the MSI's location, so the two files must sit in the same folder)
- Under Additional files add the MST file
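To validate the package on a test box before it goes into Software Distribution, here is the same install driven from PowerShell, as an added example that is not code from the original post. It uses the MSI and MST names from the steps above with the same msiexec switches; the UNC share path is an assumption to replace with your own.

```powershell
# Added example, not code from the original post. Installs Adobe Reader 9.3
# silently with the transform described above, outside of LANDesk.
# Assumption: the MSI and MST sit together in $Source (replace the share name).
param(
    [string]$Source = '\\fileserver\software\AdobeReader930',   # assumed UNC share
    [string]$Msi    = 'AdbeRdr930_en_US.msi',
    [string]$Mst    = 'AdbeRdr930_en_US.mst'
)

$msiPath = Join-Path $Source $Msi
$mstPath = Join-Path $Source $Mst
foreach ($file in $msiPath, $mstPath) {
    if (-not (Test-Path $file)) { throw "Deployment file missing: $file" }
}

# Same switches as the LANDesk package, plus a verbose log for troubleshooting.
$log = Join-Path $env:TEMP 'AdbeRdr930_install.log'
$msiArgs = @(
    '/i', "`"$msiPath`"",
    "TRANSFORMS=`"$mstPath`"",
    '/quiet', '/norestart',
    '/l*v', "`"$log`""
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host 'Adobe Reader 9.3 installed.' }
    3010    { Write-Host 'Installed; a reboot is pending (suppressed by /norestart).' }
    1638    { Write-Warning 'Another version of this product is already installed; remove it first.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}

# Confirm what Add/Remove Programs now reports for Reader (both registry views).
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe Reader*' } |
    Select-Object DisplayName, DisplayVersion
```

The exit-code handling is the part worth carrying over to any deployment tool: 3010 is a successful install that still needs a reboot, and 1638 means an existing Reader version blocked the install, both of which look like "failed" if you only test for zero.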
LANDesk 8.8 database tables you actually care about
FileInfo
Antivirus
Query (shows the SQL behind GUI-based queries)
Tying management tools to a platform
Windows Mobile now sits in 4th place (behind Nokia, RIM and Apple) after a mere 2 years of the iPhone being on the market.
Microsoft Live Search continues to lag with single digit market share in Internet search.
—————————————
No, this is not a prediction of Microsoft's demise. Microsoft will be around for some time, and anyway there are millions of Apple users, Firefox users and Bob Cringely to make those predictions.
What I am thinking about is the systems management marketplace and a question I used to ask Novell customers several years ago regarding Zenworks.
Why tie your systems management tools to your platform? Or, put another way: if you decide to leave the Novell platform (as many companies were doing at the time), do you really want to be forced to rip out your management platform at the same time? (Zenworks was, and continues to be, joined at the hip with eDirectory, and removing the latter seriously crippled the former.)
Technology naturally lends itself to self-contained ecosystems. But your systems management tools belong on the outside.
Google Earth, monetization and dreamy platitudes
(This was originally posted in February 2009, reposted here for archive)
——————————————————————
CNBC ran a short segment today on the newest version of Google Earth (non-CNBC-related link here). Their background on the tech was relatively light, and the post-segment chatter focused on one word: monetization.
It was CNBC, so this makes sense, but after several disparaging remarks about how researchers might use it (but who else, really?) and how no revenue stream for it seemed likely, I was left thinking:
Can’t there be good tech that is good on the face of it and doesn’t require monetization? Also, isn’t investment in the Google brand more tangible than in your average company?
Bagging on Google for being a one-trick ad pony has long been popular, right up there with Google as the next Evil Empire (the latter is likely to be true eventually, if history is any guide). This comes with the territory of being top dog. Someone will eventually be right and get to say I told you so. So what?
My initial reaction was fostered by a desire to believe that a company can do something for the greater good without collecting more eyeballs, more personal information, more me. That good will with your customers and your community can (and does) come back around in some karmic way.
But back to the brand investment bit. Google's ad revenue and ~107bn market cap are the result of a mythos that their witch-doctor programmers know the secrets of turning chicken bones into 1s and 0s in a way no one else can (or will) figure out.
(For all I know they’re using some AI locked deep in a California fault line. After all, it would be very American to take future alien technology and apply it to a search engine only to sell advertising.)
The point is that the mythology surrounding their search is a huge part of their brand. Doesn’t cool tech like Google Earth build on that in spades?