FoxGuard Solutions has made improvements to the monthly Patch Availability Reports, and we expect a lot of excitement around the newly added features. Two new fields now appear on the report: Patch Evidence and CVE Details.
PATCH EVIDENCE – Better meet the requests from your auditors.
We have added a table to the end of the report that will show two types of evidence: Patch Quantity and Patch Quality.
PATCH QUANTITY – A screenshot shows the number of patches provided by the source vendor within your report timeline. A screenshot is also included when NO patches were provided by the vendor within that same timeline, so the absence of patches is documented as well.
PATCH QUALITY – If a patch was released within the report timeline, this evidence is a screenshot of the actual patch data, confirming that FoxGuard has reported the correct details, together with a date/time stamp of when the evidence was captured.
Note: Patch Evidence is captured at the Vendor > Product > Version level. If the same item is listed more than once in the Availability table (the first table in the report), it appears only once in the evidence table, which keeps the evidence listing condensed and easier to use.
CVE DETAILS – More Vulnerability Details!
We are adding the CVSS (version 2) Score and Description for each CVE. This provides further vulnerability detail so you can better assess the criticality of each patch and prioritize accordingly.
WANT TO LEARN MORE ABOUT PATCH MANAGEMENT
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.
If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.
Earlier this month, Compliance & Risks published its quarterly regulatory growth charts for April 2017. The charts show regulatory growth by subject and by region.
Overall growth by year shows an increase in regulations of over 30% from April 2016 to April 2017 (and pending), covering the areas of batteries, climate change, energy, packaging, product safety, substances, and waste.
By region, the largest growth during this time period was in the Latin America / Caribbean region.
FoxGuard tracks pending new legislation, as well as upcoming changes to existing legislation, and works closely with our supplier network to ensure continued compliance of systems and components.
As always, the world of regulatory compliance for IT equipment evolves and expands, and changes are on our doorstep, with further changes being right around the corner.
EU Declaration of Conformity – EMC standard EN 55032:2012 mandatory as of March 5, 2017
In less than one month, EMC standard EN 55022:2010 expires, and EN 55032:2012 must be reflected on EU Declarations of Conformity.
Two items of note regarding this change:
- EN 55032:2012 v. EN 55032:2015
Although EN 55032:2015 has been published, it has not yet been adopted by the European Commission under EMC Directive 2014/30/EU. Until the 2015 version is adopted under the EMC Directive, EN 55032:2012 is the standard that must be on the CE Declaration. Recommendations have been made to have products tested to both versions, so both versions of the standard can be cited on the product CE Declaration. For a complete list of EMC standards currently adopted under Directive 2014/30/EU, please visit https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/electromagnetic-compatibility_en.
Certain types of equipment are in scope of both EN 55022/55032 (Information Technology Equipment) and EN 55011 (Industrial, scientific and medical equipment), which is still in force. If your equipment falls into this category, please note that EN 55011 cannot be accepted in lieu of EN 55032, since the CE Declaration must include all standards relevant to the product.
REACH – Four Additions to Substances of Very High Concern (SVHC) List
Four new chemicals have been added to the REACH Substances of Very High Concern (SVHC) list, bringing the total number of substances on the list to 173.
Around the corner …
- Taiwan RoHS enters into force in 2017, with mandatory enforcement dates ranging from May to November. Please check with your test lab for product-specific dates.
- Singapore RoHS also enters into force, in June 2017. Please check with your test lab regarding specific requirements for your products.
The cyber security marketplace is hot right now, and companies that want to position themselves in this market have a tremendous opportunity. A software company, often referred to as an ISV (Independent Software Vendor), with a product focused on the cyber security market should not divert its attention from building an exceptional product for the customer. Distractions for a software company include selecting, acquiring, and selling a computer or computing platform to complement the software solution. FoxGuard Solutions suggests that software companies would benefit from a partnership with a reputable computing appliance provider to offer a total turnkey solution to the customer.
Why should a software company outsource?
The implementation of the cyber security software will need to be completed by either the software company, the end customer, or the outsourced computer appliance supplier who partners with the software company. FoxGuard Solutions can provide an accountable point of contact to ensure the delivery and implementation of the software.
- Who will design and optimize the computing platform (to the software)?
- Will it be easier for the end customer to buy a turnkey solution or multiple products? Issue one or multiple purchase orders?
- Will a software company or the end customer know how to effectively move from design, to prototyping, to production systems?
- Who will manage the product parts setup and lifecycle?
- Who will manage the logistics, warehousing, inventory, and installation?
- What if the end customer wants the computing platform or appliance integrated with other equipment, such as a computer rack?
- What if the target market and customers need multiple form factors in their selection of computer appliances?
- What about warranty, failure rates, and support?
- How does the software company promote their brand?
- Would it be helpful if the computer was branded for the software company?
As this list implies, there is a lot to worry about from the software company’s perspective at a time when it needs to devote its time and energy to having the best software and support possible. The software company could simply tell the end customer to provide the computer, but the risk is that the software may not perform optimally because the customer did not select the recommended hardware. This can cause start-up problems and leave the end customer with a bad impression of the software company.
The cyber security market is estimated to grow to $170 billion (USD) annually by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020, according to a report from Markets and Markets. The aerospace, defense, and intelligence vertical continues to be the largest contributor to cyber security solutions. If you are a software company or ISV and you are trying to take advantage of this great growth opportunity, take a good look at partnering with a computing appliance supplier. The FoxGuard Solutions team would be happy to consult with you and help you assess whether this would be a good direction for your firm. These are very competitive times and also times where markets are moving to a heavy focus on software. The software companies who can put their focus and attention on their software and not on other distractions could be the ones who will win with the customer in the end.
WHAT IS CHANGING?
On August 15th, 2016, Microsoft announced changes to how it will offer updates for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Starting in October 2016, Microsoft will offer a single Monthly Rollup on the second Tuesday of each month that addresses all security and non-security issues released for each operating system. This Monthly Rollup only addresses core operating system components and does not cover other Microsoft software. This is the same update model that Microsoft currently uses for Windows 10. For customers that normally install only security updates, Microsoft will release a security-only rollup update on the same day.
At first, these Monthly Rollup updates will only contain fixes for the operating system released since October 2016, but over time Microsoft plans to add older updates to this rollup. Eventually, this will become a fully cumulative update, meaning that a completely unpatched system could apply a single rollup update (plus any prerequisites that rollup requires) and be fully up to date with everything the Monthly Rollup covers. In addition to these two rollups, per a comment from Nathan Mercer from Microsoft (in the discussion section of the article referenced above), there are plans to release an update rollup containing only new non-security fixes on the third Tuesday of each month.
In addition to the Monthly Rollup for the operating system itself, Microsoft plans to use the same model for .NET Framework updates. The .NET Framework Monthly Rollup will be offered as a full rollup with both security and non-security fixes, as well as a security-only version. This rollup will only install updates for the version of the .NET Framework installed on a system. It will not upgrade a system to higher versions of the .NET Framework.
Regardless of which type of rollup update is chosen, Microsoft no longer plans to offer individual security or non-security updates for Windows itself or the .NET Framework. This is further confirmed in another blog entry posted on August 30th, which addresses the question: “With the new Windows as a Service: Service Model, can we back out a single patch (KB) if it causes issues since they are all rolled up?” To summarize Microsoft’s answer: you cannot control which KBs are applied, so you will need to back out the entire rollup. Microsoft justifies this decision by stating that the rollups are designed to correct the fragmentation caused when users selectively install updates, and that the rollup model makes it easier to migrate to new versions of Windows without wiping and reloading an entire system.
Other Microsoft-provided updates, such as Adobe Flash Player updates for newer versions of Windows and Microsoft Office updates, will still be delivered as individual updates and will not be included in the rollup. Another critical update type that will not be included in the rollups is the Servicing Stack update. These are updates to the component that detects and installs updates on the operating system. When a new Servicing Stack update is released, it will likely be required before any subsequent updates can be installed, so it has to be tracked and approved on its own.
HOW DID UPDATES WORK BEFORE?
For Windows 7 and Windows 8.1, as well as their corresponding Windows Server variants, Microsoft has released multiple security bulletins each month on the second Tuesday of the month (commonly known as “Patch Tuesday”). Each security bulletin addressed a single vulnerability (or multiple related vulnerabilities) in a Microsoft product and referenced one or more patches for each affected product. To fully patch a system, users needed to install each of the applicable updates released in a given month, and, if necessary, they could choose not to install one or more of them. According to Microsoft, this ability to pick and choose leads to multiple potential problems; the examples it gives are increased scan times, increased testing complexity, and various combinations of updates causing other errors, lowering update quality.
HOW WILL IT AFFECT CRITICAL INFRASTRUCTURE?
Moving to a rollup model does have some major benefits for those in critical infrastructure. A reduced number of updates each month greatly reduces the patch management burden, especially considering the June 2016 round of updates included 17 different security bulletins. This reduced update count also means less compliance documentation to deal with each month.
However, the loss of granular update selection means that when a critical application breaks because of a Windows rollup update, end users are left with difficult decisions. What is the best way to get back up and running? Ideally, the offending update can be uninstalled; this leaves the system vulnerable, but operations return to normal. In some cases, however, Microsoft has shipped updates that cannot be uninstalled. One recent example is MS16-088, in which certain updates cannot be removed; those mainly concern online Office products such as SharePoint and Microsoft Office Web Apps. Earlier, MS14-024 was a security update for Microsoft Office as a whole that cannot be uninstalled. We could not find a recent example of an operating system update that could not be uninstalled, but if a future rollup behaves that way, the only recovery after applying an incompatible update would be to restore from a backup taken before the update. Taking and verifying that backup (or virtual machine snapshot) before each rollup is therefore the first operational control for this new model.
In a situation where a rollup update is incompatible with a critical application, there are two options: wait for Microsoft to release a new update that does not break the application, or wait for the application’s vendor to release a version that is compatible with the Microsoft rollup. Microsoft has stated in its August 30th blog entry that “if there is a problem the partner will need to open up a case and provide business justification to drive the discussion with Microsoft.” Expecting a large entity like Microsoft to re-release an update to address issues that affect a very small number of applications, no matter how critical they are, is unlikely (but not impossible). In an industry where hardware and software are designed to run for decades, waiting for a vendor to update an application is not feasible in many cases. Until either the Microsoft rollup no longer breaks the application or the application is changed so that it no longer breaks, systems in critical infrastructure and other industries may have to remain unpatched for quite some time.
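When a Monthly Rollup has to be backed out, the rollback described above can be scripted rather than done by hand through Control Panel. The PowerShell below is an added example for this article, not code from the original page or from FoxGuard or Microsoft. It lists what was installed on the host in the last few weeks so the culprit can be matched against the change window, confirms that the rollup’s KB number is actually present, and then removes it with the Windows Update Standalone Installer (wusa.exe), which handles the MSU-packaged updates on Windows 7 SP1 / 8.1 and Server 2008 R2 through 2012 R2. The KB number, the elevated session, and the length of the look-back window are assumptions supplied by the operator.

```powershell
# Added example (not from the FoxGuard article): confirm and roll back a Monthly Rollup.
# Assumptions: run from an elevated PowerShell session on Windows 7 SP1 / 8.1 or
# Server 2008 R2 / 2012 / 2012 R2; $KB is the rollup's KB number, taken from the
# Microsoft Update Catalog or the host's own update history.
param(
    [Parameter(Mandatory = $true)][int]$KB,   # e.g. the Monthly Rollup that broke the application
    [int]$DaysBack = 35                       # look-back window, slightly longer than one patch cycle
)

# 1. Show what landed recently so the suspect update can be tied to the change window.
#    InstalledOn can be empty for some entries, so filter on it before comparing.
$since = (Get-Date).AddDays(-$DaysBack)
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
    Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn, InstalledBy -AutoSize

# 2. Confirm the requested KB is present before attempting removal; a typo here
#    would otherwise produce a confusing wusa error rather than a clear message.
$target = Get-HotFix -Id "KB$KB" -ErrorAction SilentlyContinue
if (-not $target) {
    Write-Warning "KB$KB is not installed on $env:COMPUTERNAME; nothing to roll back."
    return
}

# 3. Remove the rollup. /quiet suppresses the UI and /norestart leaves the reboot
#    to the operator so it can be scheduled inside a planned outage window.
$wusa = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
    -ArgumentList "/uninstall", "/kb:$KB", "/quiet", "/norestart" `
    -Wait -PassThru

# 4. Interpret the well-known exit codes; anything else needs the CBS log.
switch ($wusa.ExitCode) {
    0    { "KB$KB removed; no reboot required." }
    3010 { "KB$KB removed; reboot required to complete the rollback." }
    1641 { "KB$KB removed; the system is restarting." }
    default {
        Write-Warning ("wusa.exe exited with code {0}; review {1}\Logs\CBS\CBS.log" -f `
            $wusa.ExitCode, $env:SystemRoot)
    }
}
```

Because the rollup is cumulative, removing it also removes every fix it carried, so the host should be isolated or otherwise compensated for (see the mitigations discussion that follows) until a compatible rollup or application update is available. Run the script only after the pre-update backup or snapshot has been confirmed restorable.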
In situations where updates can’t be applied without breaking a critical application, Microsoft does provide documentation on mitigating factors and workarounds for some of their published security vulnerabilities. If this documentation exists for a given update, it can be found in the Microsoft Security Bulletin for that update. For updates with no mitigation documentation, other mitigation technologies would need to be utilized in order to protect systems where the underlying vulnerability can’t be patched without breaking other critical functionality.
While this new update model is great for many large enterprises with huge numbers of endpoints to manage, it fails to address the reason why businesses selectively installed updates in the first place: updates sometimes break critical applications. Unless Microsoft brings back some way of installing individual security updates, many systems may have to remain vulnerable until system owners can convince Microsoft to provide a workaround, or until vendors are forced to update applications across the entire deployed fleet. In some situations, a vendor for a critical application may no longer exist or is unwilling to change. In that case, entities may need to find a new vendor in order to remain secure against all of the latest vulnerabilities in Windows. Changing vendors in critical infrastructure is not to be taken lightly, as it often requires long, expensive upgrades that introduce unwanted downtime. In the meantime, systems in critical infrastructure that were staying up to date may start to fall behind and become vulnerable, with little recourse available.
FoxGuard Solutions will continue to watch for new developments regarding Microsoft’s servicing changes. Additionally, FoxGuard is working with other industry experts to analyze these changes and work with Microsoft on ways to mitigate risks for energy delivery industrial control systems. Expect more communications from us as new information is made available.
www.blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
www.blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/
www.blogs.technet.microsoft.com/askpfeplat/2016/08/30/a-bit-about-the-windows-servicing-model/
FoxGuard Solutions’ Regulatory Compliance program is designed to ensure that each order shipped meets the regulatory requirements of the order’s destination.
Our services cover the following areas of regulatory compliance for over 36 worldwide locations:
“Behind the scenes” of the regulatory document packages uploaded to customer support sites lies daily research into new and changing legislation surrounding IT equipment design and import, investigative reviews into compliance of potential new inventory components, and a database of over 40,000 regulatory certificates and reports covering thousands of parts, from adapters to industrial computers and peripherals!
Our document database is monitored to ensure expiring documents are renewed and certificates with superseded standards are retired. One change in a national or regional standard, such as CE, can mean replacement of hundreds of component certificates!
FoxGuard’s Regulatory Compliance Team maintains a network with over 250 manufacturers and suppliers. In addition to collaborating with these associates to assess compliance of specific components and produce proper documentation, FoxGuard issues periodic Regulatory Bulletins alerting manufacturers and suppliers of upcoming legislative changes and new documentation requirements.
The custom regulatory document packages provided to customer-specified sites are the result of design and pre-BOM reviews, quote reviews, and an additional line-by-line review before an order is released for planning.
In addition to the support provided on an order-by-order basis, FoxGuard’s Regulatory Compliance Team works with Customer Account Representatives, suppliers, and customer compliance professionals to explore and coordinate special requests, such as additional product certifications.
The result of these extensive “behind the scenes” services is successful import to international destinations and proper documentation to back up every regulatory mark on a system component. On those occasions when a customs office requires additional information to clear a shipment, FoxGuard’s Regulatory Compliance staff works closely with customer and customs associates to provide the information requested in a timely manner.
Last but not least, FoxGuard’s Customer Care Center (CCC) offers pass-fail results on regulatory compliance pre-submittal inquiries. If you need log-in information or instructions on the use of the CCC, please contact your FoxGuard Customer Account Representative or e-mail firstname.lastname@example.org.
As Quickly as the Weather
Every year around the last few weeks of winter, “spring fever” starts to build with a few days of warmth and sun and the summer clothes start to emerge. Just as folks are getting comfortable in their shorts and sandals, a cold spell sets in, including and/or followed by a week or two of rain and wind. The long pants, socks, and jackets are reluctantly pulled out again, and umbrellas are kept close by. Before we know it, the cold dampness turns into glorious sun and … heat!!
2016 brings numerous regulatory changes for IT equipment
This year we are seeing the fruition of multiple regulatory transitions for IT equipment, causing FoxGuard’s regulatory document database to change.
In February, Australia/New Zealand’s C-Tick and A-Tick expired and were superseded by RCM, which is now the single “Regulatory Compliance Mark” for the region. Thankfully, this transition didn’t mandate a large amount of document change. However, details such as supplier code numbers and product marking warrant closer attention.
Most recently, in April, new directives pertaining to IT equipment entered into force in the European Union, including the directives for EMC and Low Voltage. Massive document collection ensued and continues to be collected, as well as preparation for some of the new administrative requirements, such as translation of instructional and safety materials into multiple European languages.
In June, further changes in European directives and standards will be implemented, including the new RED, and the expiration of EMC standard EN 61000-3-3:2008 (EN 61000-3-3:2013 as of June 18).
In July, Amendment 2 (A2:2013) to the IT safety standard 60950-1 becomes mandatory. China RoHS 2 requirements become effective, including changes to scope, possible additional substances to report, and changes to the Environmentally Friendly Use Period (EFUP) Table. Argentina’s Resolution 508/15 comes into effect, superseding Resolution 92/98 on product safety and mandating documentation updates as well as labeling requirements for specialized equipment and external power supplies. The GCC “G” mark is also introduced for IT equipment (its scope is as yet unknown) … and so on.
How do we keep up?
FoxGuard utilizes multiple informational sources to stay current on regulatory requirements around the globe. We also work closely with our suppliers to keep our documentation database current. Regulatory Bulletins alert suppliers and manufacturers of upcoming changes, precipitating dialogues that help us all to be as well-informed and prepared as possible. Timely document requests are sent out, and newly received certificates are reviewed before being uploaded to the database.
Now that summer is upon us, feel free to don the shorts, and flip flops … but keep an eye on the forecast, and don’t leave home without a sweater and umbrella!
Welcome back to Compliance 101! Previous articles of this series dealt with the various regulatory requirements for Information Technology Equipment (ITE) in the United States and the European Union. This article will focus on the regulatory changes that have and will continue to occur in 2015 and those which will come into force in 2016.
What’s happening in 2015?
A number of regulatory changes pertaining to IT equipment have taken place so far in 2015, including (but not necessarily limited to) the following:
Looking Ahead to 2016
Among other changes scheduled for 2016, next year marks the end of transitional periods for a number of regulations, including (but not necessarily limited to):
How is FoxGuard preparing for all of these changes?
To keep up with the ever-changing world of regulatory compliance, FoxGuard Solutions conducts regular reviews of regional requirements and takes action as soon as any change is noted. Communication with regulatory agencies and other experts in the field is frequent, as we attempt to gather as much information as possible. Planning and preparation are made not only to ensure compliance of our own products but also of the components we purchase from other suppliers and manufacturers, so our customers’ shipments can be made in a timely and fully compliant manner. Despite the many “gray” areas of technical regulations and the limited availability of information, the FoxGuard Solutions Regulatory Compliance Team scrutinizes every obstacle that arises and takes action to prevent recurrence of any delay experienced. Thank you for joining us again for Compliance 101. If you have any questions concerning regulatory compliance as it pertains to your FoxGuard orders, please don’t hesitate to contact us.
Welcome back to Compliance 101! The previous article of this series dealt with the various regulatory requirements for Information Technology Equipment (ITE) in the United States. Today, we will look at regulations for ITE in the European Union.
The European Union utilizes Harmonised Standards, which are developed, upon request from the European Commission, by a recognized European Standards Organization (ESO); the current ESOs are CEN, CENELEC, and ETSI. The underlying legislation (Directives and Regulations) is adopted by the European Parliament and the Council of the European Union and published in the Official Journal of the European Union, and it generally enters into force on the twentieth day after publication; references to the Harmonised Standards that give a presumption of conformity with that legislation are then also published in the Official Journal. Areas of standardization for ITE include electromagnetic compatibility (EMC), low voltage, radio and telecommunication terminal equipment, equipment for explosive atmospheres (ATEX), and restriction of the use of certain hazardous substances (RoHS). Other areas of standardization that are applicable to ITE are electronic waste and recycling, energy efficiency, and the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH). Below are summaries of just a few of these areas.
Electromagnetic Compatibility (EMC), Low Voltage (LV), and Telecom (RED)
On March 29, 2014, the new Directives for EMC and Low Voltage were published in the Official Journal of the European Union (the new Radio Equipment Directive, RED, followed in May 2014); the previous Directives remain in force only for the remainder of the transition period. Changes from the previous Directives are mainly administrative, dealing with areas such as the responsibilities of the various parties in the supply chain, details of the CE marking and Declaration of Conformity, and the multi-lingual nature of documents. The directive recast was undertaken to align with the European Union New Legislative Framework (NLF). The NLF was adopted in 2008 to enhance traceability within the supply chain and the credibility of the CE mark, as well as to improve market surveillance. The R&TTE Directive will no longer exist when 1999/5/EC expires: RED covers the Radio Equipment portion of R&TTE, and Telecom Terminal Equipment is addressed in other Directives.
RoHS (Restriction of Hazardous Substances)
Directive 2011/65/EU prohibits placing on the EU market EEE (electrical and electronic equipment) that contains more than the regulated levels of six restricted substances:
The purpose of RoHS is to reduce the amount of toxic waste produced by electronics being discarded post-use. The restrictions apply to each homogeneous material within a finished product (each material that cannot be mechanically separated into different materials), not to the product as a whole. Compliance with the RoHS Directive must be included on the CE Declaration of Conformity for products being placed on the EU market. If no other CE Directives apply to a product, a CE Declaration of Conformity stating compliance with 2011/65/EU must still be produced, and the CE mark must be displayed on the product. The product manufacturer must also keep a technical file on the product that includes test data, to demonstrate conformity.
WEEE (Waste Electrical and Electronic Equipment)
As the EEE market continues to grow, and innovation cycles become even shorter, EEE has become one of the fastest-growing waste streams, and the potentially hazardous components in that waste stream have become a major concern. Directive 2012/19/EU (WEEE) addresses this concern by implementing measures for the monitoring, collection, re-use and recycling of such waste. Provisions of the WEEE Directive impact producers, distributors, and Approved Treatment Facilities (ATFs), and deal with areas such as:
- Registration, information, and reporting
- Design and production to facilitate re-use, dismantling, and recovery of WEEE materials
- Marking of EEE – All EEE placed on the market after April 1, 2007, must be marked with information to assist with the separate collection when it is discarded as waste.
- Separate collection and transportation to ensure specific treatment and recycling of WEEE
The European Union first introduced its Battery Directive in 1991, to minimize the negative impact of batteries and accumulators to the environment. The Directive prohibits the marketing of batteries containing more than the permitted levels of hazardous substances, such as mercury and cadmium. The latest amendment (Directive 2013/56/EU) deals further with content restrictions, as well as labelling and removal of batteries at the end of life for separate recycling, and registration (similar to WEEE). For complete information on these and other European Union directives pertaining to Electrical and Electronic Equipment, please visit the EU Harmonised Standards website. We thank you for joining us again for Compliance 101. If you have any questions concerning regulatory compliance as it pertains to your FoxGuard orders, please feel free to contact us.
Can It Be Built vs. Should It Be Built
Many established businesses spend several months building and perfecting new products in their pipeline without ever showing the product or an early prototype to prospective customers. When the products are eventually launched, they fail to attract interest from the market. Upon post-mortem (pun intended), it is often discovered that market feedback was never incorporated while developing the product. Lean start-ups, on the other hand, do not invest the majority of their scarce resources in building the final product. Instead, they develop an early prototype with basic features and attributes. This prototype, popularly referred to as a minimum viable product (MVP), is presented to prospects and early adopters to garner feedback. Based on the market feedback, they refine the prototype, launch an improved version of the MVP, and repeat the feedback process until the product closely meets the customer requirements. By using this build-measure-learn process and leveraging the resulting validated learning, the lean start-up uncovers the true market need and efficiently utilizes its scarce resources to build products that customers really want.
You Can’t Predict The Future
Most businesses operate in an ever-changing environment. Thus, investing time and effort on formulating detailed business plans with uncontrollable assumptions would not be the most efficient use of company resources. Unless building a spaceship to transport critical payload, established businesses should take a cue from lean start-ups who do not rely on a step-by-step plan. Instead, they formulate a milestone-based plan and adopt hypothesis-driven experimentation and validated learnings for course correction until they reach those business milestones.
Don’t Collect Data For The Sake Of Collecting Data
We have all been guilty of this one: spending hours gathering data from multiple sources and creating reports to share with our team, simply because that is what everyone else does. However, if the data does not accurately reflect the key performance indicators (KPIs) of the business, the resulting intelligence may be meaningless and a waste of company resources. For example, analyzing total impressions of company social media profiles may not be as critical as analyzing the number of product demonstrations performed by sales associates against actual sales.
Step Outside The Cube – Talk To Your Customers
Even after investing resources for data collection, analysis, and jaw-dropping dashboards – you still need to meet with customers to understand them and their pain points. Following up on customer complaints can not only reduce attrition rates but can also be a source for product and process improvement. For example, your customers may share insights about new ways of using the product that the engineers may have overlooked. No matter how large or successful your company may be, it exists because of your customers.
Lean Management At FoxGuard Solutions
At FoxGuard, one of our core beliefs is creating value. In our daily operations, we minimize waste and create value by adopting many of the lean management practices. Our R&D teams take pride in rapid prototyping and iterative development to create products that meet customer requirements. The Marketing team focuses its efforts on meaningful metrics, and our Customer Support team proactively asks our customers for suggestions and feedback.
Many books have been written, and many best practices professed, about value-creating and waste-eliminating lean management techniques that can be deployed at the organization, department, and even product level. My thoughts in this article were influenced by the production philosophy pioneered by Taiichi Ohno, considered the father of Toyota’s lean production system; Eric Ries, consultant and author of The Lean Startup; and James Womack, management expert and co-author of Lean Thinking.