Archive for the ‘Security and Compliance’ category

Cybercrime – more than 50% of companies were phished in 2019

January 25th, 2020

According to a new report by Proofpoint, more than half of organisations were successfully phished for valuable intel at least once last year. The report states that almost nine in ten organisations worldwide (88 per cent) reported a spear-phishing attempt, while 86 per cent reported BEC (Business Email Compromise) attacks.

The same percentage reported being attacked through social media, and 84 per cent were targeted through text and SMS messages.

There were also notable voice phishing and USB attacks.

More than nine million suspicious emails were reported in 2019 – 67 per cent more compared to 2018.

Ask us about a full protection suite that has never been breached.

Operating system: Windows
Stand out features: Cloud-based scanning, secure shopping, game mode, 24/7 tech support, Firewall included, Realtime protection, expansive feature set.

A solution suited to an expert user: once this program is installed, it is very effective at virus detection, and it then keeps detected threats totally isolated with a feature called Auto Sandbox Technology.

The cloud-based antivirus scanning detects the latest viruses from across the internet, and does not rely only on local virus signatures being up to date.

End of support deadlines – Microsoft

January 15th, 2020

Businesses running Microsoft’s business software are facing all sorts of end-of-support deadlines at the start of 2020.

Major premises-installed business products are falling out of “extended support” this year, which means they’ll no longer get patches, including security updates, from Microsoft. It’s considered potentially risky to continue to use such “unsupported software” after their end-of-support milestones.

IT pros may have already reacted to address many of these milestones, but some workloads remain as problems to address.
Deadlines are imminent this month for organizations using Windows 7 and Windows Server 2008, but other important milestones loom as well.
Windows 7 client and server deadlines – Jan. 14, 2020 is the end-of-support date for Windows 7. That support deadline also applies to Windows Server 2008/R2, Dynamics CRM 2015, Dynamics GP 2015 R2, Dynamics NAV 2015 and Dynamics SL 2015.
Later this year, Office 2016 and Outlook 2016 versions will also go out of support.

SnapLogic iPaaS in the news

January 14th, 2020

SnapLogic is a low-code integration platform that is particularly suited to hybrid integrations between cloud and on-premise software, e.g. for BI, CPM, ecommerce or EDI. Several interesting recent news posts:

• Information Age – Should you consider adopting a cloud data warehouse? Craig discusses data lake and data warehouse considerations with Information Age – https://www.information-age.com/should-you-consider-adopting-cloud-data-warehouse-123486561/ In the modern world of data lakes, CDOs and CIOs will face three major challenges: how to migrate their users, how to live with a hybrid infrastructure for a while and how to future-proof their data platform

• IT Brief Australia – How AI bias is holding back adoption – https://itbrief.com.au/story/snaplogic-how-ai-bias-is-holding-back-adoption Brad writes about combating AI bias to retain public trust and ensure AI initiatives advance responsibly.

• Digitalisation World – The Cost of Legacy Technology – https://digitalisationworld.com/blogs/55941/the-cost-of-legacy-technology Neerav explains the risks, and growing costs, of sticking with outdated legacy technologies. In recent times, lack of innovation and adoption of new technology has proven to be the downfall of some well-known high street names – for example, Thomas Cook has littered the headlines following its collapse. In an era when anyone can book their travel, accommodation and holiday entertainment from the comfort of their own home, travel companies can seriously damage themselves by ignoring this reality, failing to innovate and relying on legacy systems.

Businesses need to know the full extent to which using antiquated tech can cost them money and cause them damage.

Teams is coming to Office 365 ProPlus and Office 365 Business

January 11th, 2020

Microsoft will turn on Microsoft Teams for Office 365 ProPlus or Office 365 Business tenancies that follow the semiannual channel update model starting on Jan. 14, 2020, unless it is blocked beforehand by IT pros. The “semiannual channel” refers to Microsoft’s biannual update model, where feature updates typically arrive in the spring and fall. Teams will get delivered to organizations using version 1908 or later of Office 365 ProPlus, Microsoft explained, so the version of the product matters. The Teams update process is different from the update process of other Office apps such as Excel or Word.

Organizations using Office 365 ProPlus or Office 365 Business also have an option to follow a monthly feature update model. Those subscribers already may have received Teams months ago, as Microsoft had kicked off Teams for subscribers using version 1906 of those productivity-suite products back on July 9.
Microsoft’s original plans to deliver Teams to Office 365 ProPlus and Office 365 Business subscribers were described back in June. At that time, Microsoft had explained that it was delivering Teams to Office 365 Business users even though they don’t have the use rights for Teams. The version of Teams that Office 365 Business users get is a free one-year trial version, called the “Microsoft Teams Commercial Cloud Trial.” Teams gets delivered to Office 365 Business users even if they did not request the trial. Blocking the arrival of Teams for these Office 365 products requires Group Policy settings or the Office Deployment Tool.

After Teams arrives, it will start getting feature and quality updates, which will arrive “approximately every two weeks.”

Be prepared for Potential Iranian Cyberattacks

January 10th, 2020

The U.S. agency in charge of cybersecurity urges organizations in the United States to prepare for potential attacks from Iran in response to the American drone killing of General Qassim Suleimani.

The Cybersecurity and Infrastructure Security Agency (CISA) issued its warning, “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad,” on Monday afternoon. CISA is a federal agency created in 2018 to coordinate with other government entities and the private sector on cybersecurity and critical infrastructure protection.

The drone attack on Suleimani as he was visiting Baghdad last week is widely expected to prompt counterattacks of some sort from Iran, with Iranian leaders vowing as much in recent days. One of the most rapid ways that Iran can respond is through attacks on the computer systems of U.S. businesses and government agencies. However, proxy attacks on perceived U.S. allies, or on major U.S. technology firms, also have to be considered.

A key feature in your defence is the way your anti-malware software handles unknown files. All ransomware/malware starts as an unknown file. Older protection software uses a detect-and-remediate approach to stop it: in effect a default ‘allow’ policy, because it lets unknown files onto the system and then tries to stop the effect. This is a problem because hackers write new malicious code every single day, while such products rely on signature-based detection methods.

We offer a solution with a default ‘deny’ approach. Our auto-containment feature is a patented, one-of-a-kind technology that renders malware useless, and to date the platform and its auto-containment have had 0 breaches.

With growing, ever more sophisticated and expensive attacks, and increasingly stringent legislation such as GDPR with its swingeing data breach penalties, the risks of international conflict conducted through cybercrime have gone up another notch.

If you need to boost your defences, then contact us on 0097143365589.

Facebook can track you when you opt out.

December 19th, 2019

In a letter to US senators dated December 12 and released on Tuesday, Facebook explained how it is able to estimate users’ locations, which it uses to target ads, even when they have chosen to reject location tracking through their smartphone’s operating system. The letter was widely shared on social media on Tuesday.
The Facebook social network, which was responding to a request for information from two senators, contended that knowing a user’s whereabouts has benefits ranging from showing ads for nearby shops to fighting hackers and battling misinformation. Facebook said that clues for figuring out a user’s location include being tagged in a photo at a specific place, or a check-in at a location such as a restaurant during a dinner with friends. People may share an address for purchases in a shopping section on Facebook, or simply include it in their profile information.

Along with location information shared in posts by users, devices connecting to the internet are given IP addresses, from which a user’s whereabouts can be noted. Those addresses indicate locations, albeit imprecisely when it comes to mobile devices connecting through telecom services, which might only reveal a town or city. Facebook said that knowing a user’s general location helps it and other internet firms to protect accounts by detecting suspicious login behaviour, such as a login from South America when the user lives in Europe. IP addresses also help companies such as Facebook battle misinformation by showing the general origin of potentially nefarious activity, such as a stream of politically oriented posts aimed at a particular country.

The California Consumer Privacy Act (CCPA) will give internet users the right to see what data big tech companies collect and with whom it is shared.

At the end of October, on a Tuesday, Australia’s consumer watchdog sued Google, alleging that the technology giant broke consumer law by misleading Android users about how their location data was collected and used. The Australian Competition and Consumer Commission accused Google of collecting information on users’ whereabouts even after they had switched off the location setting.

An Associated Press investigation last year revealed that several Google apps and websites stored user location even if the user had turned off the Location History setting. To stop Google from saving these location markers, users had to turn off another setting, Web and App Activity. That setting, enabled by default, does not specifically reference location information. Google later clarified in a help page how Location History works, but it didn’t change the location-tracking practice.

Huge tech companies are under increasing scrutiny over their data practices, following a series of privacy scandals at Facebook and new data-privacy rules in Europe. Critics say Google’s insistence on tracking its users’ locations stems from its drive to boost advertising revenue. It can charge advertisers more if they want to narrow ad delivery to people who’ve visited certain locations. The Australian commission began proceedings in the Federal Court of Australia alleging Google breached the law through a series of on-screen representations made as users set up Google accounts on their Android phones and tablets.

The AP investigation found that even with Location History turned off, Google stores user location when, for instance, the Google Maps app is opened, or when users conduct Google searches that aren’t related to location. Automated searches of the local weather on some Android phones also store the phone’s whereabouts.

Earlier, the business news site Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were off. Google changed the practice and insisted it never recorded the data anyway.

RYUK nasty and expensive ransomware

December 17th, 2019

The Ryuk ransomware is a data encryption Trojan that was first identified on August 13th, 2018. The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. Threat actors were reported to be infecting organizations in the USA and Germany. Initial analysis suggests the threat was injected into systems through compromised RDP accounts, but it is possible that there is a parallel spam campaign that carries the threat payload as macro-enabled DOCX and PDF files.

Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, in which the attackers demanded even greater ransoms. The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as to delete shadow copies on the endpoint. By carrying out these actions, the attackers could disable the Windows System Restore option, making it impossible for users to recover from the attack without external backups. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hope of large payoffs. A recent flash update from the FBI revealed that over 100 organizations around the world have been beset by Ryuk.

The origins of Ryuk ransomware can be attributed to two criminal entities: Wizard Spider and CryptoTech. The former is the well-known Russian cybercriminal group and operator of TrickBot; the latter is a Russian-speaking organization found selling Hermes 2.1 two months before the $58.5 million cyber heist that victimized the Far Eastern International Bank (FEIB) in Taiwan.

Unlike other ransomware, Ryuk is distributed by common botnets, such as Trickbot and Emotet, which have been widely used as banking trojans.
Analysis
The Ryuk dropper contains both 32-bit and 64-bit payloads. The dropper checks whether it is being executed on a 32-bit or 64-bit OS by using the IsWow64Process API. It also checks the version of the operating system. Next, it executes the payload using the ShellExecuteW API.

Persistence mechanism
Ryuk adds the following registry key so that it executes at every login. It creates the key with the command below:
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\{random-5 char}.exe" /f

Process injection
Ryuk injects its main code into several remote processes. Ryuk enumerates running processes by calling the CreateToolhelp32Snapshot API and injects its code into all of them except those named explorer.exe, lsaas.exe and csrss.exe, and those running under the NT AUTHORITY account.
Ryuk ransomware terminates processes and stops services contained on a predefined list. These processes and services are mostly antivirus tools, databases, backups, and other software. The screenshot below shows the list of services stopped by Ryuk. Ryuk also deletes shadow copies and other backup storage files by using a .BAT file so that the infected system can’t restore data. Below is the list of commands used by Ryuk to perform these deletions.
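The persistence command quoted above and the shadow-copy deletion described in this section are both visible in process-creation telemetry, which is where a defender would look for them. The script below is an added example, not code from the original post or from any vendor: it runs two detection rules over a handful of constructed, pipe-delimited process-creation records (timestamp, image, user, command line). The record layout is an assumption made for the example, the file name AbCdE.exe stands in for the random 5-character name the post mentions, and, because the post does not list Ryuk's deletion commands, the vssadmin and wmic forms matched by the second rule are the commonly documented ones rather than something taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records: timestamp|image|user|command line.
# Record 2 reproduces the REG ADD command quoted in the post with a made-up
# 5-character file name; record 3 is a shadow-copy deletion; records 1 and 4
# are benign (record 4 is a Run-key entry whose payload is NOT under Public).
SAMPLE_LOG = r"""2019-12-17T10:01:02Z|C:\Windows\System32\svchost.exe|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe -k netsvcs
2019-12-17T10:05:44Z|C:\Windows\System32\cmd.exe|CORP\jsmith|"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\AbCdE.exe" /f
2019-12-17T10:05:51Z|C:\Windows\System32\vssadmin.exe|CORP\jsmith|vssadmin.exe Delete Shadows /all /quiet
2019-12-17T10:06:03Z|C:\Windows\System32\reg.exe|CORP\jsmith|reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f
"""

# Rule 1: REG ADD against the HKCU Run key whose /d payload lives under
# C:\Users\Public, the pattern the post quotes. In the regex, "\\" is one
# literal backslash; the key may be written as HKEY_CURRENT_USER or HKCU.
RUN_KEY_PUBLIC_PAYLOAD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?hk(?:ey_current_user|cu)\\software\\microsoft\\windows\\currentversion\\run"?'
    r'.*/d\s+"?c:\\users\\public\\',
    re.IGNORECASE,
)

# Rule 2: shadow-copy deletion. The command forms are an assumption of this
# example (the post says Ryuk uses a .BAT file but does not list its contents).
SHADOW_COPY_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)

RULES = (
    ("ryuk_run_key_public_payload", RUN_KEY_PUBLIC_PAYLOAD),
    ("shadow_copy_deletion", SHADOW_COPY_DELETE),
)


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    user: str
    command_line: str


def parse_record(line):
    """Split one record into (timestamp, image, user, command line).
    maxsplit=3 keeps any '|' inside the command line intact."""
    ts, image, user, cmd = line.split("|", 3)
    return ts, image, user, cmd


def scan(log_text):
    """Run every rule over the command line of every record; return findings in log order."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        _ts, _image, user, cmd = parse_record(raw)
        for rule, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(rule, line_no, user, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.user}): {f.command_line}")
```

The first rule is deliberately narrow (Run key plus a payload under C:\Users\Public) so that ordinary software registering itself in HKCU\...\Run, as record 4 does, is not flagged; the second rule fires on the command regardless of who ran it, because legitimate shadow-copy deletion by a non-backup account is rare enough to be worth a look.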

Encryption and similarity with Hermes ransomware
Ryuk uses a combination of RSA (asymmetric) and AES (symmetric) encryption to encrypt files. Ryuk embeds an RSA key pair in which the RSA private key is already encrypted with a global RSA public key. The sample generates an AES-256 key for each file and encrypts that file with its AES key. The AES key is then encrypted with the embedded public key and appended to the end of the encrypted file. If all the samples contained the same RSA key pair, then after getting access to one private key it would be easy to decrypt all of the files; but Ryuk contains a different RSA key pair for every sample. Some samples append the “.RYK” extension and some don’t append any extension after encrypting the files.
Ryuk has a common feature with Hermes ransomware. During encryption, Ryuk adds a marker in the encrypted file using the keyword “HERMES”.
Ryuk checks for the HERMES marker before encrypting any file to know if it has been already encrypted.

Ryuk encrypts files on every drive and network share reachable from the infected system. It has whitelisted a few folders, including “Windows, Mozilla, Chrome, Recycle Bin, and Ahnlab”, so it won’t encrypt files inside these folders. Ryuk drops its ransom note, named RyukReadMe.txt, in every directory. Ryuk asks for the ransom in bitcoin, providing the bitcoin address in the ransom note. Ryuk contains different templates for the ransom note. After completing the encryption, Ryuk creates two files: one is “Public” and contains an RSA public key, while the second is “UNIQUE_ID_DO_NOT_REMOVE” and contains a unique hardcoded key.

Malwarebytes Labs director Adam Kujawa said that, while instances of consumer ransomware infections are down 25 per cent over the last year, attacks on businesses are skyrocketing, up a whopping 235 per cent over the same period. Overall, the numbers would suggest that ransomware has fallen: after peaking at more than 5.7 million total detections in August 2018, just over 3 million attacks by lockup malware were detected in June 2019. This is not because criminals are losing interest in using ransomware. Rather, they are getting a much better return from fewer attempts on higher-value targets: namely, enterprises.

Prior to running any ransomware decryptor – whether it was supplied by a bad actor or by a security company – be sure to back up the encrypted data first. Should the tool not work as expected, you will be able to try again. Ryuk is a particularly horrible software nasty. It works by finding and encrypting network drives as well as wiping Windows volume snapshots, to prevent the use of Windows System Restore points as an easy recovery method.

Whatever the size of your company and whatever industry you’re in, we recommend you follow these best practices to minimize your risk of falling victim to a ransomware attack:
• Educate your users. Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can.
• Protect access rights. Give user accounts and administrators only the access rights they need and nothing more.
• Make regular backups – and keep them offsite where attackers can’t find them. They could be your last line of defense against a six-figure ransom demand.
• Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
• Lock down your RDP. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
• Ensure tamper protection is enabled. Ryuk and other ransomware attempt to disable your endpoint protection. Tamper protection is designed to prevent this from happening.
• Educate your team on phishing. Phishing is one of the main delivery mechanisms for ransomware.
• Use anti-ransomware protection.

Forrester sees SnapLogic as strategic for enterprise integration – hybrid, cloud and on-premise

December 14th, 2019

SnapLogic iPaaS provides integration in continuously evolving data environments.

According to Forrester, “The strategic iPaaS/HIP market is growing because more EA professionals see strategic iPaaS/HIP as a key element of their digital transformation agility.” Forrester adds that “vendors that can make integration easier as well as provide a broad set of integration scenarios position themselves to successfully deliver in any public, private, hybrid, and/or multicloud environment.”

In the report, SnapLogic has received the highest score possible in the “market approach” criterion.

SnapLogic’s intelligent integration platform uses AI-powered workflows to automate all stages of IT integration projects – design, development, deployment, and maintenance – whether on-premises, in the cloud, or in hybrid environments.

The platform’s easy-to-use, self-service interface enables both expert and citizen integrators to manage all application integration, data integration, and data engineering projects on a single, scalable platform.

With SnapLogic, you can connect all of your enterprise systems quickly and easily to automate business processes, accelerate analytics, and drive transformation.

For more details on why, ask SnapLogic partner Synergy Software Systems: 009714 3365589

Malware, Deepfakes, Snatch… the threats keep coming

December 12th, 2019

Over the last decade, malware exploded from a casual, semi-amateur landscape into highly organised criminal operations capable of generating hundreds of millions of US dollars per year. Malware strains like Necurs, Andromeda, Kelihos, Mirai, or ZeroAccess have made a name for themselves after infecting millions of devices across the globe.

The next couple of years will bring a new range of threats that will take tech security far beyond its traditional boundaries and will require a whole new set of skills and alliances. One example: tech analyst Forrester predicts that deepfakes could end up costing businesses a lot of money next year: as much as $250m.

There’s the risk to your share price if someone creates a deepfake of your CEO apparently resigning from the company. Alternatively, a convincing deepfake of a celebrity well known for using your products seemingly being rude about your brand could easily hurt sales if it spreads widely. But there’s also the risk that deepfakes could be added to the toolkits used by phishing gangs. There have already been a few cases of crooks using AI tools to fake the voices of CEOs to trick workers into transferring money to their accounts. The next step would be to create a convincing video of an executive asking for an emergency funds transfer.

If employees are regularly tricked into handing money over to fraudsters on the strength of a bogus email (and they still are), imagine how easy it would be to be fooled by a deepfaked video chat with the CEO instead?

The Internet of Things will greatly increase the number of devices and applications that security teams have to protect. That is hard for teams that are used to protecting just PCs and servers, which now have to worry about everything from smart air-conditioning units or vending machines in the canteen, right through to power plants and industrial machinery.

A new threat has arisen with Snatch ransomware, which uses a new trick to bypass antivirus software and encrypt victims’ files without being detected: it relies on rebooting an infected computer into Safe Mode and running the ransomware’s file encryption process there. The reason is that most antivirus software does not start in Windows Safe Mode, a Windows state that is meant for debugging and recovering a corrupt operating system. Snatch uses a Windows registry key to schedule a Windows service to start in Safe Mode. This service will run the ransomware in Safe Mode without the risk of being detected by antivirus software and having its encryption process stopped. Snatch sets itself up as a service that will run even during a Safe Mode reboot, then reboots the box into Safe Mode. This effectively neuters the active protection of most endpoint security tools. Devious! And evil.

The Safe Mode trick was discovered by the incident response team at Sophos Labs, who were called in to investigate a ransomware infection in the past few weeks. Its research team says this is a big deal, and a trick that could be rapidly adopted by other ransomware.

Snatch never targeted home users and was not spread by mass-distribution methods like email spam campaigns or browser-based exploit kits, which get a lot of attention from cyber-security firms. Snatch targets a small list of carefully selected companies and public or government organizations. This type of targeting and methodology is known in the cyber-security field as “big-game hunting” and is a strategy that has been widely adopted by multiple ransomware operators.
The idea behind big-game hunting is that instead of going after the small ransom fees malware authors can extract from home users, crooks go after large corporations and government organizations, from where they can ask for ransom fees that are hundreds of thousands of times bigger.
Ransomware like Ryuk, SamSam, Matrix, BitPaymer, and LockerGoga are big-game hunters.

The group buys its way into a company’s network. Researchers tracked down ads the Snatch team has posted on hacking forums to recruit partners for their scheme. According to a translation of the ad, the Snatch team was “looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies.” The Snatch team will buy access to a hacked network, or work with another hacker to breach a desired company. Once in, they rarely install the ransomware and encrypt files right away. Instead, the Snatch team bides its time and slowly escalates access to internal domain controllers, from where they spread to as many computers on the internal network as possible. To do this, the Snatch crew use legitimate sysadmin tools and penetration testing toolkits to get the job done, tools such as Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool, and PsExec. Since these are common tools, most antivirus products fail to raise any alarms.

Once the Snatch gang has all the access they need, they add the registry key and Windows service that starts Snatch in Safe Mode on all infected hosts, and force a reboot of all workstations: a reboot that begins the file encryption process. Unlike most ransomware gangs, who are primarily focused on encrypting files and asking for ransoms, the Snatch crew also engages in data theft. This makes Snatch unique and highly dangerous, as companies also stand to lose from their data being sold or leaked online at a later date, even if they pay the ransom fee and decrypt their files. This type of behaviour makes Snatch one of today’s most dangerous ransomware strains.
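The Safe Mode technique described above leaves a concrete artefact: Windows keeps the list of services and drivers permitted to start in Safe Mode as subkeys of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and \Network), so a service that appears there but not in a known-good baseline is worth investigating. The script below is an added example, not code from the original post or from Sophos: it parses the output of a `reg query` against that key and diffs it against a baseline. Both the query output and the baseline are constructed and trimmed for the example, and SuperBackupSvc is a hypothetical rogue entry; a real baseline should be exported from a clean reference build.

```python
SAFEBOOT_MINIMAL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"
SAFEBOOT_NETWORK = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network"

# Constructed output of:  reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
# (reg query without /s lists the key itself, then one line per immediate subkey).
# The entry names are trimmed for the example; SuperBackupSvc is hypothetical.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupSvc
"""

# Constructed baseline: what the same query returned on a clean reference machine.
BASELINE_MINIMAL = {"AppInfo", "Base", "Boot Bus Extender", "EventLog", "RpcSs", "vga.sys"}


def parse_reg_query(output, key=SAFEBOOT_MINIMAL):
    """Return the immediate subkey names listed under `key` in reg query output.
    Matching is case-insensitive because the registry is; the key line itself
    (no trailing backslash) is skipped."""
    prefix = key.lower() + "\\"
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(prefix):
            names.add(line[len(prefix):])
    return names


def unexpected_safeboot_entries(output, baseline, key=SAFEBOOT_MINIMAL):
    """Entries present on the audited host that the baseline does not know about."""
    return sorted(parse_reg_query(output, key) - set(baseline))


def missing_safeboot_entries(output, baseline, key=SAFEBOOT_MINIMAL):
    """Baseline entries the host lacks (a removed entry can also be a sign of tampering)."""
    return sorted(set(baseline) - parse_reg_query(output, key))


if __name__ == "__main__":
    # On a real host, feed in the captured text of:
    #   reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    # and repeat with key=SAFEBOOT_NETWORK against a Network baseline.
    for name in unexpected_safeboot_entries(SAMPLE_REG_QUERY, BASELINE_MINIMAL):
        print(f"not in baseline: {name}")
```

Because the check is a plain set difference against a baseline, it does not need to know what a legitimate entry looks like, which is the point: the post notes that security products generally do not register themselves here, so the list on a workstation should be short and stable, and any new service name is the kind of change a Safe Mode reboot attack would have to introduce.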

Combing a company’s internal network for files to steal takes time, and that is one reason why Snatch has not claimed as many victims as other “big game hunting” strains and gangs. The number of Snatch victims is very small. The only publicly known case of a Snatch ransomware infection is SmarterASP.NET, a web hosting company that boasted around 440,000 customers.

Secure ports and services that are exposed to the internet with either strong passwords or multi-factor authentication. Snatch may also try, for example, VNC, TeamViewer or SQL injection, so hardening the company’s network against these entry points is also a must.

Ask us about our security solutions.

0097143365589

To encrypt or not to encrypt, that is the question?

December 12th, 2019

U.S. senators grilled Apple Inc and Facebook Inc executives over their encryption practices on Tuesday and threatened to regulate the technology unless the companies make encrypted user data accessible to law enforcement.

Democrats and Republicans presented a united front against encryption that can block access to key evidence and stymie investigations.

“You’re going to find a way to do this or we’re going to go do it for you,” said Senator Lindsey Graham. “We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.”

Facebook has been at odds with multiple governments since announcing its plan to extend end-to-end encryption across its messaging services earlier this year. The WhatsApp messaging app is already encrypted. In October, U.S. Attorney General William Barr, and law enforcement chiefs of the United Kingdom, and Australia all called on the world’s biggest social network not to proceed with its plan unless law enforcement officials are given backdoor access.

Facebook rejected that call in a letter signed by WhatsApp head Will Cathcart and Messenger head Stan Chudnovsky which it released along with the company’s written testimony. “The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes,” they wrote. “That is not something we are prepared to do.”

What will happen to your Windows 7 PCs on 15 January 2020?

December 12th, 2019

Microsoft has pushed a full-screen warning to Windows 7 users who are still running the OS after January 14. After 14 January 2020, they will get no more security updates to the operating system for free. Even though users will be able to continue to run Windows 7 after that date, they will be more susceptible to potential security problems. Microsoft delivered this new nag notification to Windows 7 users by making it part of a patch rollup. The coming notification was embedded in monthly rollup KB4530734, which Microsoft made available to Windows 7 SP1 users on December 10 as part of its Patch Tuesday set of updates.

Those who see the full-screen warning will have three options: Remind me later; Learn more; or Don’t remind me again. If users don’t click on the “Don’t remind me again” button and just dismiss the screen, they will continue to get nag warnings.

Windows Server 2008 and 2008 R2 support will end January 14, 2020 – ask Synergy Software Systems about options.

November 16th, 2019

On January 14, 2020, support for Windows Server 2008 and 2008 R2 will end. That is only 2 months away.
That means the end of regular security updates.

Don’t let your infrastructure and applications go unprotected.

We’re here to help you migrate to current versions for greater security, performance and innovation.
009714 3365589

Azure Arc in preview: manage hybrid data across cloud platforms

November 16th, 2019

Now in preview, Azure Arc helps simplify distributed enterprise environments by managing everything via Azure services (like Azure Resource Manager). Connecting hybrid infrastructure via Azure Arc improves security for users through automated patching, and provides improved governance, with everything ‘under one roof’. Azure Arc is a tool that lets organizations manage their data on the Microsoft Azure cloud, Amazon Web Services (AWS), Google Cloud Platform, or any combination of these.

Microsoft says that deployments can be set up “in seconds” via Azure data services anywhere, a feature of Azure Arc.

Azure Arc also supports Kubernetes clusters and edge infrastructures, as well as on-premises Windows and Linux servers.
There is no final release date yet, but there is a free preview of Azure Arc.


Microcode BIOS Updates coming from a Microsoft Update

November 13th, 2019

Intel microcode updates are coming from Microsoft Update or the Windows Update Catalog.
The security implications, and why you should update the microcode on your processors, are covered in these links:

https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

https://www.amd.com/en/corporate/product-security

Microsoft is collaborating with Intel and AMD on these microcode updates.

When processors are manufactured, they have a baseline microcode baked into their ROM. This microcode is immutable and cannot be changed after the processor is built. Modern processors have the ability, at initialization, to apply volatile updates that move the processor to a newer microcode level. However, as soon as the processor is rebooted, it reverts to the microcode baked into its ROM. These volatile updates can be applied to the processor in one of two ways: by the system firmware/BIOS via the OEM, or by the operating system (OS). Neither updates the microcode in the processor’s ROM. If you were to remove the processor from one computer and install it in a computer with an older system firmware/BIOS and an un-updated OS, then you would again be vulnerable.

Windows offers the broadest coverage and quickest turnaround time to address these vulnerabilities. Microcode updates delivered via the Windows OS are not new; as far back as 2007 some updates were made available to address performance and reliability concerns.

You could just take the OEM System Firmware/BIOS updates, but often Microsoft Update has the microcode updates to address issues much sooner.

When the processor boots, it has versioning to make sure it is utilizing the latest microcode update regardless of where it came from. Installing both the System Firmware/BIOS updates and the microcode updates from Microsoft Update is therefore fine. It is possible that the OEM firmware updates the microcode to one level and the OS then updates the microcode to an even higher level during the same boot.

Microcode updates install like any other update. They can be installed from Microsoft Update, WSUS, SCCM or manually installed if downloaded from the Catalog. The key difference is that the payload of the hotfix is primarily one of two files:

mcupdate_GenuineIntel.dll – Intel
mcupdate_AuthenticAMD.dll – AMD

These files contain the updated microcode, and Windows automatically loads them via the OS Loader to patch the microcode on the bootstrap processor. This payload is then passed to the additional processors as they start up, as well as to the Hyper-V hypervisor if it is enabled.
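As an added example (not from the original post or from Microsoft), the PowerShell below reports which microcode revision the bootstrap processor is actually running and whether the OS loader raised it above the level the firmware had applied, using the versioning behaviour described above. It assumes the registry values the Windows OS loader writes under CentralProcessor\0 and the two payload file names listed above; the DWORD layout of the revision values is an assumption and is noted in the code.

```powershell
# Added example: check the running microcode revision against the firmware level.
# Assumes Windows 10 / Server 2016 or later; run from an elevated PowerShell prompt.
function Get-MicrocodeStatus {
    $cpuKey = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $cpu = Get-ItemProperty -Path $cpuKey

    # 'Update Revision' = revision after the OS loader ran; 'Previous Update
    # Revision' = what the firmware/BIOS had already applied. Both are 8-byte
    # REG_BINARY values; the revision normally sits in the upper DWORD
    # (assumption: fall back to the lower DWORD when the upper one is zero).
    $toRevision = {
        param([byte[]] $bytes)
        if (-not $bytes -or $bytes.Length -lt 8) { return 0 }
        $hi = [BitConverter]::ToUInt32($bytes, 4)
        if ($hi -ne 0) { $hi } else { [BitConverter]::ToUInt32($bytes, 0) }
    }
    $current  = & $toRevision $cpu.'Update Revision'
    $previous = & $toRevision $cpu.'Previous Update Revision'

    # The vendor string selects which payload file Windows loads at boot.
    $dllName = switch ($cpu.VendorIdentifier) {
        'GenuineIntel' { 'mcupdate_GenuineIntel.dll' }
        'AuthenticAMD' { 'mcupdate_AuthenticAMD.dll' }
        default        { $null }
    }
    $dllPath = if ($dllName) { Join-Path $env:SystemRoot "System32\$dllName" }
    $dllVersion = if ($dllPath -and (Test-Path $dllPath)) {
        (Get-Item $dllPath).VersionInfo.FileVersion
    }

    [pscustomobject]@{
        Vendor           = $cpu.VendorIdentifier
        Processor        = $cpu.ProcessorNameString
        FirmwareRevision = '0x{0:X}' -f $previous
        RunningRevision  = '0x{0:X}' -f $current
        RaisedByOsLoader = ($current -gt $previous)   # true when Windows applied a newer level
        PayloadFile      = $dllPath
        PayloadVersion   = $dllVersion
    }
}

Get-MicrocodeStatus | Format-List
```

A FirmwareRevision equal to RunningRevision with the payload file present simply means the OEM firmware was already at or above the level Microsoft ships, which the post notes is a valid outcome.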

Enhanced HA and DR benefits for SQL Server Software Assurance from 1 November.

November 5th, 2019

The enhanced benefits to SQL licensing for high availability and disaster recovery that are listed below are now applicable to all releases of SQL Server for a customer with SQL Server licenses with Software Assurance. The updated benefits will be available in the next refresh of the Microsoft Licensing Terms.

Business continuity is a key requirement for planning, designing, and implementing any business-critical system. When you bring data into the mix, business continuity becomes mandatory. It’s an insurance policy that one hopes they never have to make a claim against in the foreseeable future. SQL Server brings intelligent performance, availability, and security to Windows, Linux, and containers and can tackle any data workload from BI to AI, and from online transaction processing (OLTP) to data warehousing. You get mission-critical high availability and disaster recovery features that allow you to implement various topologies to meet your business SLAs.

A customer with SQL Server licenses with Software Assurance has historically benefited from a free passive instance of SQL Server for their high availability configurations. That helps to lower the total cost of ownership (TCO) of an application using SQL Server. Today, the existing Software Assurance benefits for SQL Server are being enhanced, which further helps customers implement a holistic business continuity plan with SQL Server.

Starting Nov 1st, every Software Assurance customer of SQL Server will be able to use three enhanced benefits for any SQL Server release that is still supported by Microsoft:
• Failover servers for high availability – Allows customers to install and run passive SQL Server instances in a separate operating system environment (OSE) or server for high availability on-premises in anticipation of a failover event. Today, Software Assurance customers have one free passive instance for either high availability or DR
• Failover servers for disaster recovery NEW – Allows customers to install and run passive SQL Server instances in a separate OSE or server on-premises for disaster recovery in anticipation of a failover event
• Failover servers for disaster recovery in Azure NEW – Allows customers to install and run passive SQL Server instances in a separate OSE or server for disaster recovery in Azure in anticipation of a failover event

With these new benefits, Software Assurance customers can implement hybrid disaster recovery plans with SQL Server using features like Always On Availability Groups without incurring additional licensing costs for the passive replicas.

A setup can use SQL Server running on an Azure Virtual Machine that utilizes 12 cores as a disaster recovery replica for an on-premises SQL Server deployment using 12 cores. In the past, you would need to license 12 cores of SQL Server for both the on-premises and the Azure Virtual Machine deployments. The new benefit extends the passive replica benefit to a replica running on an Azure Virtual Machine. Now a customer needs to license only the 12 cores of SQL Server running on-premises, as long as the disaster recovery criteria for the passive replica on the Azure Virtual Machine are met.

If the primary (active) replica uses 12 cores hosting two virtual machines, and the topology has two secondary replicas: one synchronous replica for high availability supporting automatic failover and one asynchronous replica for disaster recovery without automatic failover, then the number of SQL Server core licenses required to operate this topology will be only 12 cores, as opposed to 24 cores in the past.
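As an added example (not from the original post or from Microsoft), the PowerShell below classifies the replicas of an Always On Availability Group as active, HA-passive or DR-passive and totals the cores that still need a licence under the rule just described. It assumes the SqlServer module (Invoke-Sqlcmd) and VIEW SERVER STATE permission when run against a live primary; the server names, core counts and the treatment of readable secondaries as licensed are assumptions, and the sample rows are constructed.

```powershell
# Added example: which AG replicas still need core licences under the passive-replica benefit.
# The columns come from the documented sys.availability_replicas / sys.dm_hadr_availability_replica_states views.
$TopologyQuery = @"
SELECT ar.replica_server_name, ars.role_desc, ar.availability_mode_desc,
       ar.failover_mode_desc, ar.secondary_role_allow_connections_desc
FROM sys.availability_replicas AS ar
JOIN sys.dm_hadr_availability_replica_states AS ars ON ar.replica_id = ars.replica_id;
"@

function Get-AgLicensingSummary {
    param(
        [Parameter(Mandatory)] [object[]]  $Replicas,      # rows shaped like $TopologyQuery
        [Parameter(Mandatory)] [hashtable] $CoresByServer  # replica_server_name -> core count
    )
    # Assumption: a readable secondary serves client reads, which is outside the
    # passive operations the post lists (checks, backups, monitoring), so it is licensed.
    $rows = foreach ($r in $Replicas) {
        $class = if ($r.role_desc -eq 'PRIMARY') { 'Active (licensed)' }
                 elseif ($r.secondary_role_allow_connections_desc -ne 'NO') { 'Readable secondary (licensed)' }
                 elseif ($r.availability_mode_desc -eq 'SYNCHRONOUS_COMMIT' -and
                         $r.failover_mode_desc -eq 'AUTOMATIC') { 'HA passive (SA benefit)' }
                 else { 'DR passive (SA benefit)' }
        [pscustomobject]@{ Server = $r.replica_server_name
                           Cores  = [int]$CoresByServer[$r.replica_server_name]
                           Class  = $class }
    }
    $licensed = ($rows | Where-Object Class -like '*licensed*' | Measure-Object Cores -Sum).Sum
    [pscustomobject]@{ Replicas = $rows; LicensedCores = [int]$licensed }
}

# Constructed sample matching the post's topology: a 12-core primary, a synchronous
# HA secondary with automatic failover, and an asynchronous DR secondary in Azure.
$SampleRows = @(
    [pscustomobject]@{ replica_server_name = 'SQL-PRIMARY'; role_desc = 'PRIMARY'
        availability_mode_desc = 'SYNCHRONOUS_COMMIT'; failover_mode_desc = 'AUTOMATIC'
        secondary_role_allow_connections_desc = 'NO' }
    [pscustomobject]@{ replica_server_name = 'SQL-HA'; role_desc = 'SECONDARY'
        availability_mode_desc = 'SYNCHRONOUS_COMMIT'; failover_mode_desc = 'AUTOMATIC'
        secondary_role_allow_connections_desc = 'NO' }
    [pscustomobject]@{ replica_server_name = 'SQL-DR-AZURE'; role_desc = 'SECONDARY'
        availability_mode_desc = 'ASYNCHRONOUS_COMMIT'; failover_mode_desc = 'MANUAL'
        secondary_role_allow_connections_desc = 'NO' }
)
$CoresByServer = @{ 'SQL-PRIMARY' = 12; 'SQL-HA' = 12; 'SQL-DR-AZURE' = 12 }
$summary = Get-AgLicensingSummary -Replicas $SampleRows -CoresByServer $CoresByServer
$summary.Replicas | Format-Table
"Cores to license: $($summary.LicensedCores)"
# Live use: -Replicas (Invoke-Sqlcmd -ServerInstance 'SQL-PRIMARY' -Query $TopologyQuery)
```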

These high availability and disaster recovery benefits will be applicable to all releases of SQL Server. In addition to the high availability and disaster recovery benefits, the following operations are allowed on the passive replicas:
• Database consistency checks
• Log backups
• Full backups
• Monitoring resource usage data

SQL Server 2019 also provides a number of improvements for availability, performance, and security along with new capabilities like the integration of HDFS and Apache Spark™ with the SQL Server database engine.