All Posts By

Brenda Caseley

CCL scoops Dell Solution Provider Workforce Transformation Award 2018

By | General News

CCL’s delivery of Dell solutions has been recognised at the vendor’s annual A/NZ partner event held last week in Nouméa, New Caledonia.

The Spark-owned provider took home the solution provider workforce transformation award 2018.

CCL was the only New Zealand partner to win among the 13 categories in the regional award.

The awards recognise the ways in which partners are growing their businesses within the Dell Technologies Partner Program, unlocking limitless possibilities for their customers with innovative transformational solutions, the vendor explained.

Read the full story.

CCL-Revera appoints executive leadership team

By | General News

CEO Andrew Allan appoints leadership team to extend company’s cloud and IT services leadership.

Seven executives from the ranks of Revera and CCL pre-merger have been appointed to the executive leadership team of the now merged entity, called CCL.

Joining CEO Andrew Allan at the top table is:

  • COO – Sri Gazula, who held the same position at Revera
  • CFO – Chris Fairfield, previously Revera CFO
  • Troy Myer – Technical Director (formerly Revera General Manager Business Development)
  • Cherie Roache – Director Southern Region (formerly CCL General Manager, Southern Region)
  • Guy Inglis – Director Northern Region (formerly CCL General Manager, Northern Region)
  • Rik Rogers – Director Client Delivery (formerly CCL General Manager Managed Services)
  • Richard Hansen – Director Enterprise Sourcing (formerly CCL General Manager Strategy).

The company is currently recruiting for an executive to fill the role of Director Central Region.

“The formation of this team is a significant milestone in what is a new beginning for two established businesses,” said CEO Andrew Allan. “Now we can leverage our collective strengths to accelerate our success in cloud and IT services.”

Allan oversees more than 700 employees, in offices across Auckland, Wellington, Christchurch and Nelson, in additional to Blenheim, Dunedin, Invercargill and Queenstown.

“The merger was conceived to create a single organisation providing end-to-end IT management and cloud technology services unrivalled in New Zealand,” he said. “Work continues apace as we streamline processes, culture, and customer experience – the results of which will bubble to the surface without too much fanfare.”

Since announcing the merger late February, the company has maintained a head of steam, winning significant transformation project work for New Zealand’s primary workplace health and safety regulator WorkSafe and Children’s charity Barnados, as well was adding muscle in the public cloud arena with new accreditations from Microsoft and Amazon Web Services (AWS).

Allan said the Spark-owned entity had full license to write its own rules for success  but was remodelling aspects of its services portfolio to support Spark Group’s strategy in the cloud.

Jolie Hodson, Customer Director at Spark, said the new CCL was the best form to leverage the company’s investment in the two businesses – a move that effectively created Spark Group’s IT managed services and cloud delivery engine.

“We want to extend our position as arguably the leader of IT management and cloud technology services in the country,” she said at the time of the announcement. “Combining these two businesses delivers the seamless end-to-end services and expertise more clients demand, and ensures we put a panoptic lens to their businesses.”

Intel MDS Vulnerabilities

By | Security News

On 15 May 2019, NZ time, Intel announced a new group of vulnerabilities collectively known as “Microarchitectural Data Sampling”, which are a subset of previously disclosed speculative execution side channel vulnerabilities.

The vulnerabilities have been assigned the following four CVE’s:

•             CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (CVSSv3 = 6.5)

•             CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (CVSSv3 = 6.5)

•             CVE-2018-12127 – Microarchitectural Load Port Data Sampling (CVSSv3 = 6.5)

•             CVE-2019-11091 – Microarchitectural Data Sampling Uncacheable Memory (CVSSv3 = 3.8)

Like the previous Intel chip vulnerabilities, these utilise side channel attacks against speculative performance optimisation techniques to infer data in chip components that are meant to be protected. Attacks against these vulnerabilities could allow attackers to leak private data from internal CPU buffers and Load Ports.

Successful exploitation requires malicious code to be run on a targeted system. Intel is reporting that real-world exploits, outside of controlled conditions is complex, but there are currently demonstration videos and proof of concept code published on the Internet for at least one of the vulnerabilities.

Mitigation will typically involve updates at multiple layers, including microcode, virtualisation and operating system. In some cases, full mitigation may also require additional steps, including disabling Hyper-Threading. Refer to vendor guidance to understand cases where such decisions need to be considered.

Remediation:

CCL Polaris IaaS Platform

CCL is programmatically addressing the identified vulnerabilities at the hardware, hypervisor and management software layers. Clients are responsible for patching non-CCL managed operating systems residing on the platform. Additional information will be provided through our standard change control notifications or directly from your Customer Relationship Manager.

Public Cloud Platforms

All major public cloud providers are indicating that they have taken steps to mitigate the vulnerabilities in their environments:

All major public cloud providers are indicating that they have taken steps to mitigate the vulnerabilities in their environments:

https://support.google.com/faqs/answer/9330250

https://aws.amazon.com/security/security-bulletins/AWS-2019-004/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013

Client Dedicated Virtual Platforms, On-premise Private Cloud and On-premise Infrastructure:

For dedicated virtualisation platforms, patching may be required at the hardware microcode and operating system level in addition to the Hypervisor. Please refer to applicable vendor guidance for detailed mitigation requirements. Links for some major vendors are included below.

Recommendations:

CCL recommends that all clients assess their risk and appropriately patch systems. Standard update procedures should be appropriate for most systems. Shared environments that run untrusted code may warrant more urgent, out-of-band update procedures.

Please note that some vendors are indicating system reboots will be required for updates to be applied. Always perform thorough testing to avoid unexpected outages or performance impacts. Vendors have indicated that some performance impact should be expected.

Please contact support@concepts.co.nz or 0800 225 737, if you would like more information.

References:

Note – please hover over and validate hyperlinks prior to clicking

https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling

https://support.microsoft.com/en-nz/help/4457951/windows-guidance-to-protect-against-speculative-execution-side-channel

https://www.vmware.com/security/advisories/VMSA-2019-0008.html

https://access.redhat.com/security/vulnerabilities/mds

NZ Cert Security Warnings

By | Security News

NZ Cert has released two security advisories this week regarding security vulnerabilities that present a high risk to systems connected to the Internet.

  • The first advisory warns of known active attacks against a previously patched SharePoint vulnerability to compromise corporate websites.
  • The second details a newly patched vulnerability in Microsoft Remote Desktop Services on older operating systems (Windows 7/Server 2008 R2 and earlier). It is expected that exploits will be developed and used against this vulnerability in the near future. Microsoft has also released patches for unsupported software, including Windows XP and Server 2003.

Recommendations

CCL recommends that clients remain diligent about implementing and maintaining strong security controls and practices for all public facing systems. This includes ensuring that the entire software stack, from the OS to third party applications, is kept fully patched against known vulnerabilities.

Specifically, we recommend that security patches for the SharePoint and RDS vulnerabilities are tested and implemented as soon as possible, with priority placed on systems connected to the Internet.

If you have any concerns about potential risks to existing systems or would like to discuss ways CCL can help provide visibility to any exposed systems, please reach out to your Customer Relationship Manager or Service Delivery Manager.

References

https://www.cert.govt.nz/it-specialists/advisories/vulnerability-microsoft-rdp-services/

https://www.cert.govt.nz/it-specialists/advisories/microsoft-sharepoint-vulnerability-being-exploited/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604