How to Upgrade An Unsupported OS: An In-depth Checklist

Billions of IoT devices are transforming the capabilities of industrial control systems (ICS): delivering low cost, low power computing to achieve efficiency and automation. But the unique characteristics of these devices can also turn ICS into somewhat of a management and security headache.

As always, tools emerge to relieve these challenges – for example, take Microsoft Azure IoT Hub. It is common for IoT devices to proliferate and it makes tracking and managing IoT devices very challenging. Azure IoT Hub is a tool that helps organizations to catalog, manage and integrate large fleets of IoT devices.

Similarly, managing security patching across large IoT networks can be difficult – devices in ICS environments may be air-gapped and require 100% service availability. KernelCare live patching for IoT can help solve these challenges.

Today, we’re delighted to announce that KernelCare for IoT now fully integrates with Device Update for IoT Hub from Microsoft, which is currently in preview in select Azure regions. Let’s take a look.

OS virtualization was a huge step forward for the delivery of large-scale enterprise computing applications. But virtual machines were just the start. Containers take virtualization a step further, delivering unprecedented flexibility as applications become almost seamlessly transportable.

However, containers come with a hidden security risk that derives from the nature of containerization. In this article, we discuss the role of containerization in the enterprise, explain why contains can be an enterprise security risk – and point to effective solutions.

Sad DNS (Side-channel AttackeD DNS) is a vulnerability that was disclosed by academics from the University of California and Tsinghua University, at the ACM Conference on Computer and Communications Security CCS 2020. The vulnerability was assigned to CVE-2020-25705. It affects distributions starting from the 7th v.o. (i.e. RHEL6 is not affected, as its kernel doesn’t include ICMP responses throttling feature yet). KernelCare patches will be released shortly. The newly academic discovery lets a malicious actor poison the cache of a DNS server and thus potentially redirect user traffic to sites or services hosting undesired or dangerous content. 

A server reboot cycle is a generic name given to the process of rebooting a fleet of servers in an organization. This can be due to several factors, but it is often because patches and updates require a reboot – they either target a critical component of the operating system or some shared library being used by several components or programs. The number of servers that will be rebooted directly impacts the operation’s duration and the associated risk. The more servers that need to be updated, the harder is the planning and execution process.

Ever heard of a pipe-freeze kit? A pipe-freeze kit forms a plug of ice inside a water pipe, allowing a plumber to make repairs without shutting off water. Like water pipes, there are some things that you don't want to shut down to fix.

Rebooting a system to install security updates and patches isn't necessary, but it happens every day in the form of server reboot cycling. Conversely, live patching of an enterprise Linux system flash freezes central processing units (CPUs) to install patches automatically, taking nanoseconds to complete.

No downtime or non-compliant? That is the question for companies that do not use automated patch services. There is no middle ground when it comes to the security of your clients and the well-being of your business. Especially now, when live patching is available not only for Linux kernels but also for Glibc and OpenSSL. KernelCare+ patches shared Glibc and OpenSSL libraries without service restarts or server reboots — and it has already been tested!

If you’re a systems administrator responsible for thousands of servers, even a small slowdown can cause serious technical problems for your enterprise, and cost it a lot of money as well. Does live kernel patching cause them, or help solve them? Read below to find out.

The beta version of KernelCare⁺ is now available for download for Red Hat Enterprise Linux 7, CloudLinux OS 7, and CentOS 7. More distributions will be added in June 2020.

If your organization deploys IoT solutions, you know that development of embedded systems is a bit different from standard desktop development. Linux’s low cost is attractive to IoT developers, so it’s often the choice for embedded development over expensive proprietary kernels. It’s not uncommon for developers to work with an environment similar to the target device using a virtual machine, but development on a VM can be awkward. Instead, developers can work with distributions specifically designed for embedded systems.

Compared to proprietary embedded operating systems, Linux is low cost; it allows for multiple suppliers of software, development and support; it has a stable kernel; and it facilitates the ability to read, modify and redistribute the source code. For these reasons and more, Linux has become the go-to option for embedded systems. 

KernelCare live patching system has achieved the Amazon Linux 2 Ready designation in the Amazon Web Services (AWS) Service Ready Program.