If you’ve been keeping watch on the news of late, you’ll have no doubt noticed the panic that’s spreading around the Meltdown and Spectre bugs. While consumers are fairly unaffected by the recently disclosed security vulnerabilities in most modern processors, the same cannot be said for businesses. This threat must be taken seriously, and organisations must act fast to find a way to tackle the problem.
A study based on anonymised and aggregated data from devices across the public, private and third sectors, managed by the IronWorks mobile management system, found that only 4% of mobile devices have security updates for the Meltdown and Spectre exploits installed. And research has shown that chips going as far back as 2011 were tested and found to be vulnerable, and that in theory, these flaws could affect processors as far back as those released in 1995; while we would hope that there aren’t too many of those in use, we may still be surprised on that count!
While the awareness and understanding of this major security flaw seems to have simply popped up since the beginning of 2018, this particular exploit has been under investigation for some time by researchers, and word of it trickled out in the form of small updates to various operating systems addressing a hitherto-undocumented security flaw.
For business IT, and the world of industrial systems also affected by Meltdown and Spectre, the security patches being released from companies such as Microsoft, Intel, AMD and ARM are interim measures, and some are causing incompatibility issues. This has the potential to make the patching of IT and industrial systems even more complex and time-consuming.
In the long term, the fixes will be rolled out in new chipsets by the hardware manufacturers. This, however, could potentially take years, meaning capacity management and IT performance could become a much larger issue.
Which software platforms are most vulnerable?
Because Meltdown and Spectre are flaws at the architecture level, it doesn’t matter whether a computer or device is running Windows, OS X, Android, or something else — all software platforms are equally vulnerable. As a result, a huge variety of devices, from laptops to smartphones to servers, are therefore theoretically affected. The assumption going forward should be that any untested device should be considered vulnerable.
Not only that, but Meltdown in particular could conceivably be applied across cloud platforms, where huge numbers of networked computers routinely share and transfer data among thousands or millions of users.
What does this mean for my business?
Due to the fact that Meltdown and Spectre are microprocessor vulnerabilities, their effect isn’t just limited to smartphones, tablets, personal computers and servers; network appliance and storage manufacturers that use the flawed chips are in the process of rolling out patches. Embedded systems will also need patching.
Essentially, the challenge for many businesses will be in identifying which control systems might be affected, and implementing patches.
The nature of the patches mean that they could impact the performance and capacity of the systems as they cause additional CPU load. We have been involved with a recent roll out of the patches where a CPU increase of around 20% was measured meaning that the patches have had to be pulled from that release as there was not the available CPU capacity to support it.
We can offer Performance and Capacity Healthchecks to establish how much headroom is available on your systems which should help to ensure that the implementation of this fix either eradicates or minimises performance issues, in addition to identifying any infrastructure changes which might need to take place prior to deployment.