Prepare for Y2K style Meltdown strategy
The days of fixing the date bug in legacy systems may be long gone, but IT now faces as much of an effort mitigating the Spectre/Meltdown processor flaw
The Spectre and Meltdown chip flaw represents the 21st century’s Y2K moment, analyst Gartner has warned.
In Gartner’s report “Security leaders need to do seven things to deal with Spectre/Meltdown”, distinguished analyst Neil MacDonald set out seven steps IT departments should take to mitigate the risk.
“Not since Y2K has a vulnerability affected so many systems and required a deliberate, phased plan of action for remediation efforts,” said MacDonald.
Given that every modern IT system will be affected to some extent by Spectre/Meltdown, he urged IT departments to produce an inventory of affected systems.
This inventory should include PCs/laptops, including those running Windows, Linux and Mac OS; physical servers; workloads in virtual machines, including those running in public clouds and hosting environments, and hypervisors and virtualisation layers used for the virtual machines.
“For each layer of the stack, you need to track whether patches are available from suppliers and whether there are dependencies,” said MacDonald.
In the report, Gartner recommended that IT departments develop a risk-prioritised plan for remediation.
Tips to protect servers from Spectre/Meltdown
Gartner has recommended seven steps to secure servers from Spectre/Meltdown
- Restricted physical and logical network access, and USB ports disabled.
- Application control/whitelisting installed, which should be the primary runtime protection.
- Advanced kernel and address space protection creating a “moving target defence” polymorphic OS.
- Privileged Access Management for administrative access with strong change management controls.
- No external internet connectivity (if the server is externally facing, then patch or replace it).
- No local browser or email client.
- Apply the patches to other layers of the OS and supporting software.
Source: Security leaders need to do seven things to deal with Spectre/Meltdown, Gartner
As Computer Weekly has previously reported, patching for Spectre/Meltdown requires firmware updates, which can adversely impact the performance and stability of some machines. Towards the end of January 2018, Intel was forced to admit its patch for the Spectre and Meltdown processor bug was flawed and could cause PCs and servers to lock up.
Microsoft needed antivirus providers to update their software before the Windows patch could be installed, and some embedded systems also locked up when the patch for Spectre/Meltdown was applied.
In the report, MacDonald suggested there is an advantage in delaying the patching of systems vulnerable to Spectre/Meltdown. “Early patches created conflicts with some antivirus offerings and locked up Windows desktops. Some patches conflicted with the use of AMD microprocessors, such that the systems would not boot. Other early patches had significant performance impacts addressed by subsequent patches.
“Intel recently had to recommend that organisations halt their deployments of firmware, due to sporadic processor reboots, and Microsoft provided a new switch to disable the unstable microcode updates.”
Risk mitigation involves not only identifying vulnerable systems, but also assessing the risk of not patching them, especially in tightly controlled server environments. In these environments – where direct internet access is restricted – the potential risk is from a malicious insider.
“On servers, an administrative insider or compromised account with rights to execute code on the system may launch an attack to steal secrets,” said MacDonald. “Strong separation of duties and privileged account management reduce this risk.”
Unfortunately, mitigating against the Spectre/Meltdown chip flaw can be expensive.
The patches offer some level of protection against Spectre/Meltdown, but, according to Dynatrace, companies will have to make heavy sacrifices in performance: the patches can increase central processing unit consumption by up to 50%, depending on the IT environment.
A survey of 514 IT professionals on the Spiceworks community recently estimated that almost one-fifth of large businesses could end up spending up to $50,000 to fix Spectre/Meltdown.
From a best practice perspective, Gartner has suggested IT departments patch one server in a group of similar systems to check for incompatibility issues and measure the performance impact.
For cloud systems, where processing on infrastructure as a service is running at near-full capacity, Gartner recommended upgrading capacity by buying a larger instance type (ie a more powerful virtual machine). In a physical datacentre, Gartner suggested that IT may need to purchase more servers to cope with the likely performance degradation resulting from applying the Spectre/Meltdown patch.
Gartner warned that server administrators will also need to verify that the version of Linux running in their datacentres supports PCID (process-context identifiers), a processor feature used by the Linux kernel’s Meltdown mitigation.
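The inventory Gartner asks for and the PCID check above can both be fed from interfaces Linux itself exposes. The script below is an added example, not code from the Gartner report or from Computer Weekly: it reads the CPU flags from /proc/cpuinfo to answer the PCID question (without PCID the kernel page-table isolation patch has to flush the TLB on every kernel/user switch, which is where much of the Meltdown patch’s performance cost comes from), and reads the kernel’s own per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities, which only kernels carrying the early-2018 mitigation patches expose. A host that reports “unknown” for every entry is therefore itself an inventory signal: its kernel predates the fix. The function names, the CSV column layout and the host name `srv01` used in the comments are this example’s own choices.

```shell
#!/bin/sh
# Added example (not from the Gartner report): build a one-line Spectre/Meltdown
# inventory record for a Linux host from /proc/cpuinfo and sysfs.
# Every path argument is optional so the functions can also be run against
# copies of those files collected from other hosts.

# has_pcid [CPUINFO_FILE] -> prints "yes" if the CPU flag list contains "pcid",
# "no" otherwise (also "no" when the file cannot be read).
has_pcid() {
    cpuinfo="${1:-/proc/cpuinfo}"
    [ -r "$cpuinfo" ] || { echo no; return; }
    # Only the first "flags" line is inspected; all cores share the same flags.
    awk '/^flags/ { for (i = 2; i <= NF; i++) if ($i == "pcid") { found = 1 }; exit }
         END { print (found ? "yes" : "no") }' "$cpuinfo"
}

# vuln_status [VULN_DIR] NAME -> prints the kernel's one-line status for the
# named issue (e.g. "Mitigation: PTI", "Vulnerable", "Not affected"), or
# "unknown" when the file is absent, as on kernels without the mitigation code.
vuln_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    name="$2"
    if [ -r "$dir/$name" ]; then
        cat "$dir/$name"
    else
        echo unknown
    fi
}

# mitigated VULN_DIR NAME -> "yes" when the kernel reports either an active
# mitigation or that the CPU is not affected; "no" for "Vulnerable" or "unknown".
mitigated() {
    case "$(vuln_status "$1" "$2")" in
        Mitigation:*|"Not affected") echo yes ;;
        *) echo no ;;
    esac
}

# inventory_record HOST CPUINFO_FILE VULN_DIR -> one CSV line:
# host,pcid,meltdown_mitigated,spectre_v1_mitigated,spectre_v2_mitigated
inventory_record() {
    host="$1"; cpuinfo="$2"; vulndir="$3"
    printf '%s,%s,%s,%s,%s\n' "$host" "$(has_pcid "$cpuinfo")" \
        "$(mitigated "$vulndir" meltdown)" \
        "$(mitigated "$vulndir" spectre_v1)" \
        "$(mitigated "$vulndir" spectre_v2)"
}

# Stand-alone run: report on the host this script is executed on.
echo "host,pcid,meltdown_mitigated,spectre_v1_mitigated,spectre_v2_mitigated"
inventory_record "$(uname -n)" /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities
```

Run it on each Linux host (or against collected copies of the two inputs) and append the lines to the inventory spreadsheet; a record such as `srv01,yes,yes,yes,no` then tells the patch tracker that the host has PCID, a working Meltdown mitigation, but no Spectre variant 2 mitigation yet, which on an internet-facing server is the case Gartner says should be patched or replaced rather than deferred.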
Ultimately, the best remedy is to replace hardware, but new processors that are not vulnerable to the chip flaw are unlikely to be shipping for at least another 18 months.