BY JAKE GIBSON, Chief Compliance Officer and Chief Security Officer, LightEdge Solutions
The technology industry is still coming to grips with the potential damage of Meltdown and Spectre, two potentially disastrous processor vulnerabilities that can compromise even the most sensitive of data.
Meltdown and Spectre share many of the same traits and affect almost every processor created since 1995. Both vulnerabilities take advantage of something called speculative execution, which is a mechanism built into processors to predict potential outcomes before they happen in order to speed up processes.
Speculative execution was introduced more than 20 years ago, and the data pulled through the process was thought to be secure until the vulnerability was discovered in secret in summer 2017.
Meltdown and Spectre have different methodologies, but both allow an unauthorized user or program to pull sensitive information from your operating systems, processors and even applications. This includes passwords, personal employee information and client data.
Companies big and small can be affected by the newly discovered exploits, and many don’t know what to do to mitigate the problem and limit their risk. Here are a few of the frequently asked questions we hear from clients.
What does this affect?
Almost everything, from servers and cloud services to personal items like laptops, smartphones and smart TVs.
Meltdown, an immediate threat with exploits already available, affects every Intel processor since 1995, except for its Itanium and Atom models before 2013. It also affects some ARM-based microprocessors. The good news with Meltdown is patches are already available that largely mitigate the issue.
The Spectre vulnerability is even more widespread and has a bigger long-term impact, touching many desktops, laptops, cloud servers and smartphones. It has been verified on Intel, AMD and ARM processors. It’s harder to exploit but also harder to mitigate.
How will this affect my computing?
The constant patching by processor manufactures has given rise to questions about how they affect computing performance.
Because of how the vulnerabilities work — taking advantage of speculative execution, which is used to speed processes up — the patches have to prevent the operating system from executing those predictions. But a side product of that is slower processing.
Early reports feared the patches would slow down operating systems up to 30 percent, but in reality, it has been closer to 5 to 10 percent. Cloud services haven’t seen too much of a hit, especially if the memory is provisioned correctly.
If a business is running database applications on its servers, that’s where it could get a bit tricky, since databases make a lot of calls to the memory. If your servers don’t have adequate memory, performance could be affected.
But most of the issues reported have been with small dips in performance.
What does my business need to do?
Making sure you update your software and hardware with the latest patch is the most crucial thing you need to do. Almost all of the software and hardware vendors out there have patches or settings changes that need to be applied.
If your business has servers housed in a data center or you use a cloud provider, make sure to contact your tech service provider to get details on what is being patched on their end and what you need to do on your end. Cloud services have a lot of different layers that need to be updated on both the provider side and the client side, so communication is key.
LightEdge offers a secure portal for its clients to identify, line by line, what systems they need to update and what we’ve already taken care of.
This isn’t going away.
There will still be more patches and more reboots to help mitigate the problem in the near future and beyond. Remember, these are big exploits, so they need constant management and fixing. So far, there are no known exploits in the wild for these two vulnerabilities, but it’s hard to detect them if they are out there.
Make sure to keep an eye out to see if any exploits come to the forefront. Also, continuing to update your software and hardware with the latest patches is the best way to mitigate the risk for you and your business.