For managed service providers and vendors that deal with cyberthreats daily, the vulnerabilities recently reported in Intel and other processors are just the latest security concern to fall under a national microscope. And, unfortunately, they've seen broad exposures like these becoming an increasingly common part of life in the IT world.
"It's becoming much more of a reality than not in the overall landscape," said Brian Downey, senior director of software product management at Boston-based Continuum. "I've been telling [partners] this isn't something to overly panic about. There are a lot of vulnerabilities out there in every environment. It starts with the fundamental security practices you want to employ to avoid not just this attack, but future ones like this. They're going to keep coming."
Dubbed Spectre and Meltdown, the flaws discovered by Google Project Zero potentially allow bad actors to change how an application works based on the contents of memory or leak Linux kernel memory (Spectre) and read kernel memory via an application (Meltdown). Patches have either already been released or are being rushed out by Intel as well as OS and cloud providers like Microsoft, Google, Amazon and Apple.
No known instances of malware exploitation have yet affected processors in PCs or servers in the field, according to Intel. MSPs are still pushing to issue the patches sooner than later, but many – like Lone Tree, Colo.-based Anchor Network Solutions – want to remain cautious with their deployment.
"Anytime there's an emergency patch, you've got to be careful, because sometimes Microsoft writes them in haste and in the end it brings other things," CEO Vince Tinnirello told CRN. "You have to be careful, test it first, and then deploy it to the masses."
Paul Breitenbach CTO of Jacksonville, Fla.-based CompassMSP echoed that disciplined outlook, saying that MSPs will want to ensure clients are using certified anti-virus vendors that meet OS patch requirements in order to prevent blue-screening on servers and PCs.
He also emphasized the need to set customer expectations when it comes to any performance loss that may occur during the vulnerability patching process. Some industry experts, he said, have estimated the CPU performance degradation could be as little as an "imperceptible" 5 percent or as high as 30 percent on systems, depending upon which applications and tasks are being run at the time.
"None of our clients we're particularly worried about," Breitenbach said. "We monitor the metrics of their servers to make sure they're not on the edge of any kind of performance [loss] on an ongoing basis. Having that overhead and keeping that overhead on the systems they do use and at peak usage times, it's not going to be detrimental to them. For MSPs and shops that don't make recommendations with regard to systems overhead, it could be something of concern for them."
Patch-related performance loss would be caused by the separation of user application and kernel memory into two locations, but Datto CISO Ryan Weeks said in a statement to CRN that it's difficult to tell how serious the effects may be. He advised MSPs to weigh data security risks against system performance risks with regard to patch deployment, and noted that MSPs have an important role to play with regard to threat education.
Intel has emphasized that Spectre and Meltdown apply to all major chip manufacturers, including AMD and ARM. The difference comes down to the performance effects – Breitenbach said Intel is alleged to see the most because of its mitigation techniques, but to what degree is unclear.