A lot of information has circulated in the last few days about Spectre and Meltdown vulnerabilities. With all that can be found on the subject, the task of protecting oneself may seem overwhelming.
If you have not yet had the chance to read about these flaws, our previous article discusses the two vulnerabilities in detail.
First of all, it is important to understand that these are flaws in the processors themselves (in the way they speculatively execute instructions), and they affect most modern processors: mainly Intel, but also ARM, AMD and a few others, including PowerPC. Mitigations exist at the microcode, hypervisor, operating system and even browser level, and they complement rather than replace one another.
From an IT security point of view, the ideal situation would be to keep everything up to date, including the microcode of the workstations. Of course, updating everything is a huge job. In addition, some mitigations have an impact on performance, and some even pose stability risks. Some patches were released hastily, notably the Intel microcode, and the manufacturer then had to backtrack and ask customers not to apply them because they caused unexpected reboots.
It is worth noting that, to date, no malware exploiting these vulnerabilities has been observed in the wild. There is no need to panic, but we cannot leave the door open indefinitely.
We therefore propose a pragmatic action plan to address the essentials. Your action plan should contain at least these elements:
1. Hypervisor Level
1.1 Infrastructure virtualized on VMware
If your server farm runs VMware ESXi 5.5 or later, the simplest way to protect yourself is to install the VMware patches. The hypervisor patches mitigate leakage between VMs and between a VM and the hypervisor, and, once the host also carries the new Intel microcode, they expose the processor's new speculative-execution control features to the virtual CPUs so that patched guest operating systems can use them. They do not by themselves make the guests immune: isolation inside a VM (between processes, or between users on a terminal server) still depends on the guest operating system patches discussed in section 2.
For more information on the VMware updates:
1.2 Infrastructure virtualized on Hyper-V
For server farms using Hyper-V, the January host update is required to stop leakage between VMs. In addition, registry values must be set on the Hyper-V host: one pair to enable the mitigations, which are present but disabled by default on Windows Server, and one value so that the new CPU features are exposed to the virtual machines. See the link below.
1.3 Infrastructure on Azure
If your servers are on Azure, this is probably the simplest case. According to Microsoft, the hypervisor-side work has been done for you and your VM images do not need to be updated for that purpose; the in-VM considerations of section 2 (isolation between processes or user sessions) still apply.
To view the latest update from Microsoft:
Here is an excerpt:
"This Azure infrastructure update addresses the disclosed vulnerability at the hypervisor level and does not require an update to your Windows or Linux VM images"
1.4 Infrastructure on AWS
If your servers are on Amazon Web Services (AWS), the hypervisor-level fixes are already applied, which isolates instances from their neighbours. As with the other hypervisors, this does not cover isolation inside the instance (see section 2).
If you are still using PV (paravirtual) instances, it is recommended to migrate them to HVM (hardware virtual machine) instances for added protection.
To view the latest update from Amazon:
2. Operating System Level
For most recent operating systems, there are already fixes available. If your infrastructure is virtualized or in the cloud, there are different opinions about the need to update the operating systems.
Fixes are required if you need to isolate the memory of each process from the others, and kernel memory from user processes. For example, if you are running a terminal server, we recommend applying the patches so that user sessions are isolated from each other.
In addition, if you are running untrusted applications along with other applications processing confidential data on the same VM, you probably want to install the patches as well.
However, it should be noted that these patches can cause a decrease in performance, which varies with the processor generation (older processors without PCID support pay the most for the Meltdown mitigation) and with the workload (system-call- and I/O-heavy workloads suffer most).
2.1 Windows servers
The January Windows security updates contain the required fixes. However, several other factors must be considered for the Microsoft patches to apply correctly:
- The antivirus must be up to date and supported. Microsoft only offers the January update to machines on which the antivirus (or an administrator, after confirming compatibility) has set a compatibility flag in the registry, because some antivirus products made unsupported calls into kernel memory that the patched kernel no longer tolerates, resulting in a "blue screen". An out-of-date antivirus therefore either blocks the installation of the fixes or crashes the machine afterwards.
- Hardware microcode (BIOS/firmware) updates from the server vendor are required for the branch-target-injection (Spectre variant 2) mitigation if the server is physical; in a VM the new CPU features come from the patched hypervisor (see section 1).
In addition, some additional measures may be required, especially if the server is running untrusted applications or serves users (eg a terminal server). See the link below.
In the case of a terminal server, it is also necessary to ensure that the browsers are up to date, because they are a gateway for the execution of untrusted code.
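The Windows Server steps above, together with the Hyper-V host settings of section 1.2, as an added example (this script is ours, not Microsoft's or the original article's). It audits the antivirus compatibility flag, enables the mitigations (which Windows Server ships disabled), adds the Hyper-V host value when the Hyper-V role is detected through its vmms service, and then reports the state with Microsoft's SpeculationControl module. It assumes an elevated PowerShell session on Windows Server with the January 2018 update installed, and that the SpeculationControl module can be installed from the PowerShell Gallery; the registry paths and value names are the ones from Microsoft's published guidance.

```powershell
# Added example, not from the original article: audit and enable the
# Windows-side Spectre/Meltdown mitigations on a Windows Server host.
# Run in an elevated PowerShell session; a reboot is needed afterwards.
$ErrorActionPreference = 'Stop'

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$qc   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # antivirus compatibility flag

# 1. Has a supported antivirus set the compatibility flag? Without it,
#    Windows Update does not offer the January cumulative update.
function Test-AvCompatFlag {
    $v = Get-ItemProperty -Path $qc -Name $qcValue -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$qcValue -eq 0)
}

# 2. Enable the mitigations. On Windows Server they are installed but
#    disabled by default; the override/mask pair turns them on.
function Enable-SpeculationMitigation {
    New-ItemProperty -Path $mm -Name FeatureSettingsOverride -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null

    # Hyper-V hosts (vmms = Virtual Machine Management service) additionally
    # need this value so the new CPU features are exposed to the guests.
    if (Get-Service -Name vmms -ErrorAction SilentlyContinue) {
        if (-not (Test-Path $virt)) { New-Item -Path $virt -Force | Out-Null }
        New-ItemProperty -Path $virt -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    }
}

# 3. Report the effective state with Microsoft's SpeculationControl module.
#    Values reflect the running kernel, so re-run after the reboot.
function Get-MitigationReport {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        BranchTargetInjection_HardwareSupport = $s.BTIHardwarePresent          # microcode loaded (or exposed by hypervisor)?
        BranchTargetInjection_Enabled         = $s.BTIWindowsSupportEnabled
        RogueDataCacheLoad_Required           = $s.KVAShadowRequired            # Meltdown-affected CPU?
        RogueDataCacheLoad_Enabled            = $s.KVAShadowWindowsSupportEnabled
        KVAShadow_PcidOptimisation            = $s.KVAShadowPcidEnabled         # cheaper page-table isolation
    }
}

if (-not (Test-AvCompatFlag)) {
    Write-Warning "Antivirus compatibility flag missing: the January update will not be offered until $qc\$qcValue is set to 0 by the AV vendor (or by you, once compatibility is confirmed)."
}
Enable-SpeculationMitigation
Get-MitigationReport | Format-List
Write-Host 'Reboot required for the registry changes to take effect.'
```

On workstations (section 3) the mitigations are enabled by default, so only the compatibility-flag check and the report part of this script are relevant there.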
2.2 Linux servers
In the case of a Linux server, most distributions have patches available (the kernel page-table isolation, KPTI, for Meltdown), and further patches for the Spectre variants will follow. On a kernel that ships the mitigations, the files under /sys/devices/system/cpu/vulnerabilities/ report which ones are active.
To view the latest update from the most popular Linux distributions:
3. What about workstations?
3.1 Windows
Just as for Windows servers, the antivirus must first be updated, and then the January security patches from Microsoft applied.
What is particularly important, however, is to make sure that the browsers are up to date. We believe that these vulnerabilities will quickly be exploited by malicious websites, since the browser runs untrusted JavaScript from every site you visit.
If you are using Internet Explorer or Edge, Microsoft security patches should protect you.
In the case of Chrome, it is recommended to update it and, optionally, to enable site isolation.
References: https://support.google.com/faqs/answer/7622138#chrome
In the case of Firefox, it is recommended to update it to 57.0.4 and, optionally, to activate first-party isolation. If you want to activate it while leaving control to the user, there is an experimental add-on.
Both settings have a cost: site isolation in Chrome noticeably increases memory use (one renderer process per site), and first-party isolation in Firefox can break sites that rely on cross-site cookies, such as some single sign-on flows.
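The two optional browser settings above, applied from PowerShell as an added example (our script, not the article's, Google's or Mozilla's). Chrome's site isolation is set through its SitePerProcess policy in the registry, the managed equivalent of the chrome://flags entry; Firefox's first-party isolation is set by writing the privacy.firstparty.isolate preference into user.js in each local profile, which Firefox re-applies at every start. It assumes Chrome 63 or later (where the policy exists), Firefox 57.0.4 or later, an elevated session for the HKLM policy key, and Firefox profiles in the default location under %APPDATA%.

```powershell
# Added example, not from the original article: enforce Chrome site
# isolation (policy) and Firefox first-party isolation (user.js).
$ErrorActionPreference = 'Stop'

# Chrome: SitePerProcess = 1 under the Chrome policy key. A policy cannot be
# switched off by the user in chrome://flags, unlike the flag itself.
function Enable-ChromeSiteIsolation {
    $policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name SitePerProcess -PropertyType DWord -Value 1 -Force | Out-Null
    return ((Get-ItemProperty -Path $policy -Name SitePerProcess).SitePerProcess -eq 1)
}

# Firefox: privacy.firstparty.isolate keys cookies, cache and other site
# storage by the first-party domain. user.js overrides prefs.js on start-up,
# so the setting survives changes made in about:config.
function Enable-FirefoxFirstPartyIsolation {
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return @() }     # Firefox not installed for this user
    $pref = 'user_pref("privacy.firstparty.isolate", true);'
    $done = @()
    foreach ($dir in Get-ChildItem -Path $profiles -Directory) {
        $userJs   = Join-Path $dir.FullName 'user.js'
        $existing = if (Test-Path $userJs) { @(Get-Content $userJs) } else { @() }
        # Drop any earlier line for the same pref, then append ours.
        $kept = @($existing | Where-Object { $_ -notmatch 'privacy\.firstparty\.isolate' })
        Set-Content -Path $userJs -Value ($kept + $pref) -Encoding ASCII
        $done += $dir.Name
    }
    return $done      # names of the profiles that were updated
}

Enable-ChromeSiteIsolation
Enable-FirefoxFirstPartyIsolation
```

Firefox reads user.js at start-up, so the change takes effect the next time the browser is launched; Chrome picks the policy up on its next start as well.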
3.2 Mac
Macs running macOS High Sierra 10.13.2 or newer are protected. This version also fixes Safari by updating it to 11.0.2.
Planning and maintaining a secure IT infrastructure can become particularly complex given the continuing emergence of new IT security vulnerabilities. If you are concerned about the security of your data, call in experts to take care of managing your IT.