Spectre and Meltdown: How Channel Companies View the Latest Security Threats
“This is going to take a long time [to fix], cost a lot of money.”
That’s how Ron Culler, chief technology officer at Secure Designs Inc., sums up about the world’s two latest security vulnerabilities that made headlines in early January, Spectre and Meltdown.
The vulnerabilities, you no doubt have heard, stem from design flaws in Intel, AMD and ARM chips used inside billions of PCs, Macintoshes, servers and mobiles phones running both iOS and Android. It’s a big deal in other words. If you want a detailed rundown on the technical aspects of the problem, then be sure to check out Brian Krebs’ write up. Like Culler, Krebs cuts to the chase when describing the magnitude of the problem: “In short, if it has a computer chip in it, it’s likely affected by one or both of the flaws,” Krebs wrote on January 5th.
If you cater end customers for a living, how do you even begin to communicate the magnitude of such a problem without freaking people out? That’s the challenge for channel partners big and small. Here’s a sampling of what some ICT consultants are saying to their customers and beyond. Let’s start with Culler, whose Greensboro, N.C.-based managed security services provider (MSSP) advices customers and channel partners every day.
“As for the unknowns there are many,” Culler said in an interview with Channel Futures. “Until we have OS and application patches, we are all left to guess. We all know that patching has never been completely adopted in the business world, much less the consumer market. Depending on your application and platform, you may be out of luck.”
Then there are cloud implications to consider.
“Imagine having to readjust your server capital costs to customer ratio if you’re a cloud provider? Is Intel going to make you whole? Are you going to be able to replace your older processor with a newly manufactured one sans-flaw?” Culler wonders.
For perspective, he points to the way Cisco handled the Intel Atom C2000 clock flaw. Cisco set aside $125 million to help cover the costs of replacing some equipment, but it expected partners to “eat” some of the costs to swap out faulty units. Culler wonders if distributors and other OEMs will be asked to do the same with the chips they have in their warehouses and distribution hubs.
“Imagine today if you’re the head of Ingram, Synnex, Tech Data, Apple, HP, Dell, or any of the other OEMs that exist. You’re sitting on a stock of faulty processors. You don’t want to sell them or maybe can’t. So, what are you to do? Unless Intel and the others affected by the flaws have magically manufactured replacement processors and have them waiting to be shipped, you are potentially looking at significant losses or slowdowns in product sales and delivery,” says Culler.
What does this mean? Expect a deluge of lawsuits, a rise grey marketing and a disruption in the normal flow of business. Oh, and a lot of questions from customers. How does a cloud provider assure his or her customer that their data, apps or infrastructure is really safe? It’s a thorny question for sure.
To help customers better understand the situation, a number of channel companies have taken to social media to help assuage or address concerns. In a blog penned for Sword & Shield, a Knoxville, Tenn., MSP, Corey McReynolds, an enterprise security consultant, advised customers that to avail themselves of patches and updates from Microsoft, Apple and others. But, he noted, don’t be surprised if performance takes a hit.
“Current research suggest certain processor and application combinations may suffer 5-30 percent degradation to performance,” he wrote. “However, there is no solid means to determine what may be affected given the variety of various applications. Most notably, virtualized and data center/cloud workloads are likely to be affected the most.”
Speaking of updates, Dave Farquhar, a security expert at GuidePoint Security, a Herndon, Va., MSSP, also advises clients to update their operating systems and applications as soon as patches become available. He also advises them to update their browsers, too.
One other thing Farquhar advises: “…Don’t panic. So far there are no reports of reliable exploits circulating in the wild.”
That’s a key point to remember. While the sky may feel as though it is falling, especially after the Equifax dumpster fire of 2017, it rarely does.
Keep calm. Carry on.