By now, you’ve probably seen two names swirling around every industry news headline. These, of course, are Meltdown and Spectre; two critical vulnerabilities found in current CPUs from Intel, AMD and ARM.
On Wednesday January 3, several researchers disclosed the security flaw in modern processors that could affect practically every Intel computer released in the last two decades—as well as the AMD and ARM chips in your laptops, tablets and phones. As people are (rightly) concerned, we’ve decided to assemble and organize all the information MSPs and IT service providers should understand about these vulnerabilities, how they could be exploited and how to communicate these vulnerabilities to your clients.
What Are Meltdown and Spectre?
In brief, Meltdown and Spectre are the names of the flaws found in a number of processors from Intel, ARM and AMD that could allow hackers to access passwords, encryption keys and other private information from open applications.
While these vulnerabilities are generally talked about in conjunction, they are not one and the same. The basic difference between the two is that Meltdown compromises the isolation between the operating system and programs executed by users. On the other hand, Spectre compromises the isolation between different running programs.
How Could Meltdown and Spectre Be Exploited?
The Meltdown and Spectre vulnerabilities are rooted within the processor’s architecture, where a design defect allows applications to cross memory boundaries into the protected memory of other applications. Variants to the flaw exist where malware could potentially gain access to the memory of other applications (in the case of Spectre) or where malware could gain access to a device's memory (in the case of Meltdown). If these vulnerabilities get exploited in a successful attack, it could lead to a broad range of malware attacks that could compromise the user’s data stored on their device.
How to Address Meltdown and Spectre with Clients
It’s important to emphasize that at this point in time, there is no evidence these vulnerabilities are being maliciously exploited in the wild. However, Meltdown and Spectre should serve as the latest wake up call for organizations to continuously question, enhance, test and secure their IT environments.
So, how can you approach these conversations with clients? I recently sat down with the MSP Radio crew to chat through the Meltdown and Spectre vulnerabilities and how MSPs can effectively leverage these news events to inform their clients and create sales opportunities. Here are some of my key takeaways:
Don’t Rush into Things
Because news on the vulnerabilities has mentioned that “every machine could be at risk,” people tend to think that the solution needs to be rushed. To avoid confusion, it’s important that you’re careful and thoughtful about how you respond and react to these events. Rather than scrambling to put the fire out (like we saw with WannaCry), MSPs should take the time to gather their thoughts and build a communication strategy.
At the same time, don’t rush into making fixes just because of the news. As I mentioned before, these vulnerabilities have no confirmed problems; but, if you rush into applying an update, you could run into problems.
Get Used to It, but In-Front of It
Unfortunately, these types of vulnerabilities are becoming the new normal, so MSPs will see more of these on a regular basis. My best advice would be to get comfortable with these conversation—you can even include them in your monthly updates.
Ideally, as an MSP you will know what to be looking for so that you can communicate with end-clients before they read the news headlines. It’s key to quickly communicate with clients so that, rather than thinking the worst, they know their actual risk is low because there is no known exploitation. This shows that you’re on top of it and cements you as the security partner they’ll turn to first.
To hear more on this, click here to listen to the rest of the podcast episode!
Handpicked for you:
By Lily Teplow
By Brian Downey
By Dave LeClair