ProSysCtrl

Patching Spectre and Meltdown Vulnerabilities

Discovered in 2017, and publicized in 2018, Spectre and Meltdown are two new vulnerabilities in how certain microchips were designed.1, 2

These vulnerabilities place information stored in memory (e.g. passwords, email, web browsing information, documents, etc.) at risk of theft.3

For Spectre to be exploited, a device must have a vulnerable processor. Security researchers have verified Spectre can be exploited “on Intel, AMD, and ARM processors.”4

For Meltdown to be exploited, a device (laptop, desktop, server, smartphone, etc.) must have a vulnerable processor and the Operating System (OS) running on that device must be unpatched. While not all of the details are currently known, security researchers have verified that many Intel processors are vulnerable.5

Because the vulnerabilities lie in the processors, a complete fix which does not incur a degradation in system performance may rely on the processors being redesigned.6, 7, 8 IT administrators should not wait to do something about this. Many companies including Microsoft and Apple are releasing software updates to help patch these vulnerabilities.9, 10

A number of hardware vendors are releasing firmware updates (including but not limited to BIOS updates). Updating firmware (i.e. micro code) is a step necessary to mitigate the risk of Spectre or Meltdown being exploited and a systems best practice in that systems should be updated with the most recent release (production) security updates.11 It is important to note, that using the wrong BIOS or firmware update for your hardware may result in the hardware becoming unusable.12 Additionally, if the device loses power during a BIOS of firmware update your hardware may become unusable.13, 14

Each hardware, OS, and software vendor is responsible for providing their own patch. It has been reported that some updates may slow down device performance.15 Intel has published benchmarks showing the difference in device performance for a “Fully Mitigated System” vs a “Non Mitigated System at 100%” which can be read at https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Blog-Benchmark-Table.pdf.16

Microsoft has released patches, but in order for your computer to see those patches it must have a supported anti-virus product installed and that supported anti-virus must create a special marker for Microsoft to confirm that your anti-virus will support the new Microsoft patches. If the special marker does not exist, “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities.”17

According to one security researcher, here is a list of anti-virus products that have updates to protect against one or both of these vulnerabilities but do not as of 8 January 2018, automatically create the special marker.18

If you use one of the above listed anti-virus programs and you are unsure or uncomfortable with manually creating the special marker yourself, please Contact Us.

If you are a current Micro Systems Management client with one of the above listed anti-virus programs and you subscribe to our ProSysCtrl managed services solution, we have already created the special marker for you.

FacebooktwitterlinkedinmailFacebooktwitterlinkedinmail
Wednesday, January 10th, 2018 Cybersecurity, ProSysCtrl No Comments

Disaster Recovery?

DISASTER PLANNING and BUSINESS CONTINUITY

It sounds alarmist – complicated – and you don’t need it for you and your company, right?

WRONG!!!!

The real value to your company is not the hardware – it is you, your hard work and your data.  Think about that.  How long (hours, days, weeks) can your company be out of business while you recover from an unwanted technological “event”.

Let’s talk about what Business Continuity/Disaster Planning and Recovery really means for your company’s technology.  Consider these real-life client scenarios
(names and companies have been omitted):

  • Your server’s hard drive melts (not kidding) – no one in your entire company can work with network files and no Business Continuity plan has been implemented.  Hard drive is unrecoverable – all company data is lost
  • Your Anti-Virus/Anti-Malware misses a new piece of Ransomware – your data is entirely encrypted unless you pay the ransom – or can restore from a valid backup created before infection.
  • You/ your dog/your cat/your child – spews an undefined substance on your laptop and fries internal components.  Guess what?  The warranty expired yesterday.

I think I’ve made the case for a sound Business Continuity and Disaster Recovery plan.  Want to hear even better news?  It’s not as expensive as you might think – and it is easily implemented.

We understand that most people want to stick their head in the sand, say someday I’ll look into it, someday do a test restore of their backups, someday automate their routine or, the most dangerous:

 It can’t happen to me

These things can and do occur – and we charge a lot more to recover the data than the prevention would have cost.

Have you ever been asked for your disaster recovery plan?  The foreboding name almost asks for a catastrophe. That is why we counsel our clients to not make one unless they absolutely have to.

WHAT?  That is crazy talk!

Bear with me.

The idea of operating a business is one that depends on many factors.  For most of us, the technology that we use is the lifeline of operations.  How much business could business do without the internet and their computers?  In today’s world, not too much.  When a disaster strikes, things often grind to a halt.  But when we concentrate on containment and rebuilding, we admit to ourselves that we are willing to accept the disaster.  On the other hand, what if we planned for something else?  What if our plan was business continuity?

Disaster Recovery vs Business Continuity.

EVENT Disaster Recovery (DR) Business Continuity (BC)
The server bursts into flames 1) Extinguish Flames2) Get new server

3) Locate backups

4) Restore Operating System

5) Update to latest patches

6) Restore from backup

7) Expected downtime? Weeks

1) Extinguish Flames2) Spin up image of burned computer on BC computer

3) Continue Working

4) The IT department rebuilds while the company continues to operate

5) Expected downtime? 2 hours

The office bursts into flames 1) Let the firemen do their jobs2) Find a new building

3) Buy new equipment

4) Locate your OFF_SITE backups (you have those, right?)

5) Start to restore your world

6) Expected downtime? Weeks, Months, NEVER ?

1) Let the firemen do their jobs2) Spin up the server images from the remote BC server

3) Go to a local store and buy a laptop

4) Attach to remote BC server and continue working

5) Expected downtime? 1 day.

Backups have been the bane of existence of IT people since devices started failing.

Tape drives are slow and notoriously unreliable.
Backup hard drives are fine for archiving – but recovery is not ideal
Backups to the cloud are ok, as long as you have a server and an operating system that will receive them
People do not have the time to look after their own backups
Since very few people ever do a test restore, the restoration process is foreign.  The time to learn is not while the flames are being extinguished.

I was talking to the Executive Vice President of a national retail chain and he asked me if I would pay $ 1,000.00 for the pencil he had in his hand.  When I told him that it was too expensive, he asked me if I would pay $ 1,000.00 for his Rolls Royce.  When I told him that I would, he answered “it wasn’t too expensive … it is the same $ 1000.00.  The difference is the value”.

Designing Business Continuity systems will not be done from the parking meter money you keep in your car.  There is an investment to be made.  However, according to the Institute for Business and Home Safety, an estimated 25 percent of businesses do not reopen following a major disaster.  That is an alarming statistic.

The remaining question is simply math.  What is the value of your business to you? What if you could prepare to continue on even in the face of natural disaster?

We can help you do just that. We have been helping our clients with systems that don’t require them to do anything.  They never have to change a tape. They don’t have to do a test restore. They don’t have to take something home. And as far as their technology goes, they don’t have to be concerned about disaster anymore.

It is fair to say that backup strategies are as individual as companies are – call us and let us fashion a continuity solution for you today.

 

FacebooktwitterlinkedinmailFacebooktwitterlinkedinmail
Friday, February 14th, 2014 General, ProSysCtrl No Comments

This article may be about backups, but you know you want to read it anyway.

(this article originally published 7/6/12)

Do you know how difficult it is to make an article about backing up computer data sexy? Try it sometime. We’re about to, so hang on to your hats….

Okay, so everyone hates it. No arguments there. (We’re some of the only people you’ll ever meet who will confess they like it.) It’s like going to the dentist – everyone knows you’re supposed to, everyone hates the hassle of it, and we’ve all managed to convince ourselves that the chances of disaster are relatively slim (who doesn’t know that one guy who’s never done it and his life is still perfect?). However, we all know that it’s one of those things that will only bring your world crashing down at the worst possible moment, leaving you with that nagging self-loathing that only comes from the knowledge that your catastrophe was completely preventable. We’ve been there and we get it, don’t worry.

A good portion of our business happens to come from cleaning up after those catastrophes, when innocent professionals wake up one morning to find that their office has flooded, or that their systems were hacked (more frequent than you might think) and their data security compromised, or sometimes that the hardware has just failed. Unlike cavities, which can usually be prevented by avoiding certain foods and flossing whenever you remember to, there’s no way to prevent hardware from giving out or wearing out. Entropy really isn’t very nice sometimes.

If you’ve been reading any of our past articles, you know that we tend to harp on the importance of your data’s security. It’s kind of the thing that allows your business to run, and you have to be able to rely on it for the well-being of you and your company. We know you don’t want to hear it, but it really is worth a little effort to protect it.

So! How can we make “digital dentist trips” more bearable?

1. Schedule backups so that they happen automatically. You won’t even have to think about them, and you get all the nice warm fuzzy feelings of knowing your data will still be there in the morning. Schedule them for the middle of the night, and you won’t even have to be left without computer access during the day.

2. Use a cloud-based service as your secondary backup. (Yes, you really do need at least two different modes of backup).

3. If you have a vast amount of data to protect, or you’re just especially paranoid (we totally understand), use multiple secondary backups and rotate them in and out of use in case of failure.

4. Also, for those who need to back up more data, invest in an appliance like a Barracuda Backup Service device or Message Archiver. The second one is especially important if the entirety of your company’s business is handled through email.

5. Finally, get one of our Backup Checkups. We evaluate your current backup hardware and protocols, validate your media, check your devices for defects, and perform a test restoration. What good is having a backup plan if you find out that it doesn’t work when it really counts? They’re quality for the price, and best of all, signing up for one before Wednesday, July 18 enters you into a drawing for a FREE Touro Desk Pro 1TB USB 3.0 External Hard Drive! There’s no downside to having one of those, but it has a lot of upsides, including 3 free GB of cloud storage in addition to the terabyte (that’s 1,000 GB) of hardware storage you’re getting. All you have to do is email pattyz@msmctech.com (put “Backup Checkup” in the subject line) and sign up for a Backup Checkup for you or for your company (which you really should be getting anyway). Doesn’t get much easier than that, folks.

Most external drives and backup devices come with software which allows you to schedule backups, but if not, you can still schedule them yourself. (With Windows, you can do this at Control Panel → Backup and Restore; with a Mac, all you need is Time Capsule.) For a casual user, backing up data once a week is probably sufficient, but backups will need to be more frequent (and with multiple devices) when professional data is concerned.

Cloud-based applications: most people are acquainted with “cloud computing” at this point – using a trusted Internet-based service to host your data on an offsite, third-party-owned server which makes the data accessible to the user from any location. You can go anywhere and use any computer to access your data. As a technology company that deals largely in Internet security, we’re wary of any solutions which encourage you to trust all your data to the cloud, but it’s suitable for a secondary backup device in most situations. Upside: no hardware to lug around, no cables to forget, no setting reminders on your phone to make sure you back up your data frequently enough. Downside: once again, as security technicians, we’re always aware of the risks you take when making information accessible on a global network. But if you are at all skittish, ask us and we’ll help you determine what’s best for your company.

The rest of the above points are fairly self-explanatory. The more backup devices you have in a rotation, the lesser chance you have of losing anything important. The questions are simply, how sensitive is the information? How much does your business rely on it? Does the nature of the information make it more likely to be targeted? Also, when it comes to devices like the Barracuda storage appliances – the larger your network, the bigger and badder your backup devices need to be. It’s also worth asking yourself how much of your information needs to be backed up – some storage solutions can be programmed to only back up programs or data that have been used or modified since the last backup, saving you time and storage space.

External hard drives and USB drives are portable, usually reliable, and, depending on what type, can store a lot of information. Tape storage devices (like DAT, DLT, and – dare I say – 9-track) are unreliable, expensive, slow, and small in terms of storage space. The media which actually stores the information is fragile and easily rendered useless. We do not recommend them. For cloud-based solutions, we can recommend Intronis and our own ProSysCtrl managed platform service – which, as a bonus, will monitor the health of your hardware, software, and devices, while alerting you to any possible appliance failures before they happen, giving you time to safeguard your data. (You know, an ounce of prevention and all that jazz.)

If you’re still left with questions about how much of your information needs backing up, how frequently, and with what devices, we’re always happy to help. Give us a call at 440.892.9997 or email info@msmctech.com and let us help you protect your business.

Oh, and did we mention there’s a shiny and super-fast new FREE Touro 1TB External Hard Drive involved?

As always, feel free to contact us with questions or for further information.

Copyright ©2012, Micro Systems Management. All rights reserved.

FacebooktwitterlinkedinmailFacebooktwitterlinkedinmail
Thursday, July 19th, 2012 Cybersecurity, General, ProSysCtrl No Comments
 

Categories of Posts

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Follow Us

FacebooktwitterlinkedinrssFacebooktwitterlinkedinrss