Meltdown and Spectre are two hardware processor flaws that have taken not only the security world but the entire world by storm. Your LiveVault® team is taking proactive measures to protect our customers, along with remediation efforts to temper public uncertainty. These CPU vulnerabilities date back the better part of a decade and leverage an architectural design fault in nearly all modern processors, potentially allowing data to be exposed. Although data protection becomes a discussion point due to these flaws, there’s no real-world evidence of malicious events exploiting Meltdown or Spectre.
With the rise in ransomware, every potential vulnerability is deemed critical and investigated for susceptibility. You may be aware that the Computer Emergency Response Team, or CERT, has advised applying operating system updates and patches immediately and frequently, when available. This simple remedy is a soothing reversal compared to the original statement to replace your processors. The CERT’s remedy for the potential side-channel attack is to apply operating system patches, CPU firmware updates, and application updates in order to mitigate any exposure.
“Note that in many cases, the software fixes for these vulnerabilities will have a negative effect on system performance.” — Vulnerability Note VU#584653, CERT, Jan 3, 2018
Initial concerns from the field suggested that system performance may be noticeably impacted by many of the available vulnerability patches. Depending on the software workflow and the CPU capabilities present, the performance impact of software mitigations may be non-trivial for older and legacy architectures. For up-to-date cloud infrastructures built on newer silicon (2016-era Skylake, Kaby Lake or newer CPU), benchmarks tend to show single-digit slowdowns, per various reports including those from Intel, Red Hat, Microsoft, VMware, Apple, Amazon, Google, etc.
“Several industry partners that offer cloud computing services to other businesses have disclosed results that showed little to no performance impact.” — Intel Offers Security Issue Update, Intel, Jan. 9, 2018
These performance metric reports, along with CERT’s revised guidance to keep your processor and apply patches from various hypervisor, operating system, and chip manufacturers, should help to level-set concerns.
Here is an overview of the issue:
- Widespread with nearly all CPU vendors impacted, taking advantage of modern processor design architectures. This affects desktops, laptops, servers, storage, and even smartphones.
- Mitigations include updates to system software (Operating System (OS) patch) and firmware (BIOS, microcode updates). In some environments, this may include hypervisor patches, patches to virtualization software, browsers, and JavaScript engines.
- Security hygiene should continue. This includes ensuring devices are updated with the latest patches, employing anti-virus updates, encrypting data, and adhering to data backup and recovery best practices.
- These vulnerabilities do not have the potential to corrupt, modify or delete data.
- As Intel reported, researchers demonstrated a proof of concept. At this date, industry leaders along with LiveVault are not aware of any successful malware attempts based on these exploits.
- More information for the hardware vulnerabilities can be found here: https://meltdownattack.com/
We understand this can be a confusing time and want to reaffirm that LiveVault has not experienced any security or performance issues and that our network engineers remain in communication with technology vendors regarding the latest patches as they become available. As more remedies become available to treat Meltdown and Spectre, the complete scope of the vulnerabilities will become better understood, allowing for greater availability of patches to improve exploit protection and optimize performance. The LiveVault engineering team shall continue to maintain a non-disruptive backup experience, provide further updates when they become available, and deliver premium data protection. Your Backup Is Our Business.
[UPDATED 16-Feb 2018]
Our continued monitoring of the Meltdown/Spectre situation has prompted our team to augment our original post. We’ve seen a few inquiries regarding the status of our LiveVault® Onsite-TurboRestoreAppliances (TRAs), and we would like to reiterate that your personal information is not at any risk due to Spectre/Meltdown with on-site TRAs, and for that matter within the LiveVault backend. For our systems, the risk of these exploits is negligible because the data is encrypted and protected prior to reaching an Onsite-TurboRestoreAppliance.
Onsite-TurboRestoreAppliances (TRAs):
- All TRAs have Windows update configured to ensure the latest Microsoft security patches are installed.
- TRAs only manage data that was encrypted on the protected server before it left the protected server.
- TRAs do not have the logic or information needed to decrypt the data.
- Only originating servers have the decryption information, not the TRA.
- Multiple layers of security must be breached before Spectre/Meltdown can be exploited:
  - Someone has to get through the customer’s firewall and onto the customer’s network.
  - They then have to break into the OS on the TRA and install software to access the Spectre/Meltdown exploit.
  - The Microsoft security hotfixes are another layer the person has to get through.
- Even if software was installed to exploit the Spectre/Meltdown vulnerability, the only data at potential risk on a TRA was already encrypted prior to arrival.
To summarize, you can rest assured that your LiveVault team will continue our impeccable reputation for security and vigilance when it comes to the security of our purpose-built backup appliances and our cloud environment. Due to the forethought and design of our backup architecture, the use of our Onsite-TurboRestoreAppliances secures your data, with data encryption occurring before LiveVault’s backup processes reach a TRA.