http://www.bbc.co.uk/news/technology-42788169

and the main question is what does this teach us about patching.

The best way of thinking about patches is a bit like a house. The closer the repair is to the foundations the greater the risk to the rest of the building. The closer to the roof – or in computer terms the interface the lower the risk.

Intel’s patches are effectively trying to dig up and relay the foundations of a house – without damaging the remaining structure. This is to say the least high risk – most would say this is unlikely to be complete without causing collateral damage.

This means two of the main paradigms of information security need to be balanced –

• The ongoing availability of systems
• Protection of data and assets from attack

Based on current reporting it would appear the threat to availability posed by the patches exceeds somewhat the threat to data and assets. Though this is potentially a fine balance – there is little news of an active exploit – and much news of issues resulting from the patches.

Though each company should and hopefully will have it’s own risk management strategy – this is maybe one where a deeper look is required.

The post Patching – digging up the foundations appeared first on pfp Solutions Ltd.

http://www.bbc.co.uk/news/technology-42733032

Why are these issues happening

The main issue is that a release cycle which would normally take a couple of years is being crammed into just a few weeks. This would normally involve vendors testing their software with the new CPU and microcode – and then fixing any issues.

We are now seeing not just one new CPU model being introduced with the associated microcode. We are seeing a re-release of all recent models of CPU.

The Impact

The real question now for IT and security specialists is where the balance lies between the risk of patching and not patching. Processor exceptions (blue screen of death) may be annoying on desktops. If the same issues were to occur on servers then this would be extremely disruptive. Imagine for example a database server randomly re-booting, losing data – and taking 10-15 minutes to come back online.

The Need for Risk Assessment

This is one scenario where a serious risk assessment needs to be performed before patching systems. The following need to be balanced –

• The risk of the exploit being used to compromise security
• The risk of applying the patch compromising availability and reliability of services

In looking at this once again IT and Information Security professionals need to look at possible modes of attack.  The main risk is with

• Browsers – and other interfaces on endpoints that interact with the internet
• Hypervisors in multi-tenancy environments
• Hypervisors where machines on different firewall segments are on the same physical host

In any case the realistic risk of an attack needs to be balanced against a fairly high probability service disruption.

The best advice at the moment is probably to start patching the less mission critical services. The allows patch stability to be assessed – and starts to lower the attack surface area. The other priority is to lower the attach service area by removing unnecessary software and services.

The post Meltdown – Issues with CPU microcode fixes and the need for risk assessments appeared first on pfp Solutions Ltd.

https://ico.org.uk/about-the-ico/consultations/children-and-the-gdpr-guidance/

The post Children and the GDPR appeared first on pfp Solutions Ltd.

The post Complete List Of CPUs Vulnerable To Meltdown / Spectre appeared first on pfp Solutions Ltd.

The post Guide to Meltdown Added appeared first on pfp Solutions Ltd.