Posts Tagged ‘Computer Security’

Putting Meltdown and Spectre in Perspective

Posted on: January 30th, 2018 by billp | No Comments

There’s recently been a lot of media attention around two vulnerabilities in computer chips. The vulnerabilities, given the ominous titles “Meltdown” and “Spectre,” exist in nearly all microprocessors made since 1995 — meaning they are found in nearly every popular business computer, home computer, and other devices such as smartphones and tablets.

One of the biggest challenges with cybersecurity is putting perspective to the severity of issues. Bugs and vulnerabilities that receive logos, names, and headlines usually result in a big – and often out-of-proportion – reaction. There’s no arguing the fact that these vulnerabilities are significant and should not be taken lightly. But, before you start to panic, the situation sounds a lot worse than it is. There is always a balance of “probability and exploitability” that businesses should consider in determining how likely they are to fall victim any cybersecurity vulnerability.

What are Meltdown and Spectre?

Both Meltdown and Spectre are hardware vulnerabilities in computer chips (microprocessors) that allow a non-privileged user to access information on the computer that they shouldn’t be able to access. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to access secrets stored in the memory of other running programs, which might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages, and even business-critical documents. This is a particularly big problem for cloud services like Microsoft Azure and Amazon Web Services, where multiple “tenants” use the same physical hardware.

Meltdown and Spectre require a high degree of sophistication, time, and luck for hackers to be able to exploit. These vulnerabilities have been around for 20 years and are something that both researchers and government agencies have been aware of for at least six months, yet we haven’t heard of any active exploits in the wild.

How Do I Protect Myself?

This is where things get complicated…

All major hardware and software vendors have released patches that address Meltdown and Spectre in the weeks since the disclosure of the vulnerabilities. In the case of Microsoft, its patches for Windows require that your antivirus software to updated to ensure Meltdown/Spectre updates won’t crash your computer (users of Colden Company’s Managed Antivirus are compatible with Microsoft’s updates). Intel released – and then retracted – updates to its microcode (software that runs the processor), and Microsoft then released an emergency update to fix the problems that Intel’s buggy updates caused.

The updates can be more impactful on computers (particularly servers) running older Intel processors and/or certain workloads, where updating to mitigate Meltdown/Spectre has the potential to reduce performance between 5% and 30%. The performance impact is very dependant on what software is running on the computer. Microsoft attempted to add some clarity to the potential performance impacts in a recent blog post.

To get back to the question of how you protect yourself and your business, Colden Company recommends patching – and not panicking – as reliable patches are made available from hardware and software vendors.  Ask yourself how quickly you can reliably apply known-good and tested patches from reliable vendors, especially on critical systems.

Use the following steps to guide you down a good path to mitigating Meltdown and Spectre.

  1. Update antivirus software to ensure Meltdown/Spectre patches from Microsoft aren’t blocked.
  2. Update operating systems with relevant patches.
  3. Update hypervisor hosts, guest OSes, and cloud instances.
  4. Update system BIOS / firmware.
  5. Update web browsers where applicable.
  6. Check for updates to other applications and peripherals.

If even the above steps seem daunting, our best recommendation is to partner with experts at Colden Company to help ensure your business is protected.

Conclusion

The scope of this issue is huge. According to a survey of 500 IT professionals by IT organization Spiceworks, 70% of businesses report they continue patching despite the guidance from Intel to stop. 46% of companies have reported performance degradation, 26% are dealing with system “hangs” and freezes, and 22% are experiencing issues with computers not rebooting properly after the patches are installed. Costs from the mitigation effort also mounting for some companies. 29% of companies with more than 1,000 employees said they expect to spend more than 80 hours addressing the flaws, and 18% said they expected to spend more than $50,000.

While exploiting either Meltdown or Spectre requires a high level of sophistication, it’s still early days, and incidents that take advantage of Meltdown and Spectre will be inevitable. Laptop and desktop workstations are at the greatest risk, so make sure that you’re current with Microsoft patches as they’re released. You should be diligent about patching all systems and mobile devices. Work with your cloud providers and business partners to ensure they have a mitigation plan. Don’t worry, don’t panic, but be diligent and be sure to install patches as soon as they become available for your specific operating systems and devices.

This is a complicated topic and can quickly become overwhelming. Give the experts at Colden Company a call and let us help you protect your business against these and other cybersecurity risks. Call us at 888-600-4560, email us, or visit us on Facebook or Twitter.







What Do Businesses Want From Their IT Company?

Posted on: July 29th, 2016 by jiml | No Comments

The question “What do businesses want from their IT company?” is a question we have been asking both formally and informally for many years here at Colden Company in an effort to make sure we are providing our customers with the best possible service. At a recent conference we attended, the same question was posed to businesses around the country by CompTIA for their annual study of the MSP market. As much as I would like to believe we have been selected by our clients for our technical expertise and the numerous technical certifications we hold as a result in our investment in continuing education, it is not the top factor in choosing an IT company. (It is a factor in retaining customers and customer satisfaction) Being able to resolve the technical problems is expected and while this is an underlying reason why many business choose to switch IT companies, it is not on the top item businesses look for when asked. What is the top quality businesses are looking for when choosing an IT vendor? Responsiveness.

Colden Company is very proud of our responsiveness and this is most often listed on our satisfaction surveys as a reason our customers have given us a 98% rating. According to a study done by SAManage, the average helpdesk response time to a high priority issue is eighteen (18) hours. Low priority issues take even longer on average to get a response. Here at Colden Company, we conducted a six month study of our response times in 2015 and found that we handled over 90% of customer calls immediately by answering the phone with a qualified technician and our response to emailed support requests was an astonishing 10 minutes.

If responsiveness is the top quality when searching for an IT vendor, what is the top concern that businesses want their IT company to address? According to the 2015 CompTIA MSP survey, a new item is at the top of the list: security. It is understandable, in these times, why security would have moved to the top of the list. Did you know that Colden Company has a Security Service offering? We perform a basic audit of your systems, looking at password requirements, conduct an active directory review, vulnerability scanning and much more. The protections that kept your business safe five years ago, or even a year ago, may not be enough in today’s environment. Security threats are on the rise both in terms of the number and severity. That is why we, at Colden Company, have pursued additional expertise in this area and are Security + certified as well as Disaster Recovery certified. We understand the threats that are out there that can harm your business. Let us help you protect your business and your critical data. As recent news stories show us, most companies are not aware of their security vulnerabilities. Call us to discuss a review of your network and data security. Better to spend time preventing a breach than recovering from one.

To get the process started, contact Colden Company at 888-600-4560, email us, or see us on Facebook or Twitter.







Balancing Security and Usability

Posted on: November 30th, 2013 by jiml | No Comments

With all of the security threats out there in our digital world, it is a never ending challenge to provide adequate security to your data and internal network. The question we are often asked by our customers is “Are we doing enough?”  There is always more you can do.  There is no silver bullet to secure your data and network.  Security is best accomplished through a layered approach.  The number of layers and comprehensiveness of each layer are a matter of degrees and should be discussed on a recurring basis.

There are certain basic security protocols that every business should have, such as a business-class firewall device, spam filtering, and – of course – business-class anti-virus. Most importantly would be a policy of having strong passwords on the network and devices.  Even the most secure device is easily hacked with weak passwords. What should your password policy be? Where that line is drawn is a decision your business needs to make for itself. For example, a twenty (20) character password is more secure than a six (6) character password. Which is appropriate?  The answer may depend on what kind of data you are trying to protect.  Are we protecting a customer list, or are we protecting customer social security numbers? Not all data are equal. A twenty character password would obviously detract from usability of the system, so if it is a password that needs to be typed regularly, chances are your users will not be pleased with your choice and productivity can even suffer in extreme cases.

There is an adage that the only truly secure computer is one that is turned off. While the adage is certainly true, that policy would not leave you with a very functional system to say the least.  There is a balance between usability and security.   The goal should be to bring the highest level of security you can along with the maximum amount of usability possible.  Those two goals are not in alignment in most cases, so the options must be weighed against BOTH criteria before a decision is made.

In most instances, there are many things that businesses should be doing beyond the basics we described above.  Education on security is important. Regardless of the topic, good decision making comes from an educated mind. Security is no different.  Employees that understand the importance of data security will make better decisions than those that do not.

Restricting opportunities for threats to enter the business should be looked at both physically and digitally.  Door locks and physical security for your office and computer room are obvious needs, and digitally limiting where you users can go on the Internet is appropriate for most businesses. Many businesses will choose to allow their employees to go anywhere on the Internet they please as a matter of employee satisfaction.  That is a choice a business can make, but there are consequences to decisions.  There is no need for employees to see a majority of what resides on the Internet.  There are endless sites that can bring malware into your network and the risk needs to be balanced against the reward of employee satisfaction. Management needs to be educated on the risks associated with those types of policies and the possible effects of those decisions so that informed decisions can be made.

The topic regarding data and network security are nearly endless. Unfortunately, the answer to the question “Are we doing enough?” is often “no.”  There is always more to do.   Security threats are not shrinking in number and becoming less impactful.  The facts are quite the contrary.  Data and network security will be an increasingly important factor for businesses to plan for in the future, as unfortunate as that is. In preparation, educate yourself to the risks and remember that there is a balance between security and usability.

We understand the task ahead can be daunting.  Let our experts guide you through the process of finding that balance that fits your business. Call us at (888) 600-4560 or at info@coldencompany.com. Don’t forget to “like” us on Facebook as well or send us a tweet @coldenco.