Serious computer security problems are coming too hard and fast- 7 mins
It's the beginning of the second week of January. Shortly before Christmas last year a major flaw was disclosed in Intel's management engine that affects almost every Intel CPU manufactured in the last 15 or so years. The process for resolving this flaw is disruptive, particularly to servers and the business processes that depend on them. But before the updates could be made available for this issue, a pair of new serious security flaws affecting even more products were disclosed in the press, a little bit ahead of the schedule hope for by the companies whose products are affected.
So before even a single week of 2018 was completed, a small number of serious security problems of unprecedented scope have to be dealt with by IT professionals globally. There is one big thing that makes this collection of issues different and that's that antivirus software doesn't do a lot to protect against these problems. Against the Intel management engine flaw antivirus is completely useless. Against the other issues, it might pick up the delivery mechanism, or the payload, but not always.
I tell you a little secret about IT. Most business IT is no longer funded sufficiently to have the resources to manage these problems properly. Business IT support has come to rely heavily on functioning antivirus software and automated Windows updates to mitigate the majority of the risk facing desktops and laptops. IT support departments know that they have a big problem with travelling laptops and just hope the timing of major outbreaks doesn't coincide with a large amount of executive travel and the return of potentially exposed laptops to behind the firewall.
Antivirus software, in most instances, functions properly and is installed properly on about 99% of laptops and desktops inside any given organisation. Windows updates typically work on about 95% of those same computers. The overlap of these two security precautions provides a level of coverage that allows most cash-strapped IT support divisions to largely ignore the security on workstations and focus on keeping servers, some of which are exposed directly to the Internet, up-to-date. Because these new issues cannot be protected against solely through these two mechanisms, many IT support services will struggle to manage the monitoring and deployment of the updates required. This, combined with the scope of these problems, which, when combined, affect almost every computer on the planet, present a high risk to everyone.
While I won't go into detail about the services my company provides, I can say that I am currently developing improved workstation management policies and procedures and I will need to have a conversation with almost every client about an increased requirement for IT support this month, and moving forward.
As much as this is a technical and procedural challenge for IT, the bigger challenge to IT is convincing management to allow the additional disruption to staff and in some cases the additional cost to the business. While preventative maintenance on servers is something relatively easy to sell because a server outage affects large amounts of the company at once, trying to gain access to a laptop or desktop that does not appear to have problems, and the user is using to get their work done, is significantly harder. While a business may allow an hour or two a month of server maintenance that results in a cost either financially or to productivity, a business will baulk at an hour or two per workstation throughout the organisation. Even if you get sign off for this sort of maintenance the staff, who are typically already under pressure with increased demands for efficiency and increased workloads, will be reluctant at best to be interrupted and will sometimes be downright obstructionist.
Under normal circumstances when a new virus surfaces, even if it uses a zero day exploit, IT can largely ignore the threat on workstations and allow the antivirus and updates to catch it. IT might hope that people avoid dodgy websites or don't open dodgy attachments, but would expect overall the security threat to be manageable and to be patched more or less automatically before the problem gets serious. With the issues in the wild at the moment one user visiting the wrong website or one laptop user returning to the office after joining the wrong Wi-Fi network can result in every device within an organisation being compromised automatically. While these are always abstract risks, they are much more immediate risks with the current issues.
Time I had put aside for business development and networking this month will instead be used to rapidly develop a framework for ongoing management of workstations and security issues affecting them, and a large amount of client liaison explaining to our customers, many of whom are actively trying to reduce their IT expenditure, why there is a large amount billable of IT work in the near future. I will also be trying to sell the idea potentially of multiple server reboots in January, something one client has already rejected despite the significant security risks. Fortunately the first customer that I have a scheduled site visit for this month is a customer on a maintenance plan where they do not pay directly for our time, giving me a little bit of room to work on the practicalities of managing these workstation issues, without having to also get a sign off for what could potentially be quite a large bill. But the vast majority of our customers will need to agree to workstation maintenance in January at an unprecedented level and cost I expect them to be reluctant to accept.
This tale of doom and gloom has so far only really discussed traditional businesses with a company fleet of computers and either an in-house outsourced IT support team. This is far from the only configuration out there and there are businesses exposed to far higher levels of risk due to their relationship with IT equipment. For example there is one industry that I've been involved in on and off through my career that tends to encourage their sales staff to provide their own IT equipment. Businesses in this industry will sometimes push the provision of antivirus software and the costs of IT support of these personal devices onto the staff. We have one such customer and at this point I honestly do not know how to manage the threat to their organisation from the current issues. The security updates and ongoing management of the workstations are essential for the security of the organisation, but rely on their staff as individuals to make sure their own equipment is up-to-date. I am hoping the organisation will make an exception to who pays for this maintenance, or else it will be exposed to an unmanageable level of risk.
Then there's home PCs. I almost don't want to think about home PCs. Even under the arguably ideal circumstances described above involving Windows updates antivirus software, home PCs routinely get infected by threats that should be easy to manage. Since "easy to manage" is certainly not how you would describe the current issues facing computer users, I expect the vast majority of home PCs to be vulnerable until they are either crippled by an exploit or simply retired at the end of their life. Even if we were able to get information to them about the actions people should take to protect the home PCs, the level of computer literacy required to successfully apply the full set of updates is well above that of the average home user.
January will certainly be an interesting month for computer security. I am hopeful that our company will come out of that both with a robust plan for maintaining workstations moving forward, and with no major disaster befalling any of our clients.