
AMD Ryzen and EPYC Processors a Threat?

Product Manager

So, I wanted to at least touch base with everyone on the “scandal” of the week. Is it fake news? New ways for stock gouging? New ransom type embankments? Corporate espionage?

I waited until at least some of the dust had settled to write this post. I wanted to be able to make accurate judgment calls and present a level-headed offering of thoughts and ideas. Here they are:

  1. Yes, there are security flaws (over a dozen) within these processors.
  2. No, at this time they are not mission critical, because an attacker has to have physical access AND the administrator/root information.
  3. The lab that sent out these security flaws had stock associated with their finds.
  4. They only gave AMD 24 hours to resolve the issue before they sent the processors out.

People are still discussing the processor story, so consider this an up-to-date discussion. Let it also be a friendly reminder that we have to check the general “sky is falling” mentality, especially in security. Key takeaway? Focus on best practices.

We should strive to have due diligence on the risk, determine appropriate measures to respond, and showcase the balance between risk and business as usual.

Since I believe you can benefit from them, here are my top three security practices:

Infrastructure monitoring

Determining baselines winds up bringing incredible value to any organization, department, and technology as a whole. The importance and power of baselines sometimes gets overlooked, and that saddens me. It is all too common for folks to wait until after they experience an incident to set up monitoring. That is simply a reaction, not a proactive approach.

Once you begin monitoring, you can start comparing solutions to risk. This is how you can test solutions to risks and vulnerabilities before you go full on “PLAID” mode (Spaceballs reference. #sorrynotsorry), only to find that you have created a larger issue than the risk itself. Comparative reporting is an excellent way to prove that you have done your due diligence in understanding the impact of the threat and the solution as a whole.

Threat management policies

You should determine a policy that addresses ways to deal with threats, vulnerabilities, and concerns immediately and openly.  It should live where everyone can access it, and be clearly outlined so everyone knows what is happening even before you have the solution. This helps to stop or at least slow down management fire alarms, universally expressed as, “What are we going to do NOW?”

The policy should include a timeline of events that everyone can understand. For example, let everyone know that there will be an email update outlining next steps within 48 hours of the incident. In other words, you are telling everyone, “Hey, I’m working on the issue and I’ll make sure I update you. In the meantime, I’m doing my due diligence to make sure the outcome is beneficial for our company.”

Asset Management

You can't quickly assess your infrastructure if you are not aware of everything you manage, period.

There is power in knowing what you are managing in many realms, but my first go-to is asset reports. I need to know quickly what could, and more importantly what could not, be associated with any new threats, concerns, or vulnerabilities.

The types of tools that allow me to monitor and update my assets give me much needed insight into where my focus should be, which is why I go there first. Doing so ensures that I won’t be distracted or overwhelmed by data points that aren’t relevant.

Finally, the responsibility of tracking and understanding any types of threat should be proactive and fully vetted. We should want to understand the issues before we blindly implement Band-Aids that can, potentially, hinder our business goals.

Using information to better the security within our organizations also brings us into the fabric of the business, assisting efforts to keep business costs low.

    

I hope you join this conversation because there are several touch points here. I’m very curious to hear your thoughts, comments, and opinions. For example, did you believe, when the processors were released, that they were a form of ransom? Do you see other opportunities to manhandle a company’s earnings by highlighting exploits for others’ gain?  Or, maybe you just sit back, watch the news with a scotch in your hand, and laugh.

Let's talk this over, shall we?

~Dez~


33 Comments
Level 13

Good Article

Level 13

Have to say I think the scandal of the week is Facebook and Cambridge Analytica.

Level 20

I did notice that AMD just dropped the price of both new processors!

Also you're right about the asset management.  That's really the first place everything should start as far as I'm concerned even though I hate doing asset management!

Level 13

Facebook -- scandal of the week

I love your initial assessment and observations.  Item #3 in particular stands out head and shoulder above the rest.  Followed closely by item #4.

"Follow the money" should be the mantra we never forget.

Level 16

I agree with rschroeder and "Follow the money".

MVP

Nice Article Dez

Product Manager

OMGoodness YES!  I've been saying for years the owners of those quizzes and or FB would have some great analytics on people in general.  Then I started looking at their policies of use and was like OMG they literally take over permissions of everything.  I took 2 quizzes from FB in 2015 and haven't since.  I also go through weekly on allowed applications etc to make sure nothing is going crazy there...

Product Manager

It can be a nightmare...  However, it's a necessity regardless.  I've found mostly it's the "just getting started" that's the biggest battle.

Product Manager

Isn't FB always scandalous, lol

Product Manager

I've been watching it and thinking about the scenario, a lot.  I can really see where this can become a new type of ransoming.

Product Manager

Thank you!  I at least try to keep it as honest as possible and as much info as I can "legally" have within, lol.

It's true, but sad and ishy at the same time.  Why people have to be so . . .  (fill in the blank) is beyond me.

Level 20

I deleted the FaceBook app on my android phones a couple years ago... it's ridiculous how obnoxious that app is!  If you really have to check it just use the website is my advice.  I don't have any personal information on mine and it's not my real name!

Agreed--FB's app is FAR TOO INTRUSIVE and INVASIVE.  Its "Like" feature enables companies to not only mine your personal history, but also that of all your FB friends.

Mark Z. came up with a very insidious and attractive tool, from which far too much is extracted and used to target and track a person and their friends.

It's why he's so wealthy, and why we're subjected to so much wasted advertising and misinformation.

Product Manager

Ugh, it plays up the self-conscious and self-loathing of our minds.  The amount of data AND the way a business on FB can target users so easily is mind blowing, to me.  Yet, they state how they don't understand HOW people could buy ads and pinpoint or target people...  The lack of users' knowledge of the amount of information they place on FB is beyond me, also.  I see friends post their phone numbers and have a public profile. This is another reason why I wish I could reach people on all levels and just talk security with them.  It's a passion of mine to educate users at all levels on the importance, but as my husband says "You can lead a horse to water...".

~Dez~

Level 14

And people laughed at me when I said I wouldn't use Facebook.  I guess they aren't laughing now.  I'd be very worried if I had used it.

Level 20

Before FB it was MySpace remember that one too?  I think it kinda started the craze that's made people too too self absorbed for one thing!  The whole "like" thing is like some popularity contest going on all day every day... which I think really isn't that good for people.  Also the fact that people don't hardly even talk face to face anymore.

Product Manager

I have a healthy dose of visiolibriphobia

The endorphins that come with the "likes" in children make me wonder if that is yet another cause for seeking out the next "high"...

Product Manager

Happen in 2013 for the data collection and supposedly FB is going to alert all users.  That will be interesting...

You fear Visio Stencils? 

Perhaps I'm a Visiolibriphile.  I'd love to see them incorporated into SW mapping tools.

Good article, nice approach. One should assume a calm and deliberate mindset when faced with these "sky is falling!" announcements. I had to talk execs off the ledge with Spectre & Meltdown. I am hoping the effort extended there will buy me calmness for this latest, in a long line of, "calamities."

It seems that every article headline is now intended to be clickbait and crave on our worst fears these days. What I want to tell my bosses: "Calm down people! This is the world we live in." 🙂

MVP

For years we have relied on the vendors and manufacturers to "take care of us." They were staying on top of patches, firmware, and generally watching out to make sure their products were good, safe and reliable. All good in theory, but more and more we see with the complexities of the industry we in IT have to better watch our own environments and be aware of these numerous threats (and of course understanding which ones truly affect our environments). More work for us - yet another reason to adopt what a friend of mine has called "Zero-Trust."

Why zero trust for the manufacturer? Well take for example the Diesel scandal - VW was the first one caught, so they got the hardest punishment, but even now we are finding that pretty much every manufacturer of Diesel cars and trucks had a similar mechanism. I'm not saying that we should always worry and be afraid - just verify before just assuming.

Level 14

I always assume they are lying to us.  After all, they are only interested in making money.  As for the Diesel 'scandal'.  Everyone knew they were at it.  It's just that no one had bothered to check.  On my bike I replaced the whole exhaust with a race version (wider bore and titanium silencer for higher air flow and lightness).  Combine that with a Power Commander with a customised fuel map and a high flow air filter and I've added about 15bhp.  Doesn't sound like much but my 600cc will now do over 170mph.  I can set the power commander to also allow it to pass the emissions tests and then change it back after.


MVP

Wow, your bike looks almost exactly like mine.

Level 14

That's fighting talk.  I think we should race.    

Level 17

Great Info! Thanks

The AMD issues are real but I am not sure if the threats have a direct attack vector. 

I rode to work today.  Here is an older picture of my 2008 Victory Vision.  42,000+ miles on it and still going strong.


Ride Safe!

RT

I guess you already have answered your question above. It's all about the money. There is a saying here in Germany that translates to "greed eats brain". My English proverb skills are getting a bit rusty so I don't remember if there is something like this in the English language or if it is even the same as in German.

No matter how, as long as there are monetary profits there will be people who just don't care about consequences as long as it fills their pockets.

When thinking about it, this could end in a discussion about universal basic income...

Level 21

Frankly it surprises me that folks are so surprised when it comes to light that Facebook has all of your information and others were able to access it.  If you go out of your way to put all of the information about your life on a website it's only a matter of time before it's mined by others.

Not sure if anybody watched or listened to the Congressional hearing with Mark Zuckerberg but much of it was totally hilarious, I don't think a single person questioning him was qualified to do so.

Level 21

Dez, I think it's great that you point out to "check the general "the sky is falling" mentality" as it seems like we have at least one of these types of events every few weeks now and we can't all be running around like Chicken Little if we plan to keep things running.  It's important to have a really solid block & tackle security practice in place to handle these events as they are going to keep coming up.  Often good security practices and design will minimize or negate the impact of many of these weekly issues in the first place.

Level 12

AMD by the way rocks.  Ryzen and EPYC are great CPUs.  Intel processors have a lot of security flaws:

Meltdown and Spectre

ZombieLoad

Foreshadow

Foreshadow-NG

RIDL (Rogue In-Flight Data Load)

Fallout

MDS

Did I forget some? Dez

Level 12

I finally bought my new Ryzen 9 3900 12 core 24 thread at 65W TDP for only 480 euros.

AMD rocks!

About the Author
I started in networking and security around 2002 by taking Cisco Certified Network Associate and Security+ courses from Central Vo-tech. This is where I fell in love with technology in general. From there I ventured out to internships and started using the Engineers Toolset from SolarWinds, which made me wonder about software. The company I was with purchased Cirrus, which is now Network Configuration Manager (NCM), and I was officially hooked. I searched out SolarWinds and, well, you guessed it, I started working for them and, believe it or not, in sales. That was the only position open but I knew I wanted to be here. So I quickly worked my way into the support side and became the first Sales Engineer and then the first Applications Engineer. Since I am a very curious person, I have since, in my 9 years of being at SolarWinds, decided to pursue more education. Security is always a fascination to me so I started taking classes on INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) of the NSA. Then I went and took the CIW Masters for web development and ventured to databases. MCITP SQL Server and Development certifications led me to a database development degree in college. I’m pretty much a jack of all trades and LOVE IT! This all applied to my work with SolarWinds as I wanted to be able to help customers solve their issues or needs. So knowing more information allowed me to do this successfully. I also dabbled in Cisco UCS management and am currently taking classes to venture toward a CCIE (crossing fingers). NCM is a product that I have worked with since its beginning. I even had the opportunity to fly to the NSA to create templates for some of their devices. I used to be the sole MIB database controller so I’m definitely your huckleberry on MIBs and OIDs.
As an Applications Engineer I focused on Network Performance Monitor, Network Configuration Manager, Web Performance Monitor, Enterprise Operations Console, Patch Manager, User Device Tracker, and the Engineers Toolset. See why I like to constantly learn new things? I had a lot to be on top of! SolarWinds is a passion of mine still to this very day. My new role as a Product Manager for NCM is home to me. Funny how I circled around back to my favorite product that got me here in the first place. :) My goal is to educate and work with customers to leverage our products to their fullest degree!