AMD Ryzen and EPYC Processors a Threat?

So, I wanted to at least touch base with everyone on the “scandal” of the week. Is it fake news? New ways for stock gouging? New ransom type embankments? Corporate espionage?

I waited until at least some of the dust had settled to write this post. I wanted to be able to make accurate judgment calls and present a level-headed offering of thoughts and ideas. Here they are:

1. Yes, there are security flaws (over a dozen) within these processors.
2. No, at this time they are not mission critical because they have to have physical access AND the administrator\root information.
3. The lab that sent out these security flaws had stock associated with their finds.
4. They only gave AMD 24 hours to resolve the issue before they sent the processors out.

People are still discussing the processor story, so consider this an up-to-date discussion. Let it also be a friendly reminder that we have to check the general “sky is falling” mentality, especially in security. Key takeaway? Focus on best practices.

We should strive to have due diligence on the risk, determine appropriate measures to respond, and showcase the balance between risk and business as usual.

Since I believe you can benefit from them, here are my top three security practices:

Infrastructure monitoring

Determining baselines winds up bringing incredible value to any organization, department, and technology as a whole. The importance and power of baselines sometimes gets overlooked, and that saddens me. It is all too common for folks to wait until after they experience an incident to set up monitoring. That is simply a reaction, not a proactive approach.

Once you begin monitoring, you can start comparing solutions to risk. This is how you can test solutions to risks and vulnerabilities before you go full on “PLAID” mode (Spaceballs reference. #sorrynotsorry), only to find that you have created a larger issue than the risk itself. Comparative reporting is an excellent way to prove that you have done your due diligence in understanding the impact of the threat and the solution as a whole.

Threat management policies

You should determine a policy that addresses ways to deal with threats, vulnerabilities, and concerns immediately and openly.  It should live where everyone can access it, and be clearly outlined so everyone knows what is happening even before you have the solution. This helps to stop or at least slow down management fire alarms, universally expressed as, “What are we going to do NOW?”

The policy should include a timeline of events that everyone can understand. For example, let everyone know that there will be an email update outlining next steps with 48 hours of the incident.  In other words, you are telling everyone, “ Hey, I’m working on the issue and I’ll make sure I update you. In the meantime, I’m doing my due diligence to make sure the outcome is beneficial for our company.”

Asset Management

You can't quickly assess your infrastructure if you are not aware of everything you manage, period.

There is power in knowing what you are managing many realms, but my first go-to are asset reports. I need to know quickly what could—and, more importantly—what could not be associated with any new threats, concerns, or vulnerabilities.

The types of tools that allow me to monitor and update my assets give me much needed insight into where my focus should be, which is why I go there first. Doing so ensures that I won’t be distracted or overwhelmed by data points that aren’t relevant.

Finally, the responsibility of tracking and understanding any types of threat should be proactive and fully vetted. We should want to understand the issues before we blindly implement Band-Aids that can, potentially, hinder our business goals.

Using information to better the security within our organizations also brings us into the fabric of the business, assisting efforts to keep business costs low.

I hope you join this conversation because there are several touch points here. I’m very curious to hear your thoughts, comments, and opinions. For example, did you believe, when the processors were released, that they were a form of ransom? Do you see other opportunities to manhandle a company’s earnings by highlighting exploits for others’ gain?  Or, maybe you just sit back, watch the news with a scotch in your hand, and laugh.

Let's talk this over, shall we?

~Dez~

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.