Carbonite action items: Spectre and Meltdown protection

January 29, 2018

Carbonite is actively working to mitigate vulnerabilities across all systems affected by the "Spectre" and "Meltdown" bugs recently discovered in almost all modern Intel Corp. central processing units (CPUs).

Carbonite is committed to ensuring the security of our infrastructure and to protecting the partner and customer data entrusted to us.

What are Spectre and Meltdown?
Spectre and Meltdown first grabbed headlines at the start of January. The chip vulnerabilities were discovered independently by several security teams, but the Google Project Zero security research team was the first to report them.

The Spectre and Meltdown flaws exist in most Intel processors manufactured since 1995. The flaws could potentially give cybercriminals a way to launch what are commonly known as side-channel attacks. During a side-channel attack, malicious hackers use information gleaned from the physical implementation of a computer system (for example, timing or power consumption) to identify a weakness and break into the system.

Patches for Meltdown were issued in a recent update to macOS, Microsoft Windows, and Linux-based operating systems, although those fixes sometimes come with a significant performance impact. Experts say Spectre is more difficult to defend against and may eventually require Intel and other manufacturers to come up with new chip designs.

Industry analysts and security specialists agree that today there is no known method for a remote attacker to trigger these vulnerabilities. But that could change. And that's why Carbonite is taking action—and encouraging our customers and partners to take action.

How Carbonite is addressing the problem
The steps that customers and partners need to take to mitigate Meltdown and Spectre vary depending on which Carbonite solutions you are running and how those solutions are deployed. Here's a quick list of the types of deployments we offer and the related action items:

Cloud-only deployments
Solutions: Carbonite Safe, Carbonite Cloud Backup Powered by EVault, Carbonite Recover and Carbonite Endpoint Backup

Mitigation steps: Carbonite is actively working to identify and address any vulnerabilities caused by Spectre and Meltdown on services hosted in our data centers. We are working diligently to mitigate these risks with the highest priority. We are committed to the security of our infrastructure and to the protection of our partner and end customer data.

Hybrid (cloud and onsite) deployments
Solutions: Carbonite E2, Carbonite Hybrid Backup Powered by EVault, Carbonite Hybrid Backup/Carbonite Availability Powered by DoubleTake integrated bundle

Mitigation steps: For partners and customers who have an appliance as part of their cloud-hosted solution, Carbonite is actively working to identify and address any vulnerability caused by Spectre and Meltdown. To reduce the risk of exposure, third-party software should not be installed on the appliance. We also recommend not using the appliance to browse the public internet. We will be proactively reaching out to impacted partners and customers to provide specific mitigation steps and follow-up actions.

Onsite-only deployments
Solutions: Carbonite Onsite Backup Powered by EVault, Carbonite Availability, Carbonite Move Powered by DoubleTake and all Carbonite appliances purchased prior to July 2016, which may or may not be backing up to the Carbonite cloud.

Mitigation steps: The recently discovered Spectre and Meltdown vulnerabilities may directly impact end-user appliances and IT systems. For Carbonite appliances you have purchased outright, you are responsible for patching the Windows OS as well as for ensuring the latest version of Director SW is installed and running on the appliance. As part of the mitigation for this issue in particular, Carbonite suggests that third-party software not be installed on the appliance, to reduce the risk of exposure. We also recommend not using the appliance to browse the public internet.

For more information on how to protect IT systems, visit these pages on the Microsoft website:

· Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

· Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Managed Service Providers (MSPs)
Solutions: This category includes Carbonite Partners who have deployed Carbonite Onsite Backup Powered by EVault, Carbonite Availability Powered by DoubleTake, Carbonite Move Powered by DoubleTake or Carbonite appliances within their own infrastructure and offer them to clients as managed solutions.

Mitigation steps: We encourage all partners to take the security measures necessary to patch appliances and systems at their discretion. Carbonite data protection solutions are best used with the latest updates from software and hardware vendors.

For more information on how to protect IT systems, visit these pages on the Microsoft website:

· Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

· Windows Server guidance to protect against speculative execution side-channel vulnerabilities

For additional information on Meltdown and Spectre, visit this page today.
