Intel CPU Security Center Bulletins

https://www.intel.com/content/www/us/en/security-center/default.html

With another raft of announcements about Intel processors, reviewing this Intel bulletin page is time well spent. But what else can be done?

If you’re planning future procurement strategies, it would make sense to consider hardware options that minimise exposure to these issues. To what extent that can be remedied is not straightforward from what I’ve seen so far. Some issues can be patched at OS level, with a potential performance impact, but others are trickier.

One concrete step you can take is to buy systems that have a good support horizon from the manufacturer. Vendor support throughout your intended operating lifespan is crucial, as all hardware-level patches for CPUs (as opposed to OS-level patches) are being distributed by Intel through OEM updates. It’s good practice in any case to ensure your hardware has good support coverage.

On top of that, put in place a patch management policy and plan to ensure hardware-level patches are regularly applied. Hardware-level OEM patches will typically require manual intervention.

And let’s not forget support in vulnerability scanners for the relevant CVEs, such as the Nessus Spectre/Meltdown plugin. Put in place a good scanning process, using external consultants if needed, to ensure vulnerabilities are managed.