The discovery of flaws in Intel’s chip design, affecting more than 20 years of hardware and appearing in just about every computing device on the market, has the education sector scrambling.
Kim Milford, executive director of REN-ISAC — a network of higher education information security professionals, representing 570 colleges and universities — told EdScoop that the organization’s member community “is blowing up over this.”
The vulnerabilities — dubbed Meltdown and Spectre — make it possible for a bad actor to find passwords and sensitive documents stored in memory, whether on desktops, laptops, tablets, cellphones or servers — including in the cloud. Even worse, such an exploit would leave no trace, and therefore no way to determine if there has been a breach.
Meltdown allows an attacker to access a device’s memory by removing the barrier between the operating system’s protected mode and the user applications, said Ryan Cloutier, principal security architect and Certified Information Systems Security Professional (CISSP) with Technology and Information Educational Services (TIES), a Minnesota-based educational technology solutions collaborative owned by its 48 member districts.
“This exploit is very difficult to execute, requiring a significant amount of knowledge of the interior workings of affected processors, but it also is very difficult to fix, as it would require a retooling of all processor architectures,” Cloutier told EdScoop. “So, [Spectre] will be with us for some time to come.”
One reason these bugs are of particular concern to K-12 and higher ed technology leaders is because of the huge number of devices being used in school districts and at colleges and universities. Students, teachers and administrators all have their own computing platforms — often multiple platforms — some issued by the institution, and many more owned by the individuals.
“I believe the variety of devices that you find in an average school district brings bigger concerns to the education space,” said Nathan Mielke, director of technology services for the Hartford Union High School District in Hartford, Wisconsin. “Where there may be more formalization in a private sector situation, you have a cornucopia of technology [in K-12] based on the needs the teachers are trying to meet. You’ll see quite a variety of devices, and each one of those various devices needs something different to make a fix.”
Milford, REN-ISAC’s executive director, said the complex computing environment at colleges and universities adds to the difficulty of dealing with the two vulnerabilities.
“We have virtual servers, cloud servers, servers where users have code access,” Milford said. “In each of the categories, [you have to] determine which are priorities because you can’t patch them all at the same time. One of the highest for us is virtual servers, because we don’t know where one system ends and the other begins.”
TIES’ Cloutier said the first round of patches “is not going well. It will probably take three or four iterations before they get this right.”
The initial patch is having unwelcome side effects. “It affects performance so drastically,” Cloutier said, with early indications showing about a 30 percent decrease in server performance. “Database servers are going to be impacted [and] mission-critical systems that run at higher utilizations are going to feel a greater impact.”
He estimated it will take his team about 300 hours to address TIES’ servers and devices. “This takes time and money away from other activities,” Cloutier said. “Also, we are having to do extensive testing to see if the potential performance impact of this patch will negatively affect our systems.”
Milford said that, in response to the security flaw, her organization is compiling a resource kit for its members, to be shared in a community setting where they can add what they’re doing.
“Our primary focus is assisting REN-ISAC members,” she said. “Once we develop the resource kit, we’re happy to share open-source resources more publicly.”