Heartbleed. Shellshock. Stagefright. And now, Meltdown and Spectre. These are all recent examples of so-called “zero day” vulnerabilities exposed in computer systems that cause IT, security, and business professionals to scramble. These cyber vulnerabilities are popping up with greater frequency each year and will inevitably continue. Each new threat requires specific tactical responses. These vulnerabilities also mean that some cyber attacks and security breaches are inevitable.
Enterprise business processes and systems need to be designed to be resilient and recover effectively from any attack. Cybis, a Convergint Technologies company, can help clients ensure they are both defended and resilient, and to help navigate what can be a confusing set of conflicting news reports, difficult choices, and trade-offs.
Meltdown affects nearly every Intel CPU produced since 1995, from early Atom processors to the latest server-grade Xeon chips. Meltdown lets an unprivileged user process read arbitrary physical memory, including kernel memory, on the millions of systems running Intel chips. If attackers are able to run a malicious program or script on a machine, Meltdown can be exploited. Instead of being fixed via a firmware update, Meltdown is patched by OS updates issued by the relevant vendor—e.g., Microsoft, Apple, Linux distributions, etc.
Spectre, however, is vendor-agnostic, affecting Intel, AMD, and ARM processors alike. With Spectre, attackers can read memory from the current process, but not kernel memory or other physical memory. Like Meltdown, Spectre exploits weaknesses in the way that CPUs perform “speculative execution” to speed up their ability to process data and execute tasks. Because speculative execution is baked into almost all modern CPUs, patching will take time. Some manufacturers have started releasing patches to turn on safeguards, but a full fix is not in sight, and the mitigations could end up reducing CPU performance.
What does this mean for your organization?
Both Meltdown and Spectre are noteworthy vulnerabilities affecting a vast number of endpoints, but as of today, no known exploit has been observed in the wild. First, Meltdown and Spectre are not trivially exploitable, so don’t expect script kiddies to run wild anytime soon; this will take some seriously skilled hacking. Second, security researchers shared their knowledge of Meltdown and Spectre with CPU manufacturers and OS vendors well before the public disclosure.
Microsoft has been testing patches since as early as November 2017, leading to a fairly stable patch roll-out over automatic update channels. Cloud vendors such as Amazon and Microsoft have also pushed out patches to Azure and Amazon Web Services servers more quickly than many organizations can patch their internal systems. This blocks an attacker from breaking out of their cloud virtual machine and into other private instances. So, while organizations should work to patch any affected systems as quickly as possible, Meltdown and Spectre are unlikely to be the source of an organization’s next big breach. Some of these patches have been rushed to market and implemented without sufficient testing, causing operational issues and system downtime, so be sure to test before deploying.
How can you protect your organization?
At the end of the day, what should be done to protect organizations from vulnerabilities that have lain dormant for decades, and in some cases, cannot be fully fixed until they are engineered out during the next hardware refresh?
Start by asking these questions to help prevent a breach and limit its impact:
1. Can we detect anomalous activity on the network and anomalous activity on endpoints? Do we have the right tools and monitoring processes in place?
2. Do we have a process to quickly roll out patches to our affected systems over a reasonable time frame? Have we segregated our most important assets from less vital systems? Are we testing quickly but thoroughly?
3. Are user permissions and access to critical information granted based on a policy of least-functionality and a need-to-know?
4. Are our hosted, virtual, and cloud-based systems protected and updated as well as our on-site assets (and vice versa)?
5. Do we understand the value at risk in our business, how it looks to an adversary and what assets must be protected at all costs?
6. Are we prepared to respond to an incident and recover from a breach, so that the continuity and profitability of our business are ensured?
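One concrete check behind the second question, added here as an example and not part of the original post or of Cybis’ tooling: on Linux, the kernel reports its own Meltdown and Spectre mitigation status in one file per issue under /sys/devices/system/cpu/vulnerabilities/ (a real interface on kernels that carry the fixes), so a short script can confirm whether a patched host is actually running with mitigations enabled. The function names and the directory-argument convention are this example’s own; the status strings it classifies follow the kernel’s "Not affected" / "Vulnerable" / "Mitigation: ..." wording.

```shell
#!/bin/sh
# Added example: summarise the kernel's Meltdown/Spectre mitigation status.
# Each file under the sysfs directory holds a single line such as
# "Not affected", "Vulnerable" or "Mitigation: PTI" (the last is what a
# patched Intel host reports for Meltdown).

DEFAULT_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints: ok | vulnerable | unknown
# "ok" covers both "Not affected" and any "Mitigation: ..." line.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_cpu_vulns [DIR] -> prints "<issue> <class> <raw line>" per file.
# Returns 0 if every issue is mitigated or not applicable, 1 if any issue
# is still reported as vulnerable, 2 if the directory is missing (kernel
# too old to report, or not Linux).
report_cpu_vulns() {
    vuln_dir="${1:-$DEFAULT_VULN_DIR}"
    rc=0
    if [ ! -d "$vuln_dir" ]; then
        echo "no $vuln_dir: kernel does not expose mitigation status" >&2
        return 2
    fi
    for f in "$vuln_dir"/*; do
        [ -r "$f" ] || continue
        line=$(cat "$f")
        cls=$(classify_status "$line")
        printf '%-14s %-10s %s\n' "$(basename "$f")" "$cls" "$line"
        [ "$cls" = vulnerable ] && rc=1
    done
    return $rc
}
```

Run `report_cpu_vulns` with no argument on the host being verified; a non-zero exit means at least one issue is still listed as vulnerable and the patch roll-out for that host is not finished.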
Cybis is here to help answer these questions and provide a critical eye towards an organization’s security. The approach integrates cyber security with physical and human elements to help clients “think like an attacker”. With the security world off to a fast start in 2018, Cybis is ready to help make sense of cyber issues and prioritize security goals for the year ahead.