The past couple of weeks have sparked a lot of talk about the recently disclosed “Meltdown” and “Spectre” vulnerabilities in CPU architecture. These have the potential to affect so many different types of devices (PCs, servers, smartphones, tablets, etc.) that obviously it’s a very big deal. That being said, let’s not make it worse than it has to be. An organization’s overall approach to security, if layered enough, should help mitigate these vulnerabilities and dramatically cut down the surface area available for exploiting them.
This is good because proper, complete protection from these weaknesses may yet be a long time coming, and current options are yielding mixed results. The best way to mitigate these will really be in the form of a hardware upgrade or replacement, but those newly designed CPUs are still quite a ways away from reaching the market, and even when they do get here you probably won’t be able to just pop them in and call it a day.
BIOS and firmware updates are starting to appear, but these have come with their own bevy of issues in the form of unexpected reboots. Deploying these may be time-consuming and cumbersome for many organizations as well, but it may prove to be a necessary step once the updates have proven reliable.
Software and OS patches are on the way, although rushing to deploy them has the potential for problems. Already Microsoft has released, recalled, and re-released patches to fix the problem. Even as the vulnerability is mitigated, the question of how hard it will impact performance can’t be answered that easily. In some cases the cure could be worse than the disease.
So am I saying you shouldn’t patch? Of course not. However, this would be a good time to evaluate whether you have a patching process in place. Having a steady, reliable process in place to ensure that patches get deployed to the systems in your organization regularly can help to protect you not only against these issues, but against future unknowns as well. If you don’t have this, it might be time to think about it. With a process in place, it will be much easier to evaluate which patches are needed and which have proven reliable or problematic, and then process the updates accordingly as the dust settles.
In order to make use of these exploits, the attacker will need to get into your environment to begin with, so having the rest of your security ship-shape is just as important. That also means that cloud and multi-tenant providers should be far more concerned about this than the average stand-alone environment. While we can’t know for sure, it seems many experts believe these vulnerabilities will be more likely to be used in specialized, highly targeted attacks rather than in wide-scale mass deployments affecting many users. The nature of the exploits means that attackers need to both read into this memory and then figure out something useful to do with what they find. Historically, that hasn’t been easy to use at scale, and instead is useful in isolated, focused attacks.
The key thing to remember is: Don’t Panic. As critical as these flaws are, they are still but one of many possible attack vectors that impact technology every day. Take the time to evaluate how you are handling security as a whole, and don’t just rush to lock the front door while the screen door out back is swinging open.
Originally posted at https://www.linkedin.com/pulse/meltdown-spectre-dont-panic-craig-anderson/