This is the second article of a two-part series on the Meltdown and Spectre vulnerabilities. In the first article, a security consultant and entrepreneur gave a breakdown of the vulnerabilities from their point of view.
Meltdown and Spectre continue to make the rounds in the news. While more information is coming to light and the realities of what in-the-wild exploitation would entail become clear, security practitioners are thinking about next steps and the future of the secure development lifecycle. Because we’re talking about a tectonic shift in hardware development (a process distinctly not controlled by the security team), security pros remain on edge. What’s more, the hype in the mainstream media is sparking fear among consumers, who are less likely to understand the true impacts behind vulnerabilities of this caliber.
It seems like everyone is talking about Meltdown and Spectre, but FUD[i] still drives the conversation. In an effort to remove FUD from the equation, InfoSec Insider has asked expert cloud researcher Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, to separate fact from fiction.
InfoSec Insider: Meltdown and Spectre have hit the news as the latest security catastrophe. To level set (in a nutshell) what are Meltdown and Spectre, and why are they important?
Mark Nunnikhoven: Meltdown and Spectre are the names of three similar vulnerabilities that all tie to CPU design choices. An attack can manipulate the timing of some instructions run by the CPU in order to access privileged memory from an unprivileged process.
Obviously, that’s a bad thing, as it circumnavigates a fundamental feature of CPU security: process isolation.
II: In reality — not worst-case scenario — what are the potential implications? We know about, “if in the hands of an attacker,” but what are we facing, really?
MN: With the initial release of the vulnerabilities, the research teams showed evidence of a proof of concept, but an attack hadn’t been seen in the wild at that time.
Since the release, we’ve seen other research and engineering teams replicate the findings in a variety of situations. There’s no doubt that these are high impact vulnerabilities.
The current scoring for these vulnerabilities has them as high impact (because of the potential information disclosure) and medium complexity.
With vulnerabilities like this, we’re bound to see attackers and cybercriminals start to use them in their exploits in short order. **But** security basics will go a long way to mitigating any risk you or your organization faces.
Educate yourself about the issue (good start, reading here), update all applications and operating systems (OS), and use basic security controls like anti-malware, intrusion prevention, and application control.
Those three steps will go a long way to addressing this and any other cybersecurity issues.
II: It’s still early, and Intel, along with other companies like Amazon and McAfee, has issued updates and said they are working on patches. Could updates and patches fix the problem?
MN: No. Updates and patches will mitigate the problem, which is very nearly the same thing for most cybersecurity scenarios. The challenge with Spectre and Meltdown is that the issues are in the chips themselves. Attacks against these vulnerabilities, once widespread, will abuse speculative execution, i.e., the way modern processors perform computing tasks ahead of time as a strategy to improve performance.
We’re going to have to make sure that all systems moving forward have these patches applied immediately. Eventually, a new generation of chip designs will address the issues on a more permanent basis. First, those chip designs have to be developed.
II: What about systems that are more than 5 years old? (Intel has said it is working on a resolution for hardware that has been released in the last 5 years.)
MN: Depending on the chip architecture, some systems older than 5 years will still be affected. Users and organizations should check with the manufacturer and OS organizations to verify if their specific systems are impacted.
In general, most affected systems will have updates available within a reasonable timeframe. Microsoft has made an exception to their normal patch rollout schedule (“Patch Tuesdays”) and is offering an out-of-band patch for unsupported versions of Windows to ensure that everyone affected is no longer at risk.
II: From a practical point of view, what can organizations do (aside from waiting for patches)? What about end users who aren’t aided by enterprise security teams?
MN: Responding to this issue is an interesting situation because word of it leaked earlier than expected. That’s why the messaging is a bit confusing and disorganized. The patches required have been in development for a while and should be available in short order for all affected systems.
Until patched, organizations should increase their sensitivity to alerts within their network, especially on outbound traffic. These attacks are extremely difficult to detect, so organizations will have to monitor for other indicators of compromise.
For end users, the answer is a little simpler. Turn on automatic updates for your operating system and applications, including your security controls! Double-check with your vendors to ensure that they are addressing the situation quickly.
II: In your view, what do mass vulnerabilities like Meltdown and Spectre say about the state of IT architecture and information security today?
MN: Mass vulnerabilities like Meltdown and Spectre highlight the complexity of our digital world. These particular issues are at one of the lowest levels of our systems but the impact is being felt throughout the ecosystem.
With any complex system, resiliency is critical.
For most organizations, this comes down to the ability to rapidly and consistently deploy patches and updates. Long gone are the days where the risk of deploying the patch was higher than the risk of attack.
Today’s organizations need to be able to quickly push out updates to **all** of their endpoints.
Meltdown and Spectre will not be the last vulnerabilities. Given the pace at which technology moves, we will continue to see serious and significant issues at a constant rate. Preparing now to handle these types of security vulnerabilities will go a long way to improving your security posture.
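As an added illustration of the advice above to verify with your OS vendor whether a specific system is affected (this script is not part of the interview or the article and is not Trend Micro's code): on Linux, the kernel publishes its mitigation state for each of the three issues as small text files under /sys/devices/system/cpu/vulnerabilities/ (the interface appeared in early 2018 and was backported to distribution kernels). The script reads those entries, classifies each one, and lists the issues where the host still reports itself vulnerable or gives no answer at all. The directory path and the "Not affected" / "Mitigation:" / "Vulnerable" prefixes are what the kernel exposes; the SAMPLE dictionary is constructed sample data, not output captured from any real host, and the CVE identifiers are deliberately omitted because the article does not cite them.

```python
"""Report Linux kernel mitigation status for Meltdown and Spectre.

Added example, not from the original article. It assumes a Linux kernel that
exposes /sys/devices/system/cpu/vulnerabilities/; on other systems every
entry is reported as unknown so the host is flagged for manual follow-up.
"""
from pathlib import Path
from typing import Dict, List, Union

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# The three issues the interview refers to, keyed by the kernel's file name.
ISSUES = {
    "meltdown": "Meltdown",
    "spectre_v1": "Spectre v1",
    "spectre_v2": "Spectre v2",
}


def classify(status: str) -> str:
    """Map one sysfs status string to a coarse verdict.

    The kernel writes one line per file, e.g. "Not affected",
    "Mitigation: PTI" or "Vulnerable" (optionally followed by details).
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(sysfs_dir: Union[str, Path] = SYSFS_DIR) -> Dict[str, str]:
    """Read each vulnerability file.

    A missing file means the kernel predates the interface (or this is not
    Linux); that is recorded as unknown rather than silently treated as safe.
    """
    base = Path(sysfs_dir)
    result: Dict[str, str] = {}
    for name in ISSUES:
        try:
            result[name] = (base / name).read_text().strip()
        except OSError:
            result[name] = "unknown (sysfs entry not present)"
    return result


def summarize(statuses: Dict[str, str]) -> Dict[str, str]:
    """Verdict per issue, e.g. {"meltdown": "mitigated", ...}."""
    return {name: classify(text) for name, text in statuses.items()}


def needs_action(statuses: Dict[str, str]) -> List[str]:
    """Issues where the host is still vulnerable or the state is unknown."""
    return [n for n, t in statuses.items()
            if classify(t) in ("vulnerable", "unknown")]


# Constructed sample resembling a partially patched host (not real output).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}

if __name__ == "__main__":
    live = read_status()
    for name, text in live.items():
        print(f"{ISSUES[name]:<11} {classify(text):<13} {text}")
    todo = needs_action(live)
    print("Action needed:", ", ".join(ISSUES[n] for n in todo) if todo else "none")
```

Run it as root or as any user (the files are world-readable) on each host you manage; a non-empty "Action needed" line is the cue to chase the vendor update the interview describes. Because an absent entry is reported as unknown rather than as safe, a fleet scan will not quietly pass hosts whose kernel is too old to know about these issues.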
[i] Fear, uncertainty, and doubt—a common scare tactic.
Interested in learning more from subject matter experts like Aaron Turner? Join us at InfoSec World 2018 in Orlando, Florida. You can view the entire agenda here.