With organisations suffering somewhere in the region of two to three focused security breaches every month, the "Meltdown" and "Spectre" vulnerabilities are a major cause for concern. These vulnerabilities stem from flaws in microprocessor design and leave the world’s laptops, desktops, servers, smartphones, other mobile devices and cloud services open to potential attack and abuse. Significantly, given the nature of the vulnerabilities, it’s highly likely that attacks will go unnoticed by the enterprises affected.
How the vulnerabilities work
Meltdown concerns microprocessors from major manufacturers, with Advanced Micro Devices (AMD) currently reported as unaffected. The vulnerability enables attackers to build software that can access and read data such as logins, passwords and encryption keys that are stored in a device’s memory. Meltdown is relatively easy to exploit, but patches are becoming available to remediate its effects.
The Spectre vulnerability, meanwhile, is an architectural design flaw that affects most, if not all, microprocessors. Spectre appears to be the more serious of the two vulnerabilities. Although it is more difficult to exploit, fixing it might require a new generation of redesigned microprocessors.
Of immediate concern for business is the security threat posed by the vulnerabilities. If malicious actors can read processor memory, they could leak keys, passwords and other sensitive information, which could then be used to conduct further attacks and expose vulnerabilities on a range of devices.
Businesses should also be aware that cloud-based services are potentially threatened by these vulnerabilities. An attacker with a presence on a virtual machine in the cloud, for example, could potentially design a programme to access the memory contents of other customers’ virtual machines on the same physical system.
Finally, there are considerations around cost and performance. One of the effects of patching these vulnerabilities is that we will see a potential drop in processor performance; some commentators suggest the drop may be as much as 30 percent for certain workloads. This has a direct effect on the cost of a project.
Steps to protect your business
So, what can organisations do to build some resilience against Meltdown and Spectre? We have identified six steps that all businesses should take immediately:
Prioritize patching, especially of virtual machine (VM) software, covering both the hypervisor and guest virtual machines.
Test patches for performance before deploying them to production.
Increase scrutiny of phishing e-mails that may contain attached executable files.
Regularly review performance metrics on cloud-based servers, looking for unexplained performance degradation.
Perform adequate performance testing, and add more resources as required to arrive at the desired performance level—applying operating system (OS) patches to mitigate the Meltdown attack may degrade performance.
Take a risk-based review of the un-patchable systems in your estate—given the ubiquity of microprocessors, older systems running critical functions may be most at risk.
Use advanced adversary simulation to test these exploits in a real-life environment.
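One way to check the patching step and pick out systems for the risk-based review, as an added example that is not part of the original article: Linux kernels that carry the fixes report per-issue status under /sys/devices/system/cpu/vulnerabilities, and the script below ranks hosts by that status. The host names and sample reports are constructed, and the function names are this example's own.

```python
from pathlib import Path

# Linux kernel sysfs directory that reports CPU vulnerability status per issue.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")
RANK = {"vulnerable": 0, "unknown": 1, "mitigated": 2, "not_affected": 3}

def classify(status):
    """Map one sysfs status line to a triage state."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"  # file missing (kernel predates reporting) or unrecognised text

def read_host(sysfs_dir=SYSFS_DIR):
    """Collect the raw status text for each issue; a missing file becomes ''."""
    base = Path(sysfs_dir)
    return {i: (base / i).read_text() if (base / i).is_file() else "" for i in ISSUES}

def triage(fleet):
    """Return [(host, {issue: state})], hosts needing attention first."""
    rows = [(h, {i: classify(r.get(i, "")) for i in ISSUES}) for h, r in fleet.items()]
    return sorted(rows, key=lambda row: (min(RANK[s] for s in row[1].values()), row[0]))

# Constructed sample reports; host names are hypothetical.
SAMPLE_FLEET = {
    "hv-01": {"meltdown": "Mitigation: PTI",
              "spectre_v1": "Mitigation: __user pointer sanitization",
              "spectre_v2": "Mitigation: Full generic retpoline"},
    "guest-web-07": {"meltdown": "Vulnerable",
                     "spectre_v1": "Mitigation: __user pointer sanitization",
                     "spectre_v2": "Vulnerable"},
    "amd-build-02": {"meltdown": "Not affected",
                     "spectre_v1": "Mitigation: __user pointer sanitization",
                     "spectre_v2": "Mitigation: Full AMD retpoline"},
    "legacy-erp": {},  # old kernel: no status files, so patch state is unknown
}

if __name__ == "__main__":
    for host, states in triage(SAMPLE_FLEET):
        print(host, states)
    print("local:", {i: classify(t) for i, t in read_host().items()})
```

Hosts that come back as "unknown" are candidates for the un-patchable-systems review, since the kernel is too old to report its own status.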
Find out more
To read more about Meltdown and Spectre, what it means for your business, and what steps you can take to protect your organisation, visit our site dedicated to helping organisations stay on top of the latest threats. There, you can download our cyber advisory on the vulnerabilities.