What's the story?
On January 3, 2018, various media reports announced that researchers had discovered two major flaws in microprocessor design that leave the world’s laptops, desktops, servers, smartphones, other mobile devices and cloud services vulnerable to attack. Considering the nature of the vulnerabilities, it is highly unlikely that organizations will be able to detect whether a system has been successfully attacked.
Meltdown is a vulnerability affecting the main microprocessor manufacturers, although Advanced Micro Devices (AMD) is currently reported as unaffected. Part of the reason this vulnerability exists is the race for microprocessor performance. To perform as fast as possible, a chip predicts which code it may need to run next. If this prediction is wrong, the chip discards the operations it did not need. Remnants of the “speculative” code (which can include logins, passwords, personally identifiable information (PII) and encryption keys) remain in the memory cache at risk of exploitation. Meltdown enables attackers to execute software that can read this memory and capture the data. Meltdown is relatively easy to exploit, but patches are becoming available to remediate its effects. According to reports, these patches can degrade processor speed by five to 30 percent, which will affect cost and performance.
Spectre is a flaw in microprocessor architecture that makes processors from most, if not all, manufacturers vulnerable to attack. Fixing it is difficult and may rely on a new generation of redesigned microprocessors.
Of the two vulnerabilities, Spectre appears more serious, although it is harder to exploit. Repairing Spectre is challenging and will take the industry a long time to address completely, and the impact could be felt throughout a complete generation of CPU hardware.
What does it mean?
The information obtained from system memory can be used to conduct further attacks and expose vulnerabilities on a range of devices. Cloud services are also affected, as multiple virtual machines are often provided on a single physical machine. An attacker with a presence on a virtual machine in the cloud could theoretically use a specially crafted program to access the memory contents of other customers’ virtual machines on the same physical system. Although the performance impact is uncertain, older devices are likely to suffer most, and organizations may have to absorb the resulting costs of poor performance. With the potential for services to be disrupted, and the difficulties of enforcing patch updates, the overall cost to businesses could be punitive.
What can you do?
Take practical steps today to protect your organization from future malware attacks that may exploit the Meltdown and Spectre vulnerabilities.
- Prioritize patching, especially of virtual machine software.
- Test patches for performance before deploying them to production.
- Increase scrutiny of phishing e-mails that may contain attached executable files.
- Regularly review performance metrics on cloud-based servers looking for unexplained performance degradation.
- Conduct adequate performance testing, and add more resources as required to arrive at the desired performance level—applying operating system (OS) patches to mitigate the Meltdown attack may degrade performance.
- Carry out a risk-based review of the unpatchable systems in your estate. Given the ubiquity of microprocessors, older systems running critical functions may be most at risk.
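To support the patching and unpatchable-system review steps above, a Linux host's mitigation state can be read from the kernel's own report. This is an added example, not part of the original advisory; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (4.15 or later), and the function names `classify_status` and `check_host` are illustrative.

```shell
#!/bin/sh
# Added example: classify Meltdown/Spectre mitigation state from the
# status lines the Linux kernel publishes in sysfs.

# classify_status STATUS_LINE
# Prints one of: unaffected, mitigated, vulnerable, unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_host DIR
# Prints "issue<TAB>class<TAB>raw status" for each issue and returns 1 if
# any issue is vulnerable or has no recognizable kernel report.
check_host() {
    dir="$1"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
        else
            # Missing file: the kernel does not report on this issue,
            # so the host goes on the manual-review list.
            raw="no kernel report"
        fi
        class=$(classify_status "$raw")
        printf '%s\t%s\t%s\n' "$name" "$class" "$raw"
        case "$class" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Run against the live host only when asked, so the file can be sourced.
if [ "${1:-}" = "--check" ]; then
    check_host "${2:-/sys/devices/system/cpu/vulnerabilities}"
    exit $?
fi
```

A non-zero exit from `--check` marks the host for the patch queue or the risk-based review; a missing report is treated the same as a vulnerable one.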
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks