Tom Clerici | January 5, 2018
It’s not uncommon for news agencies to sensationalize stories around major cyber security vulnerabilities and potential hacks that could occur. The latest craze is around Meltdown and Spectre. Heck the names even sound cool and dangerous. The complexities and mystique around what hackers are doing can often times worry those that don’t necessarily have a background in technology. In many cases, organizations without a dedicated security team worry when they see these stories since they don’t know what it all means for them. Lots of technical jargon gets thrown around leaving many bewildered about what to do. Sales teams then try to quickly capitalize by selling you a really expensive security solution to make you feel better. In all honesty, that is rarely the best approach. Let’s take a look at these vulnerabilities and the common sense mitigation strategies you can take to be sure you’re minimizing the risk.
Meltdown and Spectre in Common Terms
There is a great deal of technical information out there about page tables, kernel memory, and code execution. I’m going to skip all of that because at that end of the day that’s not very actionable for most administrators. To keep it simple, both of these vulnerabilities exist within the hardware of the machine, and when exploited, permit applications to gain access to data in physical memory that you probably don’t want them accessing. It is also possible that both of these vulnerabilities could be exploited remotely. Since the problem is ultimately at the physical chip level within the device, unless you are going to walk around and manually replace chips, you have to find other workarounds.
Identify Your Risk
You can’t begin mitigation until you understand where the exposure could be. To successfully exploit either Meltdown or Spectre, an attacker has to be able to run crafted code on the device. Therefore, your network infrastructure (routers, switches, firewalls) is probably not at risk. While they may have the vulnerable chip installed, these are really “closed” systems, so with the exception of some extreme cases, an attacker can’t really install code on those devices. As long as you have the basic security hygiene on network devices in place, I wouldn’t worry too much about those systems.
If you’re running applications on the major cloud hosting providers (Microsoft Azure, Amazon Web Services), you can rest easy as well. Most of these organizations were notified and patched the vulnerability before it was publicly released. On the other hand, if you’re using a smaller host provider, that maybe didn’t get the memo before it went public, you should check with them to see what their remediation status is.
That brings us to your on-premise servers, workstations, and mobile devices and this is where it gets a little tricky.
Consider Your Patching Options
Like most publicly disclosed vulnerabilities, many providers have made patches available that remediate this issue at the software layer. Microsoft released patches on Jan 3rd. Patches are also available for Linux, Android, Firefox, and other applications. So patching is an option, however there are some unintended consequences. According to a recent blog by Techspot.com, your systems could take a pretty significant performance hit if you install them. Linux systems appear to be taking the biggest hit.
While you may be protecting yourself by patching, if your system is already running at 85-90%, you may be better off keeping a system unpatched and compensating in other ways rather than make the application unusable because it’s too slow. Additionally, some malware protection solutions aren’t compatible with these patches. You may patch the system thinking you’re in good shape only to find that your antivirus is keeping you vulnerable. ZDNet.com has released an article that shows you exactly which AV solutions are blocking the AV patch and which are not.
Leverage Compensating Controls
As is usually the case with security, there is no silver bullet. A holistic, depth in defense approach with multiple safeguards and continuous monitoring can give you the ability to minimize the risk without going into a panic attack. Attackers have to find a way onto your system before they can exploit the vulnerability. If you’re preventing standard users from installing software, whitelisting approved websites, blocking unauthorized removable media, securing remote access via multifactor authentication, and protecting email, then your risk at the user workstation layer diminishes significantly. If you are segmenting the network, managing privileged access, and otherwise controlling your data center appropriately, the likelihood of anything spreading to application and infrastructure servers decreases substantially as well. Finally, if you have a way of monitoring and responding to events as they occur, even if an attacker does find a way to exploit this vulnerability, you can quickly detect, isolate, eradicate and recover from an incident quickly before it becomes a major problem.
It’s important to understand how these vulnerabilities could impact you, but for those organizations that have already implemented a robust security program most of this should be academic. Unfortunately, too many organizations wait until it’s too late and look for a silver bullet to save the day. If you don’t have any of those compensating controls in place already, I’d say you probably have bigger vulnerabilities to worry about than Meltdown and Spectre. Start investing in the basic building blocks of security rather than making a knee-jerk decision and buying an expensive tool quickly in the hopes it will save the day. Just like Wannacry has long been forgotten by most, soon Meltdown and Spectre will be in our rearview mirrors as we encounter the next big public cyber security story. You want to be in a position where you can respond fluidly as threats evolve, not go into panic mode each time a new story is released.
Find a Partner Who Can Help
Arraya’s Cyber Security Services have solutions and personnel to partner with you to implement effective security strategy and controls. Our advisory services, architecture and tools, and managed services can be leveraged to offload day-to-day security blocking and tackling tasks so you can focus on moving your business forward. To start a conversation, contact us at https://www.arrayasolutions.com/contact-us/.