Arraya Insights | January 26, 2018
A few weeks ago, the world was first introduced to Meltdown and Spectre, and these hardware security vulnerabilities have been a constant source of IT headaches ever since. If you haven’t read it yet, Tom Clerici, Arraya’s Cyber Security Practice Director, has put together a plain English explanation of how Meltdown and Spectre operate and, more importantly, what businesses can do to protect themselves. However, the news hasn’t stopped coming, so we thought we would take this opportunity to run down some of the more recent Meltdown and Spectre developments and go over what they could mean for you.
Keeping Meltdown and Spectre out of cloud collaboration
The cloud may not be immune to Meltdown and Spectre, but that doesn’t necessarily mean you need to be worried about your cloud collaboration environment. That’s the takeaway from a blog by Cisco that sought to ease the fears of those who rely on its solutions to work shoulder-to-shoulder with their peers – wherever those peers may physically be located. In particular, this post, entitled Meltdown, Spectre, and Cisco Cloud Collaboration Security, focused on setting the record straight regarding a number of tools, including WebEx and Cisco Spark.
In terms of WebEx, Cisco broke down how its infrastructure – a mix of Cisco-owned hardware in Cisco data centers and isolated servers in non-Cisco-owned colocation sites – makes external attacks via Meltdown or Spectre impossible. Before such an attack could be launched, an attacker would first have to gain access to the dedicated hardware that forms WebEx’s foundation. Cisco’s team stands ready to patch that foundation against these types of attacks as the necessary updates are released.
Meanwhile, looking at Spark, work has already begun to upgrade its Care, Message and Meet, and Call services to guard against attack. Additionally, the data contained as part of those services is protected by end-to-end encryption, meaning customer data is secured wherever it may be leveraged within Spark. This way, even if an attacker were able to access this data, it would prove useless without the decryption key, which is stored separately, necessitating a more coordinated, complex attack.
This is just one instance where moving systems to the cloud clearly shifts a burden off onsite IT teams. In this case, that burden involves patching collaboration solutions.
Why some businesses are being asked not to patch
Timely installation of patches and upgrades is a core philosophy of Cyber Security 101. However, manufacturers and others who operate industrial systems were urged recently to hold off on installing Meltdown and Spectre fixes. Why? Because installing them could have rendered their factory equipment unstable.
Industrial system manufacturers from Rockwell to Siemens reported seeing errors with their technology following the application of Microsoft’s Meltdown and Spectre patches. In the case of Rockwell, roughly a dozen errors have been identified, including security server access complications. These organizations are working closely to sort out the issues so users may resume patching with confidence.
For the businesses that kept to best practices and implemented Meltdown and Spectre fixes early only to see problems arise in their systems, this is a perfect example of the value of working with a security partner. Organizations such as Arraya can validate patches and updates prior to deployment, ensuring that when they are rolled out, they perform as expected.
Do you know where that patch has been?
Anytime cyber security threats start making headlines, inspiring widespread fear and anxiety among those inside IT and out, you can bet other malicious actors will step up and try to capitalize on that notoriety. This is already taking place with Meltdown and Spectre, as at least one promised fix for the vulnerabilities has proven to be anything but helpful.
Germany’s Federal Office for Information Security (BSI) recently issued an alert regarding a phishing campaign that purported to offer Meltdown and Spectre patches but actually connected unsuspecting users with a treasure trove of malware. Complicating matters is the fact that the messages sent as part of this campaign presented themselves as coming directly from the BSI itself. Even worse, the website they linked to appeared equally legitimate, even sporting an “https:” address.
This is yet another reason why working with a security partner can keep businesses on the right path. Instead of going out and looking for critical patches or updates, businesses with a trusted security advisor can rest easy knowing their partner has the situation covered and the answers they need are on their way.
Next Steps: Follow up with a partner who can help
Ready to continue the conversation around protecting yourself against not only the Meltdowns and Spectres of the world, but against whatever the next headline-grabbing security threat happens to be? Our team of security experts can be reached by visiting https://www.arrayasolutions.com/contact-us/. We can also be found on social media, on LinkedIn, Twitter, and Facebook. Feel free to use those accounts to leave us a comment on this or any of our blogs and remember to follow us so you can stay up to date on all of our latest industry insights, unique learning opportunities, and more.