How enterprises can safeguard customers’ personal data and information stored on PCs
The discovery of the Spectre and Meltdown threats came as a shock to most individuals and organisations. The underlying vulnerabilities that they exposed continue to affect PCs, smartphones, servers, network and security appliances, and some IoT devices. Anything that requires a central processing unit (CPU) to function is at risk of losing sensitive information. As CPUs are foundational to everything in IT, the programs and operating tasks of everyday devices, as well as the secrets they hold, are susceptible. Not since Y2K has a vulnerability affected so many systems and required a deliberate, phased plan of action for remediation efforts.
Spectre and Meltdown have shown that the risk of a security-based attack is very real for companies of all shapes and sizes. But with a clear and pragmatic risk-based response plan, information security and risk management leaders can provide business heads with confidence that the risk to their organisation is manageable and being mitigated.
Although patches have answered the current Spectre and Meltdown issues, they may not be the best solution. By the end of 2019, we can expect to see more variants of attacks that exploit speculative execution and require additional remediation.
To defend against Spectre and Meltdown threats, security leaders should take the following steps:
- Create a detailed inventory: Nearly every modern IT system will be affected to some extent. The starting point for security leaders must be to inventory all impacted systems.
- Develop and prioritise response efforts: The vulnerabilities cannot be exploited remotely. A successful attack requires the attacker to place code on the system. Whitelisting and application controls on all systems will reduce the risk of unknown code execution.
- Recognise that patches are not always the right answer: Information security leaders must be prepared for scenarios in which a patch is not an appropriate solution. For example, there will be a lack of patches for older systems. Patches might also fail because the impact on performance is not offset by the reduction in risk, such as with network and storage controllers.
- Be diligent about hygiene: For unpatched or partially patched systems, multiple mitigating controls can reduce risk. The single most important issue to address is restricting the ability to place untrusted or unknown code onto the device. By doing this, businesses significantly lower the risk of an attack, as it requires local code execution. This applies to Spectre and Meltdown along with any future attacks.
- Plan for the future, not the past: This is not the last we will see of attackers exposing security vulnerabilities. The underlying exploitable implementation is still present and will remain so for years to come. Further research on this design flaw — involving speculative execution to discover new types of attacks— is expected and will likely require additional patches for hypervisors, OSs, browsers and firmware upgrades.