An Enterprise Action Plan to address Meltdown and Spectre


Meltdown and Spectre

Undoubtedly, in recent days you’ve heard about the Meltdown and Spectre security vulnerabilities making headlines. If you’re unsure what Meltdown and Spectre are, spend a few minutes searching the internet and you’ll find plenty of excellent articles explaining the vulnerabilities. In short, Meltdown is a security flaw that could allow malicious hackers to bypass the hardware barrier between applications run by users and the computer’s core (kernel) memory, which is normally highly protected. Spectre is slightly different: it potentially allows hackers to trick otherwise error-free applications into giving up secret information.

Meltdown is serious. In fact, according to Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, “Meltdown is one of the worst CPU bugs ever found.” Spectre is also pretty serious, although it is expected to be more of a long-term problem, as the nature of the vulnerability makes it harder for hackers to exploit.

The intention of this post is to outline some actionable steps that organizations should be taking moving forward. We’re laying out a five-step strategy aimed at dealing with Meltdown and Spectre.

Step 1: Step up your monitoring plan

Meltdown specifically enables hackers to elevate privileges on unpatched systems. This means that once hackers have gained access to your network, they have the ability to elevate ordinary user accounts to privileged accounts. From that point, they could use any number of common backdoors, rootkits or other anti-forensic measures to exfiltrate information from the network. Meltdown is only a means to an end; it doesn’t by itself compromise data, delete backups, encrypt information or demand a ransom.

Organizations need to have solid monitoring practices that can catch hackers whether they use a zero-day or a misconfiguration to compromise systems. Administrators need to monitor their networks as if they are already compromised. The primary goal of any monitoring platform in 2018 needs to be minimizing hacker dwell time in the network.

Step 2: Review your change management procedures

Each time there is a major security vulnerability like Meltdown or Spectre, IT administrators worry about getting patches out. Microsoft is routinely patching several critical vulnerabilities each week. Many of these vulnerabilities may take priority over the Meltdown or Spectre vulnerability. We advise our customers to keep three goals in mind:

  1.  Apply patches routinely on “patch Tuesday”
  2.  Apply patches for active exploits in the wild
  3.  Apply “out of cycle” patches as needed

Because of the potential for performance impacts, the Meltdown patches should definitely be applied in a test environment first. Some anti-virus applications have reportedly caused issues with the Windows patches for Meltdown and Spectre, so be sure to test those as well. Thoroughly test workstations with the Meltdown and Spectre patches before mass deployment so you understand the impact.
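As an added example (not part of the original post), the following PowerShell script checks a pilot group of test workstations to confirm that the Windows patches are installed and the mitigations are actually active before you approve a mass deployment. It assumes Microsoft’s SpeculationControl module from the PowerShell Gallery is installed on each target (`Install-Module SpeculationControl`) and that PowerShell remoting is enabled; the host names are constructed.

```powershell
# Added example: verify Meltdown/Spectre mitigation status on a pilot group.
# Assumes the SpeculationControl module (Microsoft, PowerShell Gallery) is
# installed on each target and that WinRM remoting is enabled.
$pilotHosts = @('WKS-TEST-01', 'WKS-TEST-02', 'WKS-TEST-03')   # constructed names

$results = Invoke-Command -ComputerName $pilotHosts -ErrorAction Continue -ScriptBlock {
    Import-Module SpeculationControl -ErrorAction Stop
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        # Meltdown (KVA shadowing): OS support means the patch is installed,
        # "enabled" means it is active. CPUs that don't need it report Required = $false.
        MeltdownRequired   = $s.KVAShadowRequired
        MeltdownOsSupport  = $s.KVAShadowWindowsSupportPresent
        MeltdownEnabled    = $s.KVAShadowWindowsSupportEnabled
        # Spectre variant 2 (branch target injection): needs both the OS patch
        # and CPU microcode, which is why the hardware flag is reported separately.
        SpectreV2Microcode = $s.BTIHardwarePresent
        SpectreV2OsSupport = $s.BTIWindowsSupportPresent
        SpectreV2Enabled   = $s.BTIWindowsSupportEnabled
    }
}

# Hosts that never answered are a finding too: they can't be verified.
$missing = $pilotHosts | Where-Object { $_ -notin $results.Host }
if ($missing) { Write-Warning "No result from: $($missing -join ', ')" }

foreach ($r in $results) {
    $status = 'OK'
    if (-not $r.MeltdownOsSupport -or -not $r.SpectreV2OsSupport) {
        # Patch not installed. Microsoft gated the January 2018 updates on an
        # anti-virus compatibility flag, so an unpatched host is often an AV issue.
        $status = 'PATCH MISSING (check AV compatibility / update approval)'
    } elseif ($r.MeltdownRequired -and -not $r.MeltdownEnabled) {
        $status = 'MELTDOWN MITIGATION DISABLED'
    } elseif (-not $r.SpectreV2Enabled) {
        $status = 'SPECTRE V2 NOT MITIGATED (microcode: ' + $r.SpectreV2Microcode + ')'
    }
    '{0,-14} {1}' -f $r.Host, $status
}
```

Run it after the test-group patch cycle and again after any anti-virus update, since an AV vendor that has not set the compatibility flag will leave hosts in the “patch missing” state even though the update was approved.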

Step 3: Examine procurement and refresh intervals

While virtually every processor (Intel, AMD, ARM and others) is impacted by the current Meltdown and Spectre vulnerabilities, it is very likely that the next generation of processors from each manufacturer (yet to be released) will handle some functions more securely than today’s processors. This doesn’t necessarily mean that every organization needs to replace all workstations with new ones containing next-generation processors.

We’re advising organizations that have plans to purchase new workstations in the near future to sit tight. The exception is workstations running legacy operating systems that need to be replaced anyway; there it’s probably more important to upgrade the workstation to get onto a modern, supported operating system.

Step 4: Evaluate the security of your hosted applications

While you may have control of your network and infrastructure, what about hosted applications, cloud servers, and platform-as-a-service (PaaS) offerings? It’s time to ask some hard questions of your infrastructure provider partners. Questions to ask include:

  1.  Are they aware of the Meltdown and Spectre vulnerabilities?
  2.  If so, what are they doing to address the issue?
  3.  Have they already patched their systems?
  4.  If not, when will they be patched?
  5.  What steps are they taking to look for active exploitation of Meltdown?

Now is a great time to reassess how satisfied you are with the way your PaaS partner is handling security on behalf of your organization. Make sure that they have a robust action plan for dealing with the Meltdown and Spectre exploits.

Step 5: Have an executive communications plan

Any time a vulnerability like Meltdown or Spectre starts to make the six o’clock news, you will undoubtedly have to begin fielding questions from executive management about the scope, the impact and the risk for your organization. Take some time to prepare communication that you can share with them proactively to assure them that your organization is taking effective steps to protect itself. Be careful, though: the internet is full of misinformation. It’s important to focus on what your organization is doing to protect itself, not on what the vulnerability is reported to be causing elsewhere.

It is also important to identify some trusted sources that you can turn to when these types of exploits hit. Both the United States Computer Emergency Readiness Team (US-CERT) and the SANS Institute do a nice job of keeping up with known vulnerabilities and can be a trusted resource for facts.

2018 is here, and already we’ve seen our first major security vulnerability. There are bound to be many more. Consider taking some time to renew your security strategies. I know you’ve heard it before, but it’s not a matter of “if,” it’s a matter of “when.”

Of course, if you feel like your organization could benefit from some professional assistance, don’t hesitate to contact us at ProviNET. We’re here to help you make heads or tails of this complex security topic, and we have a nice complement of services and strategies to help you mitigate your organization’s risk.