There has been a lot of reporting in the press about Meltdown and Spectre, a couple of recently identified IT security issues. Some of my customers have been asking me whether they need to worry about these. I gave them the typical consultant’s answer. Yes, and No. Because the best response to these newly identified threats is exactly what we should already be doing to protect ourselves and our customers against security threats.
Let me break it down…
These two attacks both exploit the fact that modern CPU hardware can be tricked into speculatively executing instructions that would normally be disallowed. The results of those instructions are discarded, so nobody can see them directly. However, their side effects on the CPU cache can be detected.
Specifically, an attacker can check whether particular memory addresses have been loaded into the cache by timing how long an access takes. An attacker can then build up a picture of memory they aren’t allowed to read, one byte at a time, and can eventually identify, for example, an encryption key.
Almost every modern CPU chip is vulnerable, including those used in PCs, servers, phones etc.
Meltdown allows a user application to see the contents of system memory, which should be something that’s forbidden. This access could allow a malicious program to access passwords, encryption keys, and other highly sensitive information. Although Meltdown is fairly easy for an attacker to exploit, patches are already available for most operating systems. Sometimes these patches may have a significant impact on the performance of your system so you must always take care when deploying them. On the other hand, they will be sufficient to protect you from Meltdown.
Spectre allows a user application to see the contents of another program’s memory. This could also allow access to passwords, encryption keys, or other highly sensitive information. Spectre is much more difficult for an attacker to exploit, as it requires detailed knowledge and understanding of the program being attacked. Some patches are available for Spectre, but many more programs will need to be patched in the future.
You can read more about Meltdown and Spectre at meltdownattack.com.
The things you need to do in response to Meltdown and Spectre are exactly the same as you need to do to protect yourself from any other threat. Remember that there are new threats being reported every day so you must keep yourself informed, and make decisions about the appropriate actions to protect yourself, and your customers.
Installing security patches promptly is absolutely essential. You can’t afford to wait for weeks before installing security patches. Attackers exploit known vulnerabilities as fast as they can, in the hope that people haven’t yet installed security patches. If you have a very quick and efficient patch management process for identifying and installing security patches, you stand a good chance of stopping attacks before they have a chance to happen. There will be more patches released for Spectre, as applications are analyzed and hardened, so this patching is not a one-off response to today’s threat. It must be an ongoing part of your operations.
Don’t delay just because you need to do testing, or because you are worried about the performance impact of the patches. It is generally better to get the patches in fast, and then deal with any issues that they cause. The alternative is to accept that you WILL be hacked – with all the cost and embarrassment that follows.
If you use cloud services, then you should make sure that your cloud service provider has installed the patches. Some services, like AWS, had already patched most of their systems before the notifications of Meltdown and Spectre became public, but do contact your cloud service provider to ensure that they are patched. It’s even more important to ensure that you understand your cloud service provider’s patching policy and are confident that it meets your needs.
There are major security breaches reported in the press every week, and nearly every one of these exploits a vulnerability for which a patch was already available. The need to install security patches is an essential security practice, even without Meltdown and Spectre.
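Installing the patch is only half the job; you also want to confirm that the mitigation is actually active. The script below is an added example, not code from the original post: on Linux the kernel exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2 and others, depending on kernel version), and this parses those files into a simple mitigated / vulnerable summary. The SAMPLE_STATUS dictionary is a constructed example of what those files contain, so the logic can be exercised on a machine that lacks the directory.

```python
"""Report Linux kernel mitigation status for Meltdown/Spectre-class issues.

Added example, not code from the original post. Linux exposes one file per
issue under /sys/devices/system/cpu/vulnerabilities/ (for example meltdown,
spectre_v1, spectre_v2); each file holds a short status string such as
"Not affected", "Mitigation: PTI" or "Vulnerable". This classifies those
strings and lists anything still unmitigated, so it can be run after
patching to confirm the kernel-side fix is active.
"""
from __future__ import annotations

import sys
from pathlib import Path

SYSFS_VULNS = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample, used with --sample so the logic can be exercised on a
# machine (or OS) that does not expose the sysfs directory.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Not affected",
}


def classify(status: str) -> str:
    """Map a sysfs status string to one of four coarse categories."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    # Unknown wording (e.g. a future kernel): treat it as needing attention.
    return "unknown"


def read_status(vulns_dir: Path = SYSFS_VULNS) -> dict[str, str]:
    """Read every status file in the directory; raise if it does not exist
    (kernel predates these files, or this is not Linux)."""
    if not vulns_dir.is_dir():
        raise FileNotFoundError(f"{vulns_dir} not found: kernel predates these "
                                "status files, or this is not Linux")
    return {p.name: p.read_text().strip()
            for p in sorted(vulns_dir.iterdir()) if p.is_file()}


def unmitigated(statuses: dict[str, str]) -> list[str]:
    """Names of issues whose status is neither mitigated nor 'not affected'."""
    return sorted(name for name, text in statuses.items()
                  if classify(text) in ("vulnerable", "unknown"))


def main(argv: list[str]) -> int:
    """Exit 0 if everything is mitigated, 1 if something is not, 2 if unreadable."""
    if "--sample" in argv:
        statuses = SAMPLE_STATUS
    else:
        args = [a for a in argv if a != "--sample"]
        try:
            statuses = read_status(Path(args[0]) if args else SYSFS_VULNS)
        except FileNotFoundError as exc:
            print(exc, file=sys.stderr)
            return 2
    for name, text in statuses.items():
        print(f"{name:<20} {classify(text):<13} {text}")
    bad = unmitigated(statuses)
    if bad:
        print("Still unmitigated:", ", ".join(bad))
        return 1
    print("Every reported issue is mitigated or not applicable.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments on a patched Linux host, or with --sample to see how the constructed data is reported. A non-zero exit code makes it easy to drop into a configuration-audit job so that hosts which have rebooted onto an old kernel, or where a firmware microcode update never arrived, show up as still vulnerable.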
Do you know what sensitive information you store, and where it is located? Encryption and good access controls can help to protect sensitive information, but an even better control is not storing sensitive data unless you really need it. And if there is sensitive data that you really do need to keep, make sure you only store it where it’s required, and not in multiple places.
Reducing the amount of sensitive data you hold, and the number of places that it’s stored, can significantly reduce the “attack surface,” so that even if you do suffer a security breach, the data that gets leaked is less likely to be sensitive. It also makes it easier to concentrate your defenses on the things that really matter, while allowing people to have easier access to your less sensitive systems and data.
Meltdown and Spectre can’t attack you remotely; they need to be run on your computer. So one way to protect yourself is to never run any software that you haven’t written yourself. In the real world this might be a little difficult. You can, however, make sure that the servers that store your sensitive data never run any software that isn’t essential. And you can also ensure that whatever software you do run comes from a trusted source and is protected throughout the delivery chain.
This is much easier to do if you keep your sensitive data in very few locations, as I’ve already advised. This means that everyone in your organization must understand that they can’t browse the web, or carry out any other standard user activities, on your sensitive servers. Establishing this rule may take a bit of training and reinforcement, but that is a small price to pay for the additional security.
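One practical way to enforce “nothing runs on the sensitive servers that isn’t essential and approved” is to audit what is installed against a manifest of approved files and their hashes. The following is an added example, not the post’s own code or any product’s: the manifest format, the directory layout and the sample files are all constructed here, and a real deployment would generate the manifest from the build pipeline rather than from literals in the script.

```python
"""Audit the executables on a sensitive server against an approved manifest.

Added example, not from the original post. Every file under a directory is
hashed with SHA-256 and compared with a manifest of approved files, so
anything modified, missing, or present without approval is reported. The
manifest and sample tree are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import sys
import tempfile
from pathlib import Path

# Constructed sample: relative path -> approved content. The manifest is
# derived from it; in practice the manifest is the only thing shipped.
APPROVED_CONTENT = {
    "bin/app-server": b"#!/bin/sh\nexec /opt/app/server\n",
    "bin/backup": b"#!/bin/sh\nexec /opt/app/backup --daily\n",
    "bin/report": b"#!/bin/sh\nexec /opt/app/report\n",
}
MANIFEST = {path: hashlib.sha256(data).hexdigest()
            for path, data in APPROVED_CONTENT.items()}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Verdict per path: ok, modified, unlisted (present but not approved)
    or missing (approved but absent)."""
    present = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    verdicts = {}
    for rel in sorted(present | set(manifest)):
        if rel not in manifest:
            verdicts[rel] = "unlisted"
        elif rel not in present:
            verdicts[rel] = "missing"
        elif hash_file(root / rel) == manifest[rel]:
            verdicts[rel] = "ok"
        else:
            verdicts[rel] = "modified"
    return verdicts


def build_sample_tree() -> Path:
    """Create a constructed tree exercising every verdict: one approved file
    intact, one altered, one unapproved extra, and one approved file absent."""
    root = Path(tempfile.mkdtemp(prefix="allowlist-demo-"))
    (root / "bin").mkdir()
    (root / "bin/app-server").write_bytes(APPROVED_CONTENT["bin/app-server"])
    (root / "bin/backup").write_bytes(b"#!/bin/sh\necho modified\n")   # altered
    (root / "bin/browser").write_bytes(b"#!/bin/sh\nexec /usr/bin/firefox\n")  # not approved
    # bin/report is deliberately not written, so it shows up as missing.
    return root


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    results = audit(root, MANIFEST)
    for rel, verdict in results.items():
        print(f"{verdict:<9} {rel}")
    sys.exit(0 if all(v == "ok" for v in results.values()) else 1)
```

Run it without arguments to audit the constructed tree, or pass a directory to audit a real one against the manifest. The useful property is that “unlisted” and “modified” are reported, not just “missing”: a browser someone installed for convenience, or an approved script that has been edited, is exactly the kind of non-essential or untrusted software the advice above is about.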
Even if you install every available patch, and your staff is 100% trustworthy, and you never run inappropriate software, and you take every other precaution you can think of, you can never completely eliminate the possibility of a security breach. So you also need to make sure that you detect any breach as quickly as possible, so you can do something about it.
Unfortunately, at the moment there is no way to detect that you have been breached using Meltdown or Spectre. However, such breaches are not going to do serious damage until the attackers try to make use of the information they have stolen. By closely monitoring the behavior of your systems and networks, you should be able to detect unusual activity and respond to it. This will be much better than waiting weeks or months for your customers to discover problems and tell you about them!
There are many Security Information and Event Management (SIEM) and Security Analytics tools that can help you to detect unusual behavior, ranging from open source log file analysis tools to highly sophisticated big-data analysis engines. Don’t wait until after you’ve been breached before you research these tools and decide how you can best monitor your network. If you don’t have appropriate monitoring and alerting in place already, then you should address this urgently.
Do you know how to respond if you do detect a security breach? Many of the most embarrassing security breaches would have been a lot less painful if the organization had planned their security incident response, and rehearsed to make sure that everyone would do the right thing.
Who is going to communicate with the press? with customers? with the regulatory authorities? Where will they get the information they need? How will you preserve the information you might need to produce in court? Is it safe to carry on working, or should you shut everything down? You really don’t want to think about these questions for the first time when you are in the middle of a critical situation. Plan and rehearse your security incident response just like running a fire drill, then when the real emergency comes everyone should just do the right thing.
Meltdown and Spectre are unusual, because they make use of vulnerabilities in CPU architecture, instead of in software. This doesn’t alter the way you should respond. You need to be prepared for the many different attacks that might compromise your systems. If you prepare correctly, and you follow the five tips in this blog, then you should reduce both the likelihood that you will be breached, and the pain that a breach would cause.
For more advice on cybersecurity, please listen to my recorded webinar: Your Cybersecurity Challenges in ITSM.