Meltdown & Spectre: What Business Executives Need to Know

Background

On January 3rd, security researchers released a report describing two major cyber-security threats, called Meltdown and Spectre, which can compromise nearly any computer device made since 1995 regardless of operating system or CPU type.  This means servers, laptops, workstations, mobile phones, storage systems, gaming devices … all of them are potentially vulnerable to these two new attacks.

In modern computing nearly all sensitive data is encrypted when being transmitted across a network or when it is stored on a device.  However, in order for the data to be processed by a CPU, it must first be decrypted, and then processed.

Using different techniques, both Meltdown and Spectre, exploit a design flaw that is present in nearly every CPU made since 1995 that allows a malicious program to access this sensitive data between the time that is decrypted and processed.

Most major technology companies have already developed patches that will shut down the Meltdown attack and these patches are in the process of being widely distributed.  This is good.  However, there is a cost.  The fix to prevent Meltdown attacks will impact system performance, especially applications that are data intensive like a database server.

Spectre, on the other hand, has no known fix.  Some measures have been developed to make a Spectre attack more difficult, but the root cause that make the Spectre attack possible is so baked in to the physical architecture of a CPU, that it will be very difficult to ever completely block.

 

Advice for Executives

Every situation is different, but below are some general guideline that can be used to protect yourself and your company.

  • Don’t Panic:  while the exposure and potential threat of these new attacks is massive, both attacks are not easy to execute, especially remotely.  Like most security threats, the industry is able to respond quickly to mitigate the threat.  Also some hardware manufactures including AMD (Intel’s chief competitor) and ARM (a top manufacture of mobile phone CPUs) are saying that their devices are not threatened.
  • Stay Patched:  whether it is your own personal devices or your corporate network, make sure that you are consistently applying security patches (i.e. make sure that Automatic Updates are turned on).
  • Stop Using Old Hardware:  again, this can affect just about any device.  The major technology companies are being very aggressive to address these risks on supported platforms.  But older platforms like Vista and some versions Windows 7 will likely not be patched or at least not soon.
  • Have Layered Security:  layered security make it more difficult for bad actors to install malicious programs on your computer or devices.  This is not easy in all cases, but do it where you can.  For example, always use a firewall for static networks, including your home.  Always use anti-virus software on computers.  Make sure that your email is scanned for viruses and malware.  When you have more layers, it makes it harder to install malware and most bad actors will give up and move on to the next target.
  • Consider Cloud Based Platform for Your Most Sensitive Information:  the big cloud providers like Microsoft, Amazon and Google spend billions of dollars on security … research, monitoring, maintenance, patching, response, et al … because they have some much at risk.  The capabilities, resources and measures of a cloud provider are far more than what most companies or individuals can afford.  They will be secured first and they will be the hardest targets to crack … way harder than a small business network managed by an outsourced IT vendor that is always being squeezed to lower cost.