The Sky is (Not) Falling

Publication: The Kansas Banker, April/May Issue

May 21, 2018, 12:00 PM -05:00

"The sky is falling." This is how one security writer described the initial panic experienced by the IT world early this year. Two unprecedented vulnerabilities named Meltdown and Spectre were reported on January 3, 2018.

These two vulnerabilities were and are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms. There were several matters which made these vulnerabilities seem scarier than other vulnerabilities.

They were / are widespread.
Mitigation came from three main groups of companies: processor companies, operating system companies, and cloud providers. Resolution might require updates from three different sources.
There were unanticipated incompatibilities in the initial updates which could crash patched systems.

Technical Aspects of the Vulnerabilities

The vulnerabilities are classified as speculative execution vulnerabilities and if exploited, both vulnerabilities allow unauthorized access to protected areas of memory. This unauthorized access could allow an attacker to collect sensitive information such as passwords and nonpublic customer information.

Meltdown allows unauthorized access to memory, including protected kernel memory. The vulnerability affects almost all Intel processors manufactured since 1995 and some ARM processors.
Spectre allows unauthorized access to memory used by other computer processes. The vulnerability affects almost all processors. It has been verified on Intel, AMD, and ARM processors.

Additional information provided by the researchers who discovered both vulnerabilities can be found at https://meltdownattack.com/.

Mitigation

Over the past few months, a process of mitigation has emerged. Initially, incompatibilities with updates occurred which could render systems unusable. It was and continues to be of utmost importance that you verify and test updates before installation. Prudently pursue and ensure the following security processes are effectively implemented within your organization:

Installation of security software updates (e.g., antivirus software, endpoint security software, etc.)
Installation of operating system (OS) updates (e.g., Microsoft Windows, Linux, Mac OS, iPhone, Android, etc.)
Installation of web browser updates (e.g., Microsoft Edge/Internet Explorer, Google Chrome, Mozilla Firefox, etc.)
Installation of firmware updates for microprocessors (e.g., BIOS updates issued by computer system manufacturers, such as Dell, Lenovo, HP, Apple, etc.)
Prevention of malicious code execution (e.g., website blocking, website ad-blocking, phishing detection, security awareness training for users, etc.)

Back to Basics

Did you notice the mitigation items listed are the core elements of strong security cultures? Even though the vulnerabilities were recently discovered and the exploits breached protected memory as never before, basic security standards remain the first line of defense.

As it became apparent the sky was not falling, the vulnerabilities reminded us of the important fundamentals of security. No matter how far reaching an exploit may be, the potential of your organization being impacted is significantly lessened if:

The vulnerability doesn't have access to your systems.
Operating system or application weaknesses needed by the exploit are patched.
Security software is installed (advanced end-point protection software with artificial intelligence is a game changer).

Make it So

The Meltdown and Spectre vulnerabilities serve as an important reminder to establish and maintain security best practices in your bank:

Monitor availability for operating system and application updates.
Test updates to ensure compatibility.
Apply updates and patches on a regular schedule.
Install and maintain security software (e.g., antivirus software, endpoint security software, etc.).
Prevent malicious code execution (e.g., Internet filtering, phishing detection, security awareness training over how to identify malicious emails and not click links in emails, etc.)

There will continue to be emergencies to address, policies to tweak, and fires to put out, but if you lay a good security foundation, the sky will not fall.

Written By

Carl Cope

Carl worked for nine years as an information security auditor and consultant for CoNetrix and now serves as the Chief Operations Officer. CoNetrix is a provider of information technology consulting and managed IT services for business, IT/GLBA audits and security testing, Aspire cloud hosting, and the developer of Tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Programs.