Meltdown and Spectre:
Changes in the Nature of Vulnerabilities
By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE
As most of us were recovering from celebrating the new year, computer specialists were in shock and starting to panic. On January 3rd, 2018, the public was made aware of two computer vulnerabilities that are so significant they were given names: Meltdown and Spectre. For those readers who are not familiar with computer vulnerabilities, names have never been given before. Vulnerabilities are found in software almost daily. Thousands of vulnerabilities are identified every year. To fix those vulnerabilities, software companies write updated software code and send it out to customers in the form of updates or patches. We are all familiar with the process. Microsoft asks us to update our computers, as do the applications on our phones. These updates fix bugs, or vulnerabilities, or they provide new functionality for the software.
What is so significant about the vulnerabilities known as Meltdown and Spectre is that they are bugs in the hardware of the computer. They affect the processors made by Intel, IBM, ARM, and AMD. Millions of devices made in the past 10+ years have these processors and therefore have these vulnerabilities. In addition to devices, virtual machines are also affected. This is huge! The only good news is that so far, these vulnerabilities have not been exploited in the wild (the real world, as opposed to the computer testing lab).
To better understand vulnerabilities, picture your computer device as a building. The internal structure of the building – the foundation, framing, walls, and roof – represents the hardware of the computer device. The finishing components – the windows, siding, paint, and molding – represent the software on the computer device. Vulnerabilities have always been in software. Anyone who has done a remodel on a building knows that replacing windows or siding is much easier than replacing internal framing or the foundation. A lot of the patches and updates your computer devices get are simple fixes, like replacing the caulk on your windows. Trying to fix Meltdown and Spectre is the equivalent of not just fixing the foundation of your building, but jacking up the entire building and replacing the foundation entirely.
Meltdown exploits “out of order execution” and Spectre exploits “branch prediction and speculation execution.” To continue our building analogy, picture a long hall with many doors off of it. Inside each room a task is being performed for a program (software). The hardware is designed so that each application can only see the information it needs to run; MS Word cannot see what YouTube is doing on the processor. Meltdown breaks down the walls in the room so that a threat agent is able to see through the wall and what is happening in the room. Spectre tricks the room into opening the door so a threat agent is able to see the task being performed in the room.
If you are thinking that this sounds really serious, you are right. When the vulnerabilities were first made known to the public, there was barely controlled panic in the cybersecurity industry. Large, popular software companies issued hasty software patches. A lot of those patches caused more harm than good. It is hard to fix a foundation using tools designed to install baseboard and crown molding. In order to truly fix these vulnerabilities, the foundational architecture of computer processing chips needs to be redone, which means we all eventually need new devices or new processing chips. That will take months, if not years.
What can you do?
- Don’t panic. As I mentioned earlier, these vulnerabilities have not been exploited in the wild.
- Figure out if you are at risk. While a lot of computing devices have these vulnerabilities, not all do. Perform an authenticated vulnerability scan using Qualys (or Nessus) on your computing devices (laptops, desktops, servers, etc.) to find out if you are at risk.
- Once you know which devices are at risk, figure out what information is stored on those devices, or what information flows through those devices.
- Risk rank the devices. Not all data has the same importance. The database that stores your customers’ personally identifiable information is a higher risk than the notes from your last employee meeting.
- Patch your systems. Have your IT teams test the patches that are issued, but don’t delay updating your systems. Update with not only the operating system patches, but the browser patches as well. The Equifax breach happened because they delayed installing a patch for 5 months.
- Make sure your antivirus is up to date. In order to exploit Meltdown and Spectre, a threat agent has to be logged into your system. They will do that via a virus or another software vulnerability.
Vulnerability management is a significant cyber security business process. Vulnerabilities are like weeds; new ones are always popping up. Vulnerability management is not just an IT issue. Business leadership should be having conversations with the IT department, or their IT vendors, to understand what is being done to mitigate and patch vulnerabilities. Together, business leadership and IT leadership can protect business data and avoid a data breach.
Ben Hunter, III Advisory Services Manager, CPA, CITP, CISA, CRISC, CFE
Ben is a Manager in our firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training by obtaining the ISACA certifications: Certified Information Systems Auditor […]