With the January 3rd announcement of the MELTDOWN/SPECTRE side-channel vulnerabilities and their impact on billions of devices, it seems IT Security is 35 points behind at the start of the 4th quarter and the other team knows we are throwing long on every play. Clearly everyone associated with technology – from the processor engineer to the student worker racing to a workstation with a browser pop-up announcing the user has “won” an Amazon gift card – now knows they have a long-term role in IT Security.
We aren’t in the 4th quarter!
IT security takes a game plan. In the frenzy of an announcement, we sometimes lose sight of the greatest risks. Let’s take MELTDOWN. It is not in the wild. Exploiting this vulnerability, which security researchers discovered, would take intrusive software already running on the device. It has even been said that successfully mapping memory through the vulnerability and then planting an exploit is a matter of statistical probability, requiring either a long period of time or a large number of devices. Guess what? It is even harder when a user reboots 🙂 The NIST National Vulnerability Database rates these as medium-risk vulnerabilities with a low exploitability score. Contrast that with ransomware, which is rated high risk with double the exploitability.
So what’s the game plan? If I were the lone IT support for 300 end-user devices and a handful of servers, I would expect to spend 30 hours a month on IT Security and compliance. Some of that time each month goes not just to patching, scanning, and chasing AV and packet-sniffing alerts, but to educating users (WHO REMAIN THE GREATEST RISK), increasing security through automation, and getting rid of legacy security “holes” (like too many local administrators and old OSes). We’re not going to lose this game! We are only at half-time, and while a little behind, we have a good game plan of USER EDUCATION, vulnerability management, patch management, more security automation, and our all-SEC running back.
So what to do about MELTDOWN/SPECTRE? Intel has said that once the OS is patched, MELTDOWN does not really require a firmware update. Of the two SPECTRE variants, both Intel and a flip-flopping AMD have announced they still have to complete firmware that addresses one of them. It will be weeks before that firmware is out. Chrome is about to release a browser version that purposely slows down direct cache processing to close the timing hole that can be exploited via the Chrome browser. Part of risk management is knowing your high-value targets, and that means the first things to patch are servers with lots of credentials in memory. Then, in February, when there is long-field-tested stable firmware, test the firmware on one low-impact system and only after that apply it to the high-value targets.
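The rollout order above (OS patches everywhere, high-value servers first; firmware piloted on one low-impact box before it touches anything holding lots of credentials) is simple enough to turn into a script that builds the staged plan from an inventory. The following is an added example written for this post, not code from Intel, Microsoft or any vendor; the host names, the credentials-in-memory counts and the 1–5 business-impact scores are constructed sample data, and the threshold of 10 resident credentials for a “high-value target” is an assumption you would tune to your own environment.

```python
"""Staged MELTDOWN/SPECTRE rollout plan from a host inventory (added example).

Ordering follows the post: OS patches go to every host now, servers with
many credentials in memory first; the firmware update is piloted on one
low-impact host and only then rolled to the high-value targets.
All inventory values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    role: str                 # "server" or "workstation"
    creds_in_memory: int      # rough count of logon sessions / service accounts resident
    business_impact: int      # 1 (low) .. 5 (critical); lowest is the firmware pilot
    os_patched: bool = False
    firmware_available: bool = False   # vendor has shipped stable firmware for this model


# Constructed sample inventory (not real hosts).
INVENTORY = [
    Host("dc01", "server", creds_in_memory=120, business_impact=5, firmware_available=True),
    Host("file01", "server", creds_in_memory=35, business_impact=4,
         os_patched=True, firmware_available=True),
    Host("print01", "server", creds_in_memory=3, business_impact=1, firmware_available=True),
    Host("web01", "server", creds_in_memory=12, business_impact=3),
    Host("ws-001", "workstation", creds_in_memory=1, business_impact=2, firmware_available=True),
    Host("ws-002", "workstation", creds_in_memory=2, business_impact=2, os_patched=True),
]

HIGH_VALUE_MIN_CREDS = 10   # assumed threshold; tune for your environment


def high_value_targets(hosts, min_creds=HIGH_VALUE_MIN_CREDS):
    """Servers with many credentials in memory, most exposed first."""
    hv = [h for h in hosts if h.role == "server" and h.creds_in_memory >= min_creds]
    return sorted(hv, key=lambda h: (-h.creds_in_memory, h.name))


def os_patch_queue(hosts):
    """Every host still missing the OS patch; high-value servers go first.
    Per the post, the OS patch alone covers MELTDOWN, so nothing waits on firmware here."""
    hv_names = {h.name for h in high_value_targets(hosts)}
    pending = [h for h in hosts if not h.os_patched]
    return sorted(pending, key=lambda h: (h.name not in hv_names, -h.creds_in_memory, h.name))


def firmware_pilot(hosts):
    """The single lowest-impact host that already has vendor firmware: the test system."""
    candidates = [h for h in hosts if h.firmware_available]
    if not candidates:
        return None
    return min(candidates, key=lambda h: (h.business_impact, h.creds_in_memory, h.name))


def firmware_rollout(hosts):
    """Pilot first, then the high-value targets, then everything else with firmware."""
    pilot = firmware_pilot(hosts)
    if pilot is None:
        return []
    hv = [h for h in high_value_targets(hosts) if h.firmware_available and h != pilot]
    rest = [h for h in hosts if h.firmware_available and h != pilot and h not in hv]
    rest.sort(key=lambda h: (-h.creds_in_memory, h.name))
    return [pilot] + hv + rest


def build_plan(hosts):
    """Return the staged plan as plain host-name lists, ready to print or export."""
    pilot = firmware_pilot(hosts)
    return {
        "os_patch": [h.name for h in os_patch_queue(hosts)],
        "firmware_pilot": pilot.name if pilot else None,
        "firmware_rollout": [h.name for h in firmware_rollout(hosts)],
        "firmware_waiting": [h.name for h in hosts if not h.firmware_available],
    }


if __name__ == "__main__":
    for stage, hosts in build_plan(INVENTORY).items():
        print(f"{stage:17s}: {hosts}")
```

Running it against the sample inventory puts dc01 and web01 (the servers carrying the most credentials) at the front of the OS-patch queue, picks print01 as the firmware pilot because it is the lowest-impact host that already has firmware, and parks web01 and ws-002 in a waiting list until their vendors ship. The real inventory would come from your asset system rather than a hard-coded list, but the ordering logic is the part worth keeping.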
There is a lot of information on these exploits, but one of the best references is Intel itself. At the link below, Intel lays out what it and other vendors, from OEMs like Acer to Microsoft to Ubuntu, are doing. Now let’s go out there on the field and take the lead!