Cybersecurity has been close to the front of everyone’s minds for years. The more businesses digitise, the more sensitive information they place at risk of being leaked. This may result in substantial damage, both financial and reputational.
The January announcement of Meltdown and Spectre, two bugs affecting the vast majority of modern processors used in just about every static or mobile device, has caused global consternation, especially since fixes are only available for some devices and some patches have made devices inoperable.
The key questions are just how much of a risk Meltdown and Spectre pose and, without patches closing them off entirely, how you can protect your business.
What are Meltdown and Spectre?
Both Meltdown and Spectre are bugs in the logic used by modern processors to speed up code execution. A modern CPU uses its extra capacity to execute instructions speculatively in order to avoid delays. Meltdown and Spectre are each different ways of exploiting this speculative execution to run unintended code, or to leak information.
Meltdown uses out-of-order execution, one of the features which give modern processors such fantastic performance. It reads otherwise inaccessible areas of memory, potentially giving it access to system usernames and stored passwords.
Spectre uses a different aspect of speculative execution, where the processor essentially guesses the memory value it will need to access before it has been ‘asked.’ It reads areas of memory assigned to other programs, allowing code using this exploit to pull data from other running programs.
Is Your Business at Risk?
Until patches have been created by manufacturers and deployed, every machine is potentially vulnerable to both Meltdown and Spectre. Without a doubt, some, if not all, of the devices used by your business are at risk.
How to Defend Against Meltdown and Spectre
While Spectre and Meltdown both represent worrying vulnerabilities, they cannot be exploited remotely. An attacker first needs to get code that exploits the weaknesses executed on the target device.
This means that standard security best practices will defend against these exploits. While operating-system-level fixes are still in the works, many software developers have already developed fixes for their products, so ensuring all software your business routinely uses is kept up to date is critical.
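On Linux devices, the kernel itself reports whether fixes for these two bugs are in place, which makes "kept up to date" something you can verify. The script below is an added example, not part of the original article; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later, plus vendor backports), and the SAMPLE statuses are constructed for illustration.

```python
"""Audit a Linux host's kernel-reported Meltdown/Spectre status (added example)."""
from pathlib import Path

# Assumption: the kernel exposes one status file per CPU bug in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to an audit verdict."""
    if status is None:
        return "UNKNOWN"  # no file: the kernel predates the reporting interface
    text = status.strip()
    if text == "Not affected":
        return "OK"
    if text.startswith("Mitigation:"):
        return "MITIGATED"
    if text.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"  # unrecognised wording is treated as unverified


def read_sysfs(name):
    """Return the raw status text for one check, or None if it is unavailable."""
    try:
        return (SYSFS_DIR / name).read_text()
    except OSError:
        return None


def audit(read_status=read_sysfs):
    """Return {check: (verdict, raw_status)} using the supplied reader."""
    report = {}
    for name in CHECKS:
        raw = read_status(name)
        report[name] = (classify(raw), raw.strip() if raw else None)
    return report


def needs_action(report):
    """Checks that are unpatched or cannot be verified on this host."""
    return sorted(n for n, (v, _) in report.items() if v in ("VULNERABLE", "UNKNOWN"))


# Constructed sample: a host patched for Meltdown but not fully for Spectre v2.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    for name, (verdict, raw) in audit().items():
        print(f"{name:12} {verdict:10} {raw or 'no kernel report'}")
```

An UNKNOWN verdict usually means the kernel is too old to report its status, which is itself a sign the device needs updating.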
As we have mentioned, both of these exploits need some malicious code to be run in order for them to ‘attack’ a machine. More extreme steps to safeguard your data can include creating an application ‘whitelist’ for managed devices, where any piece of software not expressly permitted is blocked from execution. At the very least, it is best to ensure that everyone with access to your company data is extra-vigilant with email attachments and files from questionable sources.
More than anything else, Spectre and Meltdown should illustrate the reality of cyber security. New threats are constantly emerging, threatening platforms which were believed to be safe. Security experts need to be constantly vigilant, scanning for potential vulnerabilities, and deploying fixes as they are found. The reality is that no system is ever completely safe.
Sources:
Spectre Attacks: Exploiting Speculative Execution: https://spectreattack.com/spectre.pdf
Meltdown: https://meltdownattack.com/meltdown.pdf