It has been a few weeks since security researchers discovered that nearly every processor on earth is vulnerable to Meltdown and Spectre vulnerabilities. Panic is spreading.
We agree that this is a serious set of vulnerabilities. But, no need to panic. We got this.
No Immediate Danger
The first thing to remember is, these vulnerabilities are still theoretical. There are no real-world applications of these exploits (yet). The difficulty of actually exploiting these vulnerabilities remains well beyond the skill level of most hackers. While there is an intense focus on this vulnerability due to the number of affected hosts, there is no reason to panic. Use this vulnerability as a chance to keep working toward better security maturity across your entire organization.
What are Meltdown and Spectre?
- Great overview (with nice logos): https://meltdownattack.com/
- Some more details: https://www.theinquirer.net/inquirer/analysis/3023798/intel-arm-and-amd-all-affected-by-meltdown-and-spectre-security-bypassing-cpu-design-flaw
In short: both of these vulnerabilities affect Intel and AMD processors and how data is stored in memory. Since processors are inside everything, from smartphones to cloud infrastructure, these vulnerabilities affect, almost everything. The flaw allows an attacker to gain access to memory or files based on predictable storage patterns.
That is bad.
Let’s say you host your applications in a cloud environment that does not patch for the Spectre vulnerability. Theoretically, a hacker could manipulate the memory in the cloud environment to see secret data from your environment, without having any access to your environment. That memory might contain anything, like passwords or encryption data.
That is really bad.
In comparison, when the Meltdown vulnerability is exploited, the hacker could then access restricted files. Even files with strict access controls, such as between different users, and even administrator files could be open to anyone. In other words, the security protections you put in place to protect your files could be entirely bypassed.
That is super bad.
What Do I Do?
- Patch your stuff
- Double-check all those network and system-level controls to keep unwanted malware out
- See step one
To be blunt, there is simply no reason you cannot patch your environment. If you have software that is so fragile that OS patching will break it, then you need to get new software (or hire better developers.) What routinely amazes us is how few organizations regularly patch. In fact, a recent report showed that patching remains one of the top ten fundamental security tasks that organizations still do not do.
I Heard the Patches Are More Trouble
Some of the initial, emergency patches for these vulnerabilities created performance issues. One report said that older Windows 7 and 8 machines are really hit hard, with degraded processor performance as much as 35%! That is, obviously, unacceptable for high-performance environments (like cloud environments.)
However, new patches are being released that (allegedly) will reduce this performance impact. Unfortunately, because this is a flaw at the processor and firmware level, it is difficult to patch this vulnerability in the OS. At best, these are band-aids. The real changes must be made at the BIOS or processor architecture level.
In light of the patch problems, this underscores the need for all the other important security controls, namely network and system level access controls.
We Must Be Safe Because We Have a Next Generation…
Honestly, none of the “next generation” stuff can detect or block this attack at this time. Theoretically, antivirus products will detect this, but antivirus products are notoriously easy to bypass. The same goes for NGFWs and IDS/IPS products.
This is Bad for the Cloud
Meltdown and Spectre vulnerabilities are uniquely damaging to cloud security due to how they allow accessibility to confidential data as well as the performance degradation. Since cloud providers run multiple customers on a single host, there is a possibility of data crossing over from one environment to another.
That is catastrophically bad. But, again, nobody has done this in the wild…yet.
Cloud providers are patching their systems. AWS and Google have already patched their environments. (More information on AWS updates).
If you run a private cloud or virtualized on-premise environment, then you must patch your own systems. All of the virtualization providers have released patches.
How Serious is the Threat?
While everything we have said sounds awful, the threat here is not as dire as it may appear.
It is a forgone conclusion that organized crime and nation state hackers are already working on exploit kits for these vulnerabilities. Considering the extensive resources these groups possess, it is only a matter of time before they release something (they may have already.) Moreover, when they do release an attack, most of us will not know about it until the exploits spread, are discovered, and analyzed.
However, cloud providers are getting ahead of this threat. Nevertheless, this is why you must be vigilant on patching, as well as all the other recommended security best practices. Hackers feed on poorly managed, maintained, and secure environments. If you want to stay ahead of the threat, keep your systems patched.
Lastly, do not become distracted with news that doomsday is here and there is no hope. Solutions do exist. This meltdown will pass and you can return to the normal chaos of life.