What in today’s tech environment makes below the operating system vulnerabilities a risk worth worrying about?


CISO in Education, 1,001 - 5,000 employees
The surface area for below the operating system vulnerabilities just continues to proliferate more and more and more. From an education standpoint that would be fascinating research, but it also depends on who's issuing grants, because if no one wants to study that or pay someone to study that, then it's never going to get done.
Board Member, Advisor, Executive Coach in Software, Self-employed

Yeah. It's interesting when you mention the attack surface. You've got the equivalent of urban sprawl this way. With more devices, more applications, more virtualization and stuff like that. And then we have the equivalent of the depth from the GUI, as it starts walking its way down into the layers of silicon. Which again, when you go within those, those are also widening. So you have everything kind of going deeper and everything getting wider. And then you're proliferating more devices that have both deeper stacks that are now potentially vulnerable and a wider variety of them in different parts of the world. So it becomes this multi-dimensional attack surface growth.

CISO in Software, 51 - 200 employees
I think where this gets extraordinarily interesting is in the Azure/GCP/AWS environments. That has a material impact on me. And I think all of us in some way, shape or form are in the cloud, whether we want to be or not. That's what we do. We are SaaS. And if AWS comes out tomorrow and says, "Hey, there's a kernel level, firmware level issue on every service that we have. And we don't know how long it's been going on and we're not sure what information has been leaked," that would be Spectre/Meltdown on steroids, right? That's going to be a bad day, it’s not going to be fun. That's that vertical risk, it's not sprawling so much left to right as it is up and down, because we are so ingrained in GCP and AWS and Azure. If those services go down, our services go down.
Board Member, Advisor, Executive Coach in Software, Self-employed

Yeah. And you can take the same thing for the internet, whether it be Charter Spectrum, AT&T, whatever, because you go “there's the compute stack that's in the cloud. If that goes down your service is dead.” But there's also the connection between you and your customer, and between the data center and the customer stuff that is internet controlled. So you have the same thing, even with the telcos. That would be the equivalent of an AWS or an Azure Richter 10 level issue.

Board Member, Advisor, Executive Coach in Software, Self-employed
There's certainly been an uptick in the vulnerability research and discovery of vulnerabilities in below the operating system areas. It was a relatively obscure research area even 10 years ago, other than for nation state actors, but in the broad public community that has been growing. And even in the past year or so multiple substantial vulnerabilities, not only in IoT devices, but PCs and servers, and even the cloud infrastructure have been found. There was a report several weeks ago by Steve Mancini, who's at a company that focuses on below the operating system security issues. He's not only the CISO, but he runs the threat and intelligence team. They published a report on the malware TrickBot and it doing discovery and the potential for it to play with things in the firmware. And there's been other discoveries in the UEFI area of vulnerabilities.

You're even seeing more security companies now, startups starting to focus in that area because the real threat researchers, the real hardcore hardware security folks are seeing the threats because they've been working them in the companies that they've supported in the hardware ecosystem, but they don't see that the market has been addressing it well enough. So they're going and creating their own startups to try and get better security development life cycle, better detection and mitigation of maliciousness and stuff.
CIO in Education, 201 - 500 employees
As more and more is connected/integrated, there are no true ‘safe spaces’ from risk and vulnerability anymore. If there’s a gap, it’ll be found.
