The discovery of the Spectre and Meltdown threats came as a shock to most individuals and organizations. The underlying vulnerabilities that they exposed continue to affect PCs, smartphones, servers, network and security appliances, and some IoT devices — anything that requires a central processing unit (CPU) to function is at risk of loss of the sensitive information held in its memory. As CPUs are foundational to everything in IT, the programs and operating tasks of everyday devices and the secrets they hold are susceptible. Not since Y2K has a vulnerability affected so many systems and required a deliberate, phased plan of action for remediation efforts.
By the end of 2019, we can expect to see more variants of attacks that exploit speculative execution and require additional remediation.
“The risk is real, but with a clear and pragmatic risk-based remediation plan, information security and risk management leaders can provide business leaders with confidence that the marginal risk to the enterprise is manageable and is being addressed,” says Neil MacDonald, vice president and distinguished analyst at Gartner.
Although patches have addressed the current Spectre and Meltdown issues, they may not be the best solution. By the end of 2019, we can expect to see more variants of attacks that exploit speculative execution and require additional remediation.
To defend against Spectre and Meltdown, MacDonald recommends security leaders take the following steps:
- Create a detailed inventory: Nearly every modern IT system will be affected to some extent. The starting point for security leaders must be to inventory all affected systems.
- Develop and prioritize remediation efforts: The vulnerabilities are not remotely exploitable. A successful attack requires the attacker to execute code on the system. Whitelisting and application controls on all systems will reduce the risk of unknown code execution.
- Recognize that patches are not always the right answer: Information security leaders must be prepared for scenarios in which a patch is not a solution. There will be a lack of patches for older systems. Patches might also fail because the impact on performance is not offset by the reduction in risk, such as with network and storage controllers.
- Be diligent about hygiene: For systems that are not patched or only partially patched, multiple mitigating controls can reduce risk. “The single most important issue to address is restricting the ability to place untrusted/unknown code onto the device. By doing this, we significantly reduce the risk, because attacks require local code execution — for Spectre and Meltdown — and any future attacks,” says MacDonald.
- Plan for the future, not the past: This is not the last we will see of these issues. The underlying exploitable implementation is still present and will remain so for years to come. Further research on this design flaw — involving speculative execution to discover new types of attacks— is expected and will likely require additional patches for hypervisors, OSs, browsers and firmware upgrades during the next several years.