5 Ways to Prevent a Spectre or Meltdown Attack

How enterprises can safeguard customers’ personal data and information stored on PCs

The discovery of the Spectre and Meltdown threats came as a shock to most individuals and organizations. The underlying vulnerabilities that they exposed continue to affect PCs, smartphones, servers, network and security appliances, and some IoT devices — anything that requires a central processing unit (CPU) to function is at risk of loss of the sensitive information held in its memory. As CPUs are foundational to everything in IT, the programs and operating tasks of everyday devices and the secrets they hold are susceptible. Not since Y2K has a vulnerability affected so many systems and required a deliberate, phased plan of action for remediation efforts.

By the end of 2019, we can expect to see more variants of attacks that exploit speculative execution and require additional remediation.

“The risk is real, but with a clear and pragmatic risk-based remediation plan, information security and risk management leaders can provide business leaders with confidence that the marginal risk to the enterprise is manageable and is being addressed,” says Neil MacDonald, vice president and distinguished analyst at Gartner.

Although patches have addressed the current Spectre and Meltdown issues, they may not be the best solution. By the end of 2019, we can expect to see more variants of attacks that exploit speculative execution and require additional remediation.

Gartner Top 10 Strategic Technology Trends

Download eBook

To defend against Spectre and Meltdown, MacDonald recommends security leaders take the following steps:

  1. Create a detailed inventory: Nearly every modern IT system will be affected to some extent. The starting point for security leaders must be to inventory all affected systems.
  2. Develop and prioritize remediation efforts: The vulnerabilities are not remotely exploitable. A successful attack requires the attacker to execute code on the system. Whitelisting and application controls on all systems will reduce the risk of unknown code execution.
  3. Recognize that patches are not always the right answer: Information security leaders must be prepared for scenarios in which a patch is not a solution. There will be a lack of patches for older systems. Patches might also fail because the impact on performance is not offset by the reduction in risk, such as with network and storage controllers.
  4. Be diligent about hygiene: For systems that are not patched or only partially patched, multiple mitigating controls can reduce risk. “The single most important issue to address is restricting the ability to place untrusted/unknown code onto the device. By doing this, we significantly reduce the risk, because attacks require local code execution — for Spectre and Meltdown — and any future attacks,” says MacDonald.
  5. Plan for the future, not the past: This is not the last we will see of these issues. The underlying exploitable implementation is still present and will remain so for years to come. Further research on this design flaw — involving speculative execution to discover new types of attacks— is expected and will likely require additional patches for hypervisors, OSs, browsers and firmware upgrades during the next several years.

Gartner clients can learn more in Security Leaders Need to do Seven Things to Deal With Spectre/Meltdown by Neil MacDonald.

Get Smarter

Follow #Gartner

Attend a Gartner event

Explore Gartner Conferences

2019-2021 Emerging Technology Roadmap for Large Enterprises

We gathered expertise from IT professionals across 198 organizations to benchmark adoption stages and risk and value factors for 108 infrastructure and operations technologies for this year. The emerging technologies profiled are spread across six technology buckets: compute and storage, compute and storage (cloud), digital workplace, IT automation, network and security.

Read Free Gartner Research

Webinars

Get actionable advice in 60 minutes from the world's most respected experts. Keep pace with the latest issues that impact business.

Start Watching