Recently, there has been a lot of discussion regarding the Spectre and Meltdown vulnerabilities. This alert provides a simple overview of what these vulnerabilities are, what systems could be affected, as well as steps that companies can take to reduce the risks that these vulnerabilities create.
- What Are The Spectre And Meltdown Vulnerabilities?
Spectre and Meltdown are the names of two flaws that can affect a computer’s central processing unit (“CPU”). Certain CPU chips made by Intel and other manufacturers are vulnerable to the Spectre and Meltdown flaws. The CPU allows the computer to carry out instructions provided by a computer program. Unfortunately, security flaws that affect the CPU permeate the functionality of the computer system: because the CPU is a core component of the computer system, nearly every aspect of system functionality is at risk.

Both the Spectre and Meltdown flaws work by circumventing the protections that govern how system memory, which computers use to store data, is accessed. The way that system memory stores information and how it is accessed is crucial to system performance and security. Security researchers have created a page explaining the different aspects of Spectre and Meltdown in more detail. “Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, [potentially malicious] applications can access system memory.” Meanwhile, “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”
- Which Systems Are Impacted By The Spectre And Meltdown Vulnerabilities?
Any systems that use or rely upon CPU chips that are vulnerable to the Spectre and Meltdown flaws could be impacted. Unfortunately, this is a vast swath of potentially vulnerable systems. Most companies use some physical computers locally, such as laptops, desktops, tablets, smartphones and others, as well as leveraging certain remotely provided computing resources, maintained by another portion of the same entity or by an external vendor.
As such, every company that leverages computing resources will need to ascertain which systems are exposed to the Spectre and Meltdown vulnerabilities. This will involve:
- Identifying and understanding any local physical computing resources that the company allows employees, contractors or others to use on behalf of the company.
- Working with qualified personnel to identify which of these devices contain CPUs subject to the Spectre or Meltdown vulnerabilities.
- Identifying all externally provided computing resources, such as cloud computing resources leveraged by the company.
- Working with each identified provider of externally provided computing resources to understand whether the provided computing resource leverages CPUs that are subject to the Spectre or Meltdown vulnerabilities.
- What Steps Can Companies Take to Reduce Spectre and Meltdown Risk?
Given the widespread nature of the Spectre and Meltdown vulnerabilities, companies may wish to focus their limited resources on reducing their risk as effectively as possible, while understanding that completely eliminating all Spectre and Meltdown vulnerability risk may not be possible. After performing the steps above to identify which computing systems leveraged by the company are at risk, companies will want to consider taking the steps below:
- Run vendor-provided software management tools to identify applicable computer systems and update them with the appropriate released vendor patches to reduce Spectre and Meltdown exploit risk. Ensure that appropriate personnel are aware that system testing should occur after this process runs, as the patches could create performance and stability issues.
- Review and update applicable security policies, incident response, and business continuity plans if these documents are not effectively providing guidance and empowering appropriate stakeholders to identify and remediate Spectre and Meltdown vulnerability risk.
- Identify any systems where particularly sensitive data is kept and engage appropriate internal or external personnel to identify and implement compensating controls, given the increased risk of data exfiltration from any Spectre or Meltdown vulnerability that remains unaddressed on those systems.
- Consider working with appropriate legal counsel to identify whether Spectre and Meltdown present legal risks to the company, as informed by the data being stored and by any products or services the company offers to external entities. Companies will likely want to be particularly concerned about any increased data breach risk, and about the risk that products and services offered to others are subject to known Spectre or Meltdown vulnerabilities that have not been effectively addressed and disclosed.
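Two of the steps above, determining which devices contain affected CPUs and confirming that vendor patches have actually taken effect, can be answered per host on Linux without guesswork. The kernel publishes one file per known CPU flaw under /sys/devices/system/cpu/vulnerabilities (names such as meltdown, spectre_v1 and spectre_v2), each holding a status line such as "Not affected", "Mitigation: PTI" or "Vulnerable". The script below is an added example, not part of this alert and not a vendor tool; it reads that directory and summarises it, and the sample directory it builds is constructed here to stand in for a partially patched host so the script can be tried anywhere.

```shell
#!/bin/sh
# Added example: summarise Linux's per-flaw CPU vulnerability status files.
# The sysfs path is the real kernel interface; the sample contents below are
# constructed for demonstration and do not describe any particular machine.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Reduce one kernel status line to a single word for reporting.
# The kernel prefixes lines with "Not affected", "Mitigation:" or "Vulnerable";
# anything else (including an empty line) is reported as unknown.
classify_status() {
  case "$1" in
    "Not affected"*) echo unaffected ;;
    Mitigation*)     echo mitigated ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# Print "<flaw> <class> <raw status>" for every file in a vulnerabilities directory.
report_dir() {
  dir="$1"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    status=$(cat "$f")
    printf '%s %s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
  done
}

# Print how many flaws in the directory are still reported as vulnerable,
# i.e. how many still need a patch (or a compensating control) on this host.
count_vulnerable() {
  n=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if [ "$(classify_status "$(cat "$f")")" = vulnerable ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed sample: a host patched for Meltdown and Spectre variant 1 but not
# variant 2. File names mirror the kernel's; contents are made up for the demo.
make_sample_dir() {
  mkdir -p "$1"
  printf 'Mitigation: PTI\n' > "$1/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
  printf 'Vulnerable\n' > "$1/spectre_v2"
}

# Demo: report on the constructed sample, then on this host if it exposes sysfs.
main() {
  sample=$(mktemp -d)
  make_sample_dir "$sample"
  echo "== constructed sample =="
  report_dir "$sample"
  echo "still vulnerable: $(count_vulnerable "$sample")"
  rm -rf "$sample"
  if [ -d "$SYSFS_VULN_DIR" ]; then
    echo "== this host =="
    report_dir "$SYSFS_VULN_DIR"
    echo "still vulnerable: $(count_vulnerable "$SYSFS_VULN_DIR")"
  fi
}

main "$@"
```

Run it as an ordinary user on each Linux host in the inventory; a non-zero "still vulnerable" count on a host that has supposedly been patched is the signal to re-check the patch process and the testing step described above, since a kernel update that was installed but not booted, or a missing firmware update, leaves the status at "Vulnerable".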