The first week of January 2018 brought disturbing news on the cyber security front – and for once it was not the result of corporate ineptitude or poorly designed software. Actually, it was far worse. Independent security researchers announced the discovery of two vulnerabilities – dubbed Meltdown and Spectre – in the hardware underlying virtually all computers, servers, and smartphones currently in use. Without getting too technical, Meltdown and Spectre each allow a hacker to abuse the normal function of a computer’s processor. They allow a hacker to break the isolation between different applications and the operating system, granting access to the computer’s memory, and thus the secrets of programs sharing the same processor.
Unlike most vulnerabilities, these flaws are in the hardware, not the software, of a device, which makes fixing them far more difficult and costly. The one significant mitigating factor is that the vulnerabilities do not themselves allow a hacker into your system; they are instead a method for a hacker already in your system to bypass internal controls and obtain data or passwords.
With a vulnerability this significant and widespread, what should you do?
- Apply patches and updates. Software makers are busy rolling out software updates and patches to mitigate the damage from these vulnerabilities. Thus, it is now even more important than normal to make sure that these patches and updates are applied as soon as possible.
- Be hyper-vigilant. Because the vulnerabilities can only be exploited once a hacker is in your system, redouble your efforts to keep hackers out or contained using robust security measures, such as strong passwords, multi-factor authentication, timely patch management, and system monitoring.
- Keep cyber security plans current. Ensure that your information security plans and incident response plans are up to date and that they are both technically and legally defensible.
- Monitor for potential intrusions. Be prepared to investigate any potential intrusions rapidly so that you can both cut off any improper access and ensure that any relevant legal obligations and risks are addressed.
Meltdown and Spectre underline yet again the inherent insecurity of our network and computer infrastructure. Companies (and users) must therefore remain alert and focused on taking all reasonable steps within their control to protect the security of their data.