Meltdown and Spectre: The looming death of security (and what to do about it)
Meltdown-Spectre
Meltdown and Spectre, the recently exposed flaws in the underlying architecture of many processors manufactured over the last two decades, are just the latest security crisis to hit the IT industry. It's time to acknowledge that while businesses may like to think of their systems as secure, it's better to consider them to be constantly and fundamentally insecure. That means thinking about security as an ongoing process rather an end point, which in turn leads to a few more things that need considering.
This will happen again
The Spectre and Meltdown flaws have existed in some form in most CPUs from Intel since 1995. Other chipmakers are also affected. To many, it may seem baffling that such serious vulnerabilities could go undetected for so long; however, it's simply a function of the incredible complexity of the systems we all rely upon. Before too long, another bug will send everyone scrambling. It may not be a flaw in CPU design, but there will be something else. Remember Heartbleed? That hole in the OpenSSL cryptographic library also came with its own logo and panicked everyone a couple of years back. And what about Shellshock? That was another big bug from recent years.
Total security is a mirage, and believing your systems to be entirely secure is a dangerous illusion. If you assume your systems are insecure you will make better decisions.
The biggest weaknesses may not be your own
There was once a time you could build a wall and a moat around your systems and data, and only give access to privileged insiders. That time passed with the arrival of the internet, but many companies seem not to have noticed. Spectre and Meltdown are good examples of this, because the flaws could potentially affect everything from PC on your desk and the smartphone in your pocket right through to the cloud service crunching your big data. No matter how good you are at patching, you are now reliant on a constellation of service providers and partners. Where you can, it's time to put pressure on the rest of your supply chain to take security seriously.
Download now: Incident response policy (free PDF)
Don't keep it if you don't need it
If you assume that systems are -- or will be -- compromised, how does that change a company's strategy? One thing to consider is whether they need to harvest as much data as they do right now. If some data -- particularly about customers -- is being collected simply because it has always been collected, perhaps now is time to reconsider that policy. Do you really need that data? Does the benefit of collecting it outweigh the cost of having it compromised?
Patching just became a core part of your strategy
The software code shipped by vendors is inevitably imperfect, so there are always patches to apply. Applying these patches has long been seen as a tedious and unrewarding job. Especially in corporate environments, where patches have to be tested to make sure they don't cause unexpected problems when they are implemented, updates are often forgotten or filed at the bottom of the to-do list.
That's no longer acceptable: after the WannaCry ransomware wreaked havoc last year, it was discovered that many companies could have been protected if they had bothered to use the patch that had already been made available by Microsoft. It's also well documented that hackers are mostly using known vulnerabilities to launch their attacks on businesses, and that having systems up-to-date is the best first line of defence.
Just because there's no such thing as total security that doesn't mean you shouldn't try: my colleague Ed Bott has an excellent list of what Windows admins should be doing right now and a proper patching policy is a priority.
Plan for failure
If you assume that security is dead, you may have a better chance of riding out the storm if you do get hit. Too many organisations panic in the face of a security incident and make a bad situation worse. Have a plan ahead of time: that means discussing worst-case scenarios with management and with your communications team so that you at least have an outline of what do to when things go wrong. Open those lines of communication early so that you know who to turn to on the day when it inevitably all goes wrong.
Agree? Disagree? Let me know by posting a reader comment below.
PREVIOUS AND RELATED COVERAGE
The Linux vs Meltdown and Spectre battle continues (ZDNet) Fixing Meltdown and Spectre will take Linux -- and all other operating systems -- programmers a long, long time. Here's where the Linux developers are now.
Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus (ZDNet) Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows.
How the Meltdown and Spectre security holes fixes will affect you (ZDNet) Get ready to patch every piece of computing gear in your home and company to deal with this CPU nightmare.
How the Meltdown and Spectre chip flaws will impact cloud computing (TechRepublic) Mitigations for two critical architectural flaws in CPUs can cause performance degradation, but real-world impact is lower than synthetic benchmarks.
Massive Intel CPU flaw: Understanding the technical details of Meltdown and Spectre (TechRepublic) Two critical architectural flaws in CPUs allow user processes to read kernel memory, affecting Intel, AMD, and ARM processors. Here's what you need to know.