Spectre and Meltdown Vulnerabilities: Our New Normal?

Andre Fomby | 3/1/2018

Initial Notice

Processors are a big deal. They run our computers and devices, and they handle our sensitive data. So news reports in January 2018 about suspected vulnerabilities affecting processors from multiple chip companies captured a lot of attention – and for good reason. The vulnerabilities, named Spectre and Meltdown, make it possible for attackers to access data and information. An untold number of processors are affected, which means that the vulnerabilities extend to an equally untold number of computers, devices, and even networks.

Hardware vendors became aware of the initial Spectre and Meltdown vulnerabilities beginning in June 2017. Unbeknownst to most of us, for the next seven months, security experts at Intel, Advanced Micro Devices (AMD), Arm Holdings (formerly Advanced RISC Machines), and others were working feverishly to patch and prevent exploits. As of February 2018, bad actors had not yet publicly released weaponized exploits specifically meant for Microsoft™ Windows™ operating systems. However, threat agents have released proof-of-concept code that demonstrates the vulnerabilities’ impact and targets Linux™ operating systems.

The Aftermath

Since the public disclosure in January 2018, more computer manufacturers and software developers have been transparent about their plans to patch. Because the vulnerabilities take advantage of speculative execution, which allows modern-day CPUs to operate on multiple instructions at once, the biggest concern with patching is how much of a performance hit computers will take. Users have reported delayed or recalled patches, blue screens of death, random restarts, processing slowdowns, and antivirus incompatibility.

Protecting Your Environment

A threat is defined as a “potentially negative occurrence.” Now that the Spectre and Meltdown vulnerabilities have been disclosed, hackers are hard at work attempting to exploit the existing threats. The latest incident aside, IT managers should always be thinking about how to protect their environment. Patching is only one of many layers of defense against outsiders, and it’s not foolproof. A few additional steps that can help defend against threats and protect your environment include:

Data backup. If a patch already exists to remediate a threat, back up your data before installing it. This step is critical, especially if manufacturers and developers insist on installing patches immediately. While rolling back the patch might be an option, it’s a best practice to be able to perform a restore should something go wrong.

Patch testing. If possible, evaluate the deployment of patches in a test or nonproduction environment. If a secondary environment that mirrors production does exist, applying the patches there first is highly recommended.

Multiple patch application. Applying one patch and testing it before applying another patch on top is wise because it gives a point-in-time assessment of which patch worked, which one did not, and which patch broke something else.

Endpoint protection. While some patches are incompatible with a few antivirus solutions, it’s always prudent to make sure that virus definitions are up-to-date. Zero-day threats are tough to contend with, but being days or weeks behind only exacerbates the problem.

Layered protection. Having only one layer of protection might have been good enough when a breach happened every five years, but those days are long gone, with no sign of returning anytime soon. Multiple levels of protection can help you secure and shield your environment:

  • Next-generation firewall (NGFW). The most preferred form of protection is applied via a next-generation firewall, in which traffic is allowed or disallowed based on a set of rules and configurations. Unlike a standard firewall, an NGFW offers more advanced features, such as application awareness, stateful inspection (also known as dynamic packet filtering), identity awareness, and integrated intrusion protection.
  • Virtual private network (VPN). Another form that helps keep data safe while in transit is a virtual private network. A VPN is a must-have for organizations with several sites that require point-to-point tunnels and for users who require remote access.
  • Multifactor authentication (MFA). In the world of information security, at least two means of authentication should be required when accessing an environment or system. To comply with best practices, users should have something they know (end-user credentials), something they have (a token, code from text, or call to phone), and something they are (biometrics such as thumbprint or facial recognition). Requiring multiple means of authentication dramatically decreases the chance of more than one of them getting compromised.
  • Log aggregation and monitoring. Almost every event performed on hardware within environments is logged, and each event contains information that tells a story. That story includes the what, who, where, and why as it relates to the event. Having a tool in place that monitors events in real time is a critical step in understanding internal and external threats. System information and event management tools can be hosted either remotely or on premises, based on need and budget.
  • Physical security. The oldest layer of defense is probably physical security. It’s just as relevant today as it was 20 years ago, but with the increase in cloud platforms, some of the liability has shifted to third parties. Protecting assets that an organization controls and performing due diligence on those controlled by others is necessary for peace of mind in a world full of threats.
  • User-awareness training. With attackers targeting end users now more than ever as a way to gain access into organizations’ environments, awareness training has become essential to reduce threats. Whether organizations choose to train monthly, quarterly, or annually, the expense they incur might pay for itself.
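
For the patch testing and multiple patch application steps above, the following added example (not part of the original article) shows one way to record whether a Linux test host is still exposed after each patch. It reads the status files that Linux kernels 4.15 and later publish under /sys/devices/system/cpu/vulnerabilities; the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's own Spectre/Meltdown status files.
# Linux 4.15 and later expose one file per issue under this sysfs directory.
SYSFS_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# mitigation_report [DIR] -> one "name<TAB>state<TAB>raw text" line per issue.
# The return code is the number of issues that are not OK (0 = all mitigated).
mitigation_report() {
    dir=${1:-$SYSFS_DIR}
    not_ok=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
        else
            raw="(no status file; kernel does not report this issue)"
        fi
        state=$(classify_status "$raw")
        [ "$state" = OK ] || not_ok=$((not_ok + 1))
        printf '%s\t%s\t%s\n' "$name" "$state" "$raw"
    done
    return "$not_ok"
}

# make_sample_dir -> prints the path of a constructed directory (not real host
# data) that mimics a host patched for Meltdown but still open to Spectre v2.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed sample; call mitigation_report with no argument
# on a real host, once before patching and once after each patch.
sample=$(make_sample_dir)
mitigation_report "$sample" || echo "issues not mitigated: $?"
rm -rf "$sample"
```

Saving the report after each patch and comparing it with the previous one shows which patch changed which status line.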

Stay Vigilant

Obviously, protecting against every vulnerability in real time has proven to be next to impossible. However, we can control how we prepare and respond to threats by staying vigilant and taking proactive steps. As threat agents sharpen the tools in their boxes, organizations should establish nimble and effective countermeasures to avoid both compromise and its ensuing consequences, including the negative press we all dread.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.