Vulnerabilities / Threats

2/20/2018
10:30 AM
Michael Lines
Michael Lines
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Meltdown/Spectre: The First Large-Scale Example of a 'Genetic' Threat

These vulnerabilities mark an evolutionary leap forward, and companies must make fighting back a priority.

In the security industry, we all tire of hearing how the latest malware or vulnerability is "the big one." Previous widely publicized vulnerabilities — such as Heartbleed or Shellshock — could be patched and managed with relative ease, though that's still a daunting task for some large enterprises because of the number of systems that must be evaluated.

While superficially just another large vulnerability, Meltdown and Spectre represent an entirely new class of threat that dramatically escalates the need for effective security programs and practices.

These vulnerabilities will likely take years for large organizations to fully remediate, if they ever are before being made obsolete by equipment turnover. Businesses are struggling to understand the true scope of the issue. They are trying to decipher conflicting guidance from vendors, as well as manage the impact the patches have on applications.

With Meltdown and Spectre, we are witnessing the next evolution in security vulnerabilities and threats, one with a scope and spread that is nearly impossible to estimate today.

From Bacterial to Genetic
Malware has been rapidly evolving for as long as microprocessors have existed. In the early days, we had what I call "bacterial" threats, because, similar to bacteria, they were self-contained and did damage through multiplication and spreading. These were relatively simple malware — such as Slammer or Blaster — which, while they caused widespread disruption, were not too difficult to fix. The growth of malware led to the parallel evolution in tools designed to detect and prevent its execution, such as antivirus and intrusion-detection systems.

As malware evolved, the emphasis shifted from the direct execution of malicious software to the use of malware to exploit vulnerabilities in operating systems and applications. I call this the "viral" age of threats. Viral threat malware is usually singular and works through the exploitation of vulnerabilities, similar to how viruses infect vulnerable cells and hijack them for their own purposes.

With these viral threats — such as Poodle, Heartbleed, and Shellshock — the emphasis on the protective side led to new tools to understand the IT environment, discover vulnerabilities, and patch them in a timely manner. As the continual stream of publicly announced breaches demonstrates, we still have a long way to go in meeting this basic bar for protecting information and IT-driven business processes.

With Meltdown/Spectre, I believe we have seen our first large-scale example of a "genetic" threat, or a vulnerability in the processing hardware that lies at the heart of our IT ecosystem. The unforeseen consequences of hardware designs have us facing a problem unlike anything we've ever seen, not only in scope (almost the entire computing universe), but also in scale (the effort required to remediate these issues).

Fight Back
Hardware and software vendors and researchers are working furiously to try and understand the impact of these vulnerabilities and how to fix them. Early announcements to replace the affected CPU chips have rightfully been supplemented with more practical advice to apply appropriate patches as they're released. However, that directive hides a host of issues unlike anything seen in dealing with prior vulnerabilities, no matter how widespread.

Addressing the Meltdown/Spectre vulnerabilities will likely require an exponential increase in the level of effort required for remediation, largely due to the number of patches required, the complexity of putting the right patch on the right system, and the testing required to understand the performance and stability impacts of the patches.

We are still in the early stages of this triage. Exploits are actively being developed; in fact, researchers have already found over 130 malware samples designed to exploit Meltdown and Spectre. Companies must focus on building or enhancing the critical aspects of their security program that are needed to address this issue, in particular:

  • Asset management: Beyond knowing what systems are tied to what applications in what locations with what data, companies will likely need to understand what operating systems, CPUs, and possibly motherboards are in use in these systems to apply the right patches to the right systems. In addition, with the extensive use of cloud and SaaS solutions, companies must understand what their vendors are doing in terms of remediation, and the effects this can have on the performance and stability of the applications and business processes they have deployed in the cloud. 
  • Threat and vulnerability management: Companies must leverage threat information channels to keep up-to-date with new vulnerabilities, threats, and countermeasures, so they can apply patches quickly, correctly, and appropriately. Orchestrating the variety of patches across the variety of hardware, operating systems, and CPU models is a complex challenge that makes the simple patches of the past seem like a walk in the park. 
  • Risk management: Continual management of risk is the key to a successful information security program and is vital to the successful remediation of this issue. Beyond the simple calculation of ensuring that the most business-critical systems are patched first, additional consideration needs to be given to possible compensating controls that can be implemented if patches are not available, or have a detrimental impact on system or application performance and stability. These risk calculations need continual updating as the threat profile changes and as exploits for these vulnerabilities are announced.
  • Testing: Because patches addressing Meltdown/Spectre affect the CPU of the systems, organizations need to perform more comprehensive testing than in the past. The traditional approach of a virtualized test environment that is not the same as the production environment may lead to issues where it is impossible to know what effects patch application will have on performance and stability. Creative testing scenarios should be developed to possibly leverage segments of production systems or disaster-recovery systems to test patches properly.

If companies have not elevated the discussion around IT and information security risks and actions to boardroom levels, now is the time. IT health is critical to any modern organization's success, and Meltdown/Spectre is the perfect example to use in discussing the risks and challenges in cyber-risk management. This function cannot be limited to a "black box" to be managed and cared for with little board- or executive-level oversight. This is a bedrock component to any company's success, and leaders among technology and security disciplines should have a seat at the table.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Michael Lines is Vice President, Strategy, Risk, and Compliance Services for Optiv, a security solutions integrator. He is responsible for leading Optiv's security experts in helping companies develop and run the security programs that meet their business, risk, and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8939
PUBLISHED: 2019-02-19
data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page.
CVE-2019-8935
PUBLISHED: 2019-02-19
Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter.
CVE-2019-3812
PUBLISHED: 2019-02-19
QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.
CVE-2019-8933
PUBLISHED: 2019-02-19
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on ...
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.