Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/20/2018
10:30 AM
Michael Lines
Michael Lines
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Meltdown/Spectre: The First Large-Scale Example of a 'Genetic' Threat

These vulnerabilities mark an evolutionary leap forward, and companies must make fighting back a priority.

In the security industry, we all tire of hearing how the latest malware or vulnerability is "the big one." Previous widely publicized vulnerabilities — such as Heartbleed or Shellshock — could be patched and managed with relative ease, though that's still a daunting task for some large enterprises because of the number of systems that must be evaluated.

While superficially just another large vulnerability, Meltdown and Spectre represent an entirely new class of threat that dramatically escalates the need for effective security programs and practices.

These vulnerabilities will likely take years for large organizations to fully remediate, if they ever are before being made obsolete by equipment turnover. Businesses are struggling to understand the true scope of the issue. They are trying to decipher conflicting guidance from vendors, as well as manage the impact the patches have on applications.

With Meltdown and Spectre, we are witnessing the next evolution in security vulnerabilities and threats, one with a scope and spread that is nearly impossible to estimate today.

From Bacterial to Genetic
Malware has been rapidly evolving for as long as microprocessors have existed. In the early days, we had what I call "bacterial" threats, because, similar to bacteria, they were self-contained and did damage through multiplication and spreading. These were relatively simple malware — such as Slammer or Blaster — which, while they caused widespread disruption, were not too difficult to fix. The growth of malware led to the parallel evolution in tools designed to detect and prevent its execution, such as antivirus and intrusion-detection systems.

As malware evolved, the emphasis shifted from the direct execution of malicious software to the use of malware to exploit vulnerabilities in operating systems and applications. I call this the "viral" age of threats. Viral threat malware is usually singular and works through the exploitation of vulnerabilities, similar to how viruses infect vulnerable cells and hijack them for their own purposes.

With these viral threats — such as Poodle, Heartbleed, and Shellshock — the emphasis on the protective side led to new tools to understand the IT environment, discover vulnerabilities, and patch them in a timely manner. As the continual stream of publicly announced breaches demonstrates, we still have a long way to go in meeting this basic bar for protecting information and IT-driven business processes.

With Meltdown/Spectre, I believe we have seen our first large-scale example of a "genetic" threat, or a vulnerability in the processing hardware that lies at the heart of our IT ecosystem. The unforeseen consequences of hardware designs have us facing a problem unlike anything we've ever seen, not only in scope (almost the entire computing universe), but also in scale (the effort required to remediate these issues).

Fight Back
Hardware and software vendors and researchers are working furiously to try and understand the impact of these vulnerabilities and how to fix them. Early announcements to replace the affected CPU chips have rightfully been supplemented with more practical advice to apply appropriate patches as they're released. However, that directive hides a host of issues unlike anything seen in dealing with prior vulnerabilities, no matter how widespread.

Addressing the Meltdown/Spectre vulnerabilities will likely require an exponential increase in the level of effort required for remediation, largely due to the number of patches required, the complexity of putting the right patch on the right system, and the testing required to understand the performance and stability impacts of the patches.

We are still in the early stages of this triage. Exploits are actively being developed; in fact, researchers have already found over 130 malware samples designed to exploit Meltdown and Spectre. Companies must focus on building or enhancing the critical aspects of their security program that are needed to address this issue, in particular:

  • Asset management: Beyond knowing what systems are tied to what applications in what locations with what data, companies will likely need to understand what operating systems, CPUs, and possibly motherboards are in use in these systems to apply the right patches to the right systems. In addition, with the extensive use of cloud and SaaS solutions, companies must understand what their vendors are doing in terms of remediation, and the effects this can have on the performance and stability of the applications and business processes they have deployed in the cloud. 
  • Threat and vulnerability management: Companies must leverage threat information channels to keep up-to-date with new vulnerabilities, threats, and countermeasures, so they can apply patches quickly, correctly, and appropriately. Orchestrating the variety of patches across the variety of hardware, operating systems, and CPU models is a complex challenge that makes the simple patches of the past seem like a walk in the park. 
  • Risk management: Continual management of risk is the key to a successful information security program and is vital to the successful remediation of this issue. Beyond the simple calculation of ensuring that the most business-critical systems are patched first, additional consideration needs to be given to possible compensating controls that can be implemented if patches are not available, or have a detrimental impact on system or application performance and stability. These risk calculations need continual updating as the threat profile changes and as exploits for these vulnerabilities are announced.
  • Testing: Because patches addressing Meltdown/Spectre affect the CPU of the systems, organizations need to perform more comprehensive testing than in the past. The traditional approach of a virtualized test environment that is not the same as the production environment may lead to issues where it is impossible to know what effects patch application will have on performance and stability. Creative testing scenarios should be developed to possibly leverage segments of production systems or disaster-recovery systems to test patches properly.

If companies have not elevated the discussion around IT and information security risks and actions to boardroom levels, now is the time. IT health is critical to any modern organization's success, and Meltdown/Spectre is the perfect example to use in discussing the risks and challenges in cyber-risk management. This function cannot be limited to a "black box" to be managed and cared for with little board- or executive-level oversight. This is a bedrock component to any company's success, and leaders among technology and security disciplines should have a seat at the table.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Michael Lines is Vice President, Strategy, Risk, and Compliance Services for Optiv, a security solutions integrator. He is responsible for leading Optiv's security experts in helping companies develop and run the security programs that meet their business, risk, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.