In the security industry, we all tire of hearing how the latest malware or vulnerability is "the big one." Previous widely publicized vulnerabilities — such as Heartbleed or Shellshock — could be patched and managed with relative ease, though that's still a daunting task for some large enterprises because of the number of systems that must be evaluated.
While superficially just another large vulnerability, Meltdown and Spectre represent an entirely new class of threat that dramatically escalates the need for effective security programs and practices.
These vulnerabilities will likely take years for large organizations to fully remediate, if they ever are before being made obsolete by equipment turnover. Businesses are struggling to understand the true scope of the issue. They are trying to decipher conflicting guidance from vendors, as well as manage the impact the patches have on applications.
With Meltdown and Spectre, we are witnessing the next evolution in security vulnerabilities and threats, one with a scope and spread that is nearly impossible to estimate today.
From Bacterial to Genetic
Malware has been rapidly evolving for as long as microprocessors have existed. In the early days, we had what I call "bacterial" threats, because, similar to bacteria, they were self-contained and did damage through multiplication and spreading. These were relatively simple malware — such as Slammer or Blaster — which, while they caused widespread disruption, were not too difficult to fix. The growth of malware led to the parallel evolution in tools designed to detect and prevent its execution, such as antivirus and intrusion-detection systems.
As malware evolved, the emphasis shifted from the direct execution of malicious software to the use of malware to exploit vulnerabilities in operating systems and applications. I call this the "viral" age of threats. Viral threat malware is usually singular and works through the exploitation of vulnerabilities, similar to how viruses infect vulnerable cells and hijack them for their own purposes.
With these viral threats — such as Poodle, Heartbleed, and Shellshock — the emphasis on the protective side led to new tools to understand the IT environment, discover vulnerabilities, and patch them in a timely manner. As the continual stream of publicly announced breaches demonstrates, we still have a long way to go in meeting this basic bar for protecting information and IT-driven business processes.
With Meltdown/Spectre, I believe we have seen our first large-scale example of a "genetic" threat, or a vulnerability in the processing hardware that lies at the heart of our IT ecosystem. The unforeseen consequences of hardware designs have us facing a problem unlike anything we've ever seen, not only in scope (almost the entire computing universe), but also in scale (the effort required to remediate these issues).
Hardware and software vendors and researchers are working furiously to try and understand the impact of these vulnerabilities and how to fix them. Early announcements to replace the affected CPU chips have rightfully been supplemented with more practical advice to apply appropriate patches as they're released. However, that directive hides a host of issues unlike anything seen in dealing with prior vulnerabilities, no matter how widespread.
Addressing the Meltdown/Spectre vulnerabilities will likely require an exponential increase in the level of effort required for remediation, largely due to the number of patches required, the complexity of putting the right patch on the right system, and the testing required to understand the performance and stability impacts of the patches.
We are still in the early stages of this triage. Exploits are actively being developed; in fact, researchers have already found over 130 malware samples designed to exploit Meltdown and Spectre. Companies must focus on building or enhancing the critical aspects of their security program that are needed to address this issue, in particular:
If companies have not elevated the discussion around IT and information security risks and actions to boardroom levels, now is the time. IT health is critical to any modern organization's success, and Meltdown/Spectre is the perfect example to use in discussing the risks and challenges in cyber-risk management. This function cannot be limited to a "black box" to be managed and cared for with little board- or executive-level oversight. This is a bedrock component to any company's success, and leaders among technology and security disciplines should have a seat at the table.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.Michael Lines is Vice President, Strategy, Risk, and Compliance Services for Optiv, a security solutions integrator. He is responsible for leading Optiv's security experts in helping companies develop and run the security programs that meet their business, risk, and ... View Full Bio