In the security industry, we all tire of hearing how the latest malware or vulnerability is "the big one." Previous widely publicized vulnerabilities — such as Heartbleed or Shellshock — could be patched and managed with relative ease, though that's still a daunting task for some large enterprises because of the number of systems that must be evaluated.
While superficially just another large vulnerability, Meltdown and Spectre represent an entirely new class of threat that dramatically escalates the need for effective security programs and practices.
These vulnerabilities will likely take years for large organizations to fully remediate, if they are ever fully remediated before equipment turnover makes the affected systems obsolete. Businesses are struggling to understand the true scope of the issue. They are trying to decipher conflicting guidance from vendors, as well as manage the impact the patches have on applications.
With Meltdown and Spectre, we are witnessing the next evolution in security vulnerabilities and threats, one with a scope and spread that is nearly impossible to estimate today.
From Bacterial to Genetic
Malware has been rapidly evolving for as long as microprocessors have existed. In the early days, we had what I call "bacterial" threats, because, similar to bacteria, they were self-contained and did damage through multiplication and spreading. These were relatively simple pieces of malware — such as Slammer or Blaster — which, while they caused widespread disruption, were not too difficult to fix. The growth of malware led to a parallel evolution in tools designed to detect and prevent its execution, such as antivirus and intrusion-detection systems.
As malware evolved, the emphasis shifted from the direct execution of malicious software to the use of malware to exploit vulnerabilities in operating systems and applications. I call this the "viral" age of threats. Viral threat malware is usually singular and works through the exploitation of vulnerabilities, similar to how viruses infect vulnerable cells and hijack them for their own purposes.
With these viral threats — such as Poodle, Heartbleed, and Shellshock — the emphasis on the protective side led to new tools to understand the IT environment, discover vulnerabilities, and patch them in a timely manner. As the continual stream of publicly announced breaches demonstrates, we still have a long way to go in meeting this basic bar for protecting information and IT-driven business processes.
With Meltdown/Spectre, I believe we have seen our first large-scale example of a "genetic" threat, or a vulnerability in the processing hardware that lies at the heart of our IT ecosystem. The unforeseen consequences of hardware designs have us facing a problem unlike anything we've ever seen, not only in scope (almost the entire computing universe), but also in scale (the effort required to remediate these issues).
Hardware and software vendors and researchers are working furiously to understand the impact of these vulnerabilities and how to fix them. Early announcements to replace the affected CPU chips have rightfully been supplemented with more practical advice to apply appropriate patches as they're released. However, that directive hides a host of issues unlike anything seen in dealing with prior vulnerabilities, no matter how widespread.
Addressing the Meltdown/Spectre vulnerabilities will likely require an exponential increase in the level of effort required for remediation, largely due to the number of patches required, the complexity of putting the right patch on the right system, and the testing required to understand the performance and stability impacts of the patches.
We are still in the early stages of this triage. Exploits are actively being developed; in fact, researchers have already found over 130 malware samples designed to exploit Meltdown and Spectre. Companies must focus on building or enhancing the critical aspects of their security program that are needed to address this issue, in particular:
- Asset management: Beyond knowing what systems are tied to what applications in what locations with what data, companies will likely need to understand what operating systems, CPUs, and possibly motherboards are in use in these systems to apply the right patches to the right systems. In addition, with the extensive use of cloud and SaaS solutions, companies must understand what their vendors are doing in terms of remediation, and the effects this can have on the performance and stability of the applications and business processes they have deployed in the cloud.
- Threat and vulnerability management: Companies must leverage threat information channels to keep up to date with new vulnerabilities, threats, and countermeasures, so they can apply patches quickly, correctly, and appropriately. Orchestrating the variety of patches across the variety of hardware, operating systems, and CPU models is a complex challenge that makes the simple patches of the past seem like a walk in the park.
- Risk management: Continual management of risk is the key to a successful information security program and is vital to the successful remediation of this issue. Beyond the simple calculation of ensuring that the most business-critical systems are patched first, additional consideration needs to be given to possible compensating controls that can be implemented if patches are not available, or have a detrimental impact on system or application performance and stability. These risk calculations need continual updating as the threat profile changes and as exploits for these vulnerabilities are announced.
- Testing: Because patches addressing Meltdown/Spectre affect the CPU of the systems, organizations need to perform more comprehensive testing than in the past. The traditional approach of a virtualized test environment that is not the same as the production environment may lead to issues where it is impossible to know what effects patch application will have on performance and stability. Creative testing scenarios should be developed to possibly leverage segments of production systems or disaster-recovery systems to test patches properly.
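As an added illustration (not part of the original article), the sketch below combines the asset-management and risk-management points: it reads the per-issue mitigation status that Linux kernels with the reporting interface expose under /sys/devices/system/cpu/vulnerabilities/, then orders unpatched or unreported hosts by business criticality. The hostnames, criticality scores and the read_local, classify and triage helpers are hypothetical.

```python
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

def read_local(root=SYSFS):
    """Status strings reported by the local kernel; None if a file is absent."""
    root = Path(root)
    return {n: (root / n).read_text().strip() if (root / n).is_file() else None
            for n in ISSUES}

def classify(status):
    """Map a kernel status string to 'ok', 'vulnerable' or 'unknown'."""
    if status is None:
        return "unknown"  # no file: the kernel cannot report, so assume nothing
    status = status.strip()
    if status == "Not affected" or status.startswith("Mitigation:"):
        return "ok"
    return "vulnerable" if status.startswith("Vulnerable") else "unknown"

def triage(inventory):
    """Return (host, criticality, open_issues) rows, most urgent first."""
    rows = []
    for host, rec in inventory.items():
        open_issues = [n for n in ISSUES
                       if classify(rec["status"].get(n)) != "ok"]
        if open_issues:
            rows.append((host, rec["criticality"], open_issues))
    # Business-critical hosts first, then hosts with the most open issues.
    return sorted(rows, key=lambda r: (-r[1], -len(r[2]), r[0]))

# Constructed sample inventory: hostnames and criticality scores are made up.
SAMPLE = {
    "db01": {"criticality": 5, "status": {
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable"}},
    "web03": {"criticality": 3, "status": dict.fromkeys(ISSUES, "Vulnerable")},
    "app07": {"criticality": 4, "status": {
        "meltdown": "Not affected",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Mitigation: Full generic retpoline"}},
    "build02": {"criticality": 1, "status": {}},  # kernel without the sysfs files
}

if __name__ == "__main__":
    for host, crit, issues in triage(SAMPLE):
        print(f"{host:8} criticality={crit} needs attention: {', '.join(issues)}")
```

Hosts whose kernel reports nothing are kept on the list as "unknown" rather than assumed safe, since an older kernel is itself a sign that patches have not been applied.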
If companies have not elevated the discussion around IT and information security risks and actions to boardroom levels, now is the time. IT health is critical to any modern organization's success, and Meltdown/Spectre is the perfect example to use in discussing the risks and challenges in cyber-risk management. This function cannot be limited to a "black box" to be managed and cared for with little board- or executive-level oversight. This is a bedrock component to any company's success, and leaders among technology and security disciplines should have a seat at the table.