What Compliance Professionals Need to Know About the Meltdown and Spectre Vulnerabilities.

By David Tremont posted 01-18-2018 09:59

Well, here we are again with the discovery of the largest security flaw ever facing the American public and, for that matter, the entire world. Just when we think we have all our ducks in a row for ensuring our systems are compliant, the monkey wrench gets thrown into the engine and we sit here scratching our heads or, to be honest, freaking out about how to begin to understand the severity of this vulnerability. Do we have a plan for remediation? What effect does this have on our compliance obligations to our clients and customers? Who are our cloud providers? What SaaS applications do we have? The list goes on and on.

With all the different types of hardware the Meltdown and Spectre vulnerabilities affect, I must tell you, as a Director of Security, it was a jaw-dropping moment just to wrap my head around all the systems and vendors we use and what we do to ensure we are compliant. I am talking about the plethora of hardware, such as storage systems, blade chassis and a host of other affected equipment, that uses Intel, AMD and ARM processors.

So, take a deep breath and let’s delve through the quagmire of information and look at this from the perspective of compliance. First, let’s look at who is getting hit by these new vulnerabilities in our hardware.

The Senate has been hit hard. This means that if your firm does mostly government work, you’re probably on the radar at this point and should consider the patches as they become available. Also take into account governmental agency compliance. But be careful: Microsoft has provided legitimate patches, and there are also fake ones circulating that make the situation even worse. Silicon published an article by Steve McCaskill, “Fake Meltdown & Spectre Websites Target Users With Fake Patches”, that will help you tell the good from the bad.

You mustn’t forget the impact on the budget for 2018 as well, not only in the computing world but within the IT departments of companies too. The ramifications of how much these bugs will impact computing are still playing out, but we must also consider how they could compromise servers for cloud platforms and have other far-reaching effects.

To start off, a good question would be, “Do I have a good patch management program in place?” because, let’s face it, the large majority of what we should do is make sure our patching is as automated as we can get it via SCCM and other third-party products, and make sure we have all the necessary tools to scan for the vulnerability. Now, I know I made this sound easy, but patch management mainly covers laptops, desktops and servers, and unfortunately not all platforms will be remediated. Dell is an example: no patch will be created for machines that are four years old or more. Here is a link to “Dell Support” concerning the Meltdown and Spectre vulnerabilities.

However, when I get an audit from our clients, they will ask the question, “Do you have a patch management system in place, and if so, provide documentation.” Well, what do you know, we do have a good patch management system in place and are automated to perform patches twice a month. Additionally, if you are required to perform vulnerability scans, there are tools that can determine whether you have eliminated the threat of these two flaws.

Eureka, I am compliant! Well, hold your horses, everyone, as that is just the tip of the iceberg. In most environments there are storage systems that operate similarly to a server and use those same processors, as well as blade chassis and the interconnects for those chassis, and, hold on, virtualization patches. Virtualization hosts are the worst-case scenario because the virtual machines share the host’s processor(s), and now a guest could exploit the host. To make matters even worse, patch management is not so automated when it comes to these types of systems.

Secondly, we need to make our vendors (Azure, AWS, Google Cloud, Dropbox, ShareFile, etc.) comply with the audits we send them, and we all need written documentation from those providers, especially if you are using shared resources in the cloud, assuring us they are doing everything possible to remediate the vulnerability. Undoubtedly your client audit will ask for proof from vendors because, let’s face it, you should have a vendor management program as well.

Third, don’t freak out. Use your security policies and procedures, and stick to them. Make sure your patch management systems are in place, and test before you deploy to your entire enterprise. Be vigilant and, dare I say, relentless in making your vendors comply with your audit, and keep on top of what they are doing to make sure your data is protected. Also, stay current on the security advisories involved and on which companies have been affected. Firms that are ISO compliant should be following guidelines and procedures that are aligned with their ISO certification. Meltdownattack.com has been providing such information about both the Meltdown and Spectre vulnerabilities.

If you do not have these programs in place, this is a good place to start turning those lemons into lemonade. Use this as the opportunity to start a patch management program, even if it is a manual process, because the key is to have a documented process to ensure compliance and reduce your risks.

You can bet there are already lawsuits pending because of this serious flaw. Try to keep the plethora of information to a minimum and just get the facts, engage your teams and have a plan. It may take time, but to be compliant you need to show that you are progressing through the issues and making a best effort to protect your clients’ data.

Finally, let’s look at what your peers are saying about this troublesome CPU bug. There has been discussion about verifying claims made in Reddit threads. While some claims state that Microsoft has yanked updates, its new updates continue to show up, download and install. One thing to look out for: a computer that has been shut off for 24 hours and shows no updates pending will repopulate the new Microsoft update after you click “Check for Updates”. It has also been verified that Microsoft is tightening its focus on Windows 10 security with several new tools in its latest major OS update.

Likewise, in the ILTA Communities, there has been discussion about how the new Microsoft patching via Windows Update can cause a “Blue Screen” after the needed patches from Microsoft have been applied. It was also noted that everything is very dependent on the configuration and activity of the server. A link to Microsoft Support, “Protection Against Speculative Execution”, was also provided to help members identify the vulnerabilities.
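The two practical questions above, whether a scan can show the flaws are remediated and why a patched machine may show no update pending, can both be answered per host with Microsoft's published SpeculationControl PowerShell module. The script below is an added example, not from the original post or from Microsoft; it assumes Windows PowerShell run as an administrator with access to the PowerShell Gallery, that the module exposes the property names documented in the "Protection Against Speculative Execution" guidance, and the CSV evidence path is my own choice.

```powershell
# Added example: gather audit evidence for the Windows Meltdown/Spectre mitigations on one host.
# Assumptions: administrator rights, PowerShell Gallery reachable, property names as documented
# by Microsoft for the SpeculationControl module; the CSV path below is a constructed choice.
#Requires -RunAsAdministrator

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# -Quiet suppresses the module's console report and just returns the result object
$s = Get-SpeculationControlSettings -Quiet

# KVA Shadow (kernel page-table isolation) is the Meltdown mitigation; it is only "required"
# on affected CPUs, so a host where it is not required counts as covered.
$meltdownMitigated = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled
# Branch Target Injection (BTI) is Spectre variant 2; it needs both the OS patch and CPU
# microcode, which is why the hardware flag is reported separately below.
$spectreV2Mitigated = [bool]$s.BTIWindowsSupportEnabled

# Windows Update only offered the January 2018 security update when this antivirus
# compatibility value was present; a missing value explains a host with "no update pending".
$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-e629-4e71-b5b7-30b3a54c78b0'
$avCompatFlagSet = (Test-Path $compatKey) -and
    ($null -ne (Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue))

$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
$os  = Get-CimInstance Win32_OperatingSystem

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    Collected          = (Get-Date).ToString('s')
    OSVersion          = $os.Version
    CPU                = $cpu.Name
    MeltdownMitigated  = $meltdownMitigated
    KVAShadowRequired  = $s.KVAShadowRequired
    SpectreV2OSEnabled = $spectreV2Mitigated
    SpectreV2Microcode = $s.BTIHardwarePresent
    AVCompatFlagSet    = $avCompatFlagSet
}

$report | Format-List
# Append each run to a CSV so it becomes an artifact in the patch-management evidence file
$report | Export-Csv -Path "$env:ProgramData\meltdown-spectre-evidence.csv" -Append -NoTypeInformation
```

Run it through SCCM or a scheduled task across the fleet and the CSV gives the auditor dated, per-host proof rather than a statement that patching is "in place"; a host reporting SpectreV2Microcode as false needs a firmware update from the hardware vendor, which no Windows patch can supply.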

One major concern from members would have to be that this flaw was discovered in December, and according to some accounts as early as June 2017, but was not brought to light until now. The only certain course of action is that we mustn’t look back but move forward from this new attack on technology. If you get down to the nuts and bolts of what makes up Meltdown and Spectre, it has been stated that they are no different from their virus predecessors, apart from the fact that they are nearly impossible to detect, and that they will not bring about the technological apocalypse. For a final thought, being compliant and ever vigilant will help in the fight against attacks and hardware vulnerabilities in the future.
