Meltdown and Spectre - What Next?
Corporate enterprises face one of the biggest security risks of recent times: the “Meltdown” and “Spectre” critical vulnerabilities in processor architecture affect almost every computer and mobile device on the planet.
Both vulnerabilities exploit speculative execution, the processor technique that queues up and runs ahead on instructions it expects to be needed. It gives cyber-criminals access to data passing through the CPU itself: a malicious application running on a device can peek into the memory of another application on the same device and extract its contents.
“Meltdown”, designated CVE-2017-5754, can enable hackers to gain privileged access to parts of a computer’s memory used by applications and the operating system (OS). Meltdown affects Intel processors.
“Spectre”, designated CVE-2017-5753 and CVE-2017-5715, can allow attackers to steal information leaked from the kernel or cached files, or data stored in the memory of running programs, such as credentials. Spectre affects processors from Intel, Advanced Micro Devices (AMD) and Advanced RISC Machine (ARM).
Microsoft is releasing Windows updates to block malicious attempts to exploit the Meltdown vulnerability in Intel processors. At the same time, operating system vendors, hypervisor vendors and cloud computing companies are introducing fixes that prevent user-mode programs from “peering inside” kernel-mode memory.
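On Linux, an admin can check whether those fixes are actually in place on a given machine by reading the kernel's own report under /sys/devices/system/cpu/vulnerabilities/ (one file per issue). The script below is an added example, not part of the original article; it assumes a Linux kernel (4.15 or later) that exposes that directory, and the sample status lines it builds are constructed for illustration rather than taken from a real machine.

```shell
#!/bin/sh
# Summarise the kernel's report of speculative-execution mitigation status.
# Each file under the directory reads "Not affected", "Mitigation: ..." or
# "Vulnerable...". The directory is a parameter so the same function can be
# pointed at a constructed sample directory.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print one line per issue; return the number of entries still reported as
# Vulnerable (0 means every listed issue is mitigated or not applicable).
report_mitigations() {
    dir=${1:-$VULN_DIR}
    unmitigated=0
    [ -d "$dir" ] || { echo "no vulnerability report in $dir (kernel too old?)"; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            Vulnerable*) flag="!! "; unmitigated=$((unmitigated + 1)) ;;
            *)           flag="   " ;;
        esac
        printf '%s%-16s %s\n' "$flag" "$(basename "$f")" "$status"
    done
    return $unmitigated
}

# Constructed sample (not a real machine's output): Meltdown and Spectre v1
# mitigated, Spectre v2 still flagged, so the check must report one entry.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Run against the sample with --sample, otherwise against the live system.
if [ "${1:-}" = "--sample" ]; then target=$(make_sample); else target=$VULN_DIR; fi
if report_mitigations "$target"; then
    echo "all reported issues mitigated"
else
    echo "$? entries still reported vulnerable"
fi
```

A missing directory returns 1 with an explanatory message, so an unpatched older kernel is reported rather than silently passing.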
So what should enterprise users and admins learn from the “Meltdown” and “Spectre” vulnerabilities?
There are three primary dimensions of the issue:
Late/no patching. Patch timing for commercial devices is an industry-wide challenge. Though iOS and Google’s own mobile devices are patched relatively swiftly, most Android devices remain unpatched, meaning that potentially any data on those devices is at risk and could already have been stolen.
Technology black hole. Vulnerabilities derived from speculative execution have existed for a decade or more. The complexity of the technology and the abundance of mobile apps and malware create uncertainty and a huge attack surface. Users and system admins never know what other unknown vulnerabilities may lead to data compromise. Not everything is known or disclosed: hackers and government agencies keep priceless knowledge of existing breaches to themselves, though surprises keep popping up.
Defense vs. detection. A strong cyber-defense starts with the realization that everything is hackable and every organization will be compromised at some point. Organizations have maxed out their ability to lock down systems and networks, leaving mobile devices as the weakest entry point into their cyber environment. Vulnerabilities need complementary attack vectors to be exploited, yet organizations fail to block those entry points, which is what gives the vulnerabilities their big impact. Threat detection systems are constantly late to respond and offer only after-the-fact resolution. It is clear that traditional techniques for detecting attacks and protecting mobile devices are simply not sufficient.
What should organizations do?
Organizations should take active steps toward creating an effective defense.
This defense should:
Deploy platforms that rely on dedicated mobile security hardware and software that leverage trusted environments;
Differentiate between mobile worker types and the risk associated with their work. Employees doing sensitive work should use trusted, hardened mobile devices, whereas other employees can use commercial BYO devices;
Block unauthorized access points into the organizational network via mobile devices, including rapid security patching across enterprise mobile devices. To sustain this practice, security-minded organizations should use purpose-built mobile devices with a security-rich operating system that allows enhanced defenses;
Create a fusion of multiple defense layers across the organizational wireless environment, providing in-depth protection against cyber-attacks, including communications within a persistent VPN and a locked-down private network;
Dismantle all attack vectors – interception, injection, intelligence and forensic wire – and employ fused controls to eliminate the impact of careless use.
Cyber-criminals outsmart security defenders but operate within a known set of attack vectors, regardless of the vulnerability. Shutting down those attack vectors, while accepting reductions in user experience, will guarantee safe enterprise mobility.