We started the New Year with yet another cyber security alert with the revelation of major flaws in computer chips. Known as ‘Meltdown’ and ‘Spectre’ these two bugs could allow your IT systems to be hacked.
To clarify where the vulnerabilities lie:
- Meltdown affects laptops, desktop computers and Internet servers with Intel chips and ‘snoops’ on data using the kernel memory
- Spectre affects some chips in smartphones, tablets and computers powered by Intel, ARM and AMD. It gets programmes to perform unnecessary functions thereby leaking data
For any business or enterprise, there is a high chance that it will be affected by Meltdown and / or Spectre. Nearly all modern processors have the Spectre flaw, which is not manufacturer-specific, and Apple has confirmed that all iOS and Mac Devices are affected by Meltdown and Spectre.
With these vulnerabilities now in the public domain, businesses really need to protect themselves. Any organisation that collects and stores data is a much more lucrative target than a consumer, giving hackers access to much more valuable data. It therefore follows that hackers will be looking at ways to exploit these flaws – now they know about them.
While many UK organisations have patched hardware to protect the business from Meltdown, a huge percentage of corporate mobiles are still vulnerable to Spectre. In a study based on anonymised and aggregated data from devices across the public, private and third sectors*, it was found that only 4% of corporate mobiles have had the security updates for Meltdown and Spectre. 24% of devices in this study could not be updated at all because of the age of the device.
Factor in the trend to BYOD, where employees bear the responsibility for updating their own mobile devices, and many businesses could be vulnerable to an attack.
What Should Your Business Do?
If you haven’t already, the advice is to patch. However, patching is an interim solution and there are compatibility issues. Performance is also a problem with some applications and services experiencing a significant reduction in performance (up to 30%) and in some cases patching results in software malfunctions.
Eventually the hardware manufacturers will roll out permanent fixes, in the form of new chipsets. However, this could take years and will also involve a significant cost if a business is to replace all affected hardware.
It’s not just mobile devices servers and PCs that are affected by Meltdown and Spectre. Any device that uses affected chipsets from Intel, AMD and ARM are vulnerable; including IoT devices (and industrial IoT), POS terminals, and systems that support industrial controllers.
Identifying what systems within your business are vulnerable is a significant challenge.
Our advice for militating against Meltdown and Spectre – having consulted with colleagues and security experts – is the following:
- Initiate a thorough audit of all hardware, software, systems and peripheral devices to identify exactly what is vulnerable
- Prioritise those vulnerabilities according to threat risk and the sensitivity of data that is vulnerable to attack
- Update corporate mobile devices and provide employees with support to protect their personal devices
- Patch where feasible, balancing performance considerations against threat and compliance risk
- Explore options for protecting data in light of Meltdown and Spectre. These may include introducing new policies for BYOD and handling specific data, enhanced security solutions, and robust IAM programmes
- Ensure that monitoring and detection solutions are part of your organisations approach. Identifying unusual behaviour and breaches early will enable a timely response
A critical area to shore up is your Identity and Access Management (IAM) programme. To exploit the Meltdown and Spectre vulnerabilities an intruder needs physical access to the vulnerable system. Preventing them from getting access in the first place is the most effective security tool your organisation has at its disposal.
To find out more about IAM and how Burning Tree can support you, please get in touch with our team. Call +44 (0)1252 843 014 or email email@example.com