
The Aftermath of Meltdown and Spectre: Now What?

January 17, 2018

The recent unveiling of the widely reported Meltdown and Spectre attacks, which exploit speculative execution in modern processors to leak memory across privilege and process boundaries, sent many within and outside the security industry into a tizzy. In the days following the public announcement, companies have been struggling to understand the scope of the issue, whether and how they are exposed, and what they can do about it. 

My colleague's recent post on the matter focuses on one of the first concerns for most organizations in the wake of the news: patch your systems. In this case, patches are needed across a vast array of operating systems, hypervisors, browsers and CPU microcode, and many of these patches are still to be developed and released. While alarming, this discovery also offers every organization the opportunity to prepare for the next crisis, which is never far off in today's threat landscape. 

Where to Start

The immediate question most business, IT and security leaders ask when trying to prepare for the next “big one” is: “Where do I begin? I have to do something!” My response to this question, in the immortal words of Douglas Adams, is, "Don't panic!" This is the unknown of the unknowns, and it’s human nature to panic in situations like these. Remember that making decisions while in this state of mind will usually end badly. 

Once your blood pressure has come down, then what? My recommendation is to ensure you have two critical processes in place as part of a robust information security program: 

  1. Risk assessment and management. Prepare a rational risk management plan based on patch availability and system sensitivity. This plan should include conducting a risk assessment to take inventory of assets, understand the threats to those assets and prioritize those risks against the other risks to the business. Then, execute the plan and monitor its progress. If you have a plan in place and are using it, you're already ahead of the game. But make sure to regularly revisit and revise it to reflect any changes to the business and the threat landscape. Finally, when major incidents like Meltdown and Spectre occur, communicate the plan to the board and C-suite (or share the updated version, if they have previously heard the details). Having this plan in place not only gives those on the front lines (namely, IT and security) a point of reference, it gives those at the helm confidence that the right steps are being taken when a crisis strikes.
     
  2. Threat and vulnerability management. When vulnerabilities like Meltdown and Spectre come to light, there are a few things each company needs to learn as quickly as possible: 
  • Details of the vulnerability;
  • If/how the organization is exposed;
  • What, if any, patches are available;
  • What should be done immediately to mitigate the threat as much as possible; and
  • How to prioritize those steps. 

These processes will help minimize the vulnerability's potential impact to the business, and they are invaluable to show during internal reviews and external audits from regulators. In particular, the threat component of threat and vulnerability management requires that you maintain continuous awareness of new threats and vulnerabilities as they arise. This can be accomplished by leveraging paid threat subscriptions and public threat exchanges so you can properly assess the impact of those threats to your organization and determine what should be done about them. 
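The second bullet above, "if/how the organization is exposed," needs a repeatable per-host check before it can feed an inventory. The script below is an added example (it is not code from the original post or from Optiv) of such a check for Linux: kernels from 4.15 onward, and distribution kernels with the fixes backported, expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ whose first line reads "Not affected", "Mitigation: ..." or "Vulnerable[: ...]". The function names, the status words and the exit-code convention are this example's own choices; the sample file contents used in the comments are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original post): summarize a Linux host's
# Meltdown/Spectre exposure from the kernel's sysfs interface.
# Linux 4.15+ (and distro backports) expose one file per issue under
# /sys/devices/system/cpu/vulnerabilities/, e.g. "meltdown", "spectre_v1",
# "spectre_v2", each containing "Not affected", "Mitigation: ..." or
# "Vulnerable[: ...]". A kernel without the interface has not been patched
# for these issues and must be treated as unknown, never as safe.
# Function and variable names are this example's own choices.

SPEC_SYSFS_DIR="${SPEC_SYSFS_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# spec_status FILE -> prints: not-affected | mitigated | vulnerable | unknown
spec_status() {
    _line=$(head -n 1 "$1" 2>/dev/null) || { echo unknown; return 0; }
    case "$_line" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# spec_report [DIR]: print "<issue> <status> <raw first line>" per file.
# Exit status: 0 if every issue is mitigated or not applicable,
#              1 if at least one issue is Vulnerable or unreadable,
#              2 if the sysfs interface is missing or empty (unpatched kernel).
spec_report() {
    _dir="${1:-$SPEC_SYSFS_DIR}"
    [ -d "$_dir" ] || { echo "no vulnerabilities interface at $_dir" >&2; return 2; }
    _bad=0
    _n=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        _n=$((_n + 1))
        _name=$(basename "$_f")
        _st=$(spec_status "$_f")
        printf '%-14s %-13s %s\n' "$_name" "$_st" "$(head -n 1 "$_f" 2>/dev/null)"
        case "$_st" in vulnerable|unknown) _bad=1 ;; esac
    done
    [ "$_n" -gt 0 ] || { echo "no entries under $_dir" >&2; return 2; }
    return "$_bad"
}

# Usage when run directly: sh spec-check.sh [DIR]. The exit status is what a
# fleet inventory should record (0 clean, 1 vulnerable, 2 interface missing).
spec_report "$@" || echo "exposure check exit status: $?" >&2
```

Two caveats a practitioner should keep in mind when using output like this. First, the sysfs interface only exists on kernels that already carry the fixes, so a missing directory (exit 2) is itself a finding: that host has not received a kernel update for these issues. Second, "Mitigation: ..." describes the kernel's view of itself; user-space mitigations such as updated browsers and hypervisor or microcode updates still have to be inventoried separately.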

The Ongoing Battle

While the scope of the Meltdown and Spectre vulnerabilities may be huge, the fundamental challenges for organizations are the same as with every other major vulnerability announced over the years. The key when faced with these situations is to take a step back and keep in mind that managing a security program is not, and never will be, a one-time effort. Tomorrow there will be a new challenge to face. But having a strong plan and solid processes in place will make what feels like a daily grind more manageable and effective. 
