The Aftermath of Meltdown and Spectre: Now What?
The recent unveiling of the widely reported Meltdown and Spectre attacks, which exploit critical vulnerabilities in modern processors, sent many within and outside the security industry into a tizzy. In the days following their public announcement, companies are struggling to understand the scope of the issue, their vulnerability and what they can do about it.
My colleague’s recent post on the matter focuses on one of the first concerns for most organizations in the wake of the news: patch your systems. In this case, patches will be needed across a vast array of operating systems, and many of these patches are still to be developed and released. While alarming, this discovery also offers the opportunity for every organization to prepare for the next crisis, which is imminent in today’s threat landscape.
Where to Start
The immediate question most business, IT and security leaders ask when trying to prepare for the next “big one” is: “Where do I begin? I have to do something!” My response to this question, in the immortal words of Douglas Adams, is, "Don't panic!" This is the unknown of the unknowns, and it’s human nature to panic in situations like these. Remember that making decisions while in this state of mind will usually end badly.
Once your blood pressure has come down, then what? My recommendation is to ensure you have two critical processes in place as part of a robust information security program:
- Risk assessment and management. Prepare a rational risk management plan based on patch availability and system sensitivity. This plan should include conducting a risk assessment to take inventory of assets, understand the threats to those assets and prioritize said risks versus others to the business. Then, execute and monitor the progress of that plan. If you have a plan in place and are using it, you’re already ahead of the game. But make sure to regularly re-visit and revise it to reflect any changes to the business and the threat landscape. Finally, when major incidents like Meltdown and Spectre occur, communicate the plan to the board and C-suite (or share the updated version, in the case they previously heard the details). Having this plan in place not only gives those on the front lines (namely, IT and security) a point of reference, it gives those at the helm the confidence that the right steps are being taken when a crisis strikes.
- Threat and vulnerability management. When vulnerabilities like Meltdown and Spectre come to light, there are a few things each company needs to learn as quickly as possible:
  - Details of the vulnerability;
  - If/how the organization is exposed;
  - What, if any, patches are available;
  - What should be done immediately to mitigate the threat as much as possible; and
  - How to prioritize those steps.
These processes will help minimize the vulnerability’s potential impact on the business, and they are invaluable to show during internal reviews and external audits by regulators. In particular, the threat component of threat and vulnerability management requires that you have the ability to maintain constant awareness of new threats and vulnerabilities as they arise. This can be accomplished by leveraging paid threat subscriptions and public threat exchanges so you can properly assess the impact of those threats on your organization and determine what should be done about them.
The Ongoing Battle
While the scope of the recent Meltdown and Spectre vulnerabilities may be huge, the fundamental challenges for organizations are the same as with every other major vulnerability announced over the years. The key when faced with these situations is to take a step back and keep in mind that managing a security program is not and never will be a one-time effort. Tomorrow there will be a new challenge to face. But having a strong plan and solid processes in place will make what feels like a daily grind more manageable and effective.