If cyber security isnt already top of mind for you, consider these two words: Meltdown and Spectre.
Though just revealed publicly this past December, these two security flaws have long existed in computer processor chips. If exploited, the flaws allow hackers to read sensitive data stored in the memory of the devices that house them. Cyber security experts have described them as the most serious threat in years.
The flaws are a result of the way the chips were engineered around 1995. Hard to believe they havent been modified in significant ways since (at least related to how they handle memory), but its true.
The original engineers did not consider threats that could materialize from chips connected to the Internet continuously (How could they? That wasnt even imagined back then.). As a result, they created an unpredictably flawed feature called speculative execution that would eventually allow malicious code to manipulate a processor and obtain what could be very sensitive data.
The Meltdown flaw affects Intel and Apple processors. The Spectre flaw affects processors from Intel and Apple, as well as ARM and possibly AMD (Although, AMD is challenging that assertion a bit.).
These flaws affect not only desktop and laptop computers, but any type of computing device, including smartphones, tablets, copiers, fax machines, printers, and the wide range of smart internet-of-things (IOT) devices. In other words, nearly every modern computing device.
What does this mean for organizations that process secure data?
Unfortunately, it means the data is at risk of unauthorized access from criminals and any other type of unauthorized entity. Here are a couple important points:
- The flaws impact basically ALL computing devices: desktop computers, laptops, tablets, smartphones, copy machines manufactured since 1995, printers, fax machines, Internet of Things (IoT) devices and more.
- They allow access to parts of memory where passwords, credit card numbers, Social Security Numbers and other personal data is located.
What should organizations do to protect themselves?
Organizations should take the following steps to protect their data:
- Patch. Download the most recent operating system (OS) patches and apply them as soon as possible. Check for notices from your associated manufacturers to ensure they have validated that the patch will work. Some initial patches did not work. You also want to be sure you are not downloading a fake!
- Configure automatic updates. If theyre not already, all devices should be set to automatically download OS security patches as soon as the manufacturer makes them available. This is should be a basic security practice for all businesses and individuals.
- Be aware. Now that these flaws have been publicized, the bad guys are working just as hard to exploit them as the good guys are to patch them. Ensure your staff is well trained and prepared to respond to the phishing ploys and other scams that are sure to come as a result
Meltdown and Spectre may have the distinction of being the first security flaws announced in 2018, but they certainly wont be the last.
Contrary to conventional wisdom, advances in technology can sometimes be the cause of issues like this. The chips impacted by the Meltdown and Spectre vulnerabilities, for instance, were designed many years ago before the advent of IoT devices. As a result, their design didnt account for an always-connected-to-network scenario. Even though computing technologies, networks and the way to access them have evolved dramatically, manufacturers have continued to build the chips in essentially the same way.
As technologies rapidly advance, it will be increasingly important to continually review, test and enhance previously conceived and actively used security. As Meltdown and Spectre reminded us, yesterdays security may not be enough today.
Check out this video to learn more about Meltdown and Spectre.