Pub. 7 2018 Issue 3

LEADING ADVOCATE FOR THE BANKING INDUSTRY IN KANSAS

THE SKY IS (NOT) FALLING
Carl Cope, CISA, CISSP, Conetrix

“The sky is falling.”

This is how one security writer described the initial panic experienced by the IT world early this year. Two unprecedented vulnerabilities named Meltdown and Spectre were reported on January 3, 2018. These two vulnerabilities were and are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Several factors made these vulnerabilities seem scarier than other vulnerabilities:

• They were and are widespread.
• Mitigation came from three main groups of companies: processor companies, operating system companies, and cloud providers. Resolution might require updates from three different sources.
• There were unanticipated incompatibilities in the initial updates which could crash patched systems.

Technical Aspects of the Vulnerabilities

Both are classified as speculative execution vulnerabilities and, if exploited, both allow unauthorized access to protected areas of memory. This unauthorized access could allow an attacker to collect sensitive information such as passwords and nonpublic customer information.

• Meltdown allows unauthorized access to memory, including protected kernel memory. The vulnerability affects almost all Intel processors manufactured since 1995 and some ARM processors.
• Spectre allows unauthorized access to memory used by other computer processes. The vulnerability affects almost all processors. It has been verified on Intel, AMD, and ARM processors.

Additional information provided by the researchers who discovered both vulnerabilities can be found at https://meltdownattack.com/.

Mitigation

Over the past few months, a process of mitigation has emerged. Initially, incompatibilities with updates occurred which could render systems unusable. It was and continues to be of utmost importance that you verify and test updates before installation. Prudently pursue and ensure the following security processes are effectively implemented within your organization:

• Installation of security software updates (e.g., antivirus software, endpoint security software, etc.)
• Installation of operating system (OS) updates (e.g., Microsoft Windows, Linux, Mac OS, iPhone, Android, etc.)
• Installation of web browser updates (e.g., Microsoft Edge/Internet Explorer, Google Chrome, Mozilla Firefox, etc.)
• Installation of firmware updates for microprocessors (e.g., BIOS updates issued by computer system manufacturers, such as Dell, Lenovo, HP, Apple, etc.)
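
One way to verify on a Linux system that the operating system and firmware updates listed above have taken effect, shown as an added example that is not part of the original article: the script reads the kernel's own Meltdown and Spectre status files under /sys/devices/system/cpu/vulnerabilities (present on kernels that carry these mitigations) and flags anything still reported as vulnerable. The function names classify_status and audit_dir are hypothetical, chosen for this illustration.

```shell
#!/bin/sh
# Added example: summarizes the Linux kernel's self-reported Meltdown/Spectre
# status. Function names are hypothetical; the sysfs directory is the kernel's.

# classify_status "STATUS LINE": map the kernel's wording to one verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;  # CPU does not have the flaw
        "Mitigation:"*)  echo "mitigated" ;;     # e.g. "Mitigation: PTI"
        "Vulnerable"*)   echo "vulnerable" ;;    # update missing or disabled
        *)               echo "unknown" ;;       # empty or unexpected text
    esac
}

# audit_dir [DIR]: print one line per issue and return 1 if any entry is
# vulnerable or cannot be determined. DIR defaults to the live sysfs path;
# passing another directory allows testing against saved copies.
audit_dir() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(head -n 1 "$dir/$name")
            verdict=$(classify_status "$status")
        else
            # A missing file means the kernel is too old to report status,
            # which also means it predates the fixes.
            status="(no status file)"
            verdict="unknown"
        fi
        printf '%-11s %-13s %s\n' "$name" "$verdict" "$status"
        case "$verdict" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Usage: call audit_dir with no argument to check the running system.
```

The status is the kernel's own report, so run the check again after each OS or firmware update, on a test system first.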
