The latest threat to cybersecurity isn’t a new form of ransomware — it’s a pair of hardware bugs that have the ability to impact virtually any device that has a chip in it – including servers, desktops and mobile devices. These infiltrators, dubbed “Meltdown” and “Spectre”, enable attackers to steal and exploit data from the memory of other programs located on the same computer. In instances where there is a shared server or cloud-based system, the implications can be disastrous.
Further, these bugs are in practically every computer and device manufactured in the last 20 years, which makes it almost impossible to consider a remediation strategy to address vulnerabilities across all devices simultaneously. So, how can companies ensure they’re protected against the latest cyber threats – including those to hardware as well as software?
We reached out to Doug Brush at Kivu Consulting, which offers strategies to help companies mitigate data breach incidents, for some information and advice.
Neeraj Sahni: How easy would it be for a hacker to exploit these new hardware vulnerabilities?
Doug Brush: In the case of Meltdown, one program can be used to retrieve data from other programs typically protected by enforcements within the data processing chip. Though a severe threat to security, identifying the affected chips and applying patches to software has actually been effective in curbing these attacks. Spectre, on the other hand, attacks data that’s running on another part of the machine and stored in a cache memory. Therefore, it would take a highly-skilled hacker to be able to exploit the data. As a result, Spectre is harder to exploit, but also harder to patch.
NS: What information would hackers need before they could begin to exploit it?
DB: A hacker would need access to the system (physical or via remote access through Remote Assistance Tool [RAT], Remote Desktop Protocol [RDP] or other software) to run the malicious programs. It’s worth noting that any unprivileged user or service account on the system has the potential to run this vulnerability, assuming the proper knowledge and skill in activating the malware.
NS: How easy would it be to exploit these programs at scale?
NS: Would a hacker be able to target specific data or search for data of interest?
DB: Current testing of the threats has shown that they permit read data to be randomly cached. That means that if the malware application is being run while the cache capture is in progress, it will allow an attacker to see information that’s being passed to the application. In other words, whatever is currently running on a computer is subject to being seen by this exploit. This may include passwords and other sensitive business data.
Preventing a major Meltdown
Companies are advised to be watchful, consider a thoughtful approach to implementing software updates and monitor data actions carefully in the age of cyber threats. Kivu Consulting advises running various tools against IT assets to identify instances where these vulnerabilities exist and provide mitigation recommendations.
A note of caution: While many chip manufacturers have responded with patches to help work around these flaws, companies should be mindful that some of these have caused system slow-downs and failures. Therefore, companies should take time to assess where the vulnerabilities exist within their infrastructure before deciding on a mitigation approach that makes sense for them. Given that this is a hardware issue, any patches applied will need to come from the manufacturer of the computer processors (these can usually be downloaded from a trusted vendor). It’s recommended that a test environment be used to verify each patch before implementation.
Each company should work with a cybersecurity vendor to weigh for themselves the potential risk of damage for each cyber threat, based on a complete understanding of their own protections and potential flaws in data access before deciding if the risk of a data slowdown or stoppage resulting from a patch is worth it.
Neeraj Sahni is Senior Vice President of Cyber Risk at Willis Towers Watson.