Technology Insights HOME | Perspectives on Technology Trends

Technology Insights HOME

Perspectives on Technology Trends

Search

ARTICLE

2 mins to read

Security Advisory: Meltdown and Spectre – Processor Flaws Expose Networks to New Class of Vulnerabilities

Andrew Retrum

Managing Director - Technology Risk and Resilience

Views
Larger Font
2 minutes to read

Security researchers have identified a flaw, present in most computer processors, that allows unauthorized disclosure of information. The flaw, which affects most major processor manufacturers, is the first known instance of a security vulnerability at the processor level, and could be exploited in servers, workstations (including laptops), network infrastructure, mobile devices, IoT devices and consumer electronics – essentially any system utilizing an impacted processor.

The vulnerabilities allow an authenticated attacker with access to a company’s system to execute code that may compromise data currently being processed on the system within other processes. The attacker must have physical or logical access to the system to exploit, or has exploited a separate vulnerability to be able to take advantage of these processor-level vulnerabilities remotely. Memory controlled by one process is not typically able to be accessed by another process. These vulnerabilities circumvent current protections and currently have publicly available exploit code.

The exposure means that passwords, documents, emails and other data residing on affected systems may be at risk. In a shared services environment, such as many cloud environments, there is a risk of one customer using the attack to access data of another customer sharing the same hardware.

Protiviti has published a Flash Report with important links and steps organizations should take now to evaluate impacted systems and address any issues.

The MITRE Corporation, which manages federally funded cybersecurity research and is responsible for providing identifiers, is calling the vulnerabilities Meltdown and Spectre, and has released three distinct Common Vulnerabilities and Exposures (CVE) numbers: CVE-2017-5754 (Meltdown), and CVE-2017-5753 and CVE 2017-5715 (Spectre).

Mitigations for the uncovered vulnerabilities are already available. Here’s a quick to-do list for companies:

  • Each of the three major cloud-hosting providers (Amazon Web Services, Google Cloud and Microsoft Azure) have provided responses. Get familiar with the information relevant to you.
  • Immediately evaluate your organization’s vulnerabilities and apply patches to in-house devices and systems – taking care to put the patches through standard patch testing to identify potential adverse system performance or issues.
  • Reach out to partners that process sensitive data and solicit information on how they are responding to these vulnerabilities.
  • Be aware of the wide variety of systems impacted. Patch management programs that focus on the end-user environment and specific server platforms, such as Windows or Linux, will not have sufficient coverage to manage this risk. Work to identify and address other impacted systems. Commonly overlooked systems include virtualized platforms, connected devices, and vendor systems that are sitting on the company network.
  • Provide company leadership and the board of directors with regular, transparent updates that give an appropriate sense of the risk exposure, actions being taken to mitigate the risk and any potential impact on the business.

Protiviti will continue to monitor the situation and will provide updates as warranted. Download the Flash Report here.

Was this article helpful to you?

Thanks for your feedback!

Subscribe to the Tech Insights Blog

Stay on top of the latest technology trends to keep your business ahead of the pack.

In this Article

Find a similar article by topics

Authors

Andrew Retrum

By Andrew Retrum

Verified Expert at Protiviti

Visit Andrew Retrum's profile

Andrew Retrum is a Managing Director within Protiviti’s Technology Consulting Practice and the Global Technology Risk...

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

This blog was originally posted on The Protiviti View. Like companies in other industries, energy and utilities (E&U) organizations want...

Article

What is it about

This blog was originally posted on Forbes.com. Kim Bozzella is a member of the Forbes Technology Council. Here’s a problem...

Article

What is it about

The HITRUST Alliance Common Security Framework (HITRUST CSF) is a cybersecurity framework that helps organizations manage risk and meet regulatory...