Clues from Meltdown and Spectre
It didn't take long for 2018 to begin to surpass 2017 for cybersecurity concerns.
In January it was revealed that there were two baked-in flaws in the microprocessors used by billions of devices globally, from laptops to servers and mobile devices. The security flaws caused consternation and a flurry of activity around the world as organizations struggled to apply software patches to the flaws to Windows, Linux and MacOS.
But software patches can't fix hardware design flaws, they can only attempt to minimize the risk with a costly performance trade-off in some cases.
And the lesson from Meltdown and Spectre isn't just about the importance of patching. It's that technology alone isn't the cause - or the solution to - cyber risk.
WHAT IS MELTDOWN AND SPECTRE?
Both flaws take advantage of a design choice in modern microprocessors called speculative computing.
Speculative computing allows central processing units (CPUS) and graphics processing units (GPUS) to try to jump ahead when executing computer programs and solving complex problems.
This can be beneficial - it allowed computers to take advantage of otherwise idle time and capability that was being wasted while waiting for the results of previous instructions or calculations.
Think of it like trying to get ahead in high school math class by reading ahead and trying to guess at what problems you'll need to be working on next.
If you guess right, you'll be ahead of the rest of the class. If you guess wrong, you'll abandon the work and you'll be no worse off for the effort as you were waiting for you next assignment anyway.
The problem with this speculative computing is that the whole process of guessing allowed programs to bypass security controls that chip designers had tried to bake into the processors to keep computer programs from being able to see sensitive information held by Windows, Mac OS or Linux that they shouldn't have permission to see or from other programs.
The designers of the hardware security controls hadn't anticipated that someone would abuse the speculative computing capability to bypass these controls in a clever and complex way.
The impact of this flaw is it allows potentially malicious programs to access information that computer scientists and engineers thought they'd found a near impenetrable way to protect.
Meltdown was so-named because it melts down these hardware-based protections and Spectre was named both after the speculative computing process and the fact that it is a much more difficult flaw to correct and will likely haunt us all for years to come.
KEY LESSONS FOR LEADERS
You can’t fix cybersecurity with technology alone or with an overly technology focused strategy.
Cybersecurity is about people, process, culture and technology combined. Developing effective risk management strategies means creating layers of controls that can work together.
For example, a holistic cybersecurity would address these risks in the following way:
1) People - Cybersecurity awareness and accountability for employees that reinforces how they can spot common ways that these flaws could be used to attack your organization such as phishing e-mails.
2) Process – Having a robust process to ensure key devices are secured as soon as possible including servers, personal computers and mobile devices. But more than just patching devices, a good patching process will also look at ensuring key software such as the web browsers supported by your organization are patched to limit the use of websites as an attack vector for flaws such as Meltdown and Spectre.
3) Culture – Does your organization have someone who has been designated to lead your cybersecurity strategy and has your senior management and or board expressed clearly how important cybersecurity is to your key organizational objectives?
Do your employees know how important they are in protecting your organization and how important this issue is to your organizations’ on-going success and viability? A good employee engagement process is about more than delivering cybersecurity training. It’s about informing, empowering, rewarding good behaviours and attitudes and correcting risky behaviours and attitudes.
4) Technology – Do you have the tools in place to keep track of your organization’s inventory of computing devices and software so when major issues are announced you can quickly assess your exposure, prioritize risk reduction through efforts such as patching and effectively monitor your environment to detect signs of any initiated or in-progress attacks?
David Shipley is the co-founder and CEO of Beauceron Security Inc. He is a certified information security manager (CISM) and an international speaker on cybersecurity and cyber risk. David frequently appears in the media to talk about cybersecurity, technology and society.