Solution Providers: Ignore The Meltdown And Spectre Microprocessor Exploits 'At Your Own Peril'
Solution providers should rely on patching, vulnerability management, endpoint detection and response, and customer education to help customers thwart the threat posed by the Meltdown and Spectre exploits.
"The channel should be very worried," said Alton Kizziah, vice president of global managed services for Kudelski Security. "Ignore it at your own peril. I don't see how anybody would be able to not pay attention to this."
Security researchers late Wednesday disclosed two major flaws in the microprocessors inside nearly all of the world's computers. The flaws in the method used by most modern processors for performance optimization could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys and emails.
"This affects pretty much everyone with a CPU, unless they develop their own silicon," Kizziah said. "Based on all the buzz, we knew it was going to be a big one."
The Meltdown and Spectre exploits can be executed against mobile devices, desktops, laptops and servers running in cloud environments. All told, the flaw affects nearly every device an end user has or operates, said Michael Knight, president and CTO of Encore Technology Group, Greenville, S.C.
"This is significantly different because it's a critical hardware flaw, not a software flaw," said Knight. "The scale is massive."
Knight anticipates the disclosure of the exploit will prompt the channel to look beyond the single bit of software being used and more deeply probe the sub-components of the software. In addition, Knight said this should prompt solution providers to run vulnerability assessments not only at the endpoint, but also upstream to address potential hardware issues.
"Everybody had always had implicit trust for the CPU. That's hardware," Knight said. "But these are now items that are going to be looked at."
The most important thing solution providers can do at this juncture is to ensure their patch management program is up to speed and that they have buy-in from customer executives around following smart and efficient patching practices, according to Kizziah of Phoenix-based Kudelski. Solution providers, though, need to be cognizant that patching vulnerabilities will impact how the rest of the system runs.
For instance, the software patch needed to fix Meltdown could slow down a computer by as much as 30 percent. Kizziah said solution providers must prepare and test prior to installing patches to ensure that systems already pushed to the limit won't stop functioning altogether as a result of the patch.
In addition, solution providers applying Microsoft's patch need to adjust the registry key so that the end user's anti-virus offering will continue to function, according to Kizziah.
"It just requires more work and more thoughtful assessment before you roll out patches right away," Kizziah said.
As far as Knight is concerned, solution providers should start by helping their customers understand what endpoints they have in their environment, which of those endpoints have an attack surface that's susceptible to Meltdown or Spectre, and which of those endpoints have patches available for them.
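The two checks described above, the Windows anti-virus compatibility registry value that gated Microsoft's January 2018 update and the question of which endpoints already have the mitigations in place, can be folded into one fleet inventory. The script below is an added example, not code from the article or from either firm quoted in it. The registry key path and value name are the ones Microsoft published; the property names read from the SpeculationControl module are those documented for the module and should be confirmed against the installed version. It assumes WinRM remoting to each host, local administrator rights, and that the SpeculationControl module has been installed on each target; host names are placeholders.

```powershell
# Added example: Meltdown/Spectre readiness inventory across a list of Windows endpoints.
# Assumes WinRM is enabled, the caller is a local admin on each host, and the
# SpeculationControl module (Install-Module SpeculationControl) is present there.
$endpoints = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02', 'SRV-PLACEHOLDER-01')

$probe = {
    # Microsoft's published gate: Windows Update withheld the January 2018 fix until a
    # compatible anti-virus product wrote this REG_DWORD 0 value.
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # Report presence only; the value must not be set by hand until the installed
    # AV vendor has confirmed compatibility, or the update can crash the host.
    $compat = $false
    if (Test-Path $keyPath) {
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.$valueName -eq 0) { $compat = $true }
    }

    # Mitigation state from Microsoft's SpeculationControl module, if installed.
    # KVA shadowing covers Meltdown; BTI (branch target injection) covers Spectre variant 2.
    $sc = $null
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $sc = Get-SpeculationControlSettings -Quiet
    }

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        AVCompatKeyPresent = $compat
        KVAShadowRequired  = if ($sc) { $sc.KVAShadowRequired }              else { 'unknown' }
        KVAShadowEnabled   = if ($sc) { $sc.KVAShadowWindowsSupportEnabled } else { 'unknown' }
        BTIHardwarePresent = if ($sc) { $sc.BTIHardwarePresent }             else { 'unknown' }
        BTIEnabled         = if ($sc) { $sc.BTIWindowsSupportEnabled }       else { 'unknown' }
    }
}

$results = foreach ($ep in $endpoints) {
    try {
        Invoke-Command -ComputerName $ep -ScriptBlock $probe -ErrorAction Stop
    } catch {
        # Unreachable hosts are kept in the report so they are not silently dropped
        # from the "needs attention" list.
        [pscustomobject]@{
            Host = $ep; AVCompatKeyPresent = 'unreachable'
            KVAShadowRequired = 'unknown'; KVAShadowEnabled = 'unknown'
            BTIHardwarePresent = 'unknown'; BTIEnabled = 'unknown'
        }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path '.\spectre-meltdown-inventory.csv' -NoTypeInformation
```

Hosts reporting `KVAShadowRequired` true with `KVAShadowEnabled` false are the ones still waiting on a patch; hosts with `BTIHardwarePresent` false need a microcode or firmware update from the vendor before the Spectre variant 2 mitigation can take effect, which is where the endpoint detection and response layering discussed next comes in.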
"This is a flaw at the architectural level," Knight said. "It doesn't matter what version of software you're running, or your operating system. Everything is equally vulnerable."
For those endpoints that can't currently be patched, Knight recommended looking into the feasibility of layering endpoint detection and response or another offering on top of the endpoint to mitigate risk. Endpoint detection and response examines the process from end to end and can stop an exploit in a multitude of ways, Knight said, while a signature-based approach only looks for a specific type of event.
Manufacturers might eventually provide compensation for customers to replace vulnerable hardware that can't be patched or mitigated, Knight said. But he cautioned that the cost offset would likely only apply to the equipment itself, leaving solution providers on the hook for any services that need to be rendered to make the hardware operational.
Replacing the hardware susceptible to these exploits isn't a reasonable reaction at this juncture, said Kizziah, who considers that course of action to be more of a "nuclear option."
"How would you replace the hardware across millions and millions of devices?" Knight said.
Solution providers also can mitigate the threat by ensuring appropriate user credentials are in place since the exploit requires access to the system itself, Kizziah said. The number of users with administrative privileges should be kept to a bare minimum, according to Kizziah, and they should only have access to systems that are relevant to their job responsibilities.
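Holding administrative membership to a bare minimum is easier to enforce when it is measured. The script below is an added example, not code from the article or the firms it quotes; it audits local Administrators group membership across a list of Windows endpoints and lists every host whose count exceeds a threshold, so each remaining account can be tied to a job responsibility. It assumes WinRM remoting and Windows PowerShell 5.1 or later on each host (for Get-LocalGroupMember); host names and the threshold are placeholders.

```powershell
# Added example: local Administrators membership audit across Windows endpoints.
# Assumes WinRM remoting and Windows PowerShell 5.1+ on each target.
$endpoints = @('WS-PLACEHOLDER-01', 'SRV-PLACEHOLDER-01')
$maxAdmins = 2   # constructed threshold; tune to the customer's policy

$audit = {
    # Each member object carries Name and PrincipalSource (Local, ActiveDirectory, ...)
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Name, PrincipalSource
}

$members = foreach ($ep in $endpoints) {
    try   { Invoke-Command -ComputerName $ep -ScriptBlock $audit -ErrorAction Stop }
    catch { Write-Warning "$ep unreachable: $($_.Exception.Message)" }
}

# Report hosts over the threshold and who holds the rights there, so each grant can be
# justified or removed.
$members | Group-Object Host | Where-Object { $_.Count -gt $maxAdmins } | ForEach-Object {
    Write-Output ("{0}: {1} administrators" -f $_.Name, $_.Count)
    $_.Group | ForEach-Object { Write-Output ("    {0} ({1})" -f $_.Name, $_.PrincipalSource) }
}
```

Domain groups nested in the local Administrators group show up as a single member with a PrincipalSource of ActiveDirectory; expand those separately, since one such entry can represent far more accounts than the count suggests.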
In addition, Knight said the breach can only be exploited if the end customer clicks on something. Therefore, Knight said solution providers should ensure their customers are up-to-date and vigilant against phishing threats and have an appropriate level of network security in place that's focused on intrusion prevention.
All told, Kizziah said solution providers need to avoid getting buried or distracted by the hype and focus their time and energy on the things that they can control.
"Solution providers are going to want to do more to help, and there's not a whole lot they can do right now because of the way this thing works," Kizziah said. "You can't chase every exploit. You have to focus on the vulnerability."