If you read any of the information on the recent Meltdown and Spectre processor vulnerabilities that were identified this month, the news is decidedly unsettling.
While no attacks exploiting the vulnerabilities have yet been reported, the fact that they affect all Intel processors manufactured since 1995, as well as AMD and ARM processors, according to Dell, means that we have reached an unenviable tipping point in information security, says Malcolm Harkins, Chief Security and Trust Officer at Cylance.
“We’ve reached a watershed moment,” Harkins shared in a conversation with Federal Technology Insider last week. “In much the same way as Code Red, Nimda, Blaster, Nachi, and SQL Slammer changed the cyber risk cycle in the early 2000s and led Microsoft to introduce Patch Tuesday, the identification of these processor vulnerabilities will again drive change.”
Despite Harkins’ confidence that the identification of this class of vulnerabilities will drive change, there’s a long path ahead for federal InfoSec teams to ensure the integrity of information that’s critical to both national – and personal – security.
First and foremost, Harkins is concerned that people assume processor vulnerabilities are harder to detect, and so expect that uncovering one will take longer. They may appear harder to detect, but in reality finding them simply requires a different set of skills and tools than the usual researcher possesses. His other major concern is that processor vulnerabilities take much longer to fix, if a fix is feasible at all.
“If you think of your laptop or server as a house – the main floor of the house is like the operating system and the windows and doors are like the apps, or software. The house’s foundation is the equivalent of the processor. If you get a crack in a window or even a wall, it’s easier to see and even if you don’t see it your neighbors most likely will. However, if you get a crack in the foundation you’ll likely not know about it until something really serious, like your house sinking, happens,” he said.
In other words, where you might be able to patch an OS-level vulnerability in relatively short order, you have little chance of easily mitigating a processor vulnerability. So you may be left exposed, reacting only after something very bad has happened. For the federal government that could be anything from a fairly typical data breach to an attack on a weapons operating system.
Moreover, now that the vulnerabilities have been identified, Intel and other chip manufacturers are looking for ways to remediate them, but attackers also get the equivalent of free play. “While publicizing a vulnerability is problematic, responsible vulnerability disclosure is always the lesser of two evils. We have to worry, though, that it cedes the advantage to the malicious actors and gives them the opportunity to weaponize the vulnerability far more quickly. Starting with a known issue is a head start for the attacker and a license to dig around to see what else they can find, and eventually exploit,” Harkins continued.
Processor vulnerabilities are not only difficult to detect; they are also very complicated to fix. While the chip manufacturers have developed patches, the scale of what must be patched, from cloud servers and data centers to your smartphone, is almost unimaginable and certainly not manageable in a reasonable timeframe across the billions of exposed compute devices. And our traditional methods of malware detection and blocking, such as signature-based anti-virus, are rendered largely useless against Meltdown and Spectre, because these attacks leak memory contents through CPU side channels rather than dropping a recognizable malicious file.
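Because patching at this scale is an inventory problem before it is an engineering problem, the first practical check is simply asking each host which of these issues its kernel still considers open. The following script is an added example, not code from the article or from Cylance, and it relies on the status files that Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, each holding a line that begins "Not affected", "Mitigation: ...", or "Vulnerable"). The sample status lines embedded below are constructed for illustration, not captured from any particular machine, and the function and constant names are this example's own.

```python
"""Report Spectre/Meltdown mitigation state from Linux sysfs.

Linux 4.15 and later expose one file per known speculative-execution
issue under /sys/devices/system/cpu/vulnerabilities/ (for the original
disclosure: meltdown, spectre_v1, spectre_v2). Each file holds one line
beginning with "Not affected", "Mitigation: ...", or "Vulnerable[: ...]".
"""
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status_line: str) -> str:
    """Map one sysfs status line to: not_affected, mitigated, vulnerable or unknown."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable" and "Vulnerable: <partial measure>" both mean the kernel
    # still considers the issue open on this CPU/kernel combination.
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(statuses: dict) -> dict:
    """Classify every issue in a {issue_name: status_line} mapping."""
    return {name: classify(line) for name, line in statuses.items()}


def open_issues(statuses: dict,
                expected=("meltdown", "spectre_v1", "spectre_v2")) -> list:
    """Issues still needing attention: vulnerable, unparseable, or absent.

    An absent entry (older kernel, non-x86 build) is reported as open too:
    "we cannot tell" must never be counted as "mitigated" in a fleet report.
    """
    result = assess(statuses)
    issues = {name for name, state in result.items()
              if state in ("vulnerable", "unknown")}
    issues.update(name for name in expected if name not in statuses)
    return sorted(issues)


def read_sysfs(vuln_dir=SYSFS_VULN_DIR) -> dict:
    """Read the live status files; returns {} if the kernel does not expose them."""
    vuln_dir = Path(vuln_dir)
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(vuln_dir.iterdir()) if p.is_file()}


# Constructed samples in the kernel's format (not captured from a real host),
# so the logic can be exercised offline.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
}

SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

SAMPLE_OLD_KERNEL = {}  # pre-4.15 kernel: the sysfs directory does not exist


if __name__ == "__main__":
    live = read_sysfs()
    target = live if live else SAMPLE_UNPATCHED  # fall back to the sample offline
    for name, state in sorted(assess(target).items()):
        print(f"{name:12s} {state}")
    print("open issues:", open_issues(target))
```

Two caveats when running this across a fleet: a "Mitigation:" line records what the kernel enabled, not whether the CPU microcode or the hypervisor underneath a guest has been updated, so it is a necessary but not sufficient check; and hosts that return no files at all (older kernels) are exactly the ones most likely to be unpatched, which is why the script lists their expected issues as open rather than silently skipping them.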
Despite the general tenor of gloom, Harkins was quick to point out that employing good cyber hygiene and fundamental best practices, while not completely mitigating the issue at hand, is the right way to approach this problem. “You’ve got to think about mitigating for all vulnerabilities – including these processor vulnerabilities – in terms of the kill chain that you’d use to stop the execution of malicious code,” he said. “The bottom line is if something can execute code, then it can execute malicious code, so that makes pre-execution prevention of malicious code even more fundamental to a robust cybersecurity posture,” Harkins concluded.
In other words, prevention of these sorts of vulnerabilities up front in the development lifecycle is the best approach that we should all expect the creators of technology to take. But we cannot be 100% certain there are no vulnerabilities which is why pre-execution prevention is the best cure, because in this case a patch, though needed, may be operationally untenable to deploy.