Government Technology Insider

Processor Vulnerabilities Present One More Information Security Challenge to Federal Agencies

by Jenna Sindle
February 6, 2018
in Cybersecurity

If you read any of the information on the recent Meltdown and Spectre processor vulnerabilities that were identified this month, the news is decidedly unsettling.

While, according to Dell, no exploits using the vulnerabilities have been executed, the fact that processor vulnerabilities exist on all Intel processors manufactured since 1995, as well as AMD and ARM processors, means that we have reached an unenviable tipping point in information security, according to Malcolm Harkins, Chief Security and Trust Officer at Cylance.

“We’ve reached a watershed moment,” Harkins shared in a conversation with Federal Technology Insider last week. “In much the same way as Code Red, NIMDA, Blaster, Nachi, and SQL Slammer changed the cyber risk cycle in the early 2000s and led Microsoft to introduce Patch Tuesday, the identification of these processor vulnerabilities will again drive change.”

Despite Harkins’ confidence that the identification of this class of vulnerabilities will drive change, there’s a long path ahead for federal InfoSec teams to ensure the integrity of information that’s critical to both national – and personal – security.

First and foremost, Harkins is concerned because people believe that processor vulnerabilities are harder to detect, so they think it will take longer to uncover a potential vulnerability. They may appear harder to detect, but in reality they just require a different set of skills and tools than the usual researcher possesses. His other major concern is that processor vulnerabilities take much longer to fix, if a fix is even feasible.

“If you think of your laptop or server as a house – the main floor of the house is like the operating system and the windows and doors are like the apps, or software. The house’s foundation is the equivalent of the processor.  If you get a crack in a window or even a wall, it’s easier to see and even if you don’t see it your neighbors most likely will. However, if you get a crack in the foundation you’ll likely not know about it until something really serious, like your house sinking, happens,” he said.

In other words, where you might be able to patch an OS-level vulnerability in relatively short order, you have little chance of easily mitigating a processor vulnerability.  So you may be left exposed and thus reacting when something very bad happens.  For the federal government that could be anything from a pretty typical data breach to an attack on a weapons operating system.

Moreover, while the identification of the vulnerabilities means Intel and other chip manufacturers are looking for ways to remediate the situation, it also means that attackers get the equivalent of free play. “While publicizing a vulnerability is problematic, responsible vulnerability disclosure is always the lesser of two evils. We have to worry though that it cedes the advantage to the malicious actors and gives them the opportunity to weaponize the vulnerability far more quickly. Starting with a known issue is a head start for the attacker and a license to dig around to see what else they can find, and eventually exploit,” Harkins continued.

As well as being difficult to detect, processor vulnerabilities are also very complicated to fix. While the chip manufacturers have developed patches, the scale of objects to be patched – from cloud servers and data centers to your smartphone – is almost unimaginable and certainly not easily manageable in a reasonable timeframe across the billions of compute devices that are exposed. And even our traditional methods of malware detection and blocking, like anti-virus, are rendered largely useless against Meltdown and Spectre.

Despite the general tenor of gloom, Harkins was quick to point out that employing some good cyber hygiene and fundamental best practices, while not completely mitigating the issue at hand, is the right way to approach this problem. “You’ve got to think about mitigating for all vulnerabilities – including these processor vulnerabilities – in terms of the kill chain that you’d use to stop the execution of malicious code,” he said. “The bottom line is if something can execute code, then it can execute malicious code, so that makes pre-execution prevention of malicious code even more fundamental to a robust cybersecurity posture,” Harkins concluded.

In other words, prevention of these sorts of vulnerabilities up front in the development lifecycle is the best approach that we should all expect the creators of technology to take. But we cannot be 100% certain there are no vulnerabilities, which is why pre-execution prevention is the best cure, because in this case a patch, though needed, may be operationally untenable to deploy.
