Meltdown and Spectre are the names given to vulnerabilities recently discovered to exist in almost every central processing unit (CPU) manufactured in the last 20 years. These vulnerabilities could compromise sensitive data on nearly every server, PC, laptop, tablet and smartphone – including Apple devices – worldwide.
Researchers have known about Meltdown and Spectre for some months, and the risk is considered to be relatively small as no known exploit exists, so we urge you not to panic.
We are monitoring the situation closely and will update all clients and take appropriate action when necessary. But first, let’s take a more in-depth look at exactly what a vulnerability is and what you should do if you are concerned in the future.
What is a vulnerability?
A vulnerability can be defined as a security weakness resulting from a defect that the product developer or manufacturer did not intend to introduce. The flaws, in this case, were built into the chips to help them run faster.
We can split vulnerabilities into four main categories: low, medium, high and critical. Currently, Meltdown and Spectre are classed as Medium Level vulnerabilities.
For a hacker to capitalise on a vulnerability – an exploit must exist. An exploit is a piece of software code that takes advantage of the security weakness for the benefit of the attacker.
How to protect against vulnerabilities
Protecting your business, information and people against these vulnerabilities takes three forms:
- A hardware firmware upgrade must be applied which usually takes the form of a computer BIOS update.
- The Operating System (Windows, IOS, Android etc.) must be updated – typically known as a software update.
- The Antivirus product must be compatible with the Operating System Update.
Hardware and software updates only go so far. You also need to make your employees aware of potential threats. We highly recommend cyber awareness training for all staff. Network ROI will be happy to discuss your cyber training requirements.
Patches and updates
As it currently stands, every hardware manufacturer is working on updates to their systems – big players such as Microsoft and Apple have already released updates. Software and hardware manufacturers worked tirelessly to release updates – known as emergency patches. As a result, many patches weren’t tested fully with several causing serious operational issues.
Given the “medium” categorisation of the Meltdown and Spectre vulnerabilities, the fact that no known exploit exists, the issues the emergency patches are causing AND the fact that to exploit these vulnerabilities is a highly technical job, Network ROI have carried out the following actions:
- Antivirus products have been updated to be compatible with the operating system update.
- Our security team is monitoring the situation closely for developments
- We are delaying the release of January’s Microsoft patches until they have been properly tested and we are satisfied they stable
In order to protect your data and company in the meantime, we highly recommend that basic cybersecurity hygiene is observed – this includes educating users not to click on suspicious links or opening email attachments from unknown sources.
The security team at Network ROI recommend you consider following the Cyber Essentials or IASME Governance scheme as a minimum standard of cyber and information security.