Meltdown and Spectre: The first cyber-security threats of 2018 and how to protect against them
The first big cyber-security issues of 2018 have landed and you may already be aware of the recently publicised Meltdown and Spectre security vulnerabilities. These affect pretty much all current computers, tablets, smart-phones and possibly many other devices. Along with the typically hyperbolic reactions in the media, we are also seeing understandable concern raised by businesses and consumers about what this means for them, and what they can do to help protect themselves.
The global IT community, manufacturers, vendors and security experts have already provided a lot of information online around what they are doing to limit the impact of Meltdown and Spectre, and what end-users can do themselves. However, we wanted to let our customers know what we are doing to address these issues, as well as distill some of that general advice here.
What are Meltdown and Spectre?
These are security flaws in the CPUs (central processing units) in our devices, which allow malicious code to access information on a device that it shouldn’t be able to.
Meltdown affects systems with Intel processors while Spectre affects a much broader set of processors including those produced by ARM and AMD. Between them they impact pretty much all devices, including PCs, servers, phones and the infrastructure running cloud services. There is plenty of detailed information about these vulnerabilities available online and a few links are included here and here for those who want the full technical breakdown.
How bad is it really?
While the scope of these flaws is significant, the likelihood of them being exploited is currently assessed as minimal. Spectre has a wider impact than Meltdown but seems harder to exploit. Both flaws require the affected systems to be already compromised before they can be exploited and, as yet, such exploits have not been observed ‘in the wild’. Naturally, now that the flaws have been publicised, they should be assumed to be a part of the bad-guys’ arsenal.
So, what can I do?
First, don’t panic! While this is a significant issue, the industry has responded quickly and patches are being made available for most common platforms.
If you have effective patch management in place then chances are you are already starting to mitigate the issues through automated patching/updating. Due to the nature of the issues, you need to update firmware as well as the operating systems. Firmware updates should be available from the hardware vendor.
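On Linux hosts, patch management can confirm that the updates took effect by reading the mitigation status the kernel itself reports. The script below is an added example, not part of the original advice. It goes beyond the article by assuming a Linux kernel that exposes the `/sys/devices/system/cpu/vulnerabilities` directory, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre mitigation
# on a Linux host. Assumes a kernel that exposes the sysfs directory below.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS -> prints one of: ok, vulnerable, unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> one line per issue; returns 0 only if all are ok
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            # No report from this kernel: treat the host as unverified
            # rather than assuming it is patched.
            status="no report from kernel"
        fi
        verdict=$(classify_status "$status")
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Check the live system (or a directory given as the first argument).
check_cpu_vulns "$@" || echo "ACTION NEEDED: apply OS and firmware updates"
```

A non-zero return from `check_cpu_vulns` makes the function usable as a compliance check in existing patch-management tooling.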
In some cases you will also need to be sure that your anti-virus software is up to date, to ensure compatibility with the new ways the operating systems will be interacting with the hardware. Check with your anti-virus supplier for more details.
For home users our general advice around IT security applies. Make sure all your devices are set, wherever possible, to automatically update. And in this case, check with your hardware supplier’s website to see if they have released a firmware update for your device.
The National Cyber Security Centre has produced a great resource for home users relating to this threat, along with links to the major manufacturers’ advice on this topic.
Will patching impact my systems?
Due to the complexity of modern IT systems there is always a risk of unexpected issues arising during patching that the vendors were not able to test for. It is generally accepted however that, particularly with regards to security flaws, these risks are far outweighed by the risk of not patching.
That being said, due to the nature of these particular flaws and the way they need to be mitigated, there is likely to be an impact on system performance following patching. This is difficult to quantify and will depend on the type of system and the workloads running. The feedback we have from our own patching, and from providers such as Microsoft and Amazon, suggests that any such performance impact will be negligible in most cases. Our advice is still that patches should be applied as soon as possible.
What about Cloud services?
Most cloud service vendors, including Microsoft, Google and Amazon are already well underway with patching their systems. If you are running services on these platforms you may also need to update the ‘guest’ operating systems on virtual machines or take other steps yourselves. This should already be part of your patch management strategy.
Links to statements and advice from the major cloud platform providers can be found below:
What are we doing?
So, what is Spectrum Internet doing about Meltdown and Spectre?
In line with our standard security practices, all of our core business systems and customer-facing services such as DNS servers have already been patched and updated. In addition, we are in dialogue with all of the hardware vendors who provide our networking equipment to make sure we are following their advice as relates to any updates required.
While this exploit is not expected to significantly impact devices such as routers and firewalls, many of these devices use affected chipsets and as such we will be monitoring manufacturers’ guidance and, where necessary, we will automatically update any customer premises equipment (CPE) that is under our management. This includes all Home and Business broadband routers for customers in-contract.