Our Cybersecurity Practice Director, Luke Potter, was recently approached by SC Media, the leading cybersecurity source in the UK and Europe, to provide commentary for the article, “Ghostbusters 2: how to deal with Spectre, the sequel.”
The article addressed how Spectre 1.1 and 1.2 have emerged from the shadows, what they are, and how to mitigate them and any exploits that follow.
Luke’s response to the journalist’s questions:
Do the latest vulnerability disclosures point to the inescapable fact that these processor design flaws will continue to be a pain point for security teams for the foreseeable future – and just how much of a real-world concern to enterprise security teams is this?
These ‘new’ vulnerabilities are effectively bypassing the initial mitigation for Spectre “1.0”, which hit the media in January of this year. The researchers have found yet another way to circumvent known mitigations and identified a new exploit method, which demonstrates how this particular vulnerability is proving difficult to mitigate using software/microcode updates alone, and we may well see similar variants making repeat appearances in the future. Absolutely, enterprise security teams need to be concerned about this. Vulnerability management has to extend to all types of software and hardware throughout organizations. Historically, vulnerability management teams have focused purely on ‘operating system’ level security and patching, whereas wider system coverage has to be included, such as the firmware on devices, microcode versions on processors and BIOS versions. Updates at this level have to form part of an effective cybersecurity strategy. Further to this, hopefully CPU designs going forward will take these kinds of issues into account.
How should the enterprise respond to these vulnerabilities and the exploits that will likely follow – what’s the best practice mitigation advice for the ongoing Spectre threat?
All organizations should closely monitor security bulletin feeds from their operating system and hardware providers. We are already seeing patches being released, so it’s key that organizations test and then roll out these updates as soon as possible, ensuring that updates are applied both to software/operating systems and to the physical processors themselves via microcode updates. It is also highly likely that we’ll see new Spectre variants and other processor-related vulnerabilities as research continues, especially with the value of the ‘bounties’ being paid for this kind of research.

In terms of mitigations, clearly the first and foremost has to be applying the relevant patches as mentioned. However, as part of general good security practice, organizations must restrict untrusted code execution, but with things like JavaScript in browsers this is almost impossible to control in all circumstances. Organizations need to carefully control system usage and access, ensuring that the principle of least privilege is always applied. Where systems are ‘shared’, such as terminal servers and/or organizations providing virtualized hosting services, it’s critical that patching of these servers/systems is prioritized.
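To make the point about extending vulnerability management to microcode and kernel mitigation state concrete, here is an added example (not from the SC Media article and not part of Luke’s response): a POSIX shell script that reads the Linux kernel’s per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/ and the microcode revision from /proc/cpuinfo, classifies each entry, and exits non-zero if any entry is still reported as Vulnerable, so the result can be fed into a patch inventory alongside OS-level scan data. The paths are the standard ones exposed by Linux kernels from 4.15 onward; the sample status strings it runs against by default are constructed for offline demonstration and stand in for a host that has Spectre v1 mitigated but not Spectre v2.

```shell
#!/bin/sh
# Added example (not from the SC Media article or SureCloud): report the
# kernel's Spectre/Meltdown mitigation status and the loaded microcode
# revision on a Linux host using only /sys and /proc, so CPU-level coverage
# can sit in the same inventory as OS patch state.

# Classify one sysfs vulnerability entry. Prints "<name> <state> <text>"
# where state is OK (Not affected / Mitigation), VULN (Vulnerable) or
# UNKNOWN (anything else, e.g. a format this script does not recognise).
classify_vuln() {
    name=$1
    text=$2
    case "$text" in
        "Not affected"*) state=OK ;;
        "Mitigation:"*)  state=OK ;;
        "Vulnerable"*)   state=VULN ;;
        *)               state=UNKNOWN ;;
    esac
    printf '%s %s %s\n' "$name" "$state" "$text"
}

# Walk a vulnerabilities directory (default: the live kernel's) and print
# one classified line per entry. Returns 1 if any entry is Vulnerable,
# 2 if the directory is missing (non-Linux or pre-4.15 kernel), else 0.
report_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(classify_vuln "$(basename "$f")" "$(cat "$f")")
        echo "$line"
        case "$line" in *" VULN "*) rc=1 ;; esac
    done
    return $rc
}

# Extract the microcode revision (first CPU only) from a cpuinfo-style file.
# x86 kernels expose it as "microcode : 0x..."; compare it with the vendor's
# published revision for the CPU model to confirm the update actually loaded.
microcode_revision() {
    file=${1:-/proc/cpuinfo}
    awk -F': *' '/^microcode/ { print $2; exit }' "$file"
}

# Constructed sample data (illustrative strings in the kernel's format) for
# a host that still lacks the Spectre v2 mitigation.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/vulnerabilities"
echo "Mitigation: __user pointer sanitization" > "$SAMPLE/vulnerabilities/spectre_v1"
echo "Vulnerable: Retpoline without IBPB" > "$SAMPLE/vulnerabilities/spectre_v2"
echo "Not affected" > "$SAMPLE/vulnerabilities/meltdown"
printf 'processor\t: 0\nmicrocode\t: 0x2e\n' > "$SAMPLE/cpuinfo"

report_vulns "$SAMPLE/vulnerabilities" || echo "host needs attention (rc=$?)"
echo "microcode revision: $(microcode_revision "$SAMPLE/cpuinfo")"

# On a live Linux host, call both without arguments:
#   report_vulns; microcode_revision
```

The return code is what a scheduler or scan wrapper should act on: a host that prints any VULN line after the OS has been patched is one whose microcode or firmware is still missing, which is exactly the gap between ‘operating system’ patching and the wider coverage described above.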
Read the full SC article here.
Learn about our Vulnerability Management here.
About Luke Potter
Luke oversees SureCloud Cybersecurity Solutions. He also manages our Secure Private Cloud. Luke is a recognized cybersecurity expert. He is a CHECK team leader, Tiger Scheme senior security tester, ISO 27001 lead auditor and Microsoft Certified enterprise administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.