If you pay any attention to technology news, you’ve certainly heard of Meltdown and Spectre. These exploits, both attacking the same core vulnerability, have even received a fair amount of mainstream news coverage. The reason these exploits are receiving so much media coverage is that unlike almost every other computer security issue, the root vulnerability is not located in software but rather in the core hardware of any computing device – the CPU (or more commonly, the “processor”). Practically speaking, because the vulnerability is a flaw in hardware, it is not possible to completely prevent these exploits without replacing the processor. Additionally, almost every processor in every commonly used technology device (computers, smartphones, tablets, etc.) is affected. As bad as this problem sounds, and yes this is a really bad flaw, the practical implications are probably much less frightening for the vast majority of technology users than originally reported.
The first thing to keep in mind is that while the exploits have been given scary sounding names, they are NOT viruses. In other words, there is not an actual attack currently in the wild. So for all the alarms being raised in the media, there is currently no immediate danger. All that was disclosed was the description of the root vulnerability (a security flaw in the design of a CPU’s “speculative execution” feature) and the exploits possible (named Meltdown and Spectre). What the exploits are able to do is read data out of computer memory that is supposed to be protected. Things like passwords and security information that should not be possible to be accessed by ordinary software can be extracted with these exploits.
While the root vulnerability is very serious, actually implementing an attack will require a way to deliver malicious code. In other words, a malware/virus will need to be created to carry out the Meltdown or Spectre exploits. Because any malware attempting to perform a Meltdown or Spectre attack would be able to be mitigated just as any other malware can, standard security precautions should in practice protect most technology users and their data. Additionally, operating system developers have been releasing patches that significantly mitigate the risks from Meltdown and Spectre, making it much harder to actually gather sensitive data with a successful attack. So for systems that have been updated to protect against these new exploits, the risk is greatly reduced. All that being said, however, the disclosure this vulnerability in a key architectural function of the processors we use in all our technology devices should serve as a wake-up call for everyone to review their key security practices.
The key thing to keep in mind is that the more secure your base technology platform is, the more secure you will be from exploits such as Meltdown and Spectre, as well as any malware in general. For example, while the processors used in the iPhone and iPad are technically vulnerable to these exploits, since delivering malware to an iOS device is practically impossible there is almost no risk to these devices. On platforms that are more susceptible to malware (i.e. Windows, Android) continued vigilance to security best practices continues to be an important priority, even more so now.
The bottom line is that for as scary as the Meltdown and Spectre exploits appear to be, they are simply just another vulnerability for criminal malware to take advantage of. True, this particular vulnerability may not be completely fixable until sometime in the future when we are able to purchase new technology devices with redesigned processors, but patches from operating system developers and adequate security precautions should mitigate the risk for most technology users.
If you have any questions about protecting your technology and data, please don’t hesitate to ask me a question!
If the Equifax data breach has taught you nothing else, it should be that any company can be subject to a security compromise if they are not careful. According to news reports, Equifax was breached through a vulnerability that was disclosed and a patch made available 2 months prior to when their system was infiltrated. Given the extremely sensitive nature of the data that Equifax keeps on hundreds of millions of people, waiting at least two months to implement a patch on a vulnerability that serious can only be considered irresponsible at best. However, the relatively simple mistake that Equifax made (not paying attention to the disclosure of a security flaw) is something that many thousands of businesses repeat every single day. It is often only a matter of time before a security vulnerability is exploited for many businesses who do not do their due diligence when it comes to security.
To be sure, most small businesses have much simpler networks and technology systems than a large corporation like Equifax. However, this is no excuse to be lax on security. Many small businesses, especially any in the medical or financial fields, have a lot of information that can be extremely valuable to identity thieves. In addition, any company that works with businesses in the medical or financial industries, as well as those who service governmental agencies, are also vulnerable as their business could be used as a staging point to breach other businesses. Suffering a serious data breach can be fatal for many small businesses so it is certainly worth the effort to make sure that a business has adequate security in place to protect their valuable data, including customer information.
The problem is that most small business owners are not technology experts. How can someone who is very busy running their business and servicing their clients be expected to learn and implement relatively complicated technology security practices? Generally they must rely on either their technology staff or their outsourced technology service providers to do so. Even then, as the Equifax incident has shown, it is possible for technology professionals to fail in their tasks. So what is a small business owner to do? The answer is to have a second opinion on their technology security – i.e. a Security Check-Up.
If you currently have technology staff or an outsourced technology provider, it is in your best interest to review their technology procedures and then have another technology provider perform a security audit to ensure that adequate security precautions are in place. If you are like many small businesses who do not have any professional technology help, then hire a trustworthy technology professional to perform a Security Check-Up as soon as you can!
If you need help with evaluating the security precautions of your business, please feel free to contact me right away. I am currently lining up clients to perform Security Check-Ups for the last quarter of the year so make sure you are protected before a security breach impacts your business.