Meltdown and Spectre: How big a technology threat are they to UK businesses?
When news of the cyber security vulnerabilities known as Meltdown and Spectre first broke at the start of this year, it looked like a potential catastrophe for businesses of all sizes.
A flaw in almost all Intel processors, and in some processors from other manufacturers, allowed hackers to gain access to protected systems and information.
It was the potential scale of the problem that made it so alarming – almost all computers were thought to be susceptible. Apple released a statement to confirm that ‘all Mac systems and iOS devices’ were affected. Not only could hackers gain access to privileged information on individual devices, they might also be able to breech cloud computing systems.
What was the problem?
The closely related vulnerabilities were discovered by academics at several universities. Meltdown relates to the kernel in a computer – the central part of an operating system that manages the operations of the computer and its hardware. It allows malicious programmes to access privileged information that is usually walled off.
With access to the kernel, an attacker could make changes to a system, install hard-to-detect malware, or access other systems across an organisation.
Spectre is subtly different. The vulnerability allows a malicious application to access information from other applications running on the same device. One example might be the details kept in the memory of an online banking app.
Patches described as ‘garbage’
Soon after the news broke, companies whose products were affected by the vulnerabilities started to release downloadable patches to shore-up systems and devices. But this didn’t solve the problems straight away.
The situation was complicated by the fact that different patches were required for different operating systems and browsers – there was no single silver bullet. What’s more, some patches led to reduced computer performance, especially when undertaking tasks such as video editing that rely heavily on a machine’s processor.
As some of the early patches were recalled amid concerns over their effectiveness, Linux creator Linus Torvalds publicly criticised Intel’s attempts to solve the problem. ‘The patches are complete and utter garbage,’ he wrote. ‘They do things that do not make sense.’
What’s the risk?
There is good news, however. Although research indicates that some parties have been experimenting with the vulnerabilities, the risk to most companies and individuals from Meltdown and Spectre is now thought to be small.
‘We’ve seen no evidence yet of Meltdown and Spectre being exploited on any commercialised scale by any cybercrime actors,’ says Nicholas Griffin, Senior Cyber Security Specialist at Performanta.
According to Griffin, the vulnerabilities cannot be exploited without a high level of knowledge. As a result, most companies should be more concerned about other, less complicated cyber security threats such as phishing.
‘Unless you’re particularly high profile, such as a government or an organisation that deals with sensitive information, then you’re very unlikely to be a target,’ says Griffin.
Tactics and strategies
Having patching and vulnerability management programmes that keep important systems up to date is still advisable – not just to protect against Meltdown and Spectre, but against other threats too. Griffin notes that while there were some ‘teething problems’ with regard to the earliest patches that were released for Meltdown and Spectre, they have now largely been resolved.
‘Priority number one is patch, patch, patch,’ says Griffin. Beyond this, he recommends using tools such as endpoint detection response solutions, which monitor systems for signs of unusual behaviour in real time. Whereas a patch is generally a response to a known vulnerability – like reinforcing a weak part of a wall or fence around a property – these systems act like a CCTV system. If suspicious activity is spotted, then action can be taken to prevent an exploit before it takes place – hopefully keeping a company’s systems and data safe.
According to Griffin, a common mistake ‘is to use blind security solutions in isolation, without really taking the time to consider how security is being layered in the business.’ It is far better to ‘look at security more holistically and gain an understanding how to layer security defences. That makes for much more effective cyber defences overall.’
He adds that it is also important to identify how information and systems are accessed – and by whom. ‘It’s a case of putting higher-level processes in place that are designed to protect your assets, rather than just relying on security technology to do the job for you.’
But what practical steps should businesses be taking to make sure that the next Meltdown or Spectre doesn’t catch them off guard? ‘It’s essential to take the time to review your organisations’ security efforts as they currently stand,’ says Griffin. ‘SMEs should consider partnering with security specialists who can help establish a strong baseline of coverage for their defences as a whole. That will lead you down the path of being security aware and, then, hopefully truly secure. The ultimate goal is obviously to keep yourself, your clients and your business safe.’
Find out more information on how Hiscox Cyber and Data Insurance can help protect your clients from emerging cyber risks.