With the recent Spectre and Meltdown flaws sending a wave of disruption across IT and the business community, the scope of the problem continues to unfold. One or both of the flaws are present in Intel chips from the last 15 years, embedded in countless PCs, servers, and phones.
The bottom line is that Intel chips contain a long-standing feature that makes them vulnerable to hacking. Because few problems have been so widespread, these connected security flaws show why patch management best practices have never been more crucial than now.
The nature of Spectre and Meltdown, together with the confusion around patching them, shows why new approaches are vital. The short story is that Meltdown is a bug that could allow an attacker to read kernel memory (the protected core of an operating system). It impacts Intel and Qualcomm processors, as well as one type of ARM chip. The other bug, Spectre, involves two known attack strategies that are more difficult to patch and defend against.
Patch Challenges Ahead
Even as the United States Computer Emergency Readiness Team (US-CERT) provides specific guidance, it agrees with other experts that because the flaws are at the CPU level, total hardware replacement is the only sure safeguard. While that’s an impossible alternative for most, the rush to release patches also leaves little time for the requisite testing and refinement.
The challenge of patching such widespread and complex hardware flaws is overshadowed only by the patchwork fashion of the fixes. While Intel expected to have issued updates for at least 90 percent of its CPUs by its January 15 target date, the remainder could take significantly longer.
Making matters worse, Intel has been advising some customers to hold off installing patches due to potential performance slowdowns and random reboots. This highlights the fact that the patches may not offer total protection, or could create other bugs and instabilities that will need to be resolved. The bottom line is that the security community has no clear approach to how best to resolve this problem in the short term. The best path forward lies in comprehensive patch management best practices.
The Nature of Patch Management
Since Meltdown and Spectre target CPU weaknesses rather than OSes or applications, traditional sandbox approaches can’t detect the attacks. While unpatched server and software vulnerabilities are among the top IT security threats for businesses, it’s not acceptable to entertain the possibility of compromising performance or security. Here, patch management must evolve to identify this type of threat and mitigate the attack.
Even today, most attacks use vulnerabilities for which patches already exist. In fact, most of the vulnerabilities that are ultimately exploited are due to poor patch management. Consequently, this problem goes far beyond patching to the need for comprehensive security solutions and services providers that can institute patch management best practices for critical vulnerabilities. The tenets of this type of planning include:
- Scanning for threats early and often
- Developing context for responding to vulnerabilities
- Instituting sound vulnerability management strategy based on comprehensive, up-to-date scan data
Bringing It All Together
While they are only a start, these practices enable organizations to quickly and easily see the threat context. These best practices are made possible by the implementation of vulnerability-checking tools or services that scan the environment and report any missing patches or known vulnerabilities. Today’s advanced risk mitigation approaches use security software solutions that bring added IT security monitoring to application, network, and host firewalls.
For example, leading-edge security architecture providers such as Check Point have developed IPS updates that can detect Spectre and Meltdown exploit attempts. To prevent attacks, enterprises must implement a multi-faceted prevention strategy that delivers proactive protection along with CPU-level exploit detection capable of exposing such hidden threats. Users should patch their machines with the latest updates at the OS level as well as any patches provided by the hardware manufacturers.
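One way to verify that the OS-level patches just mentioned are actually active on a Linux host, as an added example that is not part of the original article: kernels from 4.15 onward report each issue's mitigation state under /sys/devices/system/cpu/vulnerabilities/, and a patch-management scan can read and classify those entries. The sample values below are constructed to show a partially patched host.

```python
#!/usr/bin/env python3
"""Report Spectre/Meltdown mitigation status from the Linux kernel's sysfs interface.

Added example, not from the original article. Assumes a Linux kernel (4.15 or later)
exposing /sys/devices/system/cpu/vulnerabilities/<name>; falls back to a constructed
sample when that directory is absent so the report logic can be exercised anywhere.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample: a host with the Meltdown fix (kernel page-table isolation)
# and a Spectre v1 mitigation applied, but Spectre v2 still unmitigated.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

def classify(value: str) -> str:
    """Map one sysfs value to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    v = value.strip()
    if v.lower().startswith("not affected"):
        return "not_affected"
    if v.startswith("Mitigation:"):
        return "mitigated"
    if v.startswith("Vulnerable"):   # covers "Vulnerable" and "Vulnerable: <partial fix>"
        return "vulnerable"
    return "unknown"

def summarize(status: dict) -> dict:
    """Return {issue_name: state} for every entry."""
    return {name: classify(val) for name, val in status.items()}

def needs_action(status: dict) -> list:
    """Issue names a patch-management scan should flag: still vulnerable or unreadable."""
    return sorted(n for n, s in summarize(status).items() if s in ("vulnerable", "unknown"))

def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read the live status; returns {} when the interface is absent (old kernel, non-Linux)."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in directory.iterdir() if p.is_file()}

if __name__ == "__main__":
    live = read_sysfs()
    status = live or SAMPLE_STATUS
    print("Mitigation status (%s):" % ("live sysfs" if live else "constructed sample"))
    for name, state in sorted(summarize(status).items()):
        print(f"  {name:<24} {state:<13} {status[name]}")
    flagged = needs_action(status)
    print("Needs action:", ", ".join(flagged) if flagged else "none")
```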
Today’s organizations must take a multipronged approach to meeting evolving threats that exploit critical vulnerabilities. The first step is to create a comprehensive patch management strategy that can be updated to address emerging threats. This goes hand-in-hand with implementing tools that can automate many of the testing steps, and software that mitigates the vulnerability by other means, reducing the risk of a patch interfering with operations.
For most organizations, this approach will best be implemented with the support of a security services and solutions partner. By enlisting a partner to help develop a comprehensive plan based on the latest solutions and evolving patch management best practices, organizations will be best poised to overcome IT security threats.