Stay Calm and Carry On with These Steps to Protect Your Business
Lessons learned from Meltdown and Spectre
By now you've inevitably witnessed the hysteria around Meltdown and Spectre, the security flaws found in the processors of today's computing devices that can expose sensitive information – even if it's encrypted – and leave your employees and customers at risk.
If you're wondering whether your business is affected, the answer is almost undeniably yes. While the scope and scale of Meltdown and Spectre are impossible to estimate, if you're using modern laptops and smartphones, they are part of the billions of devices impacted today, regardless of your company size or industry. And any cloud service providers with which you engage also are at risk.
The good news is there's no reason for panic. In fact, now is the time to go back to the basics and put fundamental and repeatable security processes in place. These critical steps will help mitigate the impact of Meltdown/Spectre as well as minimize overall risk and keep your organization between protected in the future.
- UNDERSTAND YOUR ENVIRONMENT
It is a massive task, but taking inventory of assets that may be effected is a critical first step ot patching holes. You will need an even more granular understanding of the hardware, down to the operating systems and processors, than anything you likely have today in order to make sure the right patches are applied to the right systems.
- STAY INFORMED
Your business needs to be plugged into appropriate threat information channels to keep up-to-date as news of vulnerabilities, threats and countermeasures is released by the CPU manufacturers and operating system vendors. As you gather that information, you need to plan and apply the appropriate patches to the appropriate systems quickly and correctly.
- MANAGE YOUR RISK
Managing risk is the foundation of a good information security program and with these vulnerabilities, now more than ever. With the variety of patches that need to be applied to address these issues, and the possible problems of performance or stability they introduce, companies need to understand the risks that patching itself introduces and what compensating measures can be used instead to reduce risk. In addition, you need to understand what your third parties and cloud service providers are doing to address the risk in their environments.
- TEST, TEST, TEST
Organizations should regularly perform testing of patches before they are applied to production systems, but with Meltdown/Spectre this is more vital than ever as the patches themselves are reportedly causing both performance slowdowns and stability issues. Companies must understand the impacts of patches prior to applying them, otherwise they risk impacting their business operations even more than the vulnerability itself, via "bricking" machines or other unwanted side effects.
BACK TO BASICS WINS THE RACE
It's understandable that there was a great deal of uncertainty following the Meltdown and Spectre news. These are two of the most serious security vulnerabilities in recent history. But remember that security programs are not a one-time effort. You'll inevitably face a steady and evolving stream of sophisticated threats, as well as those considered low-hanging fruit by cyber criminals because they continue to be effective (e.g. phishing). By getting back to basics and focusing on the above-mentioned four core areas, you'll be positioned to respond in an efficient, predictable and repeatable manner that minimizes risk to your business.
Michael Lines is the vice president of strategy, risk and compliance at Optiv.