The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities


Security Advisory: Meltdown and Spectre – Processor Flaws Expose Networks to New Class of Vulnerabilities


Security researchers have disclosed a class of flaws, present in most modern computer processors, that allows unauthorized disclosure of information. Rather than a bug in any one program or operating system, the flaws stem from speculative execution, a performance feature of the processors themselves. They therefore affect chips from most major manufacturers and could be exploited on servers, workstations (including laptops), network infrastructure, mobile devices, IoT devices and consumer electronics: essentially any system built on an affected processor.

The vulnerabilities allow an attacker who can run code on a system, even unprivileged code, to read data being processed elsewhere on that system: memory belonging to the operating system kernel (Meltdown) or to other processes and sandboxes (Spectre). Memory belonging to one process is normally inaccessible to another; these attacks bypass that isolation by observing side effects of the processor's speculative execution. Exploitation therefore requires the ability to execute code on the target, obtained through physical or logical access, through a separate remotely exploitable vulnerability, or, in the case of Spectre, through JavaScript served to an unpatched browser. Proof-of-concept exploit code is publicly available.

The exposure means that passwords, encryption keys, documents, emails and other data held in memory on affected systems may be at risk. In a shared environment such as public cloud, one tenant could use the attack to read data belonging to another tenant on the same physical host. The providers' host-level patches address that cross-tenant case, but they do not protect a customer's own guest operating systems, which must be patched separately.

Protiviti has published a Flash Report with important links and steps organizations should take now to evaluate impacted systems and address any issues.

The vulnerabilities, named Meltdown and Spectre by the researchers who disclosed them, have been assigned three distinct Common Vulnerabilities and Exposures (CVE) identifiers by The MITRE Corporation, which operates the CVE program: CVE-2017-5754 (Meltdown, rogue data cache load), CVE-2017-5753 (Spectre variant 1, bounds check bypass) and CVE-2017-5715 (Spectre variant 2, branch target injection).

Mitigations are already available from operating system, browser, hypervisor and hardware vendors. Here's a quick to-do list for companies:

  • Each of the three major cloud-hosting providers (Amazon Web Services, Google Cloud and Microsoft Azure) has published a response. Get familiar with the information relevant to you, and note which mitigations the provider applies at the host level and which remain your responsibility inside your own instances.
  • Immediately evaluate your organization's exposure and apply patches to in-house devices and systems. Complete mitigation needs more than one update: operating system patches (for example, kernel page-table isolation against Meltdown), processor microcode or firmware updates from the hardware vendor (needed for the Spectre variant 2 mitigations), and browser updates to close the JavaScript vector. Put the patches through standard patch testing, since several of them carry a measurable performance cost.
  • Reach out to partners that process sensitive data and solicit information on how they are responding to these vulnerabilities.
  • Be aware of the wide variety of systems impacted. Patch management programs that focus on the end-user environment and specific server platforms, such as Windows or Linux, will not have sufficient coverage to manage this risk. Work to identify and address other impacted systems. Commonly overlooked systems include virtualized platforms and their hypervisors, connected devices, and vendor-managed systems sitting on the company network.
  • Provide company leadership and the board of directors with regular, transparent updates that give an appropriate sense of the risk exposure, the actions being taken to mitigate it and any potential impact on the business.
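One concrete way to carry out the evaluation step on Linux hosts, as an added example that is not part of Protiviti's report: since kernel 4.15 (and vendor backports to older kernels), Linux reports its own mitigation status in /sys/devices/system/cpu/vulnerabilities/, one file per issue, with contents beginning "Not affected", "Mitigation: ..." or "Vulnerable". The script below classifies those files. Because a machine running the example may lack them, it also builds two constructed sample directories in the kernel's reporting format, one fully mitigated and one where spectre_v2 still reads "Vulnerable". The function names and sample directory layout are the example's own, not a Protiviti or kernel tool.

```bash
#!/usr/bin/env bash
# Added example (not from the original advisory): summarize the Linux kernel's
# own report of Meltdown/Spectre mitigation status. On a real host the files
# live in /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15+ or backports).
# The sample directories created below are constructed for offline use.

VULN_FILES="meltdown spectre_v1 spectre_v2"

# classify_status STRING -> prints one of: mitigated | vulnerable | not_affected | unknown
# Matches the prefixes the kernel uses in the sysfs files.
classify_status() {
  case "$1" in
    "Not affected"*) echo "not_affected" ;;
    "Mitigation:"*)  echo "mitigated" ;;
    "Vulnerable"*)   echo "vulnerable" ;;
    *)               echo "unknown" ;;
  esac
}

# audit_dir DIR -> prints one line per vulnerability; returns 0 only when every
# file reports "Not affected" or "Mitigation". A missing file means the kernel
# predates the interface, which is reported as unknown and treated as a failure
# (an unpatched kernel cannot tell you it is unpatched).
audit_dir() {
  local dir="$1" rc=0 name status raw
  for name in $VULN_FILES; do
    if [ -r "$dir/$name" ]; then
      raw=$(cat "$dir/$name")
    else
      raw=""
    fi
    status=$(classify_status "$raw")
    printf '%-10s %-13s %s\n' "$name" "$status" "${raw:-<file missing>}"
    case "$status" in
      vulnerable|unknown) rc=1 ;;
    esac
  done
  return "$rc"
}

# make_sample_dir DIR MELTDOWN SPECTRE_V1 SPECTRE_V2 -> constructed sysfs lookalike
make_sample_dir() {
  mkdir -p "$1"
  printf '%s\n' "$2" > "$1/meltdown"
  printf '%s\n' "$3" > "$1/spectre_v1"
  printf '%s\n' "$4" > "$1/spectre_v2"
}

SAMPLE_ROOT=$(mktemp -d)
# Constructed sample 1: kernel and microcode both updated (strings follow the kernel's format)
make_sample_dir "$SAMPLE_ROOT/patched" \
  "Mitigation: PTI" \
  "Mitigation: __user pointer sanitization" \
  "Mitigation: Full generic retpoline, IBPB, IBRS_FW"
# Constructed sample 2: kernel updated for Meltdown and Spectre v1, but Spectre v2 still open
make_sample_dir "$SAMPLE_ROOT/unpatched" \
  "Mitigation: PTI" \
  "Mitigation: __user pointer sanitization" \
  "Vulnerable"

for host in patched unpatched; do
  echo "== $host =="
  if audit_dir "$SAMPLE_ROOT/$host"; then
    echo "result: all mitigated"
  else
    echo "result: ACTION REQUIRED"
  fi
done
rm -rf "$SAMPLE_ROOT"

# On a real host, run: audit_dir /sys/devices/system/cpu/vulnerabilities
```

In an inventory sweep you would run `audit_dir /sys/devices/system/cpu/vulnerabilities` on each host and collect the exit code. A spectre_v2 line that still reads "Vulnerable" after the kernel has been updated usually means the processor microcode has not been updated or the kernel was built without retpoline support, which is exactly the firmware-plus-OS gap the to-do list warns about.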

Protiviti will continue to monitor the situation and will provide updates as warranted. Download the Flash Report here.

By Andrew Retrum

Verified Expert at Protiviti

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

What you need to know: Aging systems, data silos, regulatory pressures and talent gaps complicate enterprise transformation for public utilities....

Article

What is it about

The top priority for healthcare internal auditors this year is cybersecurity, according to a survey by Protiviti and the Association...

Article

What is it about

The big picture: C-suite leaders in traditional aerospace and defense (A&D) companies are launching and growing their aftermarket services and...

Search