Have you patched yet for Meltdown and Spectre? Firmware and OS? No? You’re not alone. Many device manufacturers haven’t made patches available yet. Many operating systems remain unpatched. Basically, this vulnerability might remain open in one form or another for a very long time (forever). Yup, this one’s a doozy.
The infinite patch cycle begins
Patching for architectural issues ain’t easy. Microsoft, in their patch announcement (before they pulled back the patch), said it well:
“Addressing a hardware vulnerability by using a software update presents significant challenges, and some operating systems require extensive architectural changes. Microsoft is continuing to work together with affected chip manufacturers to investigate the best way to provide mitigations.”
Bottom line: Patching could take a long, long time. And the process isn’t going to be easy:
- Many systems won’t ever have a patch released for them.
- Others will only receive either the firmware or the OS patch, but not both.
- Some patches will brick devices because they are hastily deployed.
While we haven’t seen any attacks in the wild that exploit this vulnerability, we can’t wait until they arrive before we act. So what’s a responsible security team to do in the face of this widespread weakness?
Move on. Focus elsewhere. Solve a solvable problem.
I know - it sounds like a bad idea. Let me clarify.
Of course, I don’t mean “pretend it didn’t happen.” We should all do what’s reasonable - patch where we can, with what we have, and validate that those patches are indeed effective with Breach and Attack Simulation (I recommend our recently released simulations for both Meltdown and Spectre).
But then, it’s time to move back to the remaining big issues in our environments. If Meltdown and Spectre have shown us anything, it’s that no matter how well we feel like we have our security taken care of, there is going to be something, somewhere, out of our control.
Cyber security isn’t about stopping everything. It isn’t about a strong perimeter, or 100% patched systems. It’s about mitigating business risk. If we can stop the risk of stolen or compromised data at the endpoint - great. But if we can stop stolen data from ever leaving our network - also great. If we can combine both, for defense in depth - all the better.
All that matters is that we break the kill chain. Every attack is composed of multiple phases - the steps that attackers take to get in, find juicy data, and then get that data into their hands. Meltdown and Spectre are complex weaknesses that attackers will eventually use to compromise sensitive data. They are also weaknesses that may never be fully fixed. So rather than spend cycles trying to fix an unfixable problem, we need to focus on things we can solve.
Bottom line: We can mitigate this vulnerability by ignoring it - as long as we spend the time and effort to stop attacks elsewhere in the kill chain.
So, patch where you can, when you can. Then, like any vulnerability, measure the effectiveness of your patch by whether or not it can effectively stop exploits and attacks. Then, focus on where you can stop attackers elsewhere in the kill chain.
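Before measuring a patch with attack simulation (the approach recommended above), the cheapest first check is simply asking the kernel what it believes its own mitigation status to be. The script below is an added example, not code from the original post or from any vendor; it assumes a Linux kernel recent enough to expose the `/sys/devices/system/cpu/vulnerabilities/` directory (`meltdown`, `spectre_v1`, `spectre_v2`), and falls back to a constructed sample when that directory is absent. It classifies each reported line as mitigated, not affected, vulnerable or unknown, and lists the entries a defender should follow up on. Note that this only tells you what the OS patch reports; it says nothing about microcode or firmware, and it is not a substitute for validating that an actual exploit attempt fails.

```python
"""Report Meltdown/Spectre mitigation status as exposed by the Linux kernel.

Added example; not from the original post. Assumes a Linux kernel that
exposes /sys/devices/system/cpu/vulnerabilities/ (an assumption; older
kernels have no such directory). The SAMPLE contents are constructed for
offline use and were not captured from a real host.
"""
import os
from typing import Dict, List, Tuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# The three files relevant to Meltdown (Variant 3) and Spectre (Variants 1 and 2).
FILES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> Tuple[str, str]:
    """Map one sysfs status line to (verdict, detail).

    verdict is 'mitigated', 'not_affected', 'vulnerable' or 'unknown'.
    The kernel writes 'Not affected', 'Vulnerable[: details]' or
    'Mitigation: details'; anything else (including an empty file read)
    is reported as unknown so it is not silently treated as safe.
    """
    text = status.strip()
    if text == "Not affected":
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text.split(":", 1)[1].strip())
    if text.startswith("Vulnerable"):
        detail = text.split(":", 1)[1].strip() if ":" in text else ""
        return ("vulnerable", detail)
    return ("unknown", text)


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the raw status lines; a missing file yields '' (kernel too old to report)."""
    result: Dict[str, str] = {}
    for name in FILES:
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="ascii") as fh:
                result[name] = fh.read()
        except OSError:
            result[name] = ""
    return result


def assess(raw: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Classify every raw status line."""
    return {name: classify(text) for name, text in raw.items()}


def needs_attention(report: Dict[str, Tuple[str, str]]) -> List[str]:
    """Entries a defender should follow up on: still vulnerable, or not reported at all."""
    return sorted(name for name, (verdict, _) in report.items()
                  if verdict in ("vulnerable", "unknown"))


# Constructed sample: PTI enabled for Meltdown, a spectre_v1 file that could not
# be read, and a Spectre v2 status the kernel still flags as vulnerable.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    raw = read_sysfs() if os.path.isdir(SYSFS_DIR) else SAMPLE
    report = assess(raw)
    for name, (verdict, detail) in report.items():
        print(f"{name:12s} {verdict:13s} {detail}")
    print("follow up:", ", ".join(needs_attention(report)) or "none")
```

Treating an unreadable or unrecognised status as "unknown" rather than "fine" is deliberate: on the many systems the post expects to go unpatched, the absence of a report is itself the finding.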
With so much focus on these vulnerabilities, the attacker community is bound to be working overtime to create new exploits that can hit us all where we are weakest. Let’s not let those attackers be the ones that show us whether or not ALL our defenses are ready.