Pragmatic approach needed for Meltdown


By Dylan Bushell-Embling
Monday, 19 February, 2018



The Meltdown and Spectre vulnerabilities revealed in January represent an entirely new class of security threat, and a pragmatic approach is needed to safeguard against them, according to Gartner.

The research firm has shared steps security leaders can take to tackle Spectre and Meltdown, which abuse speculative execution in modern processors to read memory that should have been protected.

Gartner VP and distinguished analyst Neil MacDonald noted that not all processors and software are vulnerable to the three variants in the same way. “The risk will vary based on the system’s exposure to running unknown and untrusted code,” he said.

“The risk is real, but with a clear and pragmatic risk-based remediation plan, security and risk management leaders can provide business leaders with confidence that the marginal risk to the enterprise is manageable and is being addressed.”

The first step security leaders can take is to acknowledge the risk but not to panic, Gartner said. Exploiting the flaws requires untrusted code to be introduced and executed on the target system, which should be difficult on a well-managed server or on an appliance such as a network or storage appliance.

In addition, early patches provided to address the issue created conflicts with some antivirus offerings and locked up Windows desktops, representing the danger of “panic patching”.

Security leaders should next draw up a detailed inventory of vulnerable systems — Gartner noted that not since Y2K has there been a single vulnerability affecting such a wide range of systems, from desktops, to mobile devices, to servers and virtual machines as well as network and storage appliances.

Next, a risk-prioritised remediation plan should be developed, which can include introducing components such as application control and whitelisting on all systems.

Remediation efforts should be prioritised based on level of risk presented, and the approach to addressing the vulnerability will vary depending on the affected systems — in some cases, the most risk-appropriate decision may be not to patch, but in other cases patches should be applied as soon as possible.

For systems that are not or only partially patched, introducing multiple mitigating controls, such as restricting the ability to place unknown or untrusted code onto a device, can reduce risk. This should mean taking a default deny approach to installing or executing untrusted code.

Finally, Gartner said security experts should plan to introduce further mitigation efforts through the next few years as the new class of vulnerabilities develops.
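As an added illustration of the inventory and risk-prioritisation steps above (example code written for this page, not from the article or from Gartner): a Python script that classifies hosts using the Linux kernel's /sys/devices/system/cpu/vulnerabilities/ reports (available since kernel 4.15) and ranks them by whether they are exposed to running untrusted code, the risk driver MacDonald names. The hostnames, the exposure flag and the sample sysfs contents are constructed, and the weighting in risk_score is an assumption, not a Gartner figure.

```python
"""Inventory hosts for Meltdown/Spectre and rank them for remediation.

Added example; reads the kernel's sysfs vulnerability reports and combines
them with an exposure flag. Sample data below is constructed.
"""
import os
from dataclasses import dataclass

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
VULN_FILES = ("meltdown", "spectre_v1", "spectre_v2")


@dataclass
class HostReport:
    hostname: str
    runs_untrusted_code: bool  # e.g. desktop with browser, multi-tenant hypervisor
    sysfs: dict                # vulnerability name -> file content ("" if missing)


def classify(text):
    """Map one sysfs vulnerability report line to a status keyword."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Mitigation:"):
        return "mitigated"
    if t.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"      # missing file: kernel too old to report, treat as open


def host_status(report):
    """Per-variant status for one host."""
    return {name: classify(report.sysfs.get(name, "")) for name in VULN_FILES}


def risk_score(report):
    """Open variants, weighted (assumed x3) when the host runs untrusted code."""
    statuses = host_status(report)
    open_count = sum(1 for s in statuses.values() if s in ("vulnerable", "unknown"))
    if open_count == 0:
        return 0
    return open_count * (3 if report.runs_untrusted_code else 1)


def recommendation(report):
    """Coarse remediation bucket matching the article's risk-based approach."""
    score = risk_score(report)
    if score == 0:
        return "none"
    if report.runs_untrusted_code:
        return "patch_now"
    return "patch_or_compensate"   # mitigating controls / scheduled patch window


def prioritise(reports):
    """Highest risk first; ties broken by hostname for a stable inventory."""
    return sorted(reports, key=lambda r: (-risk_score(r), r.hostname))


def read_live_host(hostname, runs_untrusted_code, sysfs_dir=SYSFS_DIR):
    """Build a HostReport from the running Linux kernel's sysfs files."""
    sysfs = {}
    for name in VULN_FILES:
        path = os.path.join(sysfs_dir, name)
        if os.path.exists(path):
            with open(path, encoding="ascii", errors="replace") as fh:
                sysfs[name] = fh.read()
    return HostReport(hostname, runs_untrusted_code, sysfs)


# Constructed sample inventory (sysfs strings follow the kernel's real format).
SAMPLE_HOSTS = [
    HostReport("web-01", False, {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Mitigation: Full generic retpoline\n"}),
    HostReport("vdi-desktop-07", True, {
        "meltdown": "Vulnerable\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Vulnerable\n"}),
    HostReport("storage-appliance", False, {
        "meltdown": "Vulnerable\n",
        "spectre_v1": "Vulnerable\n",
        "spectre_v2": "Vulnerable\n"}),
    HostReport("build-agent", True, {}),   # old kernel: no sysfs reports at all
]


def inventory(reports=SAMPLE_HOSTS):
    """Return (hostname, score, recommendation) rows, highest risk first."""
    return [(r.hostname, risk_score(r), recommendation(r)) for r in prioritise(reports)]


if __name__ == "__main__":
    for row in inventory():
        print("%-20s score=%d action=%s" % row)
```

Run on a real host, read_live_host("thishost", True) replaces the constructed entries; appliances whose kernels predate the sysfs interface show up as "unknown" rather than silently passing, which is the behaviour you want in an inventory.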

“Ultimately, the complete elimination of the exploitable implementation will require new hardware not yet available and not expected for 12 to 24 months. This is why the inventory of systems will serve as a critical roadmap for future mitigation efforts,” MacDonald said.

“To lessen the risk of future attacks against vulnerabilities of all types, we have long advocated the use of application control and whitelisting on servers. If you haven’t done so already, now is the time to apply a default deny mindset to server workload protection — whether those workloads are physical, virtual, public cloud or container based. This should become a standard practice and a priority for all security and risk management leaders in 2018.”
