Security and Risk Management Leaders Need to Take a Balanced Approach to Tackling a New Class of Vulnerabilities. Gartner
Security and risk management leaders must take a pragmatic and risk-based approach to the ongoing threats posed by an entirely new class of vulnerabilities, according to Gartner, Inc. "Spectre" and "Meltdown" are the code names given to different strains of a new class of attacks that target an underlying exploitable design implementation inside the majority of computer chips manufactured over the last 20 years.
Security researchers revealed three major variants of attacks in January 2018. The first two are referred to as Spectre, the third as Meltdown, and all three variants involve speculative execution of code to read what should have been protected memory and the use of subsequent side-channel-based attacks to infer the memory contents.
"Not all processors and software are vulnerable to the three variants in the same way, and the risk will vary based on the system's exposure to running unknown and untrusted code," said Neil MacDonald, vice president, distinguished analyst and Gartner fellow emeritus. "The risk is real, but with a clear and pragmatic risk-based remediation plan, security and risk management leaders can provide business leaders with confidence that the marginal risk to the enterprise is manageable and is being addressed."
Gartner has identified seven steps security leaders can take to mitigate risk:
1) Acknowledge the Risk, but Don't Panic
Modern operating systems (OSs) and hypervisors depend on structured, layered permission models to deliver security isolation and separation. Because this exploitable design implementation is in hardware--below the OS and the hypervisor--all software layers above are affected and vulnerable. However, memory can only be read, but not altered. Exploitation of the flaw requires untrusted code to be introduced and executed on the target system, which should be extremely difficult on a well-managed server or appliance such as a network or storage appliance. There is also an advantage in not rushing to "panic patch." Early patches created conflicts with some antivirus offerings and locked up Windows desktops. Some conflicted with the use of AMD microprocessors, so that the systems would not boot. Other early patches had performance impacts that have been improved by subsequent patches.
2) Start With a Detailed Inventory
Nearly every modern IT system will be affected to some...