Now that we’ve had half a year to process the Spectre and Meltdown flaws released in January, what’s been done about it? Are we now “safe” or are there other CPU flaws out there that we just don’t know about?
Unfortunately, there’s always the risk of as-yet unknown vulnerabilities that could be exploited for malicious purposes. But in the meantime, security researchers and other organizations are working hard on fixes to make the Internet (and in this case, computer architecture itself) a safer place. Here’s what they’ve been working on so far:
As if that weren’t enough, two new variants of Spectre were announced last week, Spectre 1.1 and 1.2. These new variants can be used to overflow the CPU’s store cache buffers and override read-only PTE flags (Page Table Entry flags, which are part of the memory of the chip) to write any new code to CPU memory.
This may sound like things have gotten worse, not better. But with the disclosure of the original bugs, it’s only natural that security researchers hunt out all the ways to exploit them so that patches can be made as soon as possible to prevent bad actors from taking advantage.
Patch, patch and patch. Intel and Google released patches for both Spectre and Meltdown back in March, and they’ve shown to have less impact on performance than originally thought. We can’t emphasize enough about the importance of keeping your systems patched and up to date. As new flaws are discovered, fixes are made and rolled out to keep end users protected. According to a Ponemon survey, more than 60 percent of data breaches reported were due to an unpatched vulnerability, and of those business, 34 percent knew they were vulnerable and did nothing. Not good!
Some helpful advice: If you feel overwhelmed by the sheer number of vulnerabilities and patches currently out there, take a moment (or a few) to prioritize and patch rather than going about it willy-nilly. Focus on the zero-day vulnerabilities that have already caused data breaches in companies similar to yours. If you aren’t running the latest operating systems, (a Spiceworks survey found that 14 percent of businesses still run Windows XP) you should be more diligent about your patches.
Another tip is to invest in a SOC 2 audit. This type of audit takes a deep dive into your current security controls and will identify any extra measures you should take to protect yourself. If you use a third-party data center provider (or are considering a new one), make sure they have completed a SOC 2 audit and can provide the independent auditor’s report to prove it.
Did you know that Online Tech has been audited against 174 SOC 2 control criteria and had no exceptions? We can help you with your audits, too! Check out our SOC 2 resources or contact us to see how we can help you become SOC 2 compliant. We also offer comprehensive security services, including patch maintenance for our cloud and managed colocation clients.
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.