CIO

Are Spectre and Meltdown just hype?

By Hugh Darvall, Director of Sales ANZ at Flexera

Often, it’s the dramatic things that get our attention and what we see as a risk. We’re more scared of flying than of driving, and terrified of snakes and spiders when we’re more at risk from the common cold. So, do our fears lie in the right place?

There has been much hype around the Spectre and Meltdown vulnerabilities that emerged in January and made a huge impact in the world of software vulnerabilities. Some of this is justified by the fact that those vulnerabilities affected a majority of all processors in the market. The reality, however, is that this was just another set of vulnerabilities on top of all the others in the market, which security professionals need to assess and manage every day.

The Big Threats that Need Attention

So just how big a risk were Spectre and Meltdown? Through Secunia Research at Flexera, more than 121 vulnerability intelligence advisories were issued on Spectre and Meltdown. However, most advisories were scored below “Moderately Critical” (one to three out of a maximum score of five). In fact, only 5 advisories scored “Highly Critical” (four out of five).

To put this in perspective, Secunia Research issued another 52 unrelated advisories scored “Highly Critical” in the two weeks following the public disclosure of Meltdown and Spectre. These vulnerabilities were found in widely used software such as Cisco Webex Meetings Server, Cisco Webex Advanced Recording Format (ARF) Player, Microsoft Internet Explorer versions 9, 10 and 11, IBM Rational DOORS Next Generation 6, IBM WebSphere Application Server 9.0, Debian GNU/Linux 8 and 9, Jackson 2.0 and Gentoo Linux.

Security professionals can’t afford to get distracted by the latest public outcry or doomsday scenarios fuelled by non-specialised media or the general public. They must constantly analyse all vulnerabilities affecting their systems and prioritise the biggest threats. That analysis also includes weighing the business impact of applying a patch – or making changes to the security configuration – against the security risk of not taking action. They need support from their CIO and executive leadership to design and implement processes that allow for better assessment and prioritisation.

Three Steps to Prioritise Threats Based on Risk, and Not Name

A common sense approach is key to risk mitigation and one all security teams should take. This approach starts by identifying the biggest threats to your organisation through deep intelligence followed by a full risk assessment. Once teams uncover what really matters to safeguard your company, they can efficiently apply scarce resources for the strongest impact.

CIOs can increase protection by supporting a standardised, risk-based approach to managing vulnerabilities. Taking the three steps below gives a deeper understanding of where the largest exposure lies and how to direct resources to address it.

Step One: Determine Criticality

You take the first step toward reducing risk by identifying the biggest vulnerabilities. The starting point is working with reputable data. It is important to source vulnerability intelligence that’s verified and rated based on a standard set of criteria for accurate risk levels.

Step Two: Prioritise, Don’t React to Hype

When the headlines about the next breach hit, you’ll be prepared with powerful intelligence and a full view of the real risk. Remediation activities can then be prioritised for optimal effect. This common-sense approach puts you in control, enabling focused action and a smart allocation of resources. It also results in faster remediation of the most important vulnerabilities and improved security for your business.

Step Three: Conservative Mitigation Approach

After priorities are defined, it’s time for patches. The best programmers apply patches with an emphasis on testing in controlled environments. IT teams will benefit from a proactive approach of uncovering any performance hits or compatibility issues that a patch may cause. Patching is essential to reduce the attack surface, but it must be done sensibly and with an understanding ahead of time of potential impacts on system performance and stability. Using established processes and tools ensures mitigation happens carefully and conservatively, with a focus on risk-based models.
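The three steps above reduced to a small triage routine, as an added example that is not part of the original article or of any Flexera product. It uses the five-point criticality scale the article describes; the advisory identifiers, products, ratings and asset counts are constructed placeholders, and the "in_headlines" flag exists only to show that media attention is never consulted.

```python
from dataclasses import dataclass

# Five-point criticality scale the article describes: 1-3 is at most
# "Moderately Critical", 4 is "Highly Critical", 5 is the maximum.
HIGHLY_CRITICAL = 4

@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder, not a real Secunia advisory id
    product: str
    criticality: int      # verified rating, 1..5
    in_headlines: bool    # media attention; deliberately never consulted

@dataclass(frozen=True)
class Asset:
    product: str
    internet_facing: bool
    count: int

def exposure(adv, assets):
    """Deployed instances of the affected product (internet-facing count double); 0 = not in the estate."""
    return sum(a.count * (2 if a.internet_facing else 1)
               for a in assets if a.product == adv.product)

def remediation_queue(advisories, assets):
    """Steps one and two: drop advisories for products we do not run, then order by
    verified criticality first and exposure second. Headline status plays no part."""
    scored = [(adv, exposure(adv, assets)) for adv in advisories]
    deployed = [(adv, exp) for adv, exp in scored if exp > 0]
    deployed.sort(key=lambda item: (-item[0].criticality, -item[1], item[0].advisory_id))
    return [(adv.advisory_id, adv.criticality, exp) for adv, exp in deployed]

def immediate_wave(queue):
    """Step three: only Highly Critical items enter the first, tested rollout wave."""
    return [item for item in queue if item[1] >= HIGHLY_CRITICAL]

# Constructed sample data; ratings and counts are illustrative, not real advisories.
SAMPLE_ADVISORIES = [
    Advisory("ADV-A-SPECTRE-UCODE", "Desktop CPU microcode", 2, in_headlines=True),
    Advisory("ADV-B-SPECTRE-HV", "Hypervisor", 4, in_headlines=True),
    Advisory("ADV-C-WAS", "IBM WebSphere Application Server 9.0", 4, in_headlines=False),
    Advisory("ADV-D-JACKSON", "Jackson 2.0", 4, in_headlines=False),  # not deployed here
]
SAMPLE_ASSETS = [
    Asset("Desktop CPU microcode", internet_facing=False, count=500),
    Asset("Hypervisor", internet_facing=False, count=40),
    Asset("IBM WebSphere Application Server 9.0", internet_facing=True, count=30),
]
```

With this data the widely reported but "Moderately Critical" microcode advisory drops to the bottom of the queue, the undeployed Jackson advisory is removed entirely, and only the two Highly Critical items enter the first rollout wave.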

By following this simple three-step approach, your security team turns the unknown into a proactive action plan to manage the important risks. Ultimately, this will protect your organisation’s business, clients and reputation from the damaging effects of an attack.