Technology is great but fundamental security flaws have just been discovered: Meltdown and Spectre

In the first days of 2018, the international IT industry publicised that it had identified two dangerous flaws dubbed ‘Meltdown’ and ‘Spectre’ which have compromised the basic security of practically all computers. When we say all, we mean ALL - not just the PC or laptop on your desk, but mobile phones, tablets, routers, cloud servers and basically any electronic device that has a degree of intelligence. That sounds like an overstatement, but it’s believed that nearly every computer chip made in the last 20 years is at risk. That’s big, and not just in terms of the number of devices affected, but how to, and who should, address the issue is also extremely complex. The flaws are so fundamental and widespread that security researchers are calling them catastrophic.

Meltdown and Spectre are the names given to what is fundamentally the same underlying vulnerability, which if exploited, could allow attackers to access data on electronic devices that has previously been considered completely protected. The underlying vulnerability is caused by a breakdown of the security fences that would normally be enforced by the processing chips / hardware. This weakness can allow a malicious program to gain access to data that it shouldn’t have the right to see, including information that only system administrator(s) should have access to, user and password information, personally identifiable information, and even data owned by other users and servers hosted on the same hardware. This last point should be of particular concern to those businesses that use and rely on cloud computing services because an attacker hacking a cloud server would have access to the information of the many businesses using that server. The following articles provide simple explanations, what the complexities in resolving it are, and what is being done.

Spectre and Meltdown explained: What they are, how they work, what's at risk

Meltdown and Spectre fixes arrive - but don't solve everything

What you should do?

There are plenty of articles available online which discuss the issues posed by Meltdown and Spectre as well as suggestions on what needs to be done, with the recommended solutions varying widely from applying software patches to replacing hardware.

The general recommendations from the industry are to ensure you have reputable commercial grade anti-virus and browsing protections in place, and operating system upgrades are continuously applied. It is important to note however that patches are known to cause system instability and potentially significant degradation of performance, therefore recommendations for fixes made on one day may be overturned the next. Our recommendation, before you do anything, is to talk to your IT service provider and get their guidance on the right approach for your business.

Spectre and Meltdown are also timely reminders that all businesses should be addressing cyber-security and ensuring their risk registers have identified IT vulnerability as a potential risk to the business.

Contact us if you need assistance with developing your risk register, creating a cyber-security policy and implementing a Business Continuity Plan.