Newly Discovered Security Flaws Are Built into Almost All Computers. But You Aren’t Defenseless.
Security researchers gave everyone who uses a computer or mobile device a rude introduction to 2018. Last week, a team of experts announced the discovery of two major security flaws in the microprocessors that run almost every computer in the world. Given the appropriately ominous names Meltdown and Spectre, these flaws could allow hackers to steal anything stored in the memory of computers, mobile devices and cloud computer systems.
The most disturbing aspect of these security holes are a feature, not a bug. That is, they are features that were built into the heart of every computer almost 20 years ago to help process information more quickly. Only recently did it become clear that these design features could be exploited for nefarious purposes.
As the researchers describe it, Meltdown, “allows a program to access the memory, and thus also the secrets, of other programs and the operating system.” Meanwhile, Spectre “allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.”
These flaws are hardwired into microprocessors from Intel and other chip makers who make the silicon brains of almost every computer and device in the world. According to The New York Times, repairing the Spectre flaw could require redesigning and replacing millions of microprocessor cores. And repairing the hole created by Meltdown requires a software patch which could dramatically degrade computer performance.
The Spectre of a Meltdown
So what’s the solution? Intel released a statement saying:
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Translation: Don’t get hacked.
Intel CEO Brian Krzanich said on Friday that the company would not recall its chips and that security patches would be available for “95 percent of affected systems” within days. However, the website publicizing the discovery notes that, while Meltdown can be fixed with a software patch, Spectre opens up a whole class of attacks for hackers and cannot be repaired with any single patch. The website states, "As [Spectre] is not easy to fix, it will haunt us for a long time."
That means it’s up to you, the end user, to install software updates as soon as chipmakers and software companies roll them out. You should keep all your software updated, including your web browsers and plugins like Flash. Also, run security software to make sure you don't have any malicious software on your computer right now.
The good news is that hackers need to install malware on your computer before they can exploit these security holes. The most likely threat is from phishing emails designed to trick users into clicking on a link and downloading malicious software. Control the devices and computers on your network including laptops, workstations and servers used to monitor processes, files, user activity, network activity and other aspects of the system for suspicious behavior. And, of course, follow best practices in your email usage and never, ever click on a suspicious link or download files from an unknown source.
The Fix is In
As of last week, Microsoft said Windows users will need to install an update from the company to fix most of the problems. The open-source Linux operating system has already posted a patch for that operating system while Apple is expected to have a full update in coming days.
Dealing with these and other security flaws is a lot of work, but the Gordon Flesch Company can help. The traditional approach to managing IT — by adding technology experts to the payroll — simply isn’t practical for many businesses. If you’re a small or medium-sized business, you can have cybersecurity resources usually available only to large enterprises when you enlist the help of a virtual Chief Information Officer (vCIO). Unlike other things labeled “virtual” these days, a vCIO is an actual human being that serves on a team of technical experts at your disposal.
Tackling malware and protecting your network is a never-ending battle, but it can be managed. To make sure your business is completely protected, reach out to a Gordon Flesch Company representative today for a free, no-obligation consultation to determine your business security needs. And if you’re considering whether Managed IT and the vCIO services that come along with it are right for your business, be sure to check out our helpful comparison guide below.