4 Best Practices to Protect Your Business
It’s been weeks since the Meltdown and Spectre vulnerabilities took the security world by storm, yet we’re still living in a state of chaos and confusion. The best “fix” for these bugs is still forthcoming, and patches should be implemented once they’re available. Michael Lines offers guidance to help you master the art of patching.
By now, you probably know that Meltdown and Spectre exploit critical vulnerabilities in modern processors, allowing malicious programs to steal data that is being processed on a computer. The unforeseen consequences of these hardware design flaws leave us facing a problem unlike anything we’ve ever seen, both in scope and scale (billions of desktops, laptops, smartphones and cloud computing platforms are affected). As a result, hardware and software vendors and researchers are still trying to determine the best “fix” for these bugs, and companies are still struggling to understand the scope of the issue, their vulnerability level and what they can do about it.
Early announcements calling for replacement of the impacted CPU chips have rightfully been supplemented with more practical advice: apply the appropriate patches as they are released. This is a complicated process in its own right, as patches will need to be applied across a vast array of operating systems, and many of these patches have yet to be developed and released.
But there’s no need to panic. Here are several best practices to help you master the patching process.
#1: Know Your Assets
You can’t patch systems, services and other assets effectively if you don’t understand your environment. Taking inventory of assets is a critical first step to patching the holes. And, given the increasingly sophisticated malware that exists today, you will need an even more granular understanding of the hardware (down to operating systems and processors) in your environment, so you can apply the right patches to the right systems.
#2: Test Continuously
Organizations should routinely test patches before applying them to production systems. This is more important than ever when patching Meltdown/Spectre vulnerabilities, as the associated patches are reportedly causing both performance slowdowns and stability issues. Companies must understand the impact of patches before applying them; otherwise, they risk disrupting their business operations more than the vulnerability itself would.
#3: Manage Your Risk
Meltdown and Spectre have reminded us that risk management is the foundation of a good information security program. Not only should you be aware of your assets and the risk level associated with each, but you also must consider the risks that patching itself introduces, such as the performance and stability issues mentioned above. That said, it’s a good idea to research alternative methods of vulnerability management, as some countermeasures may have more benign side effects than the available patches do.
#4: Leverage Threat Intelligence
Cyber criminals are increasingly collaborating to wreak havoc on businesses and consumers alike, so we, as the potential victims, must work together as well. Threat intelligence communities exist so participants can report and stay up to date on new vulnerabilities, threats and countermeasures. This threat data will help you apply patches to your environment quickly, correctly and appropriately. While some threat intelligence exchanges require a paid subscription, others are free – so, even if you’re a small business, threat data is available to help you defend against today’s advanced malware.
Incident Response is Key
While the hysteria over Meltdown and Spectre is understandable, it’s important not to panic. What matters most is the ability to react in a predictable and repeatable way.
Most importantly, remember that building an effective security program is not a one-time effort. Cyber criminals become more sophisticated by the day, threats are continuously evolving, and your security strategy must adapt right alongside them. Meltdown and Spectre have reminded us that we must go back to the basics, and now is the time to put fundamental security processes in place to minimize risk, maintain protection and bring clarity to the current state of chaos.