Quick Facts on Meltdown and Spectre for Small Businesses
2018 started off with a bang for cybersecurity experts and anyone with a computer. Here is a summary from various news sources of what has happened:
· In June 2017, a security researcher, Jann Horn, working for Google’s Project Zero team, identified a significant vulnerability at the computer memory hardware level. If the flaw is exploited, a hacker could theoretically steal whatever is in the computer memory.
· The team notified key vendors/providers such as Google, Intel, Microsoft, Apple, AMD, Mozilla, Linux, Amazon and many more. Vendor teams worked on patches and it seems they agreed to keep the news quiet until January 9th, for January’s “Patch Tuesday”.
· On January 1, 2018, an anonymous poster called Python Sweetness posted comments on Tumblr. More details were disclosed in The Register on January 2. Numerous informative articles from news media are available online.
· There are 2 specific flaws identified, called Meltdown and Spectre. There are even logos developed for the flaws that the researchers have used for additional awareness. There is a website hosted by Graz University of Technology with details.
· The Meltdown flaw affects all computers that use an Intel microprocessor, which is nearly all computers. The flaw has been there for over 20 years. A software patch can address the problem, at least in part.
· The flaws impact Apple Mac and iOS devices as well.
· Spectre is reported to be much harder to fix and there are no specific patches yet. It is also thought to be harder to exploit.
· To date, there are no known exploits of these vulnerabilities.
Possible Impact to Small Businesses
· If your small business is using cloud computing, there may be a risk, since it would be theoretically possible for a hacker to use the same cloud service and access your data through the flaw in the hardware.
· Once patches are installed on your computers, there may be a slow-down in processing. Early reports say the patch may slow processing by as much as 30%.
· Microsoft is not releasing the patch to computers that are using third-party anti-virus software until that software is updated.
Action for Small Businesses
· Talk with your cloud computing provider if you use cloud services, or check out their website for updated information.
· Check your anti-virus software provider’s website to see if they have released a patch for your computers. If so, be sure you have installed the patch. Then check to see when your last Microsoft patch was installed. Install it if it didn’t auto-install.
· If your anti-virus software provider has not released a patch, monitor their progress. If they don’t release it soon, consider changing providers.
· Be prepared for slower processing. Hopefully in the coming months the vendors will find ways to improve processing times.
· Only download software and apps from known sources such as the actual software manufacturer or app store to reduce your risks.
About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.