The Key Takeaway from Gartner’s Seven Steps To Deal With Spectre and Meltdown
Analyst and research firm Gartner today released “Security Leaders Need to Do Seven Things to Deal With Spectre/Meltdown,” a report written to help enterprises deal with the continuing fallout of what might be the security crisis of the still-young year.
As reported previously, Spectre and Meltdown are the recently discovered, long-standing vulnerabilities in the speculative execution feature of nearly every modern microprocessor. Without proper patching, nearly every endpoint is vulnerable to attackers who abuse this normal processor behavior to read passwords and data that would otherwise be protected. However, because the issue stems from hardware flaws rather than software, the patches for them have proven inconsistent or, at times, outright damaging.
According to their press release, a good portion of Gartner’s advice on Spectre and Meltdown focuses on determining what endpoints are necessary to patch and which ones are not. This maxim is primarily rooted in the fact that patches so far released have resulted in significant performance slowdowns. Additionally, some older systems have not received a patch of any kind and are not likely to in the future. This can and should influence where enterprises choose to store their most precious data and whether to hold off on patches until they can demonstrate minimal performance impacts.
But the greatest takeaway of all is also the most aligned with common sense: don’t allow untrusted or unknown code onto your systems. Spectre and Meltdown are not remotely executable—exploit code has to be running on an enterprise’s system to function. By simply taking the time to strictly regulate what can and can’t run on your OS, you can cut the risk from Spectre and Meltdown to negligible. It’s simple advice, but it is often the simplest advice that goes neglected. Too many enterprises are too loose with what they allow onto their systems—and the threat of Spectre and Meltdown is becoming less and less hypothetical by the day.
You can read the full press release here.