Here at Solutions Review we’ve been providing extensive coverage of the Meltdown and Spectre revelations and the fallout from them. We even spoke to Neil Weitzel, Director of Security Research at SIEM vendor Cygilant, about what these flaws might mean for the future of cybersecurity.
We’ve been lucky to also speak with InfoSec expert Dr. Eric Cole about these vulnerabilities, and he offered his own opinions on the matter. Think of this interview as a companion piece to our first interview, offering a different perspective and best practices in the wake of these discoveries.
Solutions Review: Intel has been downplaying the severity of Meltdown and Spectre as threats. Do you agree with them that the dangers are being over-exaggerated, or is this far more serious than Intel wants to admit?
Dr. Eric Cole: All threats are serious, but as I’ve said many times the severity of a threat or data breach is all about how much data was compromised. At this point, there’s no evidence that Spectre or Meltdown have resulted in serious losses of data. Don’t get me wrong, they certainly could, and this is why it’s important for individual consumers and enterprises to apply the patches the vendors are providing.
Also, you need to look at this from a couple of different perspectives. As an individual owner of a Mac or PC, these threats won’t affect me any more or less than any other threat if I don’t do anything stupid – and by that, I mean click on suspicious links or attachments. Neither Meltdown nor Spectre can be remotely activated without some code injection. So, if that code never makes it onto a user’s machine, they’ll be fine.
The real concern is with cloud service providers whose servers house the data of multiple customers. If servers get compromised using these exploits, then the damage could be widespread.
SR: Should these issues have been discovered much sooner than they were?
EC: Technologically, we wouldn’t be where we are today without the amazing advances in chip processing speed. Companies like Intel, AMD and ARM have been on the forefront of chip design.
As for their “discovery” – the features that enable Meltdown and Spectre have been around for nearly 20 years. The real discovery is that they can be exploited to extract data, and that’s a function of the increasing sophistication of the hacking mind, although it’s important to note that these issues were discovered by Google engineers and not by malicious actors.
SR: Patches are being released daily to alleviate Meltdown and Spectre. What do you make of these patches? Will they be enough to solve the problem?
EC: Once any vulnerability has been exposed, the race begins to patch and mitigate it. Patches may not be enough to solve the problem, especially since Spectre is truly embedded in the chip design. But as with any vulnerability, patches are essential to slowing down the adversary. The good news with both these exploits is that they still rely on injecting malicious code into the target. So, if machines are protected from malware, the threat of these chip-based side channel attacks is mitigated.
SR: There have been increasing reports that the patches released aren’t integrating with anti-virus software. Does this foretell of future security problems?
EC: This is largely a result of Microsoft’s announcement that anti-virus software must conform to Microsoft’s Meltdown/Spectre fixes to allow future security updates. This is largely for corporate customers running commercial-grade anti-virus programs.
Thanks again to Dr. Eric Cole for his time and expertise!
Eric Cole, PhD, is an industry-recognized security expert with over 30 years of experience in consulting, training, public speaking, and expert witness testimony. The founder and CEO of Secure Anchor Consulting, Dr. Cole’s career has spanned industry and government roles including CTO at McAfee, Chief Scientist for Lockheed Martin, and member of the Commission on Cyber Security for the 44th President, Barack Obama. He is most recently the author of Online Danger: How to Protect Yourself and Your Loved Ones from the Evil Side of the Internet available on www.onlinedanger.com or on Amazon.
Latest posts by Ben Canner (see all)
- Why Due Diligence Matters to Determining Third-Party Risk - August 15, 2019
- The 11 Top Enterprise Threat Intelligence Platforms of 2019 - August 14, 2019
- What Makes Next-Generation SIEM So Essential? - August 8, 2019