January kicked off with two new computing hardware vulnerabilities known as Meltdown and Spectre, which take advantage of CPU design flaws that allow malicious software to access what should be protected areas of memory. This access enables the potential theft of sensitive information such as passwords, encryption keys, and Personal Identifiable Information ‘PII’. These types of vulnerabilities are particularly worrisome in multi-user and multi-tenant virtualized environments found in the cloud as well as high value targets such as smartphones.
One common element between both Meltdown and Spectre is that they will require software updates to the operating system, be it VMWare, Xen, Windows, MacOS, Linux, IOS, or Android. It is worth noting that vendors will likely not release updates for out-of-support software, which will be problematic for machines running old operating systems (think: Windows XP/2000) and highlights the importance of upgrading technology.
A key difference between the two vulnerabilities is that while Meltdown is relatively quick and easy to mitigate, Spectre will require more time and effort to address. Why? Because Spectre requires (a) vendors to package many variations of microcode updates to address all their hardware models (which then need to be installed), and (b) most end-user applications will need to be recompiled and re-released by vendors, resulting in a significant volume of patching.
Mitigating Risk with Patching
Because Spectre vulnerabilities are ubiquitous and have varying risk profiles, a risk-based approach to patching currently offers the best return on investment from an information security standpoint. IT providers like Eze Castle Integration can simplify this effort through fully-managed patch management services, which help ensure software and firmware remain up-to-date.
To give you more insight into how a centralized patch management service can benefit your firm, here’s a look at how our Eze Patch Management Service works, spear-headed by our Network Operations team.
Our NetOps team takes a phased approach to patch management, with the end goal of reducing as much overall risk to the client as possible. The phases include:
Discover & Test Patches: Immediately after a patch is issued by the software provider (i.e. Microsoft), NetOps deploys the patch to a lab environment that simulates a client infrastructure. This testing phase allows our team to identify any unforeseen issues and make adjustments as necessary before issuing updates more broadly.
Pilot & Plan Deployment: Shortly after the testing phase, patches are deployed to ‘pilot’ clients and early adopters, providing NetOps with additional insight into the effectiveness of the patch.
Deploy Patches: Finally, during the deployment phase, all subscribed clients are issued the necessary patches. Ongoing monitoring takes place to ensure patches are applied as intended.