January 5, 2018
What An Interesting Start To The Year
I didn’t expect the year to kick off with it raining iguanas in Florida, a gas pumping crisis in Oregon, or the discovery and release of two massive CPU flaws that affected many of the computers we live and work with every day. It appears 2018 has started with a bang! Since I’m not an expert on reptiles or pumping gas, let’s recap the week that went haywire:
We Collectively Sighed When Another Bug Website Popped Up
But wow . . . if any bugs deserve a name and website, these two do!!! Plenty has been written about the specific details of the CPU flaws, including the research I co-authored for Forrester clients, located here, so we’ll skip a deep dive here to focus on some of the interesting details and implications of this attack:
- Google’s Project Zero team keeps making the world more secure. Google deserves a nod of appreciation for its willingness to sponsor a team of top-notch security researchers, then share the work of those researchers with industry and users. Google itself certainly receives benefits from this team, by helping secure their products and services, along with the media attention and PR, but processors and applications are safer today than they were last week.
- Coordinating this release was almost perfect, but it did fall short. These issues remained outside of public scrutiny for months while processor manufacturers, operating system vendors, cloud service providers, and open source contributors developed mitigations. That’s a cross-industry, global group with competing interests, which almost managed to avoid sending customers and users into panic mode. It’s quite difficult to state how challenging that is, so every participant deserves credit. If you’ve spent the last three days explaining CPU architectures and hypervisor escapes to various stakeholders, you probably aren’t feeling too positive about “good enough” and “almost perfect” though.
- Expect this one to linger for a long time. Prior to Intel’s release of microcode fixes for existing CPUs vulnerable to this issue, it appeared that the only fixes were software-based workarounds at compile time or CPU replacements. Thankfully, microcode fixes are available, but those fixes are being distributed by hardware manufacturers. That is a challenge; although enterprise organizations with support contracts can overcome it, for end-user systems it is a nightmare. The development, distribution, and installation of these patches will never end. On systems that don’t get patched, it means that information is at risk. Since most devices are used for work and personal purposes, personal and corporate information is put at risk for a long, long time.
- Some new heroes were revealed: OS vendors! Operating systems often find themselves the target of attackers and spend time developing patches for security flaws present in their own technologies. This time, in the case of MELTDOWN, operating system vendors like Microsoft and Apple became heroes, releasing software updates to help mitigate issues caused by the underlying processor.
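The OS-side mitigations mentioned above are something an administrator can verify rather than assume. As an added example (not from the original post), this script reads the per-issue status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/ and classifies each one; when that directory is absent (older kernel, or a non-Linux host) it falls back to a constructed sample report.

```python
"""Summarise a Linux kernel's Meltdown/Spectre mitigation status.

Kernels from 4.15 expose one file per issue under SYSFS_DIR (e.g. "meltdown",
"spectre_v1", "spectre_v2") containing "Not affected", "Vulnerable ...", or
"Mitigation: <technique>". Older kernels have no such directory at all.
"""
from pathlib import Path
from typing import Dict, Optional

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample (not captured from a real host): what an early-2018 kernel
# with the page-table-isolation patch but no retpoline build might report.
SAMPLE_REPORT = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status: str) -> str:
    """Map one sysfs status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    # "Vulnerable ..." and any unrecognised or empty text count as exposure:
    # an unknown string is a reason to investigate, never a clean bill.
    return "vulnerable"


def summarise(report: Dict[str, str]) -> Dict[str, str]:
    """Return {issue: classification} plus an 'overall' verdict for the host."""
    result = {issue: classify(text) for issue, text in report.items()}
    result["overall"] = "vulnerable" if "vulnerable" in result.values() else "ok"
    return result


def read_live_report(sysfs_dir: Path = SYSFS_DIR) -> Optional[Dict[str, str]]:
    """Read the real sysfs files; None when the running kernel predates them."""
    if not sysfs_dir.is_dir():
        return None
    return {p.name: p.read_text() for p in sorted(sysfs_dir.iterdir()) if p.is_file()}


if __name__ == "__main__":
    live = read_live_report()
    report = live if live is not None else SAMPLE_REPORT
    print("source:", "sysfs" if live is not None else "constructed sample")
    for issue, verdict in summarise(report).items():
        print(f"{issue:12} {verdict}")
```

A kernel without the sysfs directory cannot be assumed patched; treat "no report" the same way the script treats an unknown string, as a host that still needs checking.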
So What’s Next?
Well, this one was bad, but there will be more. The digital transformation, ubiquitous connectivity, personalization, systems of engagement, and systems of insight will continue to become – and define – the ways we interact with each other. Those systems ride on top of hardware, run software, and collect and use more data than at any other time in human history. Security wasn’t always a priority when much of the hardware and software we depend on was developed. If these flaws teach us nothing else, they should teach us the ramifications of ignoring security when we design, build, and release hardware and software.
This isn’t the end, or the beginning, of the cybersecurity crises that businesses, consumers, and governments will face in 2018 and beyond. As we become increasingly connected and engaged via technology, expect more frequent, more severe, and more damaging cybersecurity events.