On 14 May 2019 Intel disclosed a new group of side-channel vulnerabilities in their processor microarchitecture, collectively called MDS (Microarchitectural Data Sampling). Intel have provided microcode updates to their manufacturing partners for inclusion in firmware updates, and to Microsoft, Linux and other operating-system developers for integration into software patches. Note that the two go together: the OS-level mitigation relies on the new microcode, so a patched kernel on a system with old firmware is still exposed.
If you remember back to last January’s disclosure of Spectre, this sounds very much like the same thing all over again. Spectre was the first time we’d seen an architectural vulnerability of this kind, and the security industry predicted it was only the beginning. That has proved prescient: since then we’ve seen further microarchitectural attacks such as Foreshadow and Spoiler, the latter of which has no software or hardware mitigation and isn’t likely to get one for several years, because simply mitigating it while retaining the current design principles would impose a severe memory-performance penalty.
Intel rate the MDS vulnerabilities as low to medium severity, citing the considerable technical difficulty of developing a reliable exploit and the level of access required to run it (i.e. the attacker must already be able to execute code on the machine, which in practice means it has been compromised by some other means). Some security researchers familiar with MDS disagree with Intel’s rationale, but Intel’s statements are factual: if we do see a malicious exploit leveraging these side channels it will be extremely sophisticated and one component of a much larger attack chain. That doesn’t mean it won’t happen.
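Before deciding how seriously to take the MDS advisory on your own fleet, the first practical step is to find out whether each Linux host actually has the mitigation in place. The kernel reports this in `/sys/devices/system/cpu/vulnerabilities/mds`, and `/proc/cpuinfo` lists the `md_clear` flag once the new microcode is loaded. The script below is an added example written for this article, not Intel’s or any distribution’s tooling; it parses those two sources, runs against constructed sample text so it can be exercised offline, and reads the live files when they exist. The status strings it matches are the ones the mainline kernel prints, but treat the exact wording as an assumption and check your own kernel’s documentation if the classifier returns `unknown`.

```python
"""Check MDS mitigation state on a Linux host (added example, not vendor code)."""
import os

SYSFS_MDS = "/sys/devices/system/cpu/vulnerabilities/mds"   # assumed mainline path
PROC_CPUINFO = "/proc/cpuinfo"

# Constructed sample content, shaped like the kernel's real output.
SAMPLE_STATUS_PATCHED_SMT = "Mitigation: Clear CPU buffers; SMT vulnerable\n"
SAMPLE_STATUS_NO_UCODE = "Vulnerable: Clear CPU buffers attempted, no microcode\n"
SAMPLE_STATUS_NOT_AFFECTED = "Not affected\n"
SAMPLE_CPUINFO_NEW_UCODE = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse sse2 ssbd ibrs ibpb stibp md_clear flush_l1d\n"
)
SAMPLE_CPUINFO_OLD_UCODE = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse sse2 ssbd ibrs ibpb stibp flush_l1d\n"
)


def classify_mds(status: str) -> dict:
    """Map the sysfs 'mds' line to a small verdict.

    'mitigated' is True only when the kernel is actually clearing CPU buffers;
    'smt_exposed' flags the case where hyper-threading leaves a cross-thread
    leak even with the mitigation active.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return {"state": "not_affected", "mitigated": True, "smt_exposed": False}
    if s.startswith("Mitigation:"):
        return {"state": "mitigated", "mitigated": True,
                "smt_exposed": "SMT vulnerable" in s}
    if s.startswith("Vulnerable"):
        # Covers both plain "Vulnerable" and the "attempted, no microcode" case:
        # the kernel is willing to mitigate but the firmware never delivered md_clear.
        return {"state": "vulnerable", "mitigated": False,
                "smt_exposed": True, "needs_microcode": "no microcode" in s}
    return {"state": "unknown", "mitigated": False, "smt_exposed": None}


def has_md_clear(cpuinfo_text: str) -> bool:
    """True if any 'flags' line in /proc/cpuinfo advertises md_clear (new microcode)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            if "md_clear" in flags.split():
                return True
    return False


def assess(status: str, cpuinfo_text: str) -> str:
    """Combine both signals into a one-line verdict for an inventory report."""
    v = classify_mds(status)
    ucode = has_md_clear(cpuinfo_text)
    if v["state"] == "not_affected":
        return "not affected"
    if v["state"] == "mitigated":
        return "mitigated, SMT still exposed" if v["smt_exposed"] else "mitigated"
    if v["state"] == "vulnerable":
        return "vulnerable: kernel patched, microcode missing" if not ucode \
            else "vulnerable: microcode present, kernel mitigation off"
    return "unknown"


def assess_live_host() -> str:
    """Read the real files if present; on non-Linux hosts report that instead."""
    if not (os.path.exists(SYSFS_MDS) and os.path.exists(PROC_CPUINFO)):
        return "unknown (sysfs/proc not available on this host)"
    with open(SYSFS_MDS) as f, open(PROC_CPUINFO) as g:
        return assess(f.read(), g.read())


if __name__ == "__main__":
    for name, status, cpu in [
        ("patched, SMT on", SAMPLE_STATUS_PATCHED_SMT, SAMPLE_CPUINFO_NEW_UCODE),
        ("old microcode", SAMPLE_STATUS_NO_UCODE, SAMPLE_CPUINFO_OLD_UCODE),
        ("AMD/unaffected", SAMPLE_STATUS_NOT_AFFECTED, SAMPLE_CPUINFO_OLD_UCODE),
    ]:
        print(f"{name:16s} -> {assess(status, cpu)}")
    print(f"{'this host':16s} -> {assess_live_host()}")
```

Run it over your host inventory via SSH or your configuration-management tool and you get a concrete list of machines that are patched at the OS level but still waiting on a firmware update, which is the gap that silently remains after a routine patch cycle.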
So where does that leave us? What is our ‘take home’ strategy, and what should we as decision makers do in response to the fact that Intel hardware is potentially vulnerable to numerous forms of attack, some of which cannot be mitigated, with more flaws likely to be discovered in the future?
You can make an immediate decision about your hardware: replacing it with AMD Ryzen (and EPYC for servers) will sidestep this current slew of issues, since AMD processors are not affected by MDS, Foreshadow or Meltdown, and it also removes your exposure to the ongoing Intel Management Engine (ME) vulnerabilities (though AMD ships its own equivalent, the Platform Security Processor, and Spectre-class attacks are not Intel-specific). But replacing your entire client and server estate is a very expensive scorched-earth strategy, and it doesn’t guarantee immunity from hardware vulnerabilities indefinitely, only from the ones we already know about.
A more resilient approach is to re-evaluate your business processes and the tools and platforms you run them on, with a view to improving your security posture and minimising your potential exposure. Part of that re-evaluation is hinted at in the wording: I wrote ‘minimise’, not ‘mitigate’, because we have to face the fact that compromise is inevitable and only a matter of time. There are far too many potential attack vectors, and we see time and time again that the best-resourced organisations on the planet get compromised, so what chance do SMBs have of remaining immune?
In about 2010 the security industry, large enterprises and governments recognised that it was unrealistic to expect networks and infrastructure to remain impenetrable; instead we needed to proactively monitor our systems and networks so that successful compromises are detected and contained as rapidly as possible. That requires sophisticated tooling as well as skilled security staff. It also requires enterprise-wide monitoring and logging, so that after an incident we can establish what was accessed, stolen or damaged, and recover any data that was affected.
SMBs simply don’t have the budget for extensive network monitoring and analysis, so we need to make smart, efficient decisions. First, the disaster-recovery strategy: if all else fails, how confident are you that your data can be restored, how quickly, and who does what to make it happen? Second, how much risk does your current infrastructure expose you to, and can you reduce it? For example, instead of running PCs and laptops with Windows and Office, can you move to VDI and thin clients, or to G Suite and Pixelbooks? Can you shift your data warehouse to BigQuery, save a good deal of money, and run analytics and reporting orders of magnitude faster? Can you introduce One-Time Passwords (OTP) and multi-factor authentication, so that a stolen password on its own is no longer enough to log in? (Hint: the answer is yes.)
But before you dismiss this as the hysterical wailing of disconnected security boffins who don’t live in the real world, where the impact on productivity and annoyance will be felt by inconvenienced staff just trying to get on with their jobs, take a minute to consider that in 2016 43% of all cyber attacks targeted small businesses, while 60% of small businesses that suffer a data breach or cyber attack are out of business within 6 months. The average cost of a malware attack is US$2.4 million. In companies with over 50,000 compromised records the average cost of a data breach is US$6.3 million. In 2017 ransomware attacks grew by 350%, while spear-phishing emails were the most widely used infection vector, employed by 71% of attackers. The Internet is saturated with malicious bots probing your networks constantly to try to find vulnerabilities while cyber-criminals will take the time to craft custom attacks against high-value targets.
When it comes to your business IT operations, you have to choose between three core competing priorities: convenience, cost and security – pick two. And remember – you only get to make a mistake about your organisation’s security once.
Could your IT security strategy do with a review?