Unless you never listen to nerd-speak, you have to have heard the discussion about Meltdown and Spectre over the last few weeks. It is a perfect time to talk about what patch management really means in your cybersecurity protections. We try our best to discuss it with less geek speak and more English. Unfortunately, this one is really nerdy.

 

HIPAA For MSPs by J. David Sims Meltdown - Patch Baby Patch

There is a lot of information out there concerning the issues we are discussing today.  Here are several links to articles and notices that we reviewed and use for our own reference.

The research papers that explain what the researchers found.

Important: Windows security updates released January 3, 2018, and antivirus software

Malwarebytes Blog: Meltdown and Spectre: what you need to know

Malwarebytes: Meltdown and Spectre Vulnerabilities – what you should do to protect your computer

Krebs on Security: Scary Chip Flaws Raise Spectre of Meltdown

Notice from HHS: Report on Recently Publicized Widespread Processor Vulnerabilities

What is Meltdown about, in English, please?

Actually, there are two problems out there: one is called Meltdown and the other Spectre. They are similar, though. To keep things simple for this discussion, we will just reference them both by saying Meltdown.

The story is that these researchers found a way for one program running on your computer to spy on the information being stored and used by another program running at the same time. This is a pretty big deal, but fortunately it is not a vulnerability that criminals seem to have started to use against us. Yet.

Almost any device that has a computer chip in it will likely need to have a security patch loaded to put a temporary fix on the problem.  The issue itself is way deep in the computer’s guts.  For now, they have just found a way to stop it from being used by the software.  The problem still exists and likely will exist for years to come.

What do I need to do to protect my systems from Meltdown, in English, please?

Load the security patches that the vendors for just about everything you use will be releasing. But keep in mind that some antivirus programs may cause a major issue when you patch. Also, there are reported cases where these updates caused computers to stop working.

This is a perfect example of why we always recommend businesses have professional IT support contracts. Fixing this problem and all the potential problems that may come along with it isn’t for the faint-hearted. Granted, it is much easier now to perform these updates than it used to be. However, when something goes wrong it is still very bad. You have to know what needs to be done to protect you without locking your computer into a useless mode for a while.

HHS released guidance via the Healthcare Cybersecurity and Communications Integration Center (HCCIC)

HHS recommends that Healthcare and Public Health entities consider installing operating system patches to Mac, Linux, and Microsoft systems in order to mitigate the risks of this widespread processor vulnerability. Organizations should exercise appropriate caution and test patches carefully before implementation on high-value assets including systems which handle PHI, PII, and should contact device vendors before deploying patches to medical technologies that are directly involved in patient treatment and/or clinical imaging due to the potential for software conflicts or performance impacts. These patches should be applied as soon as business use-case allow.

This report was prepared by the Healthcare Cybersecurity and Communications Integration Center (HCCIC) and coordinated with the HHS Computer Security Incident Response Center (CSIRC). This is a preliminary analysis of potential vulnerabilities that continue to be researched and analyzed. It is based on the latest available information as of the date at the top of the report. Readers are advised to search for the latest authoritative information and exercise professional judgment before taking actions related to these potential vulnerabilities.

Patch management matters for everything

  • Desktops and laptops
  • Servers
  • Tablets
  • Smartphones
  • WiFi Access Points
  • Firewalls and UTMs

Every device is not just equipment but also software. The software comes in many layers. Each of those layers could have security issues that attackers could use against you.

Patch management must be something you review and discuss with your tech staff on a regular basis. If you are the tech staff, you should have a plan and be proactive in reporting to your leadership how you plan to address these Meltdown and Spectre issues. Your management team needs to understand where you are vulnerable in your organization and how it can be protected.