Microprocessors

 

The discovery of two security vulnerabilities in potentially all microprocessors and some graphics cards used in today's computers has led to legal trouble for computer hardware companies like Intel Corp. But while some seek legal action, the discovery has left others scratching their heads on how to protect themselves from this new and far-reaching cyber threat.

For most companies, such protections are possible, but they're not entirely easy. Indeed, while closing one vulnerability may be a simple fix, the other may require ongoing attention and potentially expensive IT investments to mitigate.

Devon Ackerman, associate managing director with Kroll's cybersecurity and investigations practice, explained that both vulnerabilities, named “Meltdown” and “Spectre,” take advantage of microprocessors' inherent job of “logically or accurately guessing how a computation will unfold in a program.”

Ackerman likened this to the work a person does when determining “the best way to get from point A to point B.” In predicting how certain computations will unfold, a microprocessor stores data it believes it will need in its computer's memory, much like a person will access data on traffic patterns before heading out.

While microprocessors are usually restricted in what data they can store in the computer's memory, cyberattackers exploiting the Meltdown and Spectre security flaws can essentially hijack the microprocessor, circumvent these restrictions, and tap into all of a computer's data.

Meltdown and Spectre, however, are different from one another in some fundamental ways. The Meltdown vulnerability, which according to Vox is only known to affect Intel microprocessors, is “fixable because it is a software fix,” Ackerman said.

He noted that operating system providers like Microsoft, Apple Inc. and the Linux Foundation are implementing patches to their programs to close the vulnerability. Likewise, for outside enterprises, “patches and maintaining up-to-date systems is going to be one of the best defenses,” he said.

But Spectre is a different story. It may affect most microprocessors on the market, and more troubling, “it requires a hardware-related fix,” Ackerman said. “We physically have to change the way processors are engineered on a manufacturer-level to fully fix the issue around Spectre.”

Still, this doesn't necessarily mean that companies will be unprotected until they can buy and install the next generation of secure microprocessors. Ackerman noted that microprocessor manufacturers believe they will be able to come out with hardware patches to fix the vulnerability in the current technology. But, he added, “I think time will tell if this is a problem that can really be fixed by patching at that level.”

Companies and their IT and legal teams can rely on cybersecurity best practices to mitigate the threat in the meantime. Actively monitoring networks, for instance, is an essential way businesses can make sure cyberattackers haven't comprised their systems through these microprocessor vulnerabilities.

But that is only part of the solution. “A bad actor still can take advantage of these vulnerabilities from outside the network” through the use of malicious websites, Ackerman said.

“Yet in that type of a threat, disabling JavaScript or enabling a sort of site isolation in the browser can help prevent” the vulnerability from being exploited, he added.

Essentially then, a company needs to make sure all the access points into its network, as well as its network itself, is kept airtight from cyberattackers. For Ackerman, it comes down to “the IT tech team having an understanding of the software running” on its system and closing known openings.

Of course, one can also make sure that no sensitive data, such as passwords or personally identifiable information (PII), can be stored in a computer's memory for its microprocessor to access. But in today's modern IT environment, that is far easier said than done.

“Computer memory is designed to aid a computer in its quick execution of software requests and to hold data that a program is going to need on a regularly basis,” Ackerman explained. “If we didn't use memory, then we'd be reliant on a hard drive or another piece of data storage that is much slower.”

So while some companies may be able to mitigate the Spectre threat through cybersecurity practices and changing their IT environments, there will be others that seek to address the threat by investing in new microprocessors entirely. “I imagine there will be choices made to update infrastructure that has been identified as vulnerable,” Ackerman said.

But, he added, “it can require a large IT budget to replace existing hardware,” and some enterprises, such as local municipalities, government agencies or smaller businesses might not have the resources to make this viable option.