Microprocessors Represent a Dangerous 'Spectre' of a Security Threat
While it is possible to protect against the recently discovered “Meltdown” microprocessor vulnerability, the “Spectre” threat may prove far more trouble for companies to address.
January 10, 2018 at 12:43 PM
5 minute read
|
The discovery of two security vulnerabilities in potentially all microprocessors and some graphics cards used in today's computers has led to legal trouble for computer hardware companies like Intel Corp. But while some seek legal action, the discovery has left others scratching their heads on how to protect themselves from this new and far-reaching cyber threat.
For most companies, such protections are possible, but they're not entirely easy. Indeed, while closing one vulnerability may be a simple fix, the other may require ongoing attention and potentially expensive IT investments to mitigate.
Devon Ackerman, associate managing director with Kroll's cybersecurity and investigations practice, explained that both vulnerabilities, named “Meltdown” and “Spectre,” take advantage of microprocessors' inherent job of “logically or accurately guessing how a computation will unfold in a program.”
Ackerman likened this to the work a person does when determining “the best way to get from point A to point B.” In predicting how certain computations will unfold, a microprocessor stores data it believes it will need in its computer's memory, much like a person will access data on traffic patterns before heading out.
While microprocessors are usually restricted in what data they can store in the computer's memory, cyberattackers exploiting the Meltdown and Spectre security flaws can essentially hijack the microprocessor, circumvent these restrictions, and tap into all of a computer's data.
Meltdown and Spectre, however, are different from one another in some fundamental ways. The Meltdown vulnerability, which according to Vox is only known to affect Intel microprocessors, is “fixable because it is a software fix,” Ackerman said.
He noted that operating system providers like Microsoft, Apple Inc. and the Linux Foundation are implementing patches to their programs to close the vulnerability. Likewise, for outside enterprises, “patches and maintaining up-to-date systems is going to be one of the best defenses,” he said.
But Spectre is a different story. It may affect most microprocessors on the market, and more troubling, “it requires a hardware-related fix,” Ackerman said. “We physically have to change the way processors are engineered on a manufacturer-level to fully fix the issue around Spectre.”
Still, this doesn't necessarily mean that companies will be unprotected until they can buy and install the next generation of secure microprocessors. Ackerman noted that microprocessor manufacturers believe they will be able to come out with hardware patches to fix the vulnerability in the current technology. But, he added, “I think time will tell if this is a problem that can really be fixed by patching at that level.”
Companies and their IT and legal teams can rely on cybersecurity best practices to mitigate the threat in the meantime. Actively monitoring networks, for instance, is an essential way businesses can make sure cyberattackers haven't comprised their systems through these microprocessor vulnerabilities.
But that is only part of the solution. “A bad actor still can take advantage of these vulnerabilities from outside the network” through the use of malicious websites, Ackerman said.
“Yet in that type of a threat, disabling JavaScript or enabling a sort of site isolation in the browser can help prevent” the vulnerability from being exploited, he added.
Essentially then, a company needs to make sure all the access points into its network, as well as its network itself, is kept airtight from cyberattackers. For Ackerman, it comes down to “the IT tech team having an understanding of the software running” on its system and closing known openings.
Of course, one can also make sure that no sensitive data, such as passwords or personally identifiable information (PII), can be stored in a computer's memory for its microprocessor to access. But in today's modern IT environment, that is far easier said than done.
“Computer memory is designed to aid a computer in its quick execution of software requests and to hold data that a program is going to need on a regularly basis,” Ackerman explained. “If we didn't use memory, then we'd be reliant on a hard drive or another piece of data storage that is much slower.”
So while some companies may be able to mitigate the Spectre threat through cybersecurity practices and changing their IT environments, there will be others that seek to address the threat by investing in new microprocessors entirely. “I imagine there will be choices made to update infrastructure that has been identified as vulnerable,” Ackerman said.
But, he added, “it can require a large IT budget to replace existing hardware,” and some enterprises, such as local municipalities, government agencies or smaller businesses might not have the resources to make this viable option.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Houston Judge Exonerated on Appeal, Public Reprimand Vacated
- 2Bar Report - Dec. 30
- 3Employment Law Developments to Expect From the Second Trump Administration
- 4How I Made Law Firm Leadership: 'It’s Imperative That You Never Stop Learning,' Says Ian Ribald of Ballard Spahr
- 5People in the News—Dec. 30, 2024—Pond Lehocky, Buchanan Ingersoll
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
