Happy New Year to everyone! May 2018 provide you with interesting problems and the patience to solve them :)
On to the recent kerfuffle about the Intel processor bugs.
These vulnerabilities were identified in early January by Google (original Google security post):
CVE-2017-5715
CVE-2017-5753
CVE-2017-5754
These vulnerabilities have been named "Spectre" and "Meltdown" and are causing a certain amount of anxiety in some environments.
IBM has produced an excellent write-up of the vulnerabilities that covers their impacts and includes the CVE ratings:
https://exchange.xforce.ibmcloud.com/collection/c422fb7c4f08a679812cf1190db15441
Of course new vulnerabilities are bad, and often require work and remediation, but this should be part of your environment's standard vulnerability assessment and remediation program. It's not sufficient to just apply patches from a single vendor (e.g. Microsoft) on a monthly basis and consider the job "done".
You need to understand your environment's exposure to all vendors and technologies (hardware and software), monitor for new vulnerabilities, and have an internal process for reviewing and assessing the impact of these vulnerabilities. This assessment should then lead to validation via scanning or inventory, and then remediation (based on the risk level identified during the assessment and taking other controls and workarounds into consideration).
This all flows nicely into the recommended controls that you should have in place from the first five of the CIS Critical Controls V 6.1:
https://www.cisecurity.org/controls/
If your organization is "freaked out" about these new vulnerabilities, you might want to consider developing a more standardized or formalized approach for these controls.