By all means patch, but take a risk-based approach
By: Barry Hensley
Cybersecurity continues to make headlines in the New Year, including the public disclosure on January 3rd of two new vulnerabilities that affect most modern computer processors. Spectre and Meltdown represent a new class of vulnerability: they abuse a performance optimization used by modern processors (speculative execution) to read memory that should be protected. Successful exploitation could allow threat actors to access data that would otherwise be considered secure. Protecting platforms at risk, including servers, desktops, laptops, mobile devices, and hypervisors, will require deployment of operating system, hypervisor and firmware (microcode) updates.
Patching is certainly the priority at this time, but as we regularly caution our clients, patching also introduces risk in two forms: 1. performance impact to systems, and 2. conflicts with endpoint security solutions such as anti-virus. To manage that risk, take a methodical and measured approach to patching that includes thorough testing against representative systems in the different environments within your organization.
Six Steps for Remediation
Organizations should follow a risk-based approach to update impacted systems without causing undue disruption to business operations. The process outline below is a starting point; adapt it to your operations and risk appetite:
1. Identify impacted systems within your extended environment (including cloud infrastructure, cloud services and mobile devices).
2. Identify the relevant vendors and contact them for their latest patching or vulnerability mitigation advice.
3. Develop a patching plan:
   - Prioritize cloud infrastructure and systems that are used to access the web.
   - Treat security solutions that process arbitrary code (e.g. malware sandboxes) as potentially higher risk, although no in-the-wild exploitation has been observed so far.
   - Consider the existing workload of systems, particularly those close to your core operations; patching may incur a performance impact.
   - Consider host-based security controls that may conflict with the new operating system patches until updated versions of those controls are available.
   - Understand the vendor-recommended order for applying updates, e.g. Microsoft suggests updating anti-virus first, then applying operating system updates, then applying any BIOS or microcode updates.
   - Ensure you have a back-out plan in case of unforeseen impact from applying updates.
4. Communicate with key business stakeholders regarding the patching plan, the need to patch, and where they can report any impact they experience.
5. Test patches on a representative sample of systems under normal workloads, accounting for any peak workloads that are normally experienced. There is a risk that performance will be degraded following patching; systems already under heavy load may be particularly affected.
6. Deploy patches using a phased approach with monitoring periods between blocks of update activity, and monitor for unforeseen impact.
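For the "identify impacted systems" and "monitor after deployment" steps on Linux hosts, the kernel reports its own mitigation state under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, e.g. meltdown, spectre_v1, spectre_v2, each reading "Not affected", "Mitigation: ..." or "Vulnerable..."). The script below is an added example and is not part of the original Secureworks post; the function names, the VULN_DIR override and the --check flag are this example's own conventions. Run before and after patching, its exit status separates hosts that still need attention (a "Vulnerable" or unrecognised entry, or a kernel too old to have the interface at all) from hosts that are done.

```shell
#!/bin/sh
# Added example, not from the original post: classify a Linux host's
# Spectre/Meltdown mitigation state from the kernel's sysfs interface.
# VULN_DIR can be overridden (e.g. to a copied sysfs tree) for testing.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<file contents>"
# Prints one of: not-affected, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# host_status <dir>
# Prints "<issue> <status> (<raw kernel text>)" per file in <dir>.
# Returns 0 when every entry is mitigated or not-affected, 1 when any
# entry is vulnerable/unknown or when <dir> is missing (a kernel that
# predates the mitigations exposes no such directory, which for
# inventory purposes means "unpatched").
host_status() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no-sysfs-interface unpatched-kernel"
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        status=$(classify_status "$raw")
        if [ "$status" = vulnerable ] || [ "$status" = unknown ]; then
            rc=1
        fi
        printf '%s %s (%s)\n' "$name" "$status" "$raw"
    done
    return $rc
}

# Invoke with --check to run against this host; source the file to reuse
# the functions from a fleet-wide inventory script.
if [ "${1:-}" = "--check" ]; then
    host_status "$VULN_DIR"
fi
```

Because the kernel regenerates these files from the running mitigation state, the same check serves as the post-deployment monitor: a host that still reads "Vulnerable" after the reboot did not pick up the update, whatever the package manager says. On Windows the equivalent is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports both the operating system mitigation and whether the supporting microcode is present.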
At the time of publication, the Spectre and Meltdown vulnerabilities are serious, but Secureworks believes there is no immediate business impact beyond the need to patch affected systems.
Secureworks does, however, recommend continued vigilance. While there have been no reports of threat actors exploiting Spectre and Meltdown, proof-of-concept code has been publicly released to illustrate the vulnerabilities. Those demonstrations, while harmless in themselves, could act as a catalyst for threat actors to develop working exploits and capitalize on the opportunity. Strong security hygiene remains paramount to mitigate the risk of a breach.