It’s still early in 2018, and we’ve already been hit with one of the widest-reaching security flaws of all time. What makes the recent Spectre vulnerability a serious problem is the fact that it has been in place for 20 years and is the result of optimization for performance. While there are no known, documented attacks yet, the challenge here is that it affects all the major processor manufacturers – Intel, AMD and ARM.
The greatest impact of the fixes will likely be felt on mobile, where they will affect the performance of tablets, smartphones and connected devices. And because the vulnerability is in the underlying system architecture, it will be exceptionally long-lived and especially problematic for older devices that may not get updates. This gives attackers a good amount of time to develop targeted attacks aimed at the hottest targets: mobile banking, payments and medical devices.
Since exfiltration occurs via the registers or memory addresses of legitimate programs in use, cryptography-related items such as decryption keys and API credentials are likely to be the first targets: they are shared across users of an application and can provide “keys to the kingdom” in industries including media/gaming, banking and connected medical devices. Additional likely targets are the personal information of individual users managed by marquee applications, such as personally identifiable information (PII), health and diagnostic data, financial account numbers and user credentials.
The location of the vulnerability – the processor – makes it particularly hard to protect against, because it is the registers and memory themselves that are being attacked. This creates unique challenges for protection.
Some of the best ways to protect against loss from this attack include the following:
- Protecting encryption through techniques like white-box cryptography to remove the actual key material from an application so that keys are never “in memory.”
- Manipulating the control flow of an application to make targeting the correct registers or memory addresses more challenging.
- Encrypting data within the application and maintaining the encrypted state until the moment it’s needed.
- Introducing entropy and reducing predictability by dynamically changing application behavior and/or choosing different execution paths that achieve the same results.
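As an added example (not code from the article or from Arxan), the C below shows the pattern behind the third bullet: a secret is kept masked at rest and exposed as plaintext only inside a short callback whose stack buffer is wiped afterwards. The XOR masking and the /dev/urandom source are placeholders; a real implementation would use a proper cipher whose key is itself protected, for instance by the white-box cryptography mentioned above.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#define SECRET_MAX 64
/* Masked at rest; XOR masking is a placeholder for the app's real cipher. */
typedef struct {
    unsigned char masked[SECRET_MAX], mask[SECRET_MAX];
    size_t len;
} sealed_secret;
/* Wipe through a volatile pointer so the compiler cannot elide it. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}
/* Placeholder randomness source for the mask (assumes a POSIX system). */
static int fill_random(unsigned char *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, n, f) : 0;
    if (f) fclose(f);
    return got == n ? 0 : -1;
}
/* Seal the secret and wipe the caller's plaintext copy right away. */
int seal_secret(sealed_secret *s, unsigned char *plain, size_t len) {
    if (len > SECRET_MAX || fill_random(s->mask, len) != 0) return -1;
    for (size_t i = 0; i < len; i++) s->masked[i] = plain[i] ^ s->mask[i];
    s->len = len;
    secure_wipe(plain, len);
    return 0;
}
/* Plaintext exists only in this stack buffer while fn() runs, then is wiped. */
int with_secret(const sealed_secret *s,
                int (*fn)(const unsigned char *, size_t, void *), void *ctx) {
    unsigned char plain[SECRET_MAX];
    for (size_t i = 0; i < s->len; i++) plain[i] = s->masked[i] ^ s->mask[i];
    int rc = fn(plain, s->len, ctx);
    secure_wipe(plain, sizeof plain);
    return rc;
}
/* Demo consumer: returns 1 if the unsealed key equals the bytes in ctx. */
static int compare_key(const unsigned char *k, size_t n, void *ctx) { return memcmp(k, ctx, n) == 0; }
/* Round trip on a constructed 32-byte key: 1 when the unsealed copy matches
 * and seal_secret() has zeroed the caller's original buffer. */
int demo_roundtrip(void) {
    unsigned char key[32], expected[32], zeros[32] = {0};
    for (int i = 0; i < 32; i++) key[i] = expected[i] = (unsigned char)(0xA0 + i);
    sealed_secret s;
    if (seal_secret(&s, key, sizeof key) != 0) return 0;
    int wiped = memcmp(key, zeros, sizeof key) == 0;
    return wiped && with_secret(&s, compare_key, expected);
}
```

Masking with the mask stored alongside gives no confidentiality against an attacker who can read both; the value of the pattern is that plaintext exists only briefly and is cleared after use, shrinking what a memory-disclosure attack can catch.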
Here are four steps chief information security officers (CISOs) can take and implement right away to ensure their organization remains secure:
- Establish and implement good security practices on a continuous basis, including running only applications you trust from reputable businesses.
- Have users shut down applications they don’t need to have running, especially when accessing ones that manage sensitive data.
- Enable process isolation wherever possible, including browsers like Chrome (experimental feature #enable-site-per-process).
- Disable JavaScript (and really anything) where it’s not needed and use the browser’s whitelist to trust reputable sites. Caution against even reputable sites, however, where ads are present (consider an ad-blocker).
If there was one thing we learned from WannaCry and NotPetya last year, it’s that ransomware and hacking have gone mainstream. And if there’s anything we learned from the KRACK or Janus vulnerabilities, it’s that things will continue on this trajectory. Spectre is already miles bigger than other vulnerabilities we’ve seen. That said, maintaining best practices to prevent and deter attacks, combined with a heightened focus on detection and visibility, will go a long way toward keeping businesses secure and their assets and reputation protected.
About the author: As a technology leader and business innovator, Rusty Carter has been bringing successful products to market for almost two decades across cybersecurity, mobile, SaaS and payments technologies. As Vice President of Product Management at Arxan Technologies, Rusty has led the company to define, market and sell enterprise security products. Prior to Arxan, Rusty led product management at multiple cybersecurity companies including McAfee, Symantec, and Pulse Secure.