This is because Spectre can be used to attack almost any type of processor while Meltdown is a vulnerability that’s specific to Intel processors. For Spectre, in particular, this vulnerability poses a potential danger of exposing secured memory belonging to a process that can provide bad actors with sensitive personally identifiable information (like usernames and passwords) and can be launched quickly from the browser using a script.
Meltdown, on the other hand, requires an actual malicious process to run on the system to interact and break down the barriers between the operating system (OS) kernel and the applications that are running on it. In this scenario, malware can use this technique to read application memory and the OS to access sensitive data like encryption keys and passwords.
Although these vulnerabilities have existed for more than two decades, no one has ever reported a breach, but that doesn’t mean that it isn’t already happening.
For financial institutions, the widespread nature of this threat and the publicity surrounding it make it a serious problem that requires immediate attention.
So what should financial services firm know about this threat? Let’s take a look.
Older Servers and Systems are Especially Vulnerable
While all computer hardware is vulnerable to Spectre and Meltdown, banks and other financial institutions running applications on older legacy OSs without patches are especially at risk. This makes it critical for the industry to apply all available software and hardware patches immediately to mitigate risks and other known vulnerabilities.
As both Spectre and Meltdown are hardware vulnerabilities, so just adopting safer surfing habits and deploying security programs will do very little to effectively protect against a potential attack.
However, there are already several patches available for the Meltdown variant on macOS, Linux, and all supported versions of Windows. Anything that can be patched should be patched immediately on a microprocessor level, OS level, and the application level.
Banks and financial services institutions should engage in testing to ensure that patches don’t come into conflict with other software like antivirus programs. At the same time, you might also need to upgrade your firmware, and this can lead to additional complexities and costs.
Performance and Security Tradeoff
However, these updates will take a performance hit on Intel products slowing down the system by about 5% to 30% (depending on the processor model and the task). If the machines are equipped with more recent Intel chips with features like PCID, performance issues can be reduced (but not eliminated).
This security flaw has a far-reaching impact beyond desktop computers and laptops as cloud servers will also be affected. So financial institutions will have to accept slower performance for better security.
Amazon has already updated its AWS Linux kernels to protect against Meltdown and Google has recommended cloud users to apply all necessary patches before rebooting their virtual machines. Microsoft has also deployed fixes on Azure, so if you’re using a public cloud provider to support some of your internal infrastructure, make sure that you contact them about security updates.
Once these vulnerabilities came to light, we at DataComm took steps immediately by preparing to support our client-base in patching and upgrading the firmware as needed. We also stayed in regular contact with vendors to better prepare for testing and deployment in our environment.
If you’re in the financial services industry and haven’t already responded to Spectre and Meltdown, contact your cloud service providers (especially if you’re using public clouds) to ensure that patches and updates have been deployed to stay compliant.
You should also contact your virtualization providers to ensure that the firmware and OS have been tested to safely migrate your existing environment. Testing is critical here as you will need to ensure that there isn’t any significant downtime that can have an impact on productivity and your bottom line.
To learn more about how you can protect your financial institution from the potential threat of Spectre and Meltdown vulnerabilities, call DataComm at call 1-800-544-4627, or Contact Us.