Fragmented security patches prevailing issue for CIOs

The Spectre and Meltdown hardware vulnerabilities sent industry into a frenzy and researchers expected the refresh rate of processors to accelerate.

It didn't.

The vulnerabilities were a governance crisis and threatened to expose decades' worth of chip memory.

CIOs had to know what microcode was vulnerable and what processor it was in. Companies had to track down every asset to patch: every laptop, every data center.

With the burden on companies to understand infrastructure status, patching falls under infrastructure management. In most organizations, the CIO and not the CISO owns this task. During coronavirus outbreak, when remote work could dramatically increase, companies need an accurate measure of what devices could be at risk.

The flaws forced inventory management and security to meet at a crossroads. Inventory management is the foundation for maintaining security hygiene and without it, companies could prolong risk.

The Center for Internet Security (CIS) lists inventory control of hardware and software as its top-two security protocols. If companies don't have "an overarching management system, it becomes an island and that's where it becomes problematic," Alan Priestley, research VP at Gartner, told CIO Dive.

A flaw by any other name

For Spectre and Meltdown, researchers determined the processor pipelines were too shallow to facilitate exploiting memory more than 10 years old. But in late 2019, other researchers published findings regarding a "new speculation-based vulnerability" in Intel CPUs and other "MDS-related issues, according to the TSX Asynchronous Abort (TAA) disclosure from Vrije Universiteit Amsterdam (VUSec). TAA is a rogue in-flight data load (RIDL) variant.

VUSec prefaced its research by saying there's technically no new vulnerability, as its TAA findings were sent to Intel with a RIDL submission in September 2018. For various reasons, Intel missed the proof of concept, resulting in May's MDS mitigations only "partially" addressing RIDL.

The silver lining? VUSec's research is a proof of concept. But it revisits current inventory management processes — or lack thereof.

Widely-used tech vendors such as Intel are more susceptible to exploitations, Chris Kennedy, CISO at AttackIQ, told CIO Dive. Microsoft had a bad track record for its operating system 10 years ago, which is why Apple's Macs have long been considered safer, much like Linux.

The reality is, there were more attackers targeting Microsoft because of its massive industry footprint.

"What makes [processor flaws] so interesting is that this vulnerability is pervasive throughout anything with a computer, virtualization platform, data center," said Kennedy. It's "hard to fix [because] you got to fix everything."

"These vulnerabilities are finding ways to insert themselves due to this hyper threading functionality," said Kennedy. Now, the information shared between chips' subcomponents, can be extracted by the vulnerabilities.

The IT organization should know what it has installed and its status. Hardware vulnerabilities, software and application updates are the responsibilities of IT.

"Which service could someone physically get access to and run the software on, or run this attack on?" asked Priestley. It further begs the question, "why can someone get access to your server in the first place?"

If bad actors can access servers, it "can be a bigger problem than someone attacking you with this type of vulnerability. There are a lot easier ways to get data than using these attacks," according to Priestly.

What's in an update

"If you keep adding systems into your infrastructure, and you're not in control of what's happening, you don't know what you're adding and you don't know the status of those things," said Priestly. Companies will inevitably use different tools or systems with fragmented updates and patches.

Having a living inventory record sets the foundation for security hygiene. But security patches come at a price; a tradeoff between protection and performance. Intel repeatedly delayed patches after customers complained of more frequent system reboots.

Prior to the Spectre and Meltdown disclosures, Intel introduced server processors in 2017 and then another in 2019, which means 70% to 80% of server processors supersede those refreshes. "It's the oldest stuff that's out there that's at risk," said Priestley.

The latest generation, Intel integrated the vulnerabilities into the microcode and the platform design from scratch — the first time Intel introduced a design in a post-Spectre and Meltdown world.

Intel's remediation software routinely "clears the buffer" when information is passed among chips' subcomponents, said Kennedy. This inhibits the ability to see that traffic. But "the performance you used to get out of your Intel chip is not what it used to be."

Patches have the potential of breaking existing operations. The additional security feature impacted operations to the point servers have to be updated too.

There were two ways to mitigate risk, according to Priestley:

The "quick and dirty way," which is software patches.
Microcode update to the processor, which is embedded into the processor itself, which is not part of the operating system; it's owned by Intel.