CyberWisdom Commentary and Exploit Summarized:
Has either Meltdown or Spectre been exploited yet?
No, says Bill Nelson, president and CEO of the FS-ISAC.
“These vulnerabilities are a big deal, but there is a balance of probability and exploitability to consider,” he said. “This hasn’t been exploited yet.”
On the other hand…
Steve Grobman, chief technology officer at McAfee, is less sure.
“Part of the challenge with this type of vulnerability is it’s difficult to detect,” Grobman said. “We are not aware of any known exploitation in the wild. At the same time, it may be that the existing set of capabilities that would usually detect a threat is not able to detect this type of attack yet, and that’s why we don’t see them.”
Either way, he expects to see such attacks in the future.
Frederik Mennes, senior manager, market and security strategy for the Security Competence Center at Vasco Data Security, points out that “proof of concept” code that exploits these vulnerabilities is available.
“It might be possible that hackers are exploiting this,” Mennes said. “It’s not a straightforward attack to implement on a large scale, in my opinion. It may be used to target specific users at very specific companies. But I don’t think it will be exploited on a large scale.”
Are banks prime targets?
Yes. Banks are always a high-profile target for cybercrime.
“This is a valuable tool in the tool chest of the attacker,” Grobman said. “When an attacker has an objective of getting information from a financial institution, they’re going to look at the architecture of the data center or the cloud environment, they’re going to look to understand what people run the organization: Can they convince the administrators to either run malware or provide access to information that they wouldn’t otherwise have?”
Banks with older servers and systems are especially vulnerable.
“In some cases, you may have applications that are running on legacy operating systems for which there are no patches,” Grobman said.
“That said, in general financial institutions have a higher level of discipline than other vertical sectors, and making sure all their hardware and software apply patches that mitigate this risk and other known vulnerabilities is a critical part of their cyber-hygiene.”
What should banks be doing about this?
Anything that can be patched and updated should be, Grobman said, acknowledging that there will be mission-critical systems for which there are no patches.
There are three levels of patches, Mennes said.
One is the microprocessor level — these are not available yet, but Intel said they will become available this week.
Second is the operating system level; some vendors, including Microsoft, have begun issuing patches.
The third is the application level, for browsers and apps. Google has issued a patch for Chrome (malware doesn’t have to be installed on a PC, it can attack from a webpage). All should be installed as soon as possible, he said.
The FS-ISAC has made all these available to its members, Nelson said. “These patches appear to solidly fix the problem,” he said. “All banks are working to identify and install patches on their systems that can be affected by vulnerabilities.”
Read the rest of the article for more information.
As has been the case all too often in recent months, yet another major computer security vulnerability has emerged — and, once again, it is something bankers have no choice but to treat as a direct threat. The discovery of techniques nicknamed Meltdown and Spectre that could be used to compromise most computer chips demands bankers’ immediate attention. Hackers could use them to read sensitive information stored in a computer’s memory, including passwords, account numbers and such. The good news is, though these vulnerabilities have existed for 20 years, no exploits have ever been reported. Moreover, taking advantage of Meltdown and Spectre would be difficult for cybercriminals. It requires writing software that directs malware to not only execute the technique but then do something specific like find and obtain a password. There are many simpler ways to obtain sensitive data like passwords such as keylogging, phishing and social engineering. On the other hand, this type of attack is difficult to detect, so the fact that it hasn’t been reported doesn’t necessarily mean it’s not happening. And the widespread nature of this threat, the publicity around it and the fact that banks are always a top target for cybersecurity exploits mean…
thumbnail courtesy of americanbanker.com.
More articles on what you need to know:
Hackers will try to exploit Spectre and Meltdown bugs. What you need to know