How to prevent new cyberthreats with continuous patching
Rogue In-Flight Data Load (RIDL), ZombieLoad and Fallout are among the new supervillains of cybersecurity. More widely known as Microarchitectural Data Sampling (MDS) attacks, they compromise Intel processors at the microarchitecture level and skim sensitive data from users.
Understandably, the ramifications are enormous because Intel is the largest semiconductor company in the world and these side-channel attacks affect every chip made since 2011. One more piece of bad news: These supervillains can also compromise public clouds. Information leaks like passwords and credit card numbers from individual users of public clouds may have already happened with no trace of the security lapse.
Intel, Apple, Google, Amazon and others have pushed out operating system patches to counteract MDS attacks, but the only guaranteed way to prevent an MDS attack is to disable Intel’s Hyper-Threading Technology, which could result in a 25 to 35% drop in performance. While Google preemptively shut down hyper-threading on its Chromebooks, most other companies’ patches only upgraded their security parameters. Cyber threats like MDS attacks, which could result in massive data breaches of public clouds (where networked computers transfer and share data between millions of users), will become increasingly prevalent as hackers develop more sophisticated tools to tap into a richer tapestry of data.
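As an added check that is not part of the original article, this Python snippet reads the Linux kernel's own MDS assessment from sysfs and reports whether the kernel/microcode mitigation is in place and whether SMT (Hyper-Threading) still leaves the core exposed. The sysfs path and status strings follow the kernel's documented format for that file; the verdict logic is the author's own and treats an unknown host SMT state (typical inside a virtual machine) as not safe.

```python
import re
from pathlib import Path
from typing import Optional

# Linux exposes the kernel's verdict on MDS for the running CPU in sysfs.
MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")


def parse_mds_status(text: str) -> dict:
    """Parse one line of the sysfs 'mds' file into a small verdict.

    Keys: affected, mitigated, smt ('disabled', 'mitigated', 'vulnerable',
    'unknown', or None when the kernel says nothing about SMT) and safe.
    'safe' is True only when the CPU is not affected, or the kernel reports
    a mitigation AND SMT is disabled or mitigated; an SMT state of
    'vulnerable' or 'unknown' (typical inside a guest) is treated as unsafe.
    """
    line = text.strip()
    affected = line != "Not affected"
    mitigated = line.startswith("Mitigation:")
    smt = None
    m = re.search(r"SMT (disabled|mitigated|vulnerable|Host state unknown)", line)
    if m:
        smt = "unknown" if m.group(1).startswith("Host") else m.group(1)
    safe = (not affected) or (mitigated and smt in ("disabled", "mitigated"))
    return {"affected": affected, "mitigated": mitigated, "smt": smt, "safe": safe}


def read_mds_status(path: Path = MDS_SYSFS) -> Optional[dict]:
    """Read and parse the live sysfs file; None when the kernel does not expose it."""
    try:
        return parse_mds_status(path.read_text())
    except OSError:
        return None


if __name__ == "__main__":
    status = read_mds_status()
    if status is None:
        print("kernel does not expose MDS status (not Linux, or kernel too old)")
    else:
        print("MDS mitigated and SMT handled" if status["safe"] else f"MDS exposure: {status}")
```

Run it on each host after a microcode or kernel update lands; a host that reports "SMT vulnerable" has the patch but is still relying on Hyper-Threading being acceptable, which is the trade-off the paragraph above describes.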
One viable long-term solution is to use continuous, near real-time patches and microcode updates to combat this ever-evolving threat. Although continuous patching requires sustained effort and can frustrate end users who don’t want to have to reboot their computers, these barriers pale in significance when considered alongside the likelihood of a data breach that can cost millions and degrade customer confidence.
To achieve near real-time patching, organizations will need to take a different approach to updates. Rethinking how systems, auditing and support are handled will enable greater agility and faster time-to-market for releases.
Design to tolerate outages
While designing systems and platforms for failure may strike IT folks as risky, it is far less risky than the consequences of a breach. Near real-time patching can be well managed with today’s centralized management and monitoring tools. As with a ship taking on water, it’s essential to seal off the compromised sections while plugging the leak. When systems and platforms are designed so that outages are compartmentalized, they can continue to operate optimally when an outage happens. Solutions designed in this way enable automatic updates at a much higher frequency. It is still possible to use a more traditional approach to testing updates, but that testing moves to a subset of the production infrastructure, and any issues are resolved there before the patch is rolled out more widely.
Keep your eye on the ball
Successful implementation of continuous patching requires appropriate levels of observation. Consider the following minimum areas of coverage before automating patch rollout:
- Service availability: A measure of the system’s ability to deliver service when it is demanded
- Application functionality: The set of functions or capabilities that the software is expected to provide
- System and application errors: Conditions in which an operating system or application halts because it can no longer operate safely
- Application performance: The responsiveness and availability of software applications under real use
By establishing baselines for each of these areas and creating an infrastructure that will sound the alarm when a given parameter exceeds its threshold, updates and other changes can be implemented more rapidly and with a reduced risk of issues.
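An added example, not from the original article, of the alarm-on-threshold gate this passage describes: a baseline is taken from a pre-patch observation window, the patched subset of production (the canary from the earlier section) is measured afterwards, and any of the four areas breaching its threshold halts the wider rollout. The metric names, limits and sample windows are constructed and hypothetical; real limits come from your own historical baselines.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threshold:
    """Largest tolerated regression of the patched canary against its baseline."""
    metric: str
    higher_is_better: bool
    limit: float  # max allowed drop (higher_is_better) or rise (otherwise)


# One threshold per minimum area named in the article. Metric names and limits
# are hypothetical; derive real limits from your own historical baselines.
THRESHOLDS = [
    Threshold("availability", True, 0.005),    # service availability (fraction of probes served)
    Threshold("checks_passing", True, 0.0),    # application functionality (fraction of synthetic checks)
    Threshold("error_rate", False, 0.002),     # system and application errors (fraction of requests)
    Threshold("p95_latency_ms", False, 50.0),  # application performance
]


def baseline(window: Dict[str, List[float]]) -> Dict[str, float]:
    """Per-metric baseline: mean over the pre-patch observation window."""
    return {name: mean(values) for name, values in window.items()}


def evaluate_canary(base: Dict[str, float], canary: Dict[str, List[float]],
                    thresholds: List[Threshold] = THRESHOLDS) -> Tuple[bool, List[str]]:
    """Gate the wider rollout on the canary subset's post-patch metrics.
    Returns (proceed, alarms); any breached threshold sets proceed to False,
    the signal to halt the rollout and investigate before patching further."""
    alarms = []
    for t in thresholds:
        delta = mean(canary[t.metric]) - base[t.metric]
        regression = -delta if t.higher_is_better else delta
        if regression > t.limit:
            alarms.append(f"{t.metric}: regressed by {regression:.4f}, limit {t.limit}")
    return (not alarms, alarms)


if __name__ == "__main__":
    # Constructed sample windows: three observations each, pre- and post-patch.
    pre = {"availability": [0.999, 0.998, 0.999], "checks_passing": [1.0, 1.0, 1.0],
           "error_rate": [0.001, 0.001, 0.001], "p95_latency_ms": [200, 210, 205]}
    post = {"availability": [0.999, 0.999, 0.998], "checks_passing": [1.0, 1.0, 1.0],
            "error_rate": [0.004, 0.005, 0.004], "p95_latency_ms": [300, 310, 290]}
    proceed, alarms = evaluate_canary(baseline(pre), post)
    print("continue rollout" if proceed else "halt rollout:\n  " + "\n  ".join(alarms))
```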
Up-level your IT support
IT departments need regular processes to identify and manage the risk of new vulnerabilities. My cybersecurity team evaluates Common Vulnerabilities and Exposures (CVEs) for our operating systems, network devices, application software and embedded devices daily. With processes in place to escalate issues that impact the environments, we ensure awareness and timely response. Thanks to automated patching, we’ve reduced the number of escalations required by more than 90%.
Consider future risks
While public and private clouds often steal the limelight when it comes to MDS attacks, don’t overlook the impact on Internet of Things (IoT) devices. Intel chips power many smart devices and shutting down their hyper-threading to prevent an MDS attack isn’t an option. The 25 to 35% hit to performance isn’t feasible for IoT systems that are already running on modest computing power due to cost considerations and power requirements. With 75 billion IoT devices expected to be on the market by 2025, the next big hack could come via your Roomba or integrated manufacturing plant. Remaining vigilant with near real-time patching and microcode updates will need to be the norm to prevent actual harm.
Article originally appeared at CISO Magazine.