Change control and change management are often-overlooked security controls
The latest vulnerability revelation about the chips used in Intel processors is one that affects nearly every laptop, desktop and server in operation today. It is yet another wakeup call that nothing is as secure as it seems.
Over the past 12 months the alarm clock seems to get louder and louder each time, and yet we still hit the snooze button.
WannaCry and NotPetya affected nearly every Windows operating system; KRACK affected every system using WPA2 security (the gold standard in WiFi security), such as PCs, cell phones and wireless POS systems: in short, almost everything. Now we have been alerted to Spectre and Meltdown.
What makes this wakeup call even louder is that nearly every processor produced over the past two decades is affected – yes, even all those Unix servers that comprise the Cloud to which everyone has been migrating for “security” and “ease of management.” Because of the complexities related to these vulnerabilities, and the possibility that any patch will cause whole systems to crash, Intel still does not have an effective fix that does not significantly reduce performance or create an unstable environment.
All currently released patches and firmware updates are very risky because one mistake may render the computer/system inoperable. The patch and firmware updates will need to encompass all the software and hardware installed on the motherboard, anything that might be plugged in and any drivers or software relying on those drivers.
All the imaginable combinations are difficult to grasp. What will work for one generation of chip may cause system instabilities in others, and in the case of ‘Spectre’ still does not fix the underlying vulnerability.
The good news, for now:
- There are no verified observations of either ‘Spectre’ or ‘Meltdown’ being exploited in the wild.
- Intel and AMD are devoting an enormous amount of resources to resolving these vulnerabilities.
- Everyone involved, from Microsoft and Apple to Intel and AMD, is cooperating to remediate or mitigate these vulnerabilities.
This should not stop any organization with a holistic patch management program from moving forward with regular patching. A comprehensive patch management program will maintain a process and procedure requiring Change Control Board approval.
This approval should only be granted after the proposed change undergoes several phases of testing in both physical and virtual environments. The process and procedure should also clearly define recovery point objectives and include backup and restore procedures should something go awry when deployed into the operational environment. Many information security assessments typically include an evaluation of the organization’s change management programs, as this directly relates to their security management program.
Change control and change management are key security controls that are overlooked or underemphasized in many security management programs. This is where the wakeup call should be focused. The challenges around patching or mitigating ‘Spectre’ and ‘Meltdown’ should open the eyes of security professionals running security or cybersecurity programs.