Businesses need a risk-based approach to tackle vulnerabilities like Meltdown
The recent Spectre and Meltdown vulnerabilities have been well documented, but for businesses it can be difficult to know which fixes to prioritize.
Software management and security specialist Flexera is announcing a set of recommendations to provide a standardized, risk-based approach to managing this type of vulnerability.
While these vulnerabilities are pervasive and potentially harmful, to truly assess risk CIOs need deeper vulnerability intelligence (beyond a basic CVE score). This deeper intelligence should provide product context that takes into account attack vectors and possible security impact, allowing security teams to look beyond threats commonly hyped by the media.
To date, Secunia Research at Flexera has issued more than 35 vulnerability intelligence advisories linked to Spectre and Meltdown, and most were scored below 'Moderately Critical' (criticality scores of one to three out of a possible five). This would suggest that while Spectre/Meltdown vulnerabilities are important, other more critical unpatched vulnerabilities could present a more immediate threat.
"There's no doubt companies should be concerned about Spectre and Meltdown. But since these vulnerabilities came to light on January 3, Secunia Research at Flexera has published dozens of advisories on unrelated, highly critical vulnerabilities. If weaponized, exploitation of these vulnerabilities could have a devastating impact on organizations," says Kasper Lindgaard, director of research and security at Flexera. "With more than 17,000 vulnerabilities disclosed within the past year -- how do organizations know where to allocate scarce IT sources to minimize risk? They need access to verified vulnerability intelligence and must take a common-sense, risk-based approach to applying patches. Otherwise they'll be forever chasing shadows from one sensational news cycle to the next."
Flexera advises three steps: determine the actual Spectre/Meltdown risk criticality using verified vulnerability intelligence, prioritize remediation of known vulnerabilities based on criticality, and apply patches with an emphasis on testing in controlled environments first.
"Patching is essential to reduce the attack surface, but it must be done prudently and with an understanding ahead of time of potential impacts on system performance and stability," adds Lindgaard. "Mitigation should happen carefully and conservatively, with a focus on risk-based models."
You can read more about prioritizing threats in Flexera's Vulnerability Review available from the company’s website.