Cyber Criminals are developing new ways to attack and make money. Like all industries they want to make more money this year too. We have to learn to inoculate our computers so that we have as low a chance as possible to get infected.
We have to find ways to make this goal of theirs as difficult as possible.
This year I will lose 5 pounds –
This year we will make more money with plan ABC.
Funny thing about our aspirations, they seem to be hampered by our past decisions(I should not have eaten that extra piece of cake).
Or in Cybersecurity:
I know we did not patch these 5 computers, but the risk is low so we did not make the effort.
And lo and behold a new Intel Processor bug or flaw has been found(today 1/3/2018) that unfortunately is present in all Intel processors since 1995. Ars-Technica has a good explanation of this complex bug that ultimately needs to be patched by all Operating Systems. So look for this in the next patch update in your operating system patches.
There is a database in CERT that uncatalogued vulnerabilities:
At US-CERT number VU#584653 and the CPU bug has bene called ‘Meltdown’ and ‘Spectre’
New update — Google’s Project Zero found this bug last year sometime and disclosed it to manufacturers(Intel, AMD, and ARM). It seems AMD also has a variant of this bug.
This is a typical issue, as the computer manufacturers, and their peripherals are constantly running into old bugs. and racing to fix the bugs with patch updates. So there is a constant Bug -> Patch Update process that leaves us always marginally secure even if we update on a regular basis.
In this particular case of the Intel bug, there is no patch from Microsoft yet (Day30 in my image below) it should come in 2nd week Tuesday January 9th. And likely the hackers have not developed malware yet. But for everyone that does not patch in the future (there are at least 20% of computers that do not patch on time) they will get hacked.
So as we discussed in the past in “From Vulnerability Found to Patched Safe”
The issue is to patch on a regular basis even though one has to reboot and lose capability(in this new patch resulting from Intel bug the system will run slower). In security one may want to have several different computer types even though that does not make it a “standard setup”.
To reduce Cyber Risk one may not be doing efficient actions, but it is an age old problem of more security == less function.
You can’t just walk out the door, you have to stop and use some time to find your key and lock the door.
In computers we have to patch computers and sometimes the patches are old patches that have been around for ages, and if you do not patch a hacker will use a trick to hack you, use your computers for their needs.
Contact us to develop a process for you that will ensure your systems are patched properly.
January 4th: Added Google Project Zero information.