
THE (IT SECURITY) MAN (OR WOMAN) IN THE MIRROR

Just when you were done being afraid of the cloud, it turns out the real threat comes from the folks making your processors. In about one day, your computer's brain became the biggest computer security threat, likely ever.

Unless you've been in hibernation for the winter, you know all about the Meltdown and Spectre CPU vulnerabilities, which affect almost every modern processor from Intel, AMD and ARM, going back well over a decade. Now hold on, don't roll your eyes. I'm not going to regurgitate the same old news about what's affected, what mitigations are available, or what you need to patch. That's boring, and I've already read enough of those articles to make my own eyes glaze over.

Instead, let's talk about the overall approach to security in your own environments. Maybe that's your datacenter, your client machines spread across the world, or your Amazon, Azure or Google Cloud services; it doesn't matter. When a threat affects everyone, from your grandmom in Ohio who only uses Facebook to the largest organizations on the planet, we should all take a step back and evaluate ourselves.

There probably isn't a single person reading this blog who doesn't have a comprehensive security structure in place for their organization. From access controls, to IDS/IPS, to patch and change management, we all have it covered. But what I've learned over time is that those of us who wave the organizational security banner often become complacent. Once we've checked all the important security boxes, we check out of the process. We let the tools and people do the work and pull away from what got us here: constant planning, strategy, and revision. Change is your ally, not your enemy, and this is especially true for security in Information Technology.

Meltdown and Spectre reminded us, yet again, that the next HUGE threat will probably be the most unlikely and, frankly, insane thing you've ever heard. If I had told you six months ago that almost every computer processor on Earth was a ticking time bomb, you would have called me a crazy person (okay, some of you STILL call me that, but I digress). It doesn't sound so funny now that it's true.

Our goal as security professionals and IT management shouldn't be to check off a box on an assessment form, but to continue to evolve. Truly evaluate what systems, processes and policies are in place now and figure out how they get to the next level. How do you make a good thing even better? There's always a way. "Take a look at yourself and then make the change. You gotta get it right, while you got the time." – Michael Jackson