Pub. 7 2018 Issue 2
BANK BYTES
Summer | 2018

Technical Aspects of the Vulnerabilities

The vulnerabilities are classified as speculative execution vulnerabilities and, if exploited, both vulnerabilities allow unauthorized access to protected areas of memory. This unauthorized access could allow an attacker to collect sensitive information such as passwords and nonpublic customer information.

• Meltdown allows unauthorized access to memory, including protected kernel memory. The vulnerability affects almost all Intel processors manufactured since 1995 and some ARM processors.
• Spectre allows unauthorized access to memory used by other computer processes. The vulnerability affects almost all processors. It has been verified on Intel, AMD, and ARM processors.

Additional information provided by the researchers who discovered both vulnerabilities can be found at https://meltdownattack.com/.

Mitigation

Over the past few months, a process of mitigation has emerged. Initially, incompatibilities with updates occurred which could render systems unusable. It was and continues to be of utmost importance that you verify and test updates before installation. Prudently pursue and ensure the following security processes are effectively implemented within your organization:

• Installation of security software updates (e.g., antivirus software, endpoint security software, etc.)
• Installation of operating system (OS) updates (e.g., Microsoft Windows, Linux, Mac OS, iPhone, Android, etc.)
• Installation of web browser updates (e.g., Microsoft Edge/Internet Explorer, Google Chrome, Mozilla Firefox, etc.)
• Installation of firmware updates for microprocessors (e.g., BIOS updates issued by computer system manufacturers, such as Dell, Lenovo, HP, Apple, etc.)
• Prevention of malicious code execution (e.g., website blocking, website ad-blocking, phishing detection, security awareness training for users, etc.)

Back to Basics

Did you notice the mitigation items listed are the core elements of strong security cultures? Even though the vulnerabilities were recently discovered and the exploits breached protected memory as never before, basic security standards remain the first line of defense.

As it became apparent the sky was not falling, the vulnerabilities reminded us of the important fundamentals of security. No matter how far-reaching an exploit may be, the potential of your organization being impacted is significantly lessened if:

• The vulnerability doesn’t have access to your systems.
• Operating system or application weaknesses needed by the exploit are patched.
• Security software is installed (advanced end-point protection software with artificial intelligence is a game changer).

Make it So

The Meltdown and Spectre vulnerabilities serve as an important reminder to establish and maintain security best practices in your bank:

• Monitor availability for operating systems and application updates.
• Test updates to ensure compatibility.
• Apply updates and patches on a regular schedule.
• Install and maintain security software (e.g., antivirus software, endpoint security software, etc.).
• Prevent malicious code execution (e.g., Internet filtering, phishing detection, security awareness training on how to identify malicious emails and not click links in emails, etc.)

There will continue to be emergencies to address, policies to tweak, and fires to put out, but if you lay a good security foundation, the sky will not fall.

Carl Cope is the Chief Operations Officer for CoNetrix.
CoNetrix is a provider of information technology consulting, IT/GLBA audits and security testing, Aspire IT hosting, and the developer of Tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Programs. Visit CoNetrix at www.CoNetrix.com.