Crashtest Security Blog

Take the cache to get to work — What cyber security flaws like Spectre mean to web applications from a non-techy viewpoint

Jan 26, 2018 3:14:00 PM / by Thaddäus Schwab

Overall, you and I are painfully aware of cyber security threats; however, the business implications are sometimes a bit blurry, and that’s why I’d like to address the impact of the Spectre and Meltdown attacks in a bit more detail from the business point of view.

But first things first: the basic problem is that the cache of almost any CPU is vulnerable. It’s as if you have a huge office campus (the CPU) in which all programs work in different offices, but the programs hop on the same bus to get to work, and that bus is the cache. While all programs use the same bus, not everybody is sitting in it all the time; however, whoever is sitting in the bus is vulnerable to the exploit.

The exploit that happens on the bus is that the isolation between the programs breaks down. In other words, if there is one corrupted program sitting on the bus, it can take a good look at all the files the other programs have in their backpacks. Not really nice, huh?

Now that the principle is clear, I don’t want to spend too much time discussing the technical details behind the attacks (a good read in that regard can be found here), but I’d like to reflect on the business implications, in particular for digital businesses that depend on their web applications.

RockstarTalentING

Remember the bus? Good. Let’s take a look at the web page of the fictional HR start-up “RockstarTalentING”. Let’s assume its business case is to match top-notch engineers with musical talent to Fortune 500 companies.

RockstarTalentING has a web application where applicants are asked to upload videos of their gigs, and companies and other applicants are asked to rate and comment on those gigs. The ratings and buzz are matched with the applicants’ other assessment scores and used for the matchmaking.

RockstarTalentING has the following key assets:

• Database of customers (Fortune 500 companies), including personal information of the responsible HR managers and salary ranges

• Database of talent (engineers with musical talent), including their personal information

• Business processes, tools and data

If the vulnerability targeted by Spectre and Meltdown (remember the bus?) gets exploited, the attacker could gain access not only to the assets of RockstarTalentING but also to the cache of its visitors, and therefore to the customers and the talent visiting RockstarTalentING. Web applications have become the number one entry point for hackers, unless the attack is already being launched from within the organization.

So, what could happen to the business of our HR Start Up RockstarTalentING?

1. Reputational damage — who would want to work with a site that gets its visitors infected, once the word spreads? Just think of Yahoo, Experian, Target…

2. Regulatory & legal impacts — in Europe we have the EU-DSGVO (the GDPR) with fines of 4% of revenue in case of data breaches

3. Company value impact — public breaches like Yahoo, Target and TalkTalk had quite an impact on the valuation of the company on the stock market. Ask your investors what they would think of the impact of a data breach on their valuation — put on your thick skin when it comes to due diligence…

While I think it is important to point out that the infrastructure is out of your direct control, so that your only option there is to audit your suppliers on their cyber security measures to minimize your risk, there are other actions you can take to mitigate those business risks:

The focus should clearly start with what’s in your control.

Your web application also relies on the cache to work, which implies that by ensuring the cache stays clear of any malicious code you are pretty much on the safe side.

This is how you can do it:

Address the challenge of cyber security for your web application regularly.

Getting reliable insights on vulnerabilities and their severity should be the first step. Preferably, use automated vulnerability scans that are well managed and maintained.

Integrating a trusted, reliable security assessment in your agile development of web applications should keep you on the safe side as long as you follow up on the vulnerability mitigation.

We at Crashtest Security offer a free basic vulnerability scanner and provide a SecDevOps-ready security suite to automate your vulnerability scans with each iteration of your agile software development.

If you would like to continue reading, I recommend: “Spectre Attacks: Exploiting Speculative Execution”.
