Overall, you and I are painfully aware of cybersecurity threats; however, the business implications are sometimes blurry. That’s why I’d like to address the impact of the Spectre and Meltdown attacks in a bit more detail from the business point of view.
But first things first: the basic problem is that the cache of almost any CPU is vulnerable. Picture a huge office campus (the CPU) where all programs work in different offices. The programs hop on the same bus to get to work, and that bus is the cache. While all programs use the same bus, not everybody is sitting in it all the time; however, whoever is sitting on the bus is vulnerable to the exploit.
The exploit on the bus breaks down the isolation between the programs. In other words, if there is one corrupted program sitting on the bus, it can take a good look at all the files the other programs have in their backpacks. Not really nice, huh?
Having made the principle clear, I don’t want to spend too much time discussing the technical details behind the attacks (a good read in that regard can be found here). Still, I’d like to reflect on the business implications for digital businesses dependent on their web applications.
Remember the bus? Good. Let’s take a look at the webpage of the fictional HR Start-Up “RockstarTalentING.” Let’s assume its business case is matching top-notch engineers with musical talent to Fortune 500 companies.
RockstarTalentING has a web application where applicants are asked to upload videos of their gigs, and companies and other applicants are asked to rate and comment on those gigs. The ratings and buzz get matched with the applicants’ other assessment scores and used for matchmaking.
RockstarTalentING has the following key assets:
- Database of Customers (Fortune 500 Companies) including personal information of the related HR manager and ranges of salaries
- Database of Talent (engineers with musical talent) personal information
- Business Processes and Tools and Data
If the vulnerability targeted by Spectre and Meltdown (remember the bus?) gets exploited, the attacker could gain access not only to the assets of RockstarTalentING but also to the cache of the visitors and, therefore, the customers and the talent visiting RockstarTalentING. As a result, web applications have become the number one entry point for hackers when not launching the attack from within the organization.
So, what could happen to the business of our HR Start-Up RockstarTalentING?
1. Reputational damage — who would want to work with a site that gets visitors infected once the word spreads? Just think of Yahoo, Experian, Target…
2. Regulatory & legal impacts — in Europe, we have the EU GDPR (DSGVO) with a fine of 4% of revenue in case of data breaches
3. Company value impact — public breaches like Yahoo, Target, and Talk Talk impacted those companies’ valuations on the stock market. Ask your investors what they would think of the impact of a data breach on their valuation — put on your thick skin when it comes to due diligence…
I think it is important to point out that the infrastructure is out of your direct control, and there you only have the option to audit your suppliers on their cybersecurity measures to minimize your risk. However, there are other actions you can take to mitigate those business risks:
The focus should clearly start with what’s in your control.
Your web application also relies on the cache to work, which implies that you are pretty much on the safe side if you ensure that the cache stays clear of any malicious code.
This is how you can do it:
- Address the challenge of cybersecurity for your web application regularly.
- Getting reliable insights on vulnerabilities and their severity should be the first step, preferably using automated vulnerability scans that are well managed and maintained.
- Integrating a trusted, reliable security assessment into your agile development of web applications should keep you on the safe side as long as you follow up on the vulnerability mitigation.
We at Crashtest Security offer a free-of-charge basic vulnerability scanner. In addition, we provide a SecDevOps-ready security suite to automate your vulnerability scans with each iteration of your agile software development.
If you’d like to continue reading, I recommend: “Spectre Attacks: Exploiting Speculative Execution.”