As has been the case all too often in recent months, yet another major computer security vulnerability has emerged — and, once again, it is something bankers have no choice but to treat as a direct threat.
The good news is, though these vulnerabilities have existed for 20 years, no exploits have ever been reported.
Moreover, taking advantage of Meltdown and Spectre would be difficult for cybercriminals. It requires writing software that directs malware to not only execute the technique but then do something specific like find and obtain a password. There are many simpler ways to obtain sensitive data like passwords such as keylogging, phishing and social engineering.
On the other hand, this type of attack is difficult to detect, so the fact that it hasn’t been reported doesn’t necessarily mean it’s not happening.
And the widespread nature of this threat, the publicity around it and the fact that banks are always a top target for cybersecurity exploits mean bank security and information-technology pros should implement all applicable security patches as soon as possible.
Here are more details about what bankers need to know.
What are Meltdown and Spectre?
Meltdown breaks down the barriers between an operating system kernel and the applications that run on it. Malware can use the technique to read operating system and application memory and potentially get access to passwords, encryption keys, credit card details and documents among other sensitive data.
Meltdown affects desktops, laptops, cloud servers and smartphones running on Intel chips released since 2010 and one ARM processor.
Some patches for Meltdown have been issued, and more are on the way.
Spectre is a type of attack that could be executed on almost every computer, and some researchers argue there’s no patch for it, nor is there likely to be one for two years when new, re-architected hardware will be available that isn’t susceptible to it.
Like Meltdown, Spectre breaks the memory isolation between different applications, allowing malware to access application memory. Most Intel, ARM and AMD processors are subject to it.
Greg Temm, chief information risk officer of the Financial Services Information Sharing and Analysis Center, pointed out that these vulnerabilities are read-only and can only be run on a local computer, not a network.
Has either Meltdown or Spectre been exploited yet?
No, says Bill Nelson, president and CEO of the FS-ISAC.
“These vulnerabilities are a big deal, but there is a balance of probability and exploitability to consider,” he said. “This hasn’t been exploited yet.”
Steve Grobman, chief technology officer at McAfee, is less sure.
“Part of the challenge with this type of vulnerability is it’s difficult to detect,” Grobman said. “We are not aware of any known exploitation in the wild. At the same time, it may be that the existing set of capabilities that would usually detect a threat is not able to detect this type of attack yet, and that’s why we don’t see them.”
Either way, he expects to see such attacks in the future.
Frederik Mennes, senior manager, market and security strategy for the Security Competence Center at Vasco Data Security, points out that “proof of concept” code is available to implement to exploit these vulnerabilities.
“It might be possible that hackers are exploiting this,” Mennes said. “It’s not a straightforward attack to implement on a large scale, in my opinion. It may be used to target specific users at very specific companies. But I don’t think it will be exploited on a large scale.”
Are banks prime targets?
Yes. Banks are always a high-profile target for cybercrime.
“This is a valuable tool in the tool chest of the attacker,” Grobman said. “When an attacker has an objective of getting information from a financial institution, they’re going to look at the architecture of the data center or the cloud environment, they’re going to look to understand what people run the organization: Can they convince the administrators to either run malware or provide access to information that they wouldn’t otherwise have?”
Banks with older servers and systems are especially vulnerable.
“In some cases, you may have applications that are running on legacy operating systems for which there are no patches,” Grobman said.
“That said, in general financial institutions have a higher level of discipline than other vertical sectors, and making sure all their hardware and software apply patches that mitigate this risk and other known vulnerabilities is a critical part of their cyber-hygiene.”
What should banks be doing about this?
Anything that can be patched and updated should be, Grobman said, acknowledging that there will be mission-critical systems for which there are no patches.
There are three levels of patches, Mennes said. One is the microprocessor level — these are not available yet, but Intel said they will become available this week. Second is the operating system level; some vendors including Microsoft have begun issuing patches. Third is the application level, for browsers and apps. Google has issued a patch for Chrome (malware doesn’t have to be installed on a PC, it can attack from a webpage). All should be installed as soon as possible, he said.
The FS-ISAC has made all these available to its members, Nelson said. “These patches appear to solidly fix the problem,” he said. “All banks are working to identify and install patches on their systems that can be affected by vulnerabilities.”
If they don’t patch, bankers could be targets in the future, Nelson said.
“They have to have a really good inventories of their systems and devices,” he said. “If you have one device you don’t patch, that could lead to the compromise down the road. We’ve seen that happen time and time again.”
Banks with older servers and systems are especially vulnerable.
With the pervasiveness of Intel chips, managing patches across the organization will be a heavy lift for chief information security officers, Temm noted. However, he also observed that most large financial institutions have robust systems for automated patching.
Banks also need to think about how they set up their overall enterprise architecture to limit access to systems that could potentially be exploited, Grobman said. “You can’t exploit something you can’t access. Having a principle of least privilege, meaning that individuals and applications only have access to things they should have access to, is a key part of a bank’s cybersecurity defense strategy.”
Bankers can educate consumers and businesses about keeping their systems patched, Nelson said. “And they should remind consumers they’re protected by Reg E and credit card rules if there’s fraudulent activity.”
And of course, because Spectre and Meltdown create exposure to potential malware attacks, banks need to make every effort to keep malicious code out of their systems. This includes running a raft of special programs — including anti-malware, anti-keylogger and data-loss-prevention software as well as behavior-monitoring software to detect suspicious activity that might indicate the presence of malware. Defenses against phishing, such as
Could all these fixes slow down banks’ processing of transactions?
Intel says that once implemented, patches that prevent Meltdown could cause computer slowdowns of 5% to 30%, and experts are debating how much that could interfere with banking systems.
Banks are concerned given the high volumes of transactions they conduct every day, but the impact will be subdued because banks have built-in buffers for overages and surges, Temm said.
Patches that prevent the Meltdown vulnerability could cause computer slowdowns of 5% to 30%, Intel says.
Mennes said the performance degradation will depend on the processor and on other characteristics of a machine, like the amount of memory it has and the types of peripherals it works with.
“There could be a significant slowdown on critical servers processing financial transactions,” he said. “That could have an impact on the business of the bank.”
Is cloud computing at risk?
Nicole Perlroth of The New York Times
Amazon, for one, says it has taken all the necessary steps to block that kind of theft from happening, though it did not provide any details. The issue is a matter of debate among experts.
“This vulnerability could allow one cloud customer to access data of other cloud customers,” Mennes said. “And that’s a very bad thing. If I had an account on Amazon and was able to access servers of my bank and able to get access to bank accounts of other people, that’s significant.”
Grobman pointed out that the large public cloud providers have already patched and rebooted millions of machines within their cloud environments, and that this should mitigate much of the risk.
“Security threats that allow one tenant to get access to data living in other tenant’s machines are something we need to think a lot about,” he said. “The next few weeks will be telling to determine whether we need to think about our overall cloud strategy differently or [if] the patches that are coming out will be sufficient.”
On a scale of 1 to 10, how alarmed should a bank be about Meltdown and Spectre?
“It’s a 7 to an 8,” Grobman said. “It’s a serious development in the field of cybersecurity, and we’re in the early days to see how this plays out, and we need to take it seriously.”
Editor at Large Penny Crosman welcomes feedback at