
Patch systems against Meltdown and Spectre, urges ICO

The UK’s data protection watchdog is calling on organisations to apply, as soon as possible, the security updates that mitigate the Meltdown and Spectre microprocessor flaws, in order to safeguard personal data

Failure to apply the operating system updates that mitigate the microprocessor vulnerabilities dubbed Meltdown and Spectre could put personal data at risk, the Information Commissioner’s Office (ICO) has warned.

Although no live attacks using these vulnerabilities have been reported, malware writers and hackers will be hard at work determining how to make the best use of the vulnerabilities, and checking whether systems are vulnerable, according to Nigel Houlden, head of technology policy at the ICO.

“We strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency,” he wrote in a blog post.

Houlden warned that the ICO would take the failure to patch known vulnerabilities into account when determining whether an organisation has breached data protection laws.

The seventh principle of the UK’s Data Protection Act 1998 requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

After the compliance deadline for the EU’s General Data Protection Regulation (GDPR) on 25 May 2018, organisations could be liable for a breach of security for failing to take necessary measures to protect personal data.

Houlden said the vulnerabilities provide ways for an attacker to extract information from privileged memory locations that should be inaccessible and secure. One variant of the Spectre exploit potentially allows an administrative user in a guest virtual machine to read the host server’s kernel memory, which could include the memory assigned to other guest virtual machines.

The implications for data controllers are clear, wrote Houlden. “If these vulnerabilities are exploited on a system that is processing personal data, then that personal data could be compromised,” he said. “Alternatively, an attacker could steal credentials or encryption keys that would allow them to access personal data stored elsewhere.”


The ICO “strongly recommends” that organisations determine which of their systems are vulnerable, and test and apply the patches.

Organisations that use cloud service providers should obtain assurances from the provider that these vulnerabilities have been patched, the ICO said. In practice, a provider’s assurance covers the hypervisor and host firmware it operates; the guest operating systems a customer runs on that infrastructure still need the customer’s own kernel updates, so tenants should check and patch their virtual machines rather than rely on the provider’s statement alone.

Noting that initial benchmarking had indicated that some workloads may suffer performance hits after the Meltdown patches are applied, Houlden said organisations will have to make their own decisions about whether to patch. “But if they choose not to, we would expect significant mitigations to be in place and well understood,” he said.
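The ICO’s two asks above, determine which systems are vulnerable and know which mitigations are actually in place, can be answered directly on Linux, because kernels from 4.15 (and distribution backports) report their own mitigation state under /sys/devices/system/cpu/vulnerabilities/, one file per issue, each reading “Not affected”, “Vulnerable”, “Vulnerable: <detail>” or “Mitigation: <name>”. The following script is an added example written for this page; it is not from the ICO or from Computer Weekly. It reads that directory, treats a missing entry as evidence that the running kernel predates the mitigations, and exits with the number of issues still open, so it can be run across a fleet from a configuration-management or monitoring job. The sample sysfs snapshot it builds for demonstration is constructed, not captured from a real host, and the function and file names are this example’s own.

```bash
#!/bin/sh
# check_cpu_vulns: report the kernel's view of Meltdown/Spectre mitigation
# status on a Linux host. Added example, not ICO or vendor code.
#
# Usage: check_cpu_vulns [sysfs-dir]
#   sysfs-dir defaults to the live kernel interface; pass another directory
#   (for instance a copied snapshot) to evaluate it offline.
# Prints one line per issue and returns the number of unmitigated issues,
# so a non-zero exit status flags a host that still needs attention.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bad=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ ! -r "$f" ]; then
            # No entry at all: the kernel does not know about the issue,
            # which means it cannot be carrying the fix. Treat as unpatched.
            status="UNKNOWN (no $issue entry; kernel predates the mitigations)"
            bad=$((bad + 1))
        else
            state=$(cat "$f")
            case "$state" in
                "Not affected"*) status="OK ($state)" ;;
                "Mitigation:"*)  status="OK ($state)" ;;
                "Vulnerable"*)   status="VULNERABLE ($state)"; bad=$((bad + 1)) ;;
                *)               status="UNKNOWN ($state)"; bad=$((bad + 1)) ;;
            esac
        fi
        printf '%-10s %s\n' "$issue" "$status"
    done
    return "$bad"
}

# make_sample_sysfs: build a constructed snapshot of the sysfs directory
# (sample values only, not taken from a real machine) and print its path.
# It models a host that has the Meltdown (PTI) and Spectre v1 fixes but
# whose Spectre v2 mitigation is incomplete.
make_sample_sysfs() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

# Demonstration against the constructed snapshot rather than the live host.
sample=$(make_sample_sysfs)
check_cpu_vulns "$sample" || echo "$? issue(s) still need attention"
rm -rf "$sample"

# When saved as check_cpu_vulns.sh and executed directly, inspect the
# real host and pass its exit status through.
case "$0" in
    *check_cpu_vulns.sh) check_cpu_vulns; exit $? ;;
esac
```

On a patched host every line reads OK and the exit status is 0; a host whose kernel has no vulnerabilities directory at all scores three UNKNOWN entries, which is the right outcome for the ICO’s purposes, since an old kernel that cannot describe its mitigations has none. The script only covers the kernel side: whether the CPU microcode needed for some Spectre v2 mitigations is loaded shows up in the spectre_v2 text, which is why the full state string is printed rather than just a verdict.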

Having an effective layered security system will help to mitigate any attack, said Houlden, adding that organisations should be looking at their data flows, understanding how their data moves across and beyond the organisation, and evaluating the impact of a data breach.

“Data should be secure at rest as well as when in transit,” he said. “Even if a hacker gets the data, they shouldn’t be able to read it.

“A well-designed system will ensure that the network infrastructure is protected and should incorporate firewalls, access control lists and VLANs [virtual local area networks], as well as non-technological preventative measures such as CCTV, fences and security personnel, if needed.”

Houlden said it is important for organisations to know who has access to what data and for senior management to support security plans to ensure the enforcement of policies and procedures. “The more layered approach you take, the less likely a vulnerability like Meltdown or Spectre could be exploited,” he said.
