Cyber Threats

The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered

Meltdown and Spectre Overview On January 8, 2018, Revolutionary Security reported on Meltdown and Spectre, which are kernel-level vulnerabilities impacting the processing of unauthorized local memory. These vulnerabilities take advantage of a CPU feature called “speculative execution,” which is leveraged by the CPU to optimize performance by running tasks that may not actually be required. The vulnerabilities reported in January take advantage of speculative execution and trick the processor to leak data returned from other applications under certain circumstances. The [...]

Cyber Intelligence Leads to Resiliency

Security by Compliance Within this blur of a technology driven society, time and time again we see companies that have designed a security operations center to meet their compliance needs, and yet still appear on the evening news as being a victim of a cyber attack.  Security’s goal, protecting the digital assets of an organization from attacks, differs from that of compliance, which is ensuring that the organization meets regulatory requirements. For examples of how an organization may be compliant with [...]

Preventing a Meltdown: Recommendations for the Meltdown / Spectre Vulnerabilities

Meltdown and Spectre Overview Meltdown and Spectre are kernel vulnerabilities that can result in the loss of system confidentiality through access to unauthorized memory locations on the local system. Meltdown (CVE-2017-5754) affects Intel chips – mostly impacting PCs. Spectre is broader and is based on two separate vulnerabilities (CVE-2017-5753 and CVE-2017-5715) and also impacts AMD and ARM chips, so most PCs, Apple devices, and smartphones are also impacted. Cloud and virtualized environments can also leak memory outside the running virtual [...]

Validating Security Controls and Countermeasures with Penetration Testing

It’s been a few weeks and the dust is starting to settle following the reported data breach in September 2017 at Equifax, one of the big three credit reporting agencies. While other major data breaches have been the result of advanced methods possibly utilizing leaked classified attack techniques, this attack was performed by exploiting a well-known vulnerability within a popular web application. Although this vulnerability had a corrective software patch available, it was not applied to the vulnerable servers. In [...]