IT Due Diligence Guide


Jun 11 2018

IT Due Diligence and the Meltdown and Spectre Processor Vulnerabilities

Background

In January 2018, a group of computer chip makers and software publishers alerted the world to the Meltdown and Spectre vulnerabilities.

Meltdown affects computing devices regardless of the operating system. It exploits an optimization feature in many Intel chips known as “out-of-order execution.” The result is that malware running on a computer with an affected chip can read the kernel memory, and through it the physical memory, of the device. This memory can, for example, contain unencrypted passwords that were recently used.

You can read a detailed, technical explanation of Meltdown here:

https://meltdownattack.com/meltdown.pdf

Spectre also affects processors from Intel, as well as AMD and ARM. Spectre exploits a chip feature called “speculative execution.” To improve performance, many chips guess which operation comes next and run it before being specifically instructed to. Spectre tricks the chip into running an incorrect “guess” and then recovers data from the cache, which still holds traces of the speculative work even after the chip discards that work and runs the correct instruction.

You can read a detailed, technical explanation of Spectre here:

https://spectreattack.com/spectre.pdf

Recent Activity

Since the January announcement:

  • Additional variants of both Meltdown and Spectre have been discovered.
  • Vendors have since made microcode (updates that change processor behavior and performance), BIOS and software patches available and continue to do so.
  • These updates have in some cases impacted computer performance to a noticeable degree.
  • Malware creators have attempted to exploit the vulnerabilities.
  • Some malware creators have decided that it is easier to exploit the concern around Meltdown and Spectre than the vulnerabilities themselves, and are circulating “patches” that actually distribute malware.

Meltdown, Spectre and IT Due Diligence

One of the most important things any organization can do to improve cybersecurity is to stay up to date with all relevant operating system and software patches. Many breaches and other cybersecurity incidents can occur only when known vulnerabilities are not patched.

When evaluating a company’s technology expertise during IT due diligence, a review of the process for monitoring and deploying patches is very enlightening. Many organizations are far too casual in their approach. This is not acceptable when it comes to Meltdown and Spectre.

Even though exploiting these chip vulnerabilities is difficult, the risk of exposing critically important information is too great to ignore. In all but the most exceptional cases, any performance penalty related to the patches should be an acceptable price to pay for the assurance of security.

During IT due diligence, ask the staff at the target company what they’ve done so far to mitigate Meltdown and Spectre. In the worst case scenario, they may not know what you’re talking about. If so, given the fact that this is one of the most well-publicized and potentially dangerous IT security risks ever, you should be concerned that other basic but less obvious security risks have not been addressed.

In a perfect world, the response you receive would be that the staff at the target company heard about the issue when it was announced, have been monitoring the latest developments with their relevant vendors and have implemented all patches that have been released. This should include chips, operating systems, and software such as browsers (which have been shown to be able to host a Spectre attack via JavaScript). Browsers may need certain configuration changes to provide protection.

Ideally, the target company would maintain written policies and procedures that describe the patching process: how patches are identified as necessary, how they are tested before being applied to production systems and how the current patch status of each device is tracked.
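One concrete way to track the patch status of each device, added here as an illustration and not part of the original post, is to read the per-vulnerability status files that the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (files such as meltdown, spectre_v1 and spectre_v2, each holding one line like “Mitigation: PTI”, “Vulnerable” or “Not affected”). The script below classifies those lines so an inventory job can record every host's status; the SAMPLE_STATUS values are constructed to look like real kernel output and are not captured from any system.

```python
"""Summarize speculative-execution mitigation status from the Linux kernel's
sysfs interface (/sys/devices/system/cpu/vulnerabilities/).

Each file in that directory holds one line such as "Mitigation: PTI",
"Vulnerable" or "Not affected". This added example classifies each entry so
an asset inventory can tell "mitigated", "still vulnerable" and "no data"
apart for every device.
"""
import os
from collections import Counter
from typing import Dict, List

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample in the shape of real sysfs contents; not from a real host.
SAMPLE_STATUS: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
}


def classify(status: str) -> str:
    """Map one status line to a coarse category used for reporting."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    # Newer kernels may add wording we do not recognise: flag it, never guess.
    return "unknown"


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read every status file under the sysfs directory.

    Returns {} when the directory is absent (non-Linux host or a kernel that
    predates the interface) so the caller can distinguish "no data" from
    "everything mitigated".
    """
    if not os.path.isdir(directory):
        return {}
    result: Dict[str, str] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8") as fh:
                result[name] = fh.read().strip()
        except OSError:
            result[name] = ""  # unreadable file is reported as "unknown"
    return result


def summarize(statuses: Dict[str, str]) -> Dict[str, object]:
    """Count entries per category and list the ones that need follow-up."""
    categories = {name: classify(line) for name, line in statuses.items()}
    counts = Counter(categories.values())
    return {
        "counts": dict(counts),
        "vulnerable": sorted(n for n, c in categories.items() if c == "vulnerable"),
        "unknown": sorted(n for n, c in categories.items() if c == "unknown"),
    }


def needs_attention(statuses: Dict[str, str]) -> List[str]:
    """Names a patch reviewer should ask about: vulnerable or unrecognised."""
    report = summarize(statuses)
    return list(report["vulnerable"]) + list(report["unknown"])


if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample (no sysfs data on this host)"
    data = live or SAMPLE_STATUS
    print(f"Source: {source}")
    for name, line in sorted(data.items()):
        print(f"{name:20s} {classify(line):13s} {line}")
    print("Needs attention:", needs_attention(data) or "none")
```

Run on a fleet, the output of needs_attention() per host is the evidence a due diligence reviewer wants: an empty list on every device backs up the claim that patches have been applied, while any “vulnerable” or “unknown” entry is a concrete follow-up question for the target's IT staff.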

In addition, even though antivirus and antimalware software cannot detect Meltdown and Spectre attacks themselves, they can block attempts to install the malware that would launch such an attack. Deploying up-to-date antimalware software is always a best practice.

If the target company is using cloud providers such as Amazon Web Services or Microsoft Azure, those vendors have announced that they have patched their systems against these vulnerabilities.

The best general source for Meltdown and Spectre information is https://meltdownattack.com/ which is maintained by Graz University in Austria, one of the discoverers of the two vulnerabilities. This site includes the latest updates, links to the original technical papers describing the exploits, a FAQ, and advisories from major vendors. This is a good resource to review during IT due diligence, once a target company’s major vendors have been identified.

Conclusion

Meltdown and Spectre are some of the most serious IT security risks ever identified. It will be many years before the affected processors have been replaced by more secure versions. A target company’s reaction to Meltdown and Spectre provides a good opportunity to evaluate the organization’s overall technical proficiency during IT due diligence.

Written by Jim Hoffman · Categorized: Blog
