Meltdown, Spectre, and Compliance: The Bell Doesn’t Toll for Thee


In the spaces where Meltdown, Spectre, and compliance overlap, organizations may be able to find some peace of mind to keep the death knell from ringing over information security.

What Are Meltdown and Spectre?


Meltdown (tracked as CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) are flaws in the design of modern processors, not bugs in any one program. Unlike a software vulnerability, which a vendor can patch outright, a hardware flaw can only be worked around, through microcode and operating-system updates, until the processor itself is redesigned. Because nearly every desktop, server, mobile device, and cloud instance runs on affected chips, the exposure is close to universal. Each flaw presents a slightly different problem, so understanding what those problems are helps you protect yourself and your organization as far as possible.


Operating systems, browsers, and password managers normally rely on memory isolation to protect stored data: one program cannot read another's memory, and no ordinary program can read the kernel's. Conventional defenses such as antivirus software and network firewalls are built around attackers exploiting software vulnerabilities to get through those boundaries. Meltdown and Spectre work differently: they use the processor's own speculative behavior to read across those boundaries without any software bug, which calls for different skills from the attacker and different defenses from you.



Spectre affects more processor families than Meltdown, which makes it harder to mitigate, but it is also a more complex and less reliable attack to carry out, which makes a successful exploit less likely.


Imagine a complex maze. At every fork you have several options. A modern processor faces the same choice each time a program reaches a conditional branch. Rather than wait for the condition to be computed, the processor guesses, based on which way that branch has gone in the past, and speculatively executes down the guessed path. If the guess was right, the work is kept and time is saved; if it was wrong, the results are thrown away and the processor backtracks to the fork. The catch is that the discarded work still leaves traces, most importantly in the processor's cache.


Spectre abuses that guessing. Just as one branch of a maze is walled off from another, a program's checks are supposed to wall private data off from code that should not reach it. An attacker trains the branch predictor so that, when the program checks whether a memory access is within bounds, the processor guesses "yes" and speculatively reads memory the check should have blocked, such as passwords or session tokens held by the browser or, across virtual machines, data belonging to another tenant on the same host. The read is discarded once the check resolves, but the attacker can measure which cache lines were touched and so recover the value a piece at a time, retrying whenever a guess goes wrong.
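The code shape that Spectre's first variant abuses, beside the way the Linux kernel hardens it, as an added example (this is not code from the original post; the arrays, the sample values, the "secret" string and the function names are constructed for illustration). The vulnerable shape is a bounds check guarding an array read whose result then indexes a second array. The hardened version clamps the index with a branch-free mask, the same arithmetic the Linux kernel uses in array_index_nospec(), so that even a mispredicted branch can only ever dereference a valid index.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY1_LEN 16UL
#define STRIDE     512UL   /* one probe slot per byte value, each in its own cache line */

/* Constructed sample data: a small public array and, in this toy layout,
 * a "secret" the caller is never supposed to read. A real attack picks an
 * out-of-bounds x so that array1 + x points at data like this. */
static uint8_t array1[ARRAY1_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const char secret[] = "constructed secret, not from the original post";
static uint8_t probe[256 * STRIDE];   /* the "transmitter": which slot gets cached reveals the byte */

/* Give each probe slot a recognisable value so the architectural result is visible. */
void init_probe(void) {
    memset(probe, 0, sizeof probe);
    for (unsigned v = 0; v < 256; v++) probe[v * STRIDE] = (uint8_t)v;
}

/* Vulnerable shape (Spectre variant 1). Architecturally this never reads
 * past array1: the bounds check is always honoured before the result is
 * committed. Transiently, after the predictor has been trained on in-bounds
 * values, the CPU may run both loads for an out-of-bounds x before the
 * compare resolves, pulling probe[array1[x] * STRIDE] into the cache for a
 * byte that lives outside array1. */
uint8_t gadget_vulnerable(unsigned long x) {
    if (x < ARRAY1_LEN) {
        return probe[array1[x] * STRIDE];
    }
    return 0;
}

/* Branch-free mask: all ones when index < size, zero otherwise, including
 * when size - 1 - index wraps around because index >= size. This is the
 * generic array_index_mask_nospec() arithmetic from the Linux kernel. */
unsigned long array_index_mask_nospec(unsigned long index, unsigned long size) {
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Hardened shape: the index is clamped before use, so a mispredicted
 * "x < ARRAY1_LEN" still only dereferences array1[0..15]. The mask is
 * data-dependent arithmetic, not a branch, so the predictor cannot skip it. */
uint8_t gadget_hardened(unsigned long x) {
    if (x < ARRAY1_LEN) {
        unsigned long mask = array_index_mask_nospec(x, ARRAY1_LEN);
#if defined(__GNUC__)
        /* Stop the optimiser from proving the mask is all-ones inside the if
         * and deleting it (the kernel uses an inline-asm barrier for this). */
        __asm__ __volatile__("" : "+r"(mask));
#endif
        x &= mask;
        return probe[array1[x] * STRIDE];
    }
    return 0;
}

int main(void) {
    (void)secret;
    init_probe();
    unsigned long attempts[] = { 0UL, 3UL, ARRAY1_LEN - 1, ARRAY1_LEN, ARRAY1_LEN + 64, ULONG_MAX };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++) {
        unsigned long x = attempts[i];
        printf("x=%-20lu mask=%#018lx vulnerable=%u hardened=%u\n", x,
               array_index_mask_nospec(x, ARRAY1_LEN),
               (unsigned)gadget_vulnerable(x), (unsigned)gadget_hardened(x));
    }
    return 0;
}
```

Both functions return the same values when run normally; the difference is only in what the processor can do speculatively, which is why this class of flaw is invisible to ordinary testing and why the mask has to be emitted even where the compiler can prove it redundant.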




Meltdown acts differently. Computer security depends heavily on the separation the operating system enforces between user programs and the kernel. The kernel's memory, which at any moment holds everything from disk caches to other users' data, is mapped into each process but marked off-limits, and any attempt by a program to read it is supposed to cause a fault.


Processors do not execute instructions strictly one at a time. To stay busy they run instructions "out of order" and sort the results into program order afterwards. Meltdown exploits the fact that, on affected processors, the permission check on a memory read is enforced only after the read has already been performed out of order. An instruction that reads a kernel address will eventually fault, but in the brief window before the fault, the value it fetched can feed the instructions behind it, for example a second read whose address, and therefore whose cache line, depends on that value.


The fault is then raised and all of the out-of-order work is thrown away, so nothing visible to the program has changed and the machine does not crash. But the cache line is still loaded, and timing which line is fast to access reveals the byte that was read. Repeated across kernel memory, this lets an unprivileged program dump data it should never see without interrupting the computer's normal operation or triggering any alarm.


How Are the Meltdown and Spectre Vulnerabilities Different from a Computer Virus?

Unlike a virus, Meltdown and Spectre are not something that "infects" a computer; they are flaws that any code already running on the machine can exploit. That code does not need physical access or a USB device. It can arrive as ordinary malware, as JavaScript on a web page (Spectre has been demonstrated from inside a browser), or, in a cloud environment, as a program in another customer's virtual machine on the same physical host.


Traditional defenses such as firewalls and antivirus software watch for known malicious code and suspicious network traffic. A Meltdown or Spectre attack looks like an ordinary program doing ordinary memory reads and timing measurements, so those tools may not catch it even when fully up to date. Protection comes instead from patches at several layers: operating-system kernel updates (Meltdown is addressed by isolating the kernel's page tables from user programs), processor microcode updates shipped by the chip vendor or the hardware OEM, browser updates, and hypervisor updates. All of them need to be tracked, because missing any one layer leaves a gap. One illustration of why tracking matters: Microsoft's January 2018 Windows updates were offered only to machines whose antivirus product had set a compatibility flag in the registry, so an out-of-date antivirus could silently leave a system unpatched.


Physical security still matters, but for these flaws the electronic environment is what needs attention: limiting who, and what, can run code on a machine. Organizations should focus on access authorizations, least privilege for accounts and services, password management, and patch discipline rather than on locking down USB ports.


What Are the Cybersecurity Implications of Meltdown and Spectre?

The long-term implication is that hardware will be replaced gradually as processor vendors redesign their cores to remove the underlying flaw. Until then, software and microcode mitigations, and the performance cost they carry, are the fix. Experts expect the transition to take at least one or two processor generations, so the issue will need to be monitored for years.


While the release of these papers indicates a significant issue, the C-suite can rest a little easier recognizing that flaws below the operating system are not entirely new. An August 2017 CSO Online article reported on a method, linked to the NSA, for disabling the Intel Management Engine, and in November 2017 Intel published fixes for vulnerabilities in the Management Engine firmware; several companies had begun selling computers with the Management Engine disabled. Those flaws are separate from Meltdown and Spectre, which sit in the processor's execution core rather than in a management subsystem, but they show that hardware-level risk was already on the agenda.


Researchers had worried for some time that speculative execution could leak data through side channels. The Spectre and Meltdown papers qualify and quantify those risks, which will force changes in processor design over the long term.


Where Do Meltdown, Spectre, and Compliance Overlap?

Protecting against Meltdown and Spectre requires constant vigilance over your IT environment. This means staying current with critical operating-system, browser, microcode, and firmware updates, verifying that the mitigations are actually active on each system rather than assuming a patch cycle succeeded, and maintaining sound access and password management.
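One way to verify that the kernel mitigations are actually active on a Linux host, added here as an example rather than code from the original post. Since kernel 4.15 the Linux kernel reports the state of each known flaw under /sys/devices/system/cpu/vulnerabilities/, one file per flaw (meltdown, spectre_v1, spectre_v2, and later additions), each containing "Not affected", "Vulnerable" optionally followed by details, or "Mitigation:" followed by the mitigation's name. The classifier below parses those strings and the audit routine walks the directory on the running host; the sample lines are constructed for illustration and the function and type names are mine.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>

#define VULN_DIR "/sys/devices/system/cpu/vulnerabilities"

enum vuln_state { VULN_NOT_AFFECTED, VULN_MITIGATED, VULN_VULNERABLE, VULN_UNKNOWN };

/* Classify one status line in the format the kernel exposes in sysfs.
 * Only the leading keyword matters, so "Vulnerable: Minimal generic ASM
 * retpoline ..." is still VULNERABLE and a trailing newline is harmless. */
enum vuln_state classify_status(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return VULN_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return VULN_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return VULN_VULNERABLE;
    return VULN_UNKNOWN;   /* unrecognised text: treat as a finding, not as safe */
}

const char *state_name(enum vuln_state s) {
    switch (s) {
    case VULN_NOT_AFFECTED: return "not affected";
    case VULN_MITIGATED:    return "mitigated";
    case VULN_VULNERABLE:   return "VULNERABLE";
    default:                return "unknown";
    }
}

/* Read one sysfs file's first line into buf; 0 on success, -1 if unreadable. */
static int read_status(const char *dir, const char *name, char *buf, size_t len) {
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Walk the vulnerabilities directory, print one line per flaw and return the
 * number of flaws reported as Vulnerable or Unknown, i.e. the findings a
 * patch review has to act on. Returns -1 if the directory is missing, which
 * means the kernel is too old to report mitigation status (or this is not
 * Linux) and should itself be treated as a finding. */
int audit_vulnerabilities(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int findings = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        char status[256];
        if (read_status(dir, e->d_name, status, sizeof status) != 0) continue;
        enum vuln_state s = classify_status(status);
        if (s == VULN_VULNERABLE || s == VULN_UNKNOWN) findings++;
        printf("%-24s %-13s %s\n", e->d_name, state_name(s), status);
    }
    closedir(d);
    return findings;
}

/* Constructed sample lines in the kernel's format (not captured from a real host). */
static const char *const sample_lines[][2] = {
    { "meltdown",   "Mitigation: PTI" },
    { "spectre_v1", "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" },
    { "spectre_v2", "Vulnerable: Minimal generic ASM retpoline, IBPB: disabled, STIBP: disabled" },
    { "l1tf",       "Not affected" },
};

/* Same scoring as audit_vulnerabilities(), applied to the constructed sample. */
int sample_findings(void) {
    int findings = 0;
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++) {
        enum vuln_state s = classify_status(sample_lines[i][1]);
        if (s == VULN_VULNERABLE || s == VULN_UNKNOWN) findings++;
    }
    return findings;
}

int main(void) {
    printf("Constructed sample: %d finding(s)\n\n", sample_findings());
    int n = audit_vulnerabilities(VULN_DIR);
    if (n < 0) puts("no " VULN_DIR ": kernel does not report mitigation status");
    else printf("\nThis host: %d finding(s) need attention\n", n);
    return n != 0;
}
```

The exit status is non-zero whenever anything needs attention, so the same program can run from a configuration-management or audit job and feed its result into patch-compliance evidence; a host where spectre_v2 reads "Vulnerable" after a kernel update usually means the CPU microcode update never reached it.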


In addition, vendor management policies and contractual privacy agreements require even greater due diligence. Understanding who can run code on your equipment is just as important as how your cloud data is controlled.


Moreover, because the flaws affect the processors used by large cloud providers, where one customer's virtual machine shares a physical host with another's, you need to follow your providers' updates as well to protect your own data. If you use Google Cloud or AWS, monitor their security bulletins on host and hypervisor patching and apply the guest operating-system updates they recommend; the provider patches the host, but the kernel inside your instances remains your responsibility.

How Can Automating Compliance Help Protect Against Meltdown and Spectre?


Audit management software cannot patch a processor, but it helps defend against these threats by giving your compliance program a continuous view of which systems, vendors, and controls still need attention.


Continuous monitoring and timely software updates have never been more important than they are right now. Automated SaaS platforms like ZenGRC help organizations review risk and manage compliance by showing which critical changes still need to be made.


Compliance is not security, but it is due diligence. With ZenGRC's comprehensive risk dashboard, you can manage color-coded alerts that show your greatest risk responsibilities and the most recently updated critical patches.


Setting reminders for quarterly and annual reviews helps ensure that you and your compliance staff are tracking employee authorizations regularly. Understanding updates to password safety also requires ongoing education and monitoring. With a SaaS compliance tool, you can increase the frequency of reviews if you suspect problems within your organization’s privacy and safety protocols.


Meltdown and Spectre will continue to plague the tech industry for a long time, but while the bell tolls, compliance may keep it from tolling for thee.


To schedule a demo or make an appointment to speak with a GRC expert about how ZenGRC can help protect you from Meltdown and Spectre by strengthening your compliance program, click here.