Connect with us

Cyber Security

Processor Vulnerabilites Put Virtual Workloads at Risk




Meltdown, Spectre exploits will likely lead to customers making tradeoffs between performance and security of applications, especially virtual and cloud-based apps

Back in January 2018, a consortium of security researchers from organizations including Google, Cyberus Technology and several universities disclosed two ominously-named vulnerabilities found in nearly all modern computer processors. These vulnerabilities broke open the floodgates for research into flaws in some of the most fundamental security protections found in computer processors. Meltdown, Spectre, and the other related vulnerabilities are significantly more dangerous and useful to an attacker in a virtual environment versus a non-virtual server or desktop. In response, I expect to see Intel and AMD eventually create separate processor lines to protect cloud applications from this threat.  

The Processor Speed Race
Modern processors handle dozens if not hundreds of applications simultaneously. Billions of transistors packed into multiple cores allow them to seamlessly and automatically switch between execution threads as needed. They typically enforce a set of rules on this dance of applications, including one very big one: The processor should prevent applications from accessing data from other running applications. Meltdown and Spectre allow malicious applications to break this rule.

Processing power continues to increase each year, but no longer at the same rates that we used to see when Moore’s Law still held true. Processor manufacturers have to use clever “cheats” to squeeze more performance from their devices as they run into limits of transistor technology. One of these cheats is an optimization technique called speculative execution 

Speculative Execution: Faster but Flawed
In a nutshell, application execution paths often contain many forks, or branches, where they may go down one of multiple code paths depending on the result of a calculation. The processor doesn’t know what branch the application will follow until it completes the calculation, but it can save time by guessing the outcome and continuing execution down that path while it waits for the calculation result. If it guessed correctly, it already has a head start and saves a few microseconds. If it guessed incorrectly, it simply discards the work it started and continues down the correct path.

Meltdown and Spectre both abuse speculative execution, though in slightly different ways. While the technical explanation could take a full article in itself, the short story is that they use speculative execution to load restricted memory into the processor’s memory cache and then use a few tricks to accurately identify the contents of that memory even after the process recognizes they shouldn’t be able to read it directly. The restricted memory could include anything from an administrative password to sensitive cryptographic keys on a Web server.

Spectre and Meltdown in the Cloud
While expanding the potential impact of malware on a desktop or non-virtualized server is never good, Meltdown and Spectre become much more dangerous in the cloud and virtual environments. An attacker with code execution on a physical desktop or server usually has much easier ways to elevate their privileges and access sensitive data from other applications. Using Meltdown or Spectre would be excessive.

But in a virtual environment, a single piece of hardware (for example, an EC2 instance in an AWS data center) can house multiple different tenants, each of which expects their applications and services to be completely isolated from the other tenants with which they share the resources. Usually, the hypervisor (the management software that handles virtualizing a single piece of hardware into multiple virtual servers) has strict security controls to enforce tenant isolation. 

But Spectre and Meltdown completely bypass these software protections by targeting the hardware itself. An attacker with access to one application on a cloud server could steal data from all the other applications using a shared resource on the same physical hardware, no matter how good the security of those other applications is!

Since Meltdown and Spectre’s disclosure, researchers have found several variants and other vulnerabilities that abuse speculative execution to access restricted memory. Intel and AMD, the two largest processor manufacturers, have been playing a cat-and-mouse game of patching these flaws, usually at the cost of processor performance. The performance loss has been up to 30% in extreme cases. This has led many desktop users, who are less impacted by Spectre, Meltdown, and the like, to disable the security options to retain more processing power. 

How to Solve the Problem
Mitigating this type of vulnerability in a cloud environment where security is paramount ranges from difficult to impossible. Patching these vulnerabilities requires difficult microcode updates to the processor itself. Because of these challenges, we’re likely heading towards a future where Intel and AMD manufacture different classes of processors that focus on either security or speed.

Cyber security is all about risk trade-offs. Desktop computers and non-virtualized servers have less to lose from an attacker successfully exploiting a Meltdown-like vulnerability than virtual environments, where an exploit could be a disaster. Since their risk is substantially lower, they could benefit from remaining vulnerable in return for significantly better processor performance. Processors used in virtual environments would likely swing the other way: prioritize security over speed by removing speculative execution entirely (or possibly something slightly less drastic). This could lead to different processor lines, one focused on security with slightly degraded performance and another focused on pure execution speed that risks falling victim to speculative execution attacks.

Researchers have already opened Pandora’s box for processor security vulnerabilities and the days are clearly numbered for speculative execution in its current form. Since the original Meltdown and Spectre disclosures, researchers have discovered additional serious flaws nearly every other month. At this rate, something will have to change to keep cloud applications safe. Whether that will be a fundamental re-architecture on all processors or a split into different security and performance-focused lines remains to be seen.

Related Content:

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc’s day-to-day responsibilities include researching and reporting on the latest information security threats and … View Full Bio

More Insights


Continue Reading

Cyber Security

Pipeline Update: Biden Executive Order, DarkSide Detailed and Gas Bags




The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Coinsmart. Beste Bitcoin-Börse in Europa

Continue Reading

Cyber Security

8 Cyber Security Practices Every Organization Adopt




Computer internet cyber security background. Cyber crime vector illustration. digital
Computer internet cyber security background. Cyber crime vector illustration. digital

Cyber security is such a pressing matter among companies, especially for large enterprises. Since there’s a lot to get from hacking large companies, they’re bound to experience cyber threats such as Trojans, malware, phishing, and ransomware regularly. But remember that there have been cases of cyberattacks on businesses with 100 or fewer employees, so small- and medium-sized companies are not exempt from this issue.

Regardless of the size of your company, consider strengthening your cyber security. There’s no better way to do that than by increasing the number of your security controls.

Security controls are countermeasures that prevent cyberattacks and minimize security risks on information, physical property, and, most importantly, your computer systems. For more information, you can read the article of Beryllium regarding security controls.

If you plan to establish newer security controls for your computer systems, you might want to consider looking into the following cyber security practices:

Table of Contents

Invest In Antivirus Software

A long time ago, you only had to worry about viruses, but that’s no longer the case. Today, there are all kinds of cyberthreats such as Trojan horses, worms, spyware, ransomware, and malware. If you want to be protected against these kinds of threats, you should consider investing in antivirus software. Antivirus software refers to any program designed to detect and eliminate various threats to a system, including those mentioned earlier.

Establish A Firewall

Antivirus software focuses on threats that may corrupt the programs inside a computer system. However, it doesn’t cover external threats; for those, you need a firewall. A firewall is a form of security control that helps keep external threats from breaching a computer system in the first place. You can think of it as the first line of defense against cyber threats. A firewall partnered with antivirus software can provide extremely powerful protection for any organization.

Utilize Multifactor Authentication

Usually, when logging into a computer system, you need to input your username and an authentication code, which is the password. But as previously said, cyberthreats have already evolved. It’s no longer enough to use a single authentication code, and that’s what multifactor authentication (MFA) is all about.

Basically, multifactor authentication is the process of requiring more than two codes from the user. So instead of a password alone, the system may also ask for a fingerprint, one-time passwords (OTPs), and more. This reduces the chances of hackers getting into the system.

Encourage Safe And Secure Passwords

Although you can use MFA, passwords are still the hardest authentication codes to crack. Hackers can steal OTPs with special software or even fake fingerprints. However, passwords are difficult to predict, perhaps due to their randomness.

If you’re going to implement MFA, you might as well make sure your employees have safe and secure passwords. You can start by giving them a few pointers, such as the following:

    • Use a password generator for the sake of randomness.
    • Avoid common characters.
    • Use a mix of characters.
    • Lengthen your password.

Monitor Third Parties’ Access To Data

Certain companies outsource some of their operations to third-party agencies. In doing so, they’re giving those firms access to confidential information.

If you’re currently in partnership with an outsourcing agency, you might want to consider monitoring them and limiting their access to data as well. After all, you can’t strengthen their cyber security even if you want to. If you do suffer from security breaches due to their negligence, your company would be on the losing side, so it’s better to be safe than sorry.

Check For Security Patches And Updates

Operating systems roll out security patches and updates every now and then. Your job is to apply those patches as soon as possible. Even if you leave your computer system outdated only for a few hours, there can be severe consequences.

Back Up All Data

Regardless of how secure your system is, there’s no guarantee that a hacker won’t get past your security controls. To minimize the damage from security breaches, companies must have a backup of all their data on a device not connected to the computer system. That way, if ever the computer system’s corrupted, you don’t have to worry about your data getting lost.

Educate Your Employees

Making mistakes is what makes one human. Some errors have minor consequences, but some can lead to huge problems. If your employees have access to the company’s system, the only thing hackers need to do is to take advantage of inexperienced employees. They can do this through phishing and other social engineering techniques.

If you don’t want your employees to bear all the blame for a security breach, try raising their awareness through training that teaches them about cyber security threats. Granted, it won’t guarantee 100% security, but it will reduce the chances for a cyberattack nonetheless.

Wrapping Up

Take note that every security control has a weakness. Your job is to ensure that those weaknesses are taken care of by other security controls. Take antivirus software and firewall, for example. Antivirus software deals with internal threats, while a firewall deals with external threats. If you want to strengthen your cyber security, you need to know how cyber security practices interact with each other, and this guide should have everything you need in that regard.

Coinsmart. Beste Bitcoin-Börse in Europa

Continue Reading

Cyber Security

How to Become a Cybersecurity Specialist





In the modern age, a cybersecurity expert acts as a watchdog. Cybersecurity experts work with businesses and organisations to keep networks and data safe.

One of a cybersecurity specialist’s main duties is to keep track of their company’s systems and report any problems to management. They are also in charge of foreseeing potential threats and providing advice about how to deal with them.

Table of Contents

What is a cybersecurity specialist?

Depending on the size and shape of his or her company or organisation, a cybersecurity specialist can wear a variety of hats.

Cybersecurity experts, as the job description suggests, are supposed to provide a certain degree of experience and knowledge that enables them to provide guidance and training on the most up-to-date digital best practises.

Cybersecurity experts may have in-depth knowledge of a specific vendor’s product (such as CISCO Systems, which manufactures networking and IT products), or they may have experience with other domains such as computer operating systems or mobile applications.

A cybersecurity specialist can be thought of as someone who monitors a company’s or organization’s security while also assisting other employees and teammates in staying current on best practises.

This position is crucial because data breaches are often caused by employees, either deliberately or unintentionally.

Four key steps to becoming a cybersecurity specialist

1. Education: Most cybersecurity specialist positions, like the majority of other cybersecurity jobs, require some sort of formal education. However, since cybersecurity specialist positions cover such a broad range of job descriptions and duties, a specialist job can be obtained after completing many levels of cybersecurity education.

In other words, people with a cybersecurity associate’s degree, bachelor’s degree, or master’s degree will work as cybersecurity specialists. Furthermore, several cybersecurity specialists found jobs after completing a similar degree (such as computer science, engineering, or mathematics) and/or gaining relevant work experience.

2. Industry certifications and clearances: Obtaining the required industry certifications and/or clearances is a vital phase in job planning, as it is in many other cybersecurity career paths.

It’s a good idea to start thinking about what certifications an employer may need, or what certifications make job applicants more competitive in their profession.

Here are a few examples of the different types of cybersecurity certifications available:

Security+ is a CompTIA qualification that is widely recognised by cybersecurity practitioners as a foundational credential. The topics of risk management and threat evaluation are included.

CompTIA offers Network + as well. This credential focuses on networking technology and operations, as the name suggests. It is regarded as a basic qualification.

A more specialised qualification, the Certified Information Systems Security Professional (CISSP), is reserved for cybersecurity practitioners with at least five years of experience. Architecture, engineering, and management are among the subjects covered by the credential.

Since it normally allows candidates to have several years of work experience, the Certified Ethical Hacker (CEH) credential is often considered a more advanced cert. The aim of an ethical hacker credential is to develop threat assessment and mitigation skills by understanding how cyber attacks unfold.

These are just a few of the many cybersecurity certifications that are accessible. When looking for cybersecurity work openings, it’s a good idea to keep track of the certifications that employers are looking for.

When applying for cybersecurity specialist jobs, it’s also a good idea to inquire about professional development programmes, such as certifications that an employer will pay for.

3. Experience: Another important aspect of obtaining a job as a cybersecurity specialist is demonstrating relevant experience.

This can be in the form of a structured internship or other formal hands-on learning, or it can be in the form of other similar work experience.

4. Network: Looking for opportunities to grow a professional network is always a good idea.

There are a variety of specialist cybersecurity associations and groups with a network-oriented approach that are explicitly structured to notify members about job openings and professional development opportunities.

A good place to start is Digital Guardian’s list of the top 50 cybersecurity networking groups and professional organisations.

What do cybersecurity specialists do?

Security evaluations of computer hardware and software systems are created and implemented by cybersecurity experts. They ensure that the systems work as they should and are secure from attack.

A cybersecurity specialist’s work can be very routine at times. They are in charge of ensuring that networks and operating systems are up to date and free of software bugs.

Furthermore, security specialists are responsible for ensuring that other coworkers are kept up to date on security best practises, which could require them to serve as a trainer or counsellor.

Designing firewalls and other protection mechanisms to ensure that information and proprietary networks are compatible with the most current security requirements is another part of a cybersecurity specialist’s task.

Cybersecurity experts are also in charge of continuously monitoring security systems and networks for irregularities and documenting and reporting on their findings.

Skills for specialists

Cybersecurity professionals play an interesting role in the businesses and institutions where they work. People in this role are often hired for their social skills as well as their technical abilities.

Cybersecurity experts must be able to interact effectively and work well in groups. Coaching and advising coworkers on security best practises is a common part of the job.

In addition, cybersecurity experts are often called upon in times of crisis or disaster, as well as when networks or data structures are malfunctioning. As a result, the ability to survive in “emergency” situations is critical.

Finally, becoming a security specialist can entail assisting coworkers in adopting new technologies and security software as it evolves. However, most people are averse to change, especially if it necessitates learning a new operating procedure or work-flow. As a result, the ability to express the rationale for the transition, as well as the ability to appeal to the desires and objections of coworkers, is crucial.

Cybersecurity experts must be at ease in a continuously changing and shifting environment. New digital attack vectors and mechanisms emerge on a regular basis, and a cybersecurity expert is charged with determining what skills and expertise are needed to defend against these new threats.

This frequently necessitates continued education, both in the form of formal, industry-recognized certifications and informal learning and monitoring of industry developments.

A cybersecurity expert should be like a Swiss Army knife of the digital world in terms of expertise, experience, and general attitude. This role requires multi-disciplinary skills and the ability to adapt to a wide range of circumstances.

Outlook for cybersecurity specialists

According to a new PayScale survey, the majority of workers with the job title cybersecurity specialists are satisfied with their employment.

According to Payscale, cybersecurity professionals are paid differently based on their expertise, roles, and place. A specialist’s salary varies from $45,644 to $115,841. The average salary is $74,140 a year.

Employment prospects for cybersecurity specialists are expected to rise 36 percent by 2024, far faster than other careers, indicating an increasing demand for cybersecurity expertise in all fields and career levels.

Coinsmart. Beste Bitcoin-Börse in Europa

Continue Reading

Cyber Security

How Digital Transformation Influences Cyber Security in Banking




Banks’ first priority is the protection of their clients’ assets. That’s why ensuring cyber security in banking is crucial. As a rule, financial institutions are attacked 300 times more often than other companies. Giants in the market, such as Mastercard, deal with about half a million intrusion attempts daily. We’ll tell you about the challenges that 

next-generation banks face today and the factors that influence cyber security in financial institutions. 

The increasing risk of threats

People are gradually moving away from paper money, choosing online banking over it. To meet customer expectations, financial companies develop user-friendly websites and mobile apps. By doing so, they put their cyber security at risk.  

No app is perfect. The research company Accenture has proved that with its study of 30 core banking systems – all of them had security vulnerabilities, such as insecure data storage, insecure authentication, code forgery, and so on. Another similar study revealed that 85% of programs have weaknesses. 

One minor vulnerability might be enough for malefactors to get what they want: personal user data, access to bank accounts, CEOs’ or managers’ data, etc. Cyber crime costs financial institutions $18.5 million per year, and the losses are projected to grow up to $6 trillion per year. Quite an impressive growth, right? 

In light of all the above, cyber security assurance becomes vitally important. What threats does the banking industry face? 

New types of cyber attacks

As security systems are upgraded, more sophisticated ways of stealing data appear.  

For example, fileless malware penetrates the random-access memory of a device through licensed programs directly, without being saved on the hard drive. Every month, the number of such attacks increases. These attacks are hard to spot and prevent, and they pose a serious threat even to advanced security systems.

Spoofing is a new type of threat and another cyber security challenge. Fraudsters make fake websites, the URLs and designs of which resemble a web app of the real bank. When accessing the system, a user enters personal data into the form, thus unconsciously sending it to hackers. 

Fortunately, cutting-edge technology based on AI and ML and skilled cyber security professionals can keep the banks safe from that kind of incident.

Digitalization challenges

The banking industry is one of the first to respond to the digital requests of society. Today, customers contact banks via laptops, tablets, smartphones, and smartwatches. IoT devices, in turn, help banks obtain more information about the preferences, needs, and habits of their clients. 

New opportunities pose new challenges for banks. For example, financial institutions might find it difficult to decide on user authentication methods, places for storing bank details, or they might have problems with unauthorized data access, and so on. Since most of the information in the banking sector is secret and data breaches lead to huge losses, cyber security turns into one of the important development thrusts in banking.  

Banks are willing to invest in cyber security. They will account for almost 30% of all the spending on threat protection by 2023, which amounts to approximately $151.2 billion. 

What data breaches lead to

Сyber security costs prove its value. For example, JPMorgan Chase & Co. spends about $600 million yearly to secure its data and employs about three thousand cyber security experts!

Banks have to take such steps – otherwise, they might find themselves in a situation similar to that of CapitalOne who didn’t manage to protect data in the cloud. As a result, one hundred million people in America and about six million in Canada suffered from hacking. Up to 140,000 Social Security numbers and about 80,000 bank account numbers were stolen. The bank itself was charged a penalty of $80 million, and its reputation was shattered.  

Financial institutions need cyber security tools to protect their customers. As a survey by Ponemon Institute showed, it is better to put effort into threat prevention than deal with the consequences afterward. 

Remote working and cyber security

Most specialists (75%) surveyed by McKinsey prefer to work remotely and are not going to return to their offices. The remote working trend will surely continue in the coming years. In the case of bank officers, this contributes to the attitude towards cyber security – data protection concern is ever more topical.

There is a reason for that. In April of 2020 alone, Google recorded around 18 million malicious and phishing emails. In this context, banks had to change their security policies several times, conduct specialized information campaigns among their employees, and train them on anti-phishing tests. 

Penalties for non-compliance with security requirements

Compliance with cyber security requirements is controlled by the law – therefore, banks are concerned with conforming to legislation. None of them wants to be charged with penalties by, say, the Federal Deposit Insurance Corporation due to security requirement violation or poor protection of client rights.

If a banking institution can’t follow data protection regulations, there will be a huge monetary penalty – just as it happened to the New York Apple Bank for Savings that was charged a penalty of $12.5 million for an alleged violation of the Bank Secrecy Act. 

A few more words about cyber security

Cyber security investment became especially relevant when the UK and Europe began the transition to open banking. Data flows are opening between different financial companies, and it is becoming extremely important to ensure data protection when transmitting or storing it in the сloud. 

However, research by Deloitte showed that many financial companies can’t keep pace with digital transformation. The founder of Cybersecurity Ventures Steve Morgan says that the business sector is undergoing the natural evolution of cyber crime, as it was with street and other types of crime that developed as the population grew. In addition, cyber-attack methods are improving, hence the traditional ways to deal with them are becoming outdated.     

Although it may be hard to eliminate all the threats and fully protect one’s resources from vulnerabilities, a bank can be kept safe from drastic consequences by limiting the area of attack and preventing it from spreading. That is why financial institutions must be flexible in terms of cyber security and employ specialists with relevant knowledge. After all, investors prefer those financial companies that have secure systems, generate profits, lead the market, and grow. 


Continue Reading
Nano Technology19 mins ago

Polarization-sensitive photodetection using 2D/3D perovskite heterostructure crystal

Nano Technology19 mins ago

With a zap of light, system switches objects’ colors and patterns: “Programmable matter” technique could enable product designers to churn out prototypes with ease

Nano Technology20 mins ago

Graphene key for novel hardware security

Nano Technology20 mins ago

180 Degree Capital Corp. Reports +14.2% Growth in Q1 2021, $10.60 Net Asset Value Per Share as of March 31, 2021, and Developments From Q2 2021

Nano Technology21 mins ago

Tiny, Wireless, Injectable Chips Use Ultrasound to Monitor Body Processes

CNBC32 mins ago

Colonial Pipeline hack was ‘wakeup call’ on U.S. cyber vulnerability, Buttigieg says

Nano Technology39 mins ago

Polarization-sensitive photodetection using 2D/3D perovskite heterostructure crystal

Nano Technology39 mins ago

With a zap of light, system switches objects’ colors and patterns: “Programmable matter” technique could enable product designers to churn out prototypes with ease

Nano Technology40 mins ago

180 Degree Capital Corp. Reports +14.2% Growth in Q1 2021, $10.60 Net Asset Value Per Share as of March 31, 2021, and Developments From Q2 2021

Esports42 mins ago

Discord tests monetized audio events, introduces ‘Discovery’ feature

CNBC44 mins ago

Former coal mines in Britain are being tested to see if they can become a geothermal energy plant

CNBC44 mins ago

Why everyone from Elon Musk to Janet Yellen is worried about bitcoin’s energy usage

Esports52 mins ago

5 Things We Want in Genshin Impact 1.6

Techcrunch52 mins ago

Short seller says Lemonade website bug exposed insurance customers’ account data

Techcrunch54 mins ago

Sylvera grabs seed backing from Index to help close the accountability gap around carbon offsetting

Business Insider57 mins ago

Touchstone Bank Adds to the Richmond-MSA Team

Energy58 mins ago

Global Industrial Rubber Products Market to Reach $136.5 Billion by 2026

Business Insider58 mins ago

Global Industrial Rubber Products Market to Reach $136.5 Billion by 2026

Esports59 mins ago

Qualifiers for FunSpark ULTI Asia Regional Series 2 announced

Esports1 hour ago

Here are the 10 teams competing at VCT Stage 2: Masters Reykjavík

Techcrunch1 hour ago

The fulfilling world of warehouse robotics

AR/VR1 hour ago

A Rogue Escape Surfaces in June for PC VR

Energy1 hour ago

Oglethorpe Power First Quarter 2021 Investor Briefing Call To Be Held May 18

Esports1 hour ago

P3NGU1N on Parabellum being the first majority-Canadian team at SI: ‘It’s a nice F you to everyone who doubted the Canadians’

Techcrunch1 hour ago

Framework’s repairable laptop is up for preorder, starting at $999

Startups1 hour ago

SpecTrust raises millions to fight cybercrime with its no-code platform

CNBC1 hour ago

Framework’s modular DIY laptop is available to pre-order

Aviation1 hour ago

What Happened To Flyglobespan?

Energy1 hour ago

Aviation Fuel Market Procurement Intelligence Report with COVID-19 Impact Updates | SpendEdge

Energy1 hour ago

KinerjaPay Corp. Received Payment from Its First Shipment of Steam Coal