OK, 2018 has just started and it has totally borked all networks in the whole world. That's a fine mess we're in to start off the year. :-)
Meltdown and Spectre are CPU hardware design flaws that we techies understand. In a nutshell, Meltdown breaks the isolation between the user app and the OS, so the app can do a memory dump and steal any data in it. Spectre goes further. It breaks the isolation between apps. It's harder to exploit but harder to mitigate.
However, how to explain this to your C-level and end-users is another story.
First thing to understand is that the vulnerable machine has to have malware running to exploit this vulnerability. And who are the most prone to let bad guys into their machine to start with? Right... users.
Another excellent reason to step them through new-school security awareness training immediately, because Meltdown and Spectre are going to be with us for a while.
We have just released our brand-new 2018 flagship 45-minute training module and a whole new batch of new videos from a new publisher.
I strongly recommend to not waste this crisis and require all staff to start the new year with a refresher awareness course, pretty much right away.
So now, how to explain this to everyone in your organization?
I suggest you send the following to your C-level execs and employees. You're welcome to copy, paste, and/or edit:
"Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It's really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.
This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.
So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.
So, What Are We Doing About This?
We need to update and patch all machines on the network. This is going to take some time, some of the patches are not even available yet. We also may have to replace some mission-critical computers to fix this.
In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click.
[OPTIONAL] To help you stay safe online in the office and also at the house, please step through this new security awareness training module which will take you 45 minutes. Consider it an urgent "lunch & learn" because of this hardware bug." (Thanks, Mr. Intel...)
Here is a good site with an FAQ and videos about this SNAFU, that you can refer people to if they want to know more. For instance, antivirus does not protect against this vulnerability.
Let's stay safe out there.
Stu Sjouwerman, Founder and CEO, KnowBe4, Inc.