Risk and Exploits - Dealing with Meltdown and Spectre
Notes

Ripped from the headlines: part of Randy and Don's week was dealing with the Meltdown and Spectre vulnerabilities. What is a CTO or technical manager supposed to do when big-name vulnerabilities hit the press?

- Try not to be the smartest person you know, or you're doomed to have every problem brought to you.
- Start with research, and know the good and bad sources of information.
- A CTO must be able to explain the technical details at a business level to stakeholders.
- Randy mentions that these problems were being worked on months ago.
- If you have a laptop on your desk with Windows, you've outsourced a level of security to a big provider.
- It's OK to admit you don't have all the information right this minute.
- Tell people to avoid new websites, downloads, and self-applied updates until later.
- There are security consultants who can take a big load of work off firms, for a price.
- A tactic for reducing anxiety: a crib sheet of all technologies (and contact numbers) used by the firm, for use in the event of issues.
- Randy wants a Meltdown and Spectre bobblehead. Don promises to get him one.
Links

Official Meltdown and Spectre websites:
- https://meltdownattack.com
- Amazon Web Services: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
- Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
- Ars Technica: https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/
- Apple: https://support.apple.com/en-us/HT208394
- Rendition Infosec: https://www.renditioninfosec.com/2018/01/meltdown-and-sceptre-enterprise-action-plan/

Security folks:
- @troyhunt
- @briankrebs
- @hacks4pancakes (Lesley Carhart)

Security alerts:
- Ruby Security Google Group
- Rails Security Google Group
- Snyk (subscription may be required)
- Gemnasium (subscription may be required)
- auditjs

Other links:
- CVE National Vulnerability Database
- CVE Details
- Focal Point, the company that provides security audits for Don
- Google Chrome: Security on Chrome

Closing

Thanks for listening to the CTO Think Podcast. If you liked what you heard, please share a link to the podcast with your friends. Reviews on iTunes are always appreciated and help us spread the word about the podcast.

Show music is Dumpster Dive by Marc Walloch, licensed by PremiumBeat.com.

Show notes and previous episodes can be found on our website at www.ctothink.com. For questions, comments, or things you'd like to hear on future shows, please email us at hello@ctothink.com. For notifications of future episodes, please sign up for the CTO Think newsletter on www.ctothink.com.

We'll keep talking next week!