4: Risk and Exploits - Dealing with Meltdown and Spectre
Randy and Don discuss an item ripped from the headlines: What should a technical manager do about the recent Meltdown and Spectre exploits? They move into the CTO modes of research, understanding, translation, preparation, upgrading, monitoring, and, most of all, not freaking out. Randy requests a bobblehead or plush toy of the Spectre logo.
- Ripped from the headlines: Part of Randy and Don's week was dealing with Meltdown and Spectre vulnerabilities.
- What is a CTO or technical manager supposed to do when big-name vulnerabilities hit the press?
- Don't try to be the smartest person in the room, or every problem will end up on your desk.
- Start with research!
- Good and bad sources for information.
- A CTO must be able to explain the technical details at a business level to stakeholders.
- Randy mentions that these problems were being worked on months ago.
- If you have a laptop on your desk with Windows, you've outsourced a level of security to a big provider.
- It's ok to admit you don't have all the information right this minute.
- Tell staff to hold off on visiting unfamiliar websites, downloading software, and installing updates on their own until the situation is clearer.
- There are security consultants that can take a big load of work off firms, for a price.
- A tactic for reducing anxiety: A crib sheet of all technologies (and contact numbers) used by the firm in the event of issues.
- Randy wants a Meltdown and Spectre bobblehead. Don promises to get him one.
- Official Meltdown and Spectre website: https://meltdownattack.com
- Amazon Web Services: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
- Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
- Ars Technica: https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/
- Apple: https://support.apple.com/en-us/HT208394
- Rendition Infosec: https://www.renditioninfosec.com/2018/01/meltdown-and-sceptre-enterprise-action-plan/
- Ruby Security Google Group
- Rails Security Google Group
- Snyk – Subscription may be required
- Gemnasium – Subscription may be required
- National Vulnerability Database
- CVE Details
- Focal Point - company that provides security audits for Don
- Google Chrome: Security on Chrome
© 2017-2018 CTO Think. All Rights Reserved.