Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

CybersecurityFeaturesTechnology Media and TelecomCybersecurity Law & Strategy

How Law Firms and Legal Departments Can Protect Against Meltdown and Spectre

By Adam Schlagman
March 01, 2018

In January, news of the Meltdown and Spectre vulnerabilities rocked the cybersecurity world. And even a few months later, the news is still reverberating, due to several patches that are significantly slowing down device and system performance.

To learn more about these vulnerabilities and how law firms and legal departments can protect against them now and in in the future, I sat down with Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint. In this role, Dana is responsible for AvePoint's privacy, data protection and security programs, while managing a global team of subject matter experts that provide executive level consulting, research and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts and solutions for risk management and compliance.

Can you discuss the significance of Meltdown and Spectre, and why these vulnerabilities are so damaging to Windows systems?

Meltdown and Spectre are hardware vulnerabilities that hackers could use to steal information from computer memory. A very serious exploit could result in a compromise or theft of sensitive personal data, such as passwords or banking information. Not only is Meltdown and Spectre having a widespread impact on many systems and devices, the “fixes” for the devices will impact the speed and productivity of the machines themselves. Therefore, the “cure” for Meltdown and Spectre may be difficult to implement. Unfortunately, Microsoft has also stated that if a computer is using older Intel processors (e.g., Windows 8), end users will likely notice a decrease in system performance after installing the patch.

What are the most important steps law firms and legal departments can take to protect themselves from these vulnerabilities?

Despite reservations about the difficult cure, it is critical that legal departments and law firms follow the recommended steps to address both Meltdown and Spectre across their affected devices and systems. To accomplish this, organizations must use their most rigorous efforts to follow advice and guidance as it becomes available from their technology vendors. Unfortunately, this advice is currently quite limited, and is still changing rapidly.

That said, some immediate actions that organizations can take to help shore up their systems are to make sure that their operating systems and browsers have the latest updates, and to look for guidance from vendors with BIOS updates for their motherboards.

Though it can be time consuming and expensive to uncover which vulnerabilities exist, the risk of losing sensitive proprietary and client data is so high — making it critical that all devices and systems be appropriately protected. Specifically, be sure to read the guidance from your firm, company or department's various vendors. For example, Microsoft provides guidance with its latest Windows Server updates, so make sure to update your anti-virus software before applying the patch to your device.

Whose responsibility is it to ensure the company's hardware, devices and software programs are protected from vulnerabilities like Meltdown and Spectre?

It is the IT department's responsibility to ensure the company's hardware, devices and software programs are all protected and have the appropriate patches applied. The security team should also provide guidance. As an IT professional, it's important to ensure your organization is constantly monitoring for notices and bulletins of vulnerabilities through systems like the NIST's National Vulnerabilities Database.

Is there any way for companies to completely prevent Meltdown and Spectre from affecting their Windows systems?

The short answer, unfortunately, is no. It appears that all systems with affected hardware could be vulnerable to Meltdown and Spectre. That said, if you apply the appropriate patches to all devices and systems, you may be able to protect your data, albeit with potential performance issues.

If one of these vulnerabilities is discovered in a company's system, what actions should be taken, both short- and long-term?

At its core, Meltdown allows hackers to gain access to unpatched systems. If you assume that the attacker is already inside (which is best practice for a strong security program regardless), you may be able to reduce significant damages through vigilant monitoring of unauthorized privilege elevation of your IT systems. Vulnerabilities such as Meltdown will enable attackers, but they are only a means to an end. Your goal should be to minimize the attacker's time within your network, which reduces the time they can spend searching for valuable, private data and information.

What are a few cybersecurity best practices to protect systems and prevent instances like these vulnerabilities from having a widespread impact on them?

Always assume that the attacker is already inside of your devices or systems. Don't waste time waiting for evidence that they are there — assume they already have access, and instead, spend your time ensuring you have a constant program in place to manage and monitor for unexpected behaviors. At the same time, make sure that your users have the least privilege possible that is required for them to do their jobs, and monitor and recertify this regularly. Don't just patch your systems on a scheduled basis; adjust your habits regularly to ensure that attackers won't be able to anticipate your patch plans and work around you. Finally, don't protect your systems against only headline news grabbing vulnerabilities, such as Meltdown and Spectre. Security patching should always be a top priority — no matter what's going on in the news.

*****
 Adam Schlagman is the Editor-in-Chief of Cybersecurity Law & Strategy.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.