Meltdown & Spectre Follow Up – Specific PCI DSS Action Items

Following up on our recent alert regarding the Meltdown and Spectre security flaws, RSI now provides subsequent information and recommendations to our clients and all organizations needing to adhere to PCI compliance requirements.

As patches have been deployed by Microsoft and Apple, along with firmware / bios updates released by your PC / CPU / motherboard vendor, it is important to install these critical patches ASAP and conduct a risk assessment given these significant security vulnerabilities.

Per PCI DSS Section 6 requirements, reactive vulnerability remediation processes — whereby organizations wait for communication and action plans from affected vendors — are no longer sufficient. The council now requires that organizations proactively identify vulnerabilities and plan out remediation efforts based on ALL available information, including third party news, industry groups, mailing lists, etc.

PCI compliant organizations should have these steps in place to address the Meltdown and Spectre flaws:

1. Vulnerability Identification: Scoping out the flaw, learning and understanding all you can from third-party sources that may not currently be known or resolved by the vendor.
2. Risk Ranking: Assessing the likelihood of an attacker exploiting the vulnerabilities exposed by the flaw, as well as the flaws potential impact on your organization.
3. Risk Remediation: Documented plans and processes to remediate the risks brought forth by the flaws

Lastly, stay alert to any updates or revisions to patches already issued by your software and hardware vendors. As frenetic as the Cybersecurity environment is normally, Meltdown and Spectre presented deeper, fundamental architectural issues, resulting in fluid remediation methods and ultimate outcomes.

Update: As of Jan 22, 2018

Intel just deployed fixes to its industry partners for Broadwell and Haswell platform systems, and it will make a final release available to the public once this testing has been completed. Because another update patch is pending, Intel has informed its OEMs, cloud service providers, system manufacturers, software vendors and end users to stop deployment of current versions of the fix.

Bottom line:Stay informed of daily computing news, and if you havent already updated your operating system and applied any updates from your computer maker, then do nothing until the new patch is released.

---

About the Author

Eric Haruki is a technology analyst with over 15 years of experience advising global category leaderssuch as Samsung, Panasonic, HP, & Ciscoonproduct and brand strategy, market competitiveness, and in areas of untapped product and distribution opportunity. He has produced both syndicated and project work, delivering forecasts, SWOT analyses, road maps, and panel survey insights to research customers around the globe. Eric has contributed to major print and television press outlets and has been a featured presenter at industry conferences. He isdriven to find insights through extensive market research and deliver concise and actionable solutions to vendors, leading ultimately to the development of valued downstream goods and services to end users.