MineralTree Statement on the Meltdown and Spectre Security Flaws
Meltdown and Spectre Security Flaws
At the beginning of 2018, two newly detected security flaws dubbed Meltdown and Spectre were reported by a number of news outlets. We have no evidence that MineralTree’s systems have been impacted, but we do want to inform you of the steps we have taken to mitigate the risks from these flaws.
- Almost all computer systems in use are vulnerable.
- The security flaws are unusual in that they were both reported to occur at the hardware level. One, Meltdown, affects Intel processors; the other, Spectre, is a flaw in the design of microprocessors that affects all chip manufacturers.
- The security flaws went undetected for an unusually long time: nearly two decades.
- The exposure caused by the vulnerability is severe. Successful exploitation of this flaw would enable an attacker to gain access to anything stored on that system.
MineralTree operations are housed in the cloud at Amazon Web Services (AWS), and AWS is taking all the necessary precautions to safeguard information hosted in its environments: it has worked with operating system developers to respond quickly to the risks. Patches have already been deployed to all of Amazon’s 11 cloud regions with 28 data centers each with 50,000 to 80,000 servers across the world.
Additional information on how AWS is handling the security flaws can be found here:
Processor Speculative Execution Research Disclosure
Concerning: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
How MineralTree Responded to Protect You and Your Information
MineralTree maintains a robust security program that actively reviews risk and mitigation strategies. Policies and procedures are maintained, including incident response. While MineralTree utilizes the capabilities of AWS for security, MineralTree’s security program extends beyond AWS. It is a “Defense in Depth” strategy that uses overlapping security measures to anticipate the failure of any one security system. Some of the technical measures include:
- Network Segmentation
- Encryption at Rest
- Host and Network Intrusion Detection Systems
- Centralized Server Configuration Management
- Routine Patching
- Data Loss Prevention
As such, our program mitigates the risk and limits the opportunity for “bad actors” to exploit this vulnerability. Nevertheless, following guidance from AWS and our own security program, MineralTree has patched our systems with the latest upgrades and security measures and will continue to make system updates on a regular basis. Safeguarding your information is our top priority.
Meltdown and Spectre CPU Vulnerabilities: What You Need to Know, Welivesecurity