The ZombieLoad Bug: Estimating Your Organization’s Risk

May 28, 2019  Jeff B. Copeland

ZombieLoad joins Meltdown and Spectre in the parade of ominous (and ominously named) processor execution bugs, grabbing headlines and generating anxious queries from the board room and the C-suite asking how much risk the organization faces.

Yes, Intel rushed out a patch but, as RiskLens Risk Science Director Jack Freund writes in the FAIR Institute blog (RiskLens is technical adviser to the Institute) that poses a classic cyber risk problem that’s only answerable with quantitative cyber risk analysis.

Read Jack’s post ZombieLoad at the Gates - FAIR on Defense

Patching requires turning off some processor features that will result in up to 40% reduction in processor speeds. “This vulnerability presents quite a conundrum for information security professionals,” Jack writes. “Do we sacrifice availability for confidentiality?”

Based on what Intel has revealed about the path of attack, Jack lays out four scenarios that a cybersecurity risk team might analyze, from full remediation of affected servers to partial to no remediation.  Analysts should prioritize scenarios based on the business needs of the organization, then look to quantitative cyber risk analysis to show the financial impact of each.

“When you have zombies at your door, FAIR gives you the support you need for a rational plan of action,” Jack concludes.