What Lesson Heartbleed Teaches Us

My job not only involves analyzing malware and vulnerabilities, or talking about the latest security threats, but a big part of it is to also try to explain and educate users on how to build security. When doing so, some of the major topics I try to emphasize are the need to backup, protect against malicious code, keep your systems up-to-date with the latest security patches and, of course, use encryption. I’m pretty sure that you have heard it all before right?

But what do we do when the security software we use becomes vulnerable and is the entry point for attackers?

lessons

This is a very hot discussion right now, especially with the recent OpenSSL Heartbleed attack that has been made public. I decided to make this post more personal because I’m sure that you can find tons of articles about SSL and the Heartbleed attack, but I wanted to share my thoughts on why these types of vulnerabilities are so critical.

Before I start talking about the Heartbleed attack, I think it’s important to mention that the mindset we have today when we look at security products and solutions is broken. The way we evaluate security products or solutions is by looking at functions and features, and if they comply with what we are trying to achieve, then we buy them.

The problem with this is that we tend to forget all the things that the security product or solutions won’t do for us. We need to understand that security products and solutions should compliment a secure mindset.

So why am I talking about this regarding the OpenSSL Heartbleed vulnerability? I think that we, in general, assume that the Internet is working and is a secure platform. We use the Internet for very personal things, dating, shopping, communicating, managing our finances and more. The problem with the Internet is that when something goes wrong, it can get very bad, very quickly.

One big problem with the Internet is that it’s extremely fragmented.  Some online resources have extreme security and very robust infrastructure, while other resources have been forgotten about and are extremely fragile and vulnerable. We also have sites we consider very secure and robust that tend to become vulnerable because of the extreme number of dependencies of systems. It is impossible to secure every single component in our IT systems.

When something goes wrong with Internet infrastructure, it can get very bad, very quickly

When using the Internet we need to assume the worst and take action accordingly. The problem is that we also use resources outside of the world of the Internet that we trust, like medical systems, governments and others; but they all use the Internet as well. So when something as major as the Heartbleed vulnerability happens, the impact is enormous.

It is quite difficult to say how widespread the Heartbleed attack is and what the impact will be when criminals start to exploit this vulnerability. But imagine that someone is able to copy keys to all the bank vaults in the entire world? At first glance it sounds really bad, but it all depends on what’s in the vaults.

I hope that we do not see any security vulnerability like this in the near future because we will be busy for some time with this one. But we need to remember that software is just software and there will always be vulnerabilities in it. We also need to start understanding that even though we backup, encrypt and protect against malicious code, we still have sensitive data, data that can leak. And if this data gets leaked, we need to do everything we can to make the data as useless as possible for the person who obtains it.

Send to Kindle