George Hillston


What Heartbleed can teach businesses about information security

Reflection on crucial lessons that every business must recover from the ashes of the Heartbleed fallout

Very few global IT security incidents and vulnerabilities in history come anywhere near the shadowy, anxiety-provoking spotlight that is now shining firmly on the arena of information security. The impact of the OpenSSL bug known as Heartbleed – officially documented as CVE-2014-0160 – has reached far and wide since it went public on 7th April 2014. One of the most fundamental backbones of security on the Internet has been dealt a severe confidence blow.

Trusting the Internet

Due to this crucial transport-layer vulnerability, which causes memory content to leak when exploited, an incalculable number of private keys have been exposed. While IT security teams worldwide scramble to analyse their systems and patch this bug by upgrading to OpenSSL 1.0.1g or higher, the true impact of the potential risks from retrospective exploitation that Heartbleed has presented may never fully be realised.

Confirmation of documented exploitation of the Heartbleed bug has already been made public, and even though only 64 kilobytes of data can be gained at a time, there is a very real risk that secure data can be – and indeed in many cases has been – compromised.

However, there are a number of crucial lessons which must be learned from Heartbleed, and these are not only relevant to security professionals. Failing to learn these lessons can have grave implications for the image and reputation of the company as a whole.

Layered Encryption Mechanisms

From the reliance on OpenSSL as the sole encryption method in how IT departments consider their security topology, a critical lesson has been learned: the benefits of multi-layered encryption must be fully considered in all areas. This includes digital media devices, such as hard disks in RAID environments.

There will always be certain arenas where this is not possible, namely e-commerce, and there is also the fact that SSL certificates must be revoked and re-issued, even after patching. Such actions are being taken by vendors keen to identify whether they were at risk of exploitation by Heartbleed, even if only for a limited period of time.

But proactive auditing of the security mechanisms used at each part of the private and public-facing network will allow due consideration to be given to using multiple layers. While it is an accepted principle that the notion of being ‘completely secure’ is a somewhat utopian goal, treating information security like a constantly moving spotlight must be a prerequisite to achieving confidence.

Auditing and Destruction

One of the most concerning facts revealed through the Heartbleed vulnerability is that it is impossible to detect if a particular service has been attacked or exploited. The lack of logs and signs of this intrusion means there is no way of knowing if confidential data has indeed been leaked.

The reliance on largely trusted security mechanisms that pose such a potential risk to personal data if exposed must be analysed, including whether certain data should really be protected by only one layer of security in the first place. While in the case of Heartbleed there is no way of knowing first-hand whether critical data was leaked, responsibility must be in place to ensure proper auditing of personal data.

When it comes to the retiring of legacy digital media devices, proper destruction of devices such as hard drives can only be achieved through following Shred-it’s information security best practices. But in learning the lessons of the Heartbleed fallout, data destruction should be an authenticated and provable event, since full disclosure, when this is possible, increases confidence levels.

The collective concern of businesses worldwide about never knowing whether their clients’ data leaked should foster a determination to harden the areas that can be hardened with multiple layers of encryption mechanisms, wherever possible.

While many would argue that the world has yet to reach the epicentre of the Heartbleed fiasco, the American philosopher John Dewey’s words ring with particular resonance: “We do not learn from experience, we learn from reflecting on experience.”

Reflection must begin with a complete audit of how businesses secure their data, and time will reflect just what lessons – if any – are learned in the world of IT and business.

This was posted in Bdaily's Members' News section by George Hillston.
