It’s been a couple of months since news of the Heartbleed vulnerability first spawned global near-hysteria. The bug, which sat virtually unnoticed on approximately two-thirds of the world’s web servers for about two years before it grabbed global headlines, was a weakness in the widely used OpenSSL security code for authenticating users which made it dead-simple-easy for hackers to exploit affected systems and obtain usernames, passwords and other confidential data — all without leaving a trace that they had been there in the first place.
It was hardly the first such vulnerability to be discovered — and it will certainly not be the last. Just days after Heartbleed entered the public consciousness, a Zero Day exploit rendered multiple versions of Microsoft’s Internet Explorer browser vulnerable to malicious code injection attacks. This was quickly followed by BlackShades, a particularly nasty piece of malware that allowed hackers to remotely take over webcams. It wasn’t the first troika of branded technological malevolence in history, but it was easily the first one that made non-techies stand up and take notice.
Unlike anything that had come before it, Heartbleed, along with its IE Zero Day and BlackShades companions, freaked out an already nervous public and struck a nerve that catapulted it well beyond the usual audience of IT security folks. When my mother called me well past her bedtime to ask if she needed to pay attention to "this Heartbleed thing," I knew we had crossed the line into mainstream concern.
The gift that keeps on giving
Like all security-related stories, it flared big for a few days before fading back into obscurity. Web admins around the world patched their servers and reissued security certificates. IT departments worked with end-users to ensure passwords were updated, and password management protocols were understood and enforced. To avoid being caught in future, companies updated their security-centric training and, satisfied they had closed the latest in a long series of security gaps, returned to the everyday business of everyday business.
Unfortunately, the very idea of "everyday business" is something of a pipedream in this era of elevated security consciousness because even after all that scurrying, Heartbleed didn’t go away. In early June, barely two months after the last Heartbleed-related headline faded from view, it was back in the news. The OpenSSL project announced the discovery of six new vulnerabilities that, if left unpatched, could make it easy for hackers to carry out a range of attacks, including denial of service, remote code execution, and information disclosure. Separately, a Portuguese researcher published findings that suggested Heartbleed could be refocused via Wi-Fi toward vulnerable routers and Android devices. Whatever the source, it was and is clear that the problem is persistent, and we may not want to let our guard down anytime soon.
Finding the opportunity in crisis
I admit feeling more than a little ambivalent about Heartbleed and its impact. On the one hand, it bothers me that near-universal use of a common chunk of security code can cause so much disruption within the web-based economy. While I’m certain web admins the world over had entirely valid reasons for including OpenSSL authentication in their overall technology mix, it’s more than a little frightening to think that a simple oversight in the design of that fundamental building block could go unnoticed for so long.
At the same time, there’s an upside to Heartbleed’s explosion into mainstream thought. If anything, the experience has raised the profile of security-related vulnerabilities and challenged us to finally take the issue of online security more seriously than we have in the past. As big a news story as it was, outside of the Canada Revenue Agency’s revelation that details belonging to 900 taxpayers were compromised, there were no other reported data breaches. For all the noise the story generated, there were relatively few victims.
In other words, we dodged a bullet and learned our lesson in the process. Hopefully, that is.
All of this is a timely reminder that companies of all sizes need to rethink their approach to security. Going forward, Heartbleed has taught us that we must:
- Increase security spending. Heartbleed is a warning sign that we — individuals, companies, governments, society in general — aren't spending enough on security, and we haven't made it a priority. Events like Heartbleed happen in the first place because we don’t invest enough in preventative technologies, training, and processes. As long as this passive-first culture prevails, we'll continue to be behind the curve, and unnecessarily vulnerable as a result.
- Hire more experts. The industry needs more researchers, IT experts and security specialists to proactively hunt for weaknesses and figure out ways to protect our systems — and us — before they can do significant damage. We need to give them more and better tools to get the job done, and re-order our spending priorities to make it easier to justify security-related spending, even if it doesn’t directly drive revenue. Ultimately, more secure systems, because they can prevent catastrophic breach-related losses, are more critical to the bottom line than perhaps any other form of IT investment.
- View online security as a form of insurance. It isn't sexy — we'd rather spend our money on shiny gadgets than intangible security infrastructure and support — but the direct and indirect costs will only skyrocket the longer we push them off.
- Become password-savvy. Heartbleed wouldn’t have been as big a threat had companies and their end-users been more diligent about maintaining safe password procedures. Instead of using the same, easy-to-guess passwords for multiple systems, we need to choose unique passwords that have nothing to do with our favourite pet. We need to change them often, and we should be installing password management apps like Dashlane or LastPass on corporate mobile devices and deploying remote management tools to ensure compliance.
- Learn from our municipal experience. Society has done a poor job maintaining our sewers, roads, bridges and other critical services and because of it, we now face massive bills to rebuild everything. The so-called Infrastructure Gap is the price we pay for decades of ignoring basic maintenance of the easily ignored utilities and services that are absolutely essential to daily life. The same problem afflicts security infrastructure, and the gap here is no less threatening to our online future. We need a massive cultural shift to close the gap and reduce our exposure to so-called surprise vulnerabilities. Indeed, nothing of this scale should ever be a surprise.
With these lessons firmly in mind, we now find ourselves at a critical inflection point in terms of business perceptions of online security. The Heartbleed vulnerability, followed closely by the Internet Explorer Zero Day exploit and the BlackShades malware outbreak, reinforced the fact that not-quite-100%-security is our new normal. It also confirmed, once and for all, that businesses of all stripes have been security slackers for too long, focusing too much on shiny, sexy new hardware and not enough on the relatively boring and invisible security products that will keep all that hardware — and end-users — safe.