Most people take for granted many activities in their daily lives, such as how water flows into the pipes that reach their bathrooms or how the wires in the street run the electricity into their homes to turn on the lights.
It is this ridiculously oversimplified notion of critical infrastructure that sets a context for reviewing the recent Heartbleed Open SSL vulnerability, and why it remains so important to both businesses and consumers, even as other breaches fade away.
The media frenzy over the April 2014 Heartbleed vulnerability was significant for a number of reasons.
Despite an endless stream of warnings about potentially related cybersecurity issues (such as data breaches and the need to patch various web browsers) and an outbreak of increasingly sophisticated malware, the Heartbleed incident will likely emerge as being of tremendous symbolic and tangible importance to both information security professionals and the mainstream public because of how it changed perceptions about computing.
Even now, as the second Heartbleed-related vulnerability was discovered in early June, the initial incident still remains the focus of specific sectors like tech and information security and their respective energies, discussions, and concerns about the future of computing infrastructure, mobile applications, and personal data protection.
To understand why anyone would still care about this particular bug, it’s important to first understand the specific reasons why Heartbleed made such an impact in the first place.
Without Heartbleed, the recently announced and rapidly pulled-together Core Infrastructure Initiative (CII), which funds open-source projects that are in the critical path for core computing functions, would probably never have succeeded, or at least it would have gone unnoticed.
At a minimum, it might’ve happened without much fanfare and – more importantly – without a key ingredient: funding.
But powerhouses like Adobe, Amazon, Cisco, Dell, Facebook, Google, HP, IBM, Intel, Microsoft, Rackspace and VMWare came together to financially support key open-source initiatives and triage those initiatives most in need of support and assistance. This, seemingly, signals the dawn of a new age in which large technology firms are supporting critical pieces of open-source infrastructure.
This is certainly a good thing for the development of future global computing infrastructure. Alongside the three initial projects that CCI will be supporting (Network Time Protocol, OpenSSH, and OpenSSL), it’s also heartening to see that other key projects, such as the Open Crypto Audit Project, will also soon benefit from this focus on cooperation, analysis, and technical support and on helping “evaluate open source projects that are essential to global computing infrastructure”.
Practically overnight, Heartbleed and OpenSSL became mainstream topics, even recognised by those who are not experts in information security.
Security awareness up and down the ranks of management is a good thing. That said, other incidents that followed, such as problems recently uncovered in the GnuTLS cryptographic library, would probably never have even made the press, been discussed, and then remediated in a reasonable manner if Heartbleed hadn’t blazed a trail for security awareness.
This level of focus and interest is a good thing for businesses’ collective security and for the broader integrity of the computing landscape upon which they rely so heavily.
As the Heartbleed OpenSSL incident became more widely known, the digital certificate-issuing authorities around the world also found themselves challenged to support the massive and sudden demand that literally appeared overnight at their collective doorstep.
Although not a lot has been written about what is essentially a supply chain issue having to do with equipping the relevant parties with enough new digital certificates in time, industry experts agree that this delay points to broader fundamental issues that are worthy of being addressed in the near future from a supply chain and infrastructure viewpoint.
The fact that people are discussing this relatively esoteric and detailed topic is in and of itself a positive step, and lends credence to the notion that awareness is a force multiplier when it comes to providing the mainstream public with an understanding of these rather technical issues.
Remember the confusion it created around changing passwords – or not to change them. To get a real sense of this, type in ‘April 1, 2014 – May 1, 2014’ at https://isc.sans.edu/crls.html and you will see a graphical representation of exactly how significant of an impact this has been.
More than just websites
Despite the initial focus on remediating vulnerable websites, there followed the subsequent realisation that the OpenSSL vulnerability impacted not only websites and online services, but also software packages such as virtualisation products, firewalls, remote access tools and database design tools, as well as numerous versions of router firmware, GNU/Linux distributions, and some versions of mobile operating systems.
Even the information security cognoscenti recognised just how much we’d all come to rely on an open-source project that was being run on a shoestring budget by a handful of extremely committed programmers. And with the clout to bring business to its knees.
A 2014 KPMG Audit Committee Institute report indicated that nearly 45% of those polled “believe the audit committee (or board) doesn’t devote sufficient time to cyber security”.
Moreover, Richard Clarke, former White House special advisor to the president for cyber security, pointed out in early 2014, even before Heartbleed, that “many boards struggle with how to effectively execute their duties to the company in the area of cyber risk management”.
These data points are just some of the evidence of the fact that, while nowhere near perfect, boards are now recognising the importance of understanding, monitoring and protecting their people, information and processes from cyber threats, in whatever form they may come. At least they’ve started to seriously address the impact these issues could have to their future business health.
Joseph Steinberg, the cybersecurity columnist for Forbes Magazine, wrote: “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the internet.” With the three months of hindsight we now have, he probably wasn’t exaggerating.
That being said, every cloud has its silver lining. And in this case, the Heartbleed vulnerability actually has multiple silver linings that we should examine to appreciate how potentially powerful its effect has been as an awareness and remediation tool that could prevent significantly worse information security incidents form occurring in the future.
Will bank accounts be safer, flow of money more secure and personal information less vulnerable to being listened in on thanks to Heartbleed? Such predictions are indeed hard to foresee and only time will tell. But mainstream users are well on the path to absorbing the lessons of this intense experience that was managed primarily by chief technology officers and their teams.
By unintentionally increasing visibility into this niche – yet critical – topic in organisations’ infrastructure, broader industry cooperation and knowledge sharing could lead to relatively rapid and tangible changes to the underlying computer infrastructure that are rely on and taken for granted.
The route to solving these problems may be hard to endure, and the end is not yet near, but the progress made in the last several months alone has been impressive and should be recognised for the impact it will have on the ability to strengthen underlying computing infrastructure, avoid significant data losses and protect privacy.
While it isn’t water flowing through pipes or electricity in wiring, a seamless digital experience that users don’t have to worry about is something everyone should be striving towards.
Sourced from Joram Borenstein, NICE Actimize