Breach is a Heartbeat Away
April 22, 2014
OpenSSL, the vehicle through which the Secure Sockets Layer protocol protects most websites that encrypt data, has reminded us again of both the vulnerability and security of open source development. The Heartbleed bug, introduced by an accidental code addition about two years ago, affects the heartbeat option within OpenSSL, a mechanism that allows fluid connectivity between user and server via small, hidden signals or pings. Hackers exploit it by sending false signals that fool a website’s server into releasing sensitive information. Hence the vulnerability.
Heartbleed, though, also demonstrates the security of open source development. While its revelation created initial fear and chaos, the Heartbleed bug was fixed within about four days, largely because lots of eyes were on the prize, each pair of which had a vested interest in the elimination of the Heartbleed threat. Imagine if the SSL vehicle had been proprietary, owned by a quiet company with no taste for conflict or liability. Now that’s a hot mess.
Visit heartbleed.com for more information about how your business might have been affected by this particular bug. As this situation has largely been resolved, though, our interests might be better served by facing forward.
How Can We Take Action?
Peel back the onion with me. This breach affected servers with big brands and big corporate budgets attached to them, and it drew blood from an encrypted stone. These folks were already taking every precaution while still trying to provide the seamless user interface that characterizes modern connectivity. Secure, encrypted, and still vulnerable? Where’s the conservative business model in that? How can we learn from Heartbleed and improve our odds?
Paths to Secure General Operations
Begin with an audit and assessment of your security program. An outside, objective opinion on your procedures and controls will help determine your organization’s vulnerability.
Next, review your existing plan or establish a new disaster recovery plan that encompasses every facet of your growing business and ensures your operations will return to planned levels of service regardless of the type of interruption.
Finally, perform a code review within your applications to reveal issues and potential weaknesses. This might include a review of those web applications most commonly used by your team. Vulnerability there brings trouble to your doorstep.
More Specific Answers
A vulnerability assessment of your entire network infrastructure, again with fresh eyes, might uncover hidden weaknesses. Given the pace with which networks, staff, and threats expand and evolve, this type of exam should be considered at regular intervals and anytime a potential breach is suspected.
Penetration Testing takes the guesswork out of vulnerability assessment. Our certified ethical hackers put your internal and external systems to the test to uncover weaknesses and determine the potential outcome of a system breach.
Network Design and Planning is the most proactive step to ensure network health, especially when the design is informed by the steps above. As your business grows, you have network architecture in place to exceed the expectations of today and tomorrow.
How to Begin?
As you might have guessed, the services above and countless more like them are available through our team of professionals, and we’d like to earn your business by making your IT more secure. Even if you’re not committed to taking immediate action, let us offer some fresh ideas at your table. Sometimes the best technology is simple conversation.