Last month, Valentine’s Day had me reflecting on matters of the heart (even security officers can be sentimental now and then) and I took some time to think about love, relationships and heartbreak. Heartbreak is hard. It can make us feel used and question how we could have let ourselves become vulnerable to such pain. After heartbreak happens, we find ourselves patching up the places where our heart was exposed and revaluating ourselves to figure out how we can prevent it from ever happening again.
When you think about it, a security bug is a lot like a heartbreak. Security bugs are software bugs that can be exploited to gain unauthorized access to a computer system. They create vulnerabilities in otherwise secure systems that could potentially expose information. The potential for widespread damage is serious and makes security officers like me more critical of my own security environment. It is fitting, then, that what many consider to be the worst security bug in the history of the internet is affectionately called Heartbleed.
In April 2014, a team of security engineers discovered the Heartbleed bug in the OpenSSL cryptographic software library. OpenSSL is an open source toolkit used to create an encrypted link between a web server and a browser to protect sensitive data. When Heartbleed was discovered, nearly two-thirds of all web servers were using OpenSSL, including Apache and Nginx, exposing millions of websites to vulnerabilities.
Dear Heartbleed:
It’s hard to believe it’s already been two years since you were exposed as the terrible bug you are. Before you, I had never been so vulnerable and weak. But you managed to creep your way into my heart and expose my secrets in a way that hurt not only me, but two-thirds of all web servers who trusted me to protect their most sensitive information…
The bug received the name Heartbleed because it was a result of a programming error in the implementation of the TLS extension Heartbeat. When exploited, the bug caused memory contents from web servers to leak, or bleed. The bug made it possible for hackers to recover the private encryption key at the heart of digital certificates used to authenticate internet servers and protect data. What’s more, the nature of Heartbleed’s long exposure potentially enabled hackers to steal information without leaving a trace of an attack. Literally, Heartbleed permitted hackers to gain access to a secure web server, steal the keys to its heart and leave without a trace.
I was so embarrassed that a programming mistake like you could cause such serious damage. However, I’m writing to tell you that I’ve learned to move on…
When we experience major security vulnerabilities, as with any serious heartbreak, we must learn how to put our systems back together, make ourselves stronger and move on. Heartbleed taught the security community some valuable lessons about security threats.
Heartbleed: Lessons Learned
Understand the Systems and Software in Your Environment
I took some time for self-reflection and really got to know myself…
Healthcare organizations rely on software systems to perform various aspects of their daily operations. How many systems exist in your environment? Do you know how they all work? Understanding the systems and software you have running in your environment will enable you to detect security threats sooner and develop an effective recovery plan.
It is important to note that Heartbleed was the result of a human error. As we discussed last month, human error is an ever-present security threat that is very difficult to protect against. If you know how your systems are implemented and maintained, you will have a better understanding of when human interference occurs and where the greatest potential for human error exists.
To best understand your security environment, make sure you read all documentation supplied by your systems vendors and understand components, such as OpenSSL, that they might embed. This will allow you to know the products and services your organization uses, how they work and where they are most vulnerable.
Compliance Alone Will Not Protect You
I’ve patched up the places where you left holes and created new versions of myself…
Less than 24 hours after Heartbleed was disclosed, hackers used the bug to break into a major corporation’s private network to steal confidential information. Cyber attackers act quickly, so it is critical to monitor your systems and ensure you are maintaining the highest levels of compliance and security. When vulnerabilities are exposed, organizations should apply security patches as soon as possible to protect systems that could be compromised.
We’ve talked before about the important difference between compliance and security. It is possible for an organization to meet all compliance requirements and not be completely secure. Here’s an excellent example of that. According to PCI-DSS requirements:
“Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”
If you apply a security patch to vulnerable systems within 30 days, your organization will be PCI compliant, but you will not necessarily be secure. Hackers won’t wait until the end of a 30-day window to attack, so don’t rely on compliance alone to protect you. Always take the necessary security measures to stay ahead of potential threats.
Simplify Your Environment
I’ve decluttered my life and learned I don’t need to rely on so many others to be strong…
The more systems in your environment, the more prone you are to security threats. You can reduce your risks by simplifying the number of vendors you use. Choose solutions that perform multiple functions on one platform. Then be sure to do your due-diligence and ask your third-party vendors how often they do vulnerability scans and where you can see their security and compliance certifications.
Now I’m stronger than I was before and I’ve learned a valuable lesson: we’re all vulnerable to crimes of the heart. It’s how we recover that defines who we are.
Sincerely,
OpenSSL
Heartbleed rattled the security community, but it also presented an opportunity to improve our security systems and better prepare for the next major bug. It also reminded us of the dangers of human error, and that we should always keep an eye out for potential threats. As the late Steve Jobs said, “If you haven’t found it yet, keep looking…as with all matters of the heart, you’ll know when you find it.” Heartbleed resided in OpenSSL for two years before it was discovered. By knowing our systems and always staying alert for potential threats, we can better identify lurking dangers and protect ourselves from the pain of another Heartbleed.