What Heartbleed Taught Us

The year 2014 has been dubbed “The Year of the Cyberattacks” before it even reached the halfway point, with aftershocks from Heartbleed still being felt weeks later. But did you know that attacks and bugs like Heartbleed are often 100 percent preventable? Simply put, best IT practices can raise red flags before damage is done. But when humans are involved, laziness and shortcuts can lead to missed security steps. Technology, of course, is programmed and designed by humans, so the possibility for human error in technology is everywhere.

And the fault here is not only human; the technology shares the blame. This is a two-pronged fork. According to security expert Richard Kenner, programs should never read from the same place in memory where they were written. That is security safety 101, but that is exactly what happened with Heartbleed. It has already been estimated that millions of dollars are being paid out by enterprises affected by Heartbleed, but what lessons can be learned from this?

Technology: Not as cutting edge as you think
Kenner points out that the programming language involved in Heartbleed is more than 40 years old, and even though newer languages have been developed (and are arguably safer), that doesn’t mean they have been adopted. Beyond keeping up with languages and improving upon them, best practices simply were not followed that would have stopped Heartbleed. There is technology available that ensures programs meet key properties (like the memory read issue mentioned above), but most companies fail to utilize it.

“The program that contained the Heartbleed bug did exactly that and an attempt to prove that it didn’t would have quickly found the bug, as would the use of certain tools that also detect this type of error,” says Kenner.
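As an added illustration, not code from this article, from Kenner, or from OpenSSL itself, here is the kind of bounds check whose absence defined Heartbleed (CVE-2014-0160): a TLS heartbeat record carries a claimed payload length, and the routine that copies the payload must verify that the claim fits inside the bytes that actually arrived. The record layout follows RFC 6520 and the length condition mirrors the check OpenSSL added in its fix; the function names, the constructed sample records and the demo helpers are my own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Body of a TLS heartbeat record (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The Heartbleed defect trusted payload_length without comparing it to the
 * number of bytes actually received, so the copy read past the request into
 * whatever happened to sit in memory next to it. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Copies the heartbeat payload into out. Returns the number of payload bytes
 * copied, or -1 when the record is inconsistent and must be discarded
 * silently, which is what RFC 6520 requires for an oversized payload_length. */
int heartbeat_extract_payload(const uint8_t *record, size_t record_len,
                              uint8_t *out, size_t out_len)
{
    if (record == NULL || out == NULL)
        return -1;

    /* The header and the minimum padding must be present before we read any field. */
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;

    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);

    /* The check that was missing: the claimed payload plus header and padding
     * must fit inside the record that was actually received. */
    if ((size_t)claimed + HB_HEADER_LEN + HB_MIN_PADDING > record_len)
        return -1;

    /* Never overrun the caller's destination either. */
    if (claimed > out_len)
        return -1;

    memcpy(out, record + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Constructed sample records (hypothetical, for the demo only). */

/* Honest request: claims 4 bytes, carries "ping" plus 16 bytes of padding. */
static const uint8_t GOOD_RECORD[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Same 23 bytes on the wire, but the length field claims 65535 bytes. */
static const uint8_t OVERSIZED_RECORD[] = {
    0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Returns 4 when the honest record is accepted and "ping" was copied, -2 if
 * the bytes copied are wrong, -1 if it was rejected. */
int demo_valid(void)
{
    uint8_t out[64] = {0};
    int n = heartbeat_extract_payload(GOOD_RECORD, sizeof GOOD_RECORD, out, sizeof out);
    if (n == 4 && memcmp(out, "ping", 4) != 0)
        return -2;
    return n;
}

/* Returns -1: the claimed length does not fit in the received record. */
int demo_oversized(void)
{
    uint8_t out[64] = {0};
    return heartbeat_extract_payload(OVERSIZED_RECORD, sizeof OVERSIZED_RECORD, out, sizeof out);
}

/* Returns -1: a record shorter than header plus minimum padding is dropped. */
int demo_truncated(void)
{
    uint8_t out[64] = {0};
    return heartbeat_extract_payload(GOOD_RECORD, 10, out, sizeof out);
}

int main(void)
{
    printf("honest record:    %d\n", demo_valid());
    printf("oversized record: %d\n", demo_oversized());
    printf("truncated record: %d\n", demo_truncated());
    return 0;
}
```

The interesting line is the comparison against `record_len`: the length field is attacker-supplied input, while `record_len` comes from the transport layer, and the only trustworthy bound on the copy is the smaller of the two. A static analyser or a formal proof of the memory-safety property Kenner describes flags exactly this comparison when it is absent.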

There are also other best practices, such as ensuring that security services do not transmit private information like passwords, usernames or identifiers. That sounds like a given, but transmitting such data is (unfortunately) common practice.

Moving forward
Lessons to be learned from Heartbleed include creating safer passwords, changing them regularly and using a different password for each web site. Additionally, web sites need to make better use of one-time passwords, which can be annoying but can prevent information from being hacked.

I advise using client certificates, even if they are a bother to acquire, because they are proof that you really are who you say you are. Many of these precautions can take a little extra time, and time is notoriously what many professionals do not have.

Perhaps the biggest flaw that led to the Heartbleed outbreak is that only a small handful of executives, far from experts in technology and security, were put in charge. They had full plates, they did not understand what was at stake, and they too easily put this task on the back burner.

When a small group of people assumes someone else is taking care of things, that opens up a world of vulnerability. It all comes back to proper management at every level and better communication between IT and the rest of the staff to make sure everyone is on the same page.

Larry Alton
Business consultant

[Source: ISACA]
