Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Lessons learned from Heartbleed

By Russ Spitler

Without question, Heartbleed is one of the most catastrophic events from an Internet security standpoint over the past ten years, arguably ever. It had IT and security teams frantic to fix the vulnerability and the media frenzied. As the dust settles after the initial Heartbleed crisis response, what lessons are starting to emerge?

A quick recap

Heartbleed is a vulnerability in OpenSSL that permits attackers to access random blocks of memory from servers running OpenSSL. OpenSSL is used to establish encrypted communication channels between different places, and therefore the servers running this software hold some significant secrets: explicitly the encryption keys. Simply explained, the process used for setting up OpenSSL encryption uses a key-pair: a private key and a public key. These two keys are bound and you cannot replace one without also modifying the other. Then money is paid, fancy algorithms are applied and an SSL Certificate is obtained which is used to affirm identities when establishing a secure connection.

The shortfalls

What was astonishing was the number of websites that were affected by Heartbleed whose owners regenerated their certificates with the same private key. The fact that some companies neglected to take the appropriate actions to mitigate the Heartbleed vulnerability puts the spotlight on the information security industry's failures: the majority of those who responded did so in a way that indicated that the industry didn’t manage to sufficiently educate server owners as to what the actual issue was. The prospective impact of the Heartbleed bug was that a private key used during the initial SSL/TLS interaction could be compromised. The advice provided to rectify the issue was to replace the server’s certificate. This is exactly what many people did, but they still used the same private key. This only results in them being just as exposed as before making that effort. Lack of education is clearly the failing point here. It is the responsibility of those of us who have a deep technical understanding to fully explain the impact of major issues, such as this one, with explicitly concise and clear instructions in order to assist those who are new to the game. The security industry failed to do so as proven by the unfortunate people who wasted their time by replacing their certificates but not generating a new private key.

In this case, replacing the certificate without generating a new private key makes the effort completely wasted. The people who have done this just failed to understand why they were doing what they were doing; and those who instructed them to do it assumed that they were being clear enough. Those who understood the vulnerability were successful in convincing the world of its impact and the need to address it; but unfortunately those who understood completely failed at explaining what steps needed to be taken. There was an education gap between the two that still needs to be addressed.

To make it absolutely clear, here is the cheat sheet for what needs to be done for OpenSSL:

1. Generate a new private key (2048 bits)
openssl genrsa -des3 -out privkey.pem 2048

2. Create a certificate signing request
openssl req -new -key privkey.pem -out cert.csr

Furthermore, there is also an argument that in this situation some scrutiny on the certificate authorities' parts should also be given. If a customer is resubmitting for a new certificate due to compromise, but using the same private key, the request should be rejected.

The upshot

Heartbleed has been an incredible event from different angles; the extent of the exposure, but also the swiftness and range of the response. This reaction could be a fluke, or maybe it’s the sheer quantity of headlines that have been seen regarding breaches over the past several months, but people heard about this issue and then they actually reacted. This is amazing; even if it’s taken people a few hours or even days, they rushed to attend to the problem in an impressive way. This was definitely an accomplishment on behalf of those who were publicising the problem and for those accountable for the vulnerable hosts out there on the Internet.

Moving on

The good news is that there has been major progress! An issue was discovered, the industry reacted and the world took action. What needs to be injected into the process for the future is some more education to close the gap. The information security industry is fantastic at indicating where things go wrong and where there are existing vulnerabilities, but one area that needs definite improvement is the education and sharing of that knowledge in an easily palatable way. It's a trait of a lot of security professionals to ‘blind with science’, meaning they like to get down to the nitty gritty technical details and simply don't realise that the one thing that is glaringly obvious to them, as experts, is not always the case for the general public or less skilled IT personnel.

It’s also key to remember that the smaller sized businesses are the ones who may be most susceptible as well as organizations that simply don't have the specialist resources to deal with the issue. Security is a problem that everyone faces and therefore it is the security industry's duty to arm the public with the essential basic knowledge to combat threats like Heartbleed when they hit, especially considering the catastrophic nature of this vulnerability. If history can teach us anything, it's that there’s absolutely no doubt this won't be the last major security flaw, so let's all be determined to keep these principles in mind. Ultimately, it will make our jobs a lot easier in the long term.

The author
Russ Spitler is VP of product strategy at AlienVault.

•Date: 19th June 2014 • World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here