Every vulnerability is a security lesson that will either be repeated or used to improve the organization. Lessons from Heartbleed is no different. IMHO “The Matter of Heartbleed” is a mandatory paper for all security professionals! It points out the dynamics of a critical Internet vulnerability and how organizations respond. As a minimum, read the conclusion. Some items to note:
This work focused on web sites. There are a lot of embedded devices that are NOT getting patched. That means your organization is most likely vulnerable through “side doors” into the network via Hearbleed.
Most organization are not patching unless there is a “press release!” As noted, “It would appear that aspects of the disclosure and publicity of Heartbleed did indeed help with motivating patching …” Back in 2002, Sean Donelan came up with the 40/40/20 observation:
- 40% of the customers care and will proactively patch. These are the organizations who do not need “press release vulnerability notification” to take action.
- 40% of the customers may some day care and fix/patch/delouse their machines. These organizations need the press release, 1:1 notification illustrated by “The Matter of Heartbleed” authors, and other means of “nudging” people to action.
- 20% of the customers just do not care and have never responded to any effort to fix them. These organizations are ideal for miscreants to break in and use.
What the authors have illustrated is that “nudging” does and will work. It gets the 80/20 to cover a large part of the network.
Question: Which one of these does your organization fall into? Is your organization part of the “long tail” that never gets the patch – remaining vulnerable and ripe for breaking? The authors of “The Matter of Hearbleed” pointed out something that is well known in the Operational Security community – Miscreants start scanning hours after a vulnerability is announced.
What can you do to change your organization?
Face the reality that there will always be new vulnerabilities and there will always be systems in your organization which is vulnerability and need to be patched. The #1 most productive and effective defense is NOT special tools, services or “patch management” solutions. The #1 most effective defense are two habits that need to be ingrain in individuals and the organization.
- Habit for the Individual Security, Network, and System Professional – Check the vulnerability notifications daily and weekly. It does not matter how many “full disclosure” mailing list you are subscribed. It does not matter how many vulnerability scanning tools you purchase. What matters is the daily habit of checking the daily “Vulnerability SITREP.” The daily habit should take no longer than 10 minutes. Those 10 minutes are a critical time that would spot and trigger action within a network that would mitigate millions of dollars of loss.
- Habit for the Organization – Quarterly Software Reviews, Bug Scrubs, and Vulnerability Assessments. Vulnerabilities will be missed. Devices on the network will be missed. Creating a process within the organization to track and review all software is necessary and becoming more difficult (the age of M2M). A quarterly review meeting along with processes/tools to match code version to vulnerability assessments is a way to catch items the slip through the cracks. One common theme on data breaches, ATP, and other penetration attacks is the “forgotten” device that was not patched and used a well-known vulnerability to get into the network. Don’t wait until the break-in is reported in the news.
Next Step: Download and Read the Paper: The Matter of Heartbleed
Need Security Advice?
If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at firstname.lastname@example.org. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the mean time, stay connected to the Senki Community to get updates on new empowerment and security insights.