Unbreak my Heartbleed

The Heartbleed bug has broken the Internet’s heart. At the bedrock of the web’s security, we have SSL—the trusted padlock in the browser. It has been the Holy Trinity of trust across the Internet for years, and now the day has arrived when the ultimate blasphemy has occurred: SSL has been cracked and it has broken the Internet’s heart.

This is a scary thought, as this brings into stark light the relative fragility of IT. From a security perspective it reinforces the simple premise of “trust no one.” This is a massive quake to the online world, the ripples of which are being felt across the globe.

There are conspiracies suggesting that certain three-letter government agencies have known about this for a while and have been using it to gather data on us all. Honestly, I think this is a credit to them if they have been for having found this gap. Regardless of whether they did or didn’t know, it is now in the wild and those with a lack of moral integrity now have the master key to our online existence.

Heart surgery

For users, this is a nightmare. We all have to change our passwords. What we need to do is change them all immediately. Then, when our online service providers patch their systems, we need to change them all again to be sure. This is onerous and tedious and fraught with opportunity for error.

For businesses, it is much more complex. Not only must businesses execute this password two-step flawlessly, but they must also do the patching bit too!

Patching introduces change. Change in turn introduces risk. Risk is mitigated through remediation and testing. Testing is time-consuming, so we have to get moving fast. I was reading a well-known satirical blog that characterized the Heartbleed exploit as a failure to carry out correct bounds checking. When exploited, this can allow unauthorized access to memory contents containing user credentials. This may be incredibly oversimplified—to the point it is somewhat inaccurate—but it suggests that, by using the latest generation of web application firewalls and intrusion prevention systems such as HP TippingPoint, we can at least start to implement some form of perimeter defences. We can offer some protection whilst we start to address the colossal task ahead of us in changing out a widespread component of our infrastructure. Bear in mind that the time-consuming part of a change is quite often the required approvals and processes surrounding the change rather than the change itself.
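The bounds check referred to above, as an added illustration that is not the author's code or OpenSSL's: it assumes the TLS heartbeat record layout from RFC 6520 (type byte, two-byte payload length, payload, at least 16 bytes of padding) and rejects any record whose declared payload length does not fit inside the bytes actually received, which is exactly the check whose absence allowed memory beyond the record to be echoed back.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload length, payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Returns the declared payload length when it is consistent with the
 * number of bytes actually received, or -1 when the record must be
 * discarded silently (RFC 6520 section 4). */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: header + declared payload + padding must fit
     * within rec_len, otherwise the echo would read past the buffer. */
    if (declared > rec_len - HB_HEADER_LEN - HB_MIN_PADDING) return -1;
    return (int)declared;
}

/* Builds a heartbeat response that echoes only a validated payload.
 * Returns the number of bytes written to out, or -1 on a bad request. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_len) {
    int plen = heartbeat_payload_len(rec, rec_len);
    if (plen < 0) return -1;
    size_t need = HB_HEADER_LEN + (size_t)plen + HB_MIN_PADDING;
    if (out_len < need) return -1;
    out[0] = 2;                       /* heartbeat_response */
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)plen);
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return (int)need;
}

int main(void) {
    /* Constructed samples: both carry a 5-byte payload "hello" plus 16
     * bytes of padding, but the second one claims 65535 payload bytes. */
    uint8_t good[24] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t bad[24]  = {1, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    int ok  = heartbeat_response(good, sizeof good, out, sizeof out); /* 24 */
    int rej = heartbeat_response(bad,  sizeof bad,  out, sizeof out); /* -1 */
    return (ok == 24 && rej == -1) ? 0 : 1;
}
```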

Companies like HP are frantically closing the hole to protect our customers, and we are assessing and remediating gaps wherever possible. We are starting to see published lists of unaffected software the likes of which we haven’t seen since Y2K.

In response to this, I think we need to take a measured approach to addressing the problem, which I believe boils down to six key steps:

  1. Secure the perimeter. There is a storm coming, so it’s time to get the sandbags piled at the door; perimeter defences need to be implemented as quickly and effectively as possible.
  2. Understand what systems are affected. This can be done using existing asset discovery tools and analytics.
  3. Establish the fix and remediation processes, and get them tested using functional and performance testing toolsets.
  4. Implement change controls through service management systems and disciplines.
  5. Test the fix. Miss this step at your peril.
  6. Automate the rollout.

We have the technology. I see it in action every day.

Act fast

In short, we need to act—and act fast. I believe we can fix this and fix it fast; never before have we been better equipped to deal with a mass exploit like this, and we should take confidence in our capabilities.

Now all we have to do is get on with the task at hand. Good luck, everyone!

Ken O'Hagan is director of software presales at UK&I at Hewlett-Packard. Before coming to HP, Ken amassed close to 10 years of technical experience, working for companies such as Perot Systems and The Bank of Ireland. During his time at the latter, he was responsible for architecture definition/validation, hardware specification, technical design, and implementation and was a key part of the team that successfully implemented the five largest programs ever delivered for Bank of Ireland.
