Most of us take for granted many activities in our daily lives, such as how water flows into the pipes that reach our bathrooms or how the wires in the street carry electricity into our homes to turn on the lights. It is with this ridiculously oversimplified notion of critical infrastructure that we set a context for reviewing the recent Heartbleed OpenSSL vulnerability and why it remains so important to both businesses and consumers even as other breaches fade away.
The media frenzy over the April 2014 Heartbleed vulnerability was significant for a number of reasons.
Despite an endless stream of warnings about potentially related cyber security issues (such as data breaches and the need to patch various web browsers) and an outbreak of increasingly sophisticated malware, the Heartbleed incident will likely emerge as being of tremendous symbolic and tangible importance to both information security professionals and to the mainstream public because of how it changed many of our perceptions about computing.
Even now, with a second Heartbleed-related vulnerability having been discovered in early June, the initial incident still remains the focus of specific sectors like tech and information security, and of their respective energies, discussions, and concerns about the future of computing infrastructure, mobile applications, and personal data protection.
To understand why anyone would still care about this particular bug, it's important to first understand the five specific reasons why Heartbleed made such an impact in the first place:
Open Source Finally Funded
Without Heartbleed, the recently announced and rapidly-pulled-together Core Infrastructure Initiative (CII), which funds open source projects that are in the critical path for core computing functions, would probably never have succeeded, or at least it would have gone unnoticed.
At a minimum, it might have happened without much fanfare and – more importantly – without a key ingredient: funding.
But powerhouses like Adobe, Amazon, Cisco, Dell, Facebook, Google, HP, IBM, Intel, Microsoft, Rackspace, VMware, and others came together to financially support key open source initiatives and to triage those initiatives most in need of support and assistance. We are now (hopefully) at the dawn of a new age in which large technology firms are supporting critical pieces of open source infrastructure.
This is certainly a good thing for the development of future global computing infrastructure. Alongside the three initial projects that CII will be supporting (Network Time Protocol, OpenSSH, and OpenSSL), it's also heartening to see that other key projects such as the Open Crypto Audit Project will also soon benefit from this focus on cooperation, analysis, and technical support and on helping "evaluate open source projects that are essential to global computing infrastructure."
Practically overnight, we also saw Heartbleed and OpenSSL become mainstream topics, even recognised by those who are not experts in information security.
Security awareness up and down the ranks of management is a good thing. That said, other incidents that followed, such as the problems recently uncovered in the GnuTLS cryptographic library, would probably never have made the press, been discussed, and then been remediated in a reasonable manner if Heartbleed hadn't blazed a trail for security awareness.
This level of focus and interest is a good thing for our collective security and for the broader integrity of the computing landscape upon which we rely so heavily.
As the Heartbleed OpenSSL incident became more widely known, the digital certificate-issuing authorities around the world also found themselves challenged to support the massive and sudden demand that appeared overnight at their collective doorstep.
Although not a lot has been written about what is essentially a supply chain issue having to do with equipping the relevant parties with enough new digital certificates in time, industry experts agree that this delay points to broader fundamental issues that are worthy of being addressed in the near future from a supply chain and infrastructure viewpoint.
The fact that people are discussing this relatively esoteric and detailed topic is in and of itself a positive step and lends credence to the notion that awareness is a force multiplier when it comes to providing the mainstream public with an understanding of these rather technical issues. Remember the confusion it created around whether or not to change your passwords.
To get a real sense of this, enter the date range April 1, 2014 to May 1, 2014 at https://isc.sans.edu/crls.html and you will see a graphical representation of exactly how significant an impact this has been.
More than just websites
Despite the initial focus on remediating vulnerable websites, there followed the subsequent realisation that the OpenSSL vulnerability impacted not only websites and online services, but also software packages such as virtualisation products, firewalls, remote access tools, database design tools as well as numerous versions of router firmware, GNU/Linux distributions, and some versions of mobile operating systems.
Even the information security cognoscenti recognised just how much we'd all come to rely on an open source project that was being run on a shoestring budget by a handful of extremely committed programmers, and one with the clout to bring business to its knees.
A 2014 KPMG Audit Committee Institute report indicated that nearly 45% of those polled "believe the audit committee (or board) doesn't devote sufficient time to cyber security."
Moreover, Richard Clarke, former White House special advisor to the president for cyber security, pointed out in early 2014, even before Heartbleed, that "many boards struggle with how to effectively execute their duties to the company in the area of cyber risk management." These data points are part of the evidence that, while nowhere near perfect, boards are now recognising the importance of understanding, monitoring, and protecting their people, their information, and their processes from cyber threats, in whatever form they may come.
At the very least, they've started to seriously address the impact these issues could have on their future business health.
"Worst vulnerability found"
Joseph Steinberg, the cyber security columnist for Forbes Magazine, wrote, "Some might argue that it (Heartbleed) is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet," and with the two months of hindsight that we now have, he probably wasn't exaggerating.
That being said, every cloud has its silver lining. In this case, the Heartbleed vulnerability actually has multiple silver linings that we should examine to appreciate how potentially powerful its effect has been as an awareness and remediation tool, one that could prevent significantly worse information security incidents from occurring in the future.
Will our bank accounts be safer, will the flow of money be more secure, or will our personal information be less vulnerable to eavesdropping thanks to Heartbleed?
Such outcomes are hard to foresee, and only time will tell. But mainstream users are well on the path to absorbing the lessons of this intense experience, which was managed primarily by chief technology officers and their teams. By unintentionally increasing visibility into this niche – yet critical – part of our infrastructure, broader industry cooperation and knowledge sharing could lead to relatively rapid and tangible changes to the underlying computer infrastructure that we all rely on so heavily – and take for granted.
The route to solving these problems may be hard to endure, and the end is not yet near, but the progress made in the last several months alone has been impressive and should be recognised for the impact it will have on our ability to strengthen our underlying computing infrastructure, avoid significant data losses, and protect our privacy.
While it isn't water flowing through our pipes or electricity in our wiring, a seamless digital experience that we don't have to worry about is something we should all be striving towards.
Joram Borenstein is vice president of marketing at fraud prevention experts NICE Actimize.