What happens when the horse has already left the barn and the barn door is still open?
By Shawn Allaway, CEO
Well, one of the most insidious vulnerabilities exposed to date is the Heartbleed bug. They should have dubbed it the vampire bug: it sucks up 64KB of the exposed client’s memory, which is more than enough to snag PINs, passwords, encryption keys and other valuable data, and it is virtually undetectable (for a technical explanation, check out this article). Obviously, patches are being worked on, but this could be especially detrimental to smaller businesses that have little or no IT support and won’t proactively patch their servers. Supposedly, this bug affects less than 20% of trusted HTTPS websites, so now you know the odds.
I guess it could be worse. Wait! It is. Hackers could have been exploiting this vulnerability for a very long time since it has existed since December 2011. It makes one wonder how many other unknown holes like this exist. Oh yeah, smartphones are affected too! Scary thought indeed.
A blow to OpenSSL for sure, but it mainly just blows. How does something like this happen? Well, humans write software and humans are prone to making mistakes. Combine this with an unhealthy measure of hubris and a lack of vendor transparency, and you have a recipe for vulnerability.
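To make the "humans make mistakes" point concrete, here is an added example (not from the original post, not OpenSSL code) of the kind of check whose absence let a peer request far more memory than it had sent. It parses a TLS heartbeat record as laid out in RFC 6520 and refuses any record whose claimed payload length does not fit inside the bytes actually received; the record layout is from the RFC, the sample records are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * A heartbeat response must echo exactly payload_length bytes of payload. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1

/* Validate a heartbeat record of record_len bytes and copy the payload to echo
 * into out (capacity out_cap). Returns the payload length, or -1 if the record
 * must be silently discarded. An implementation that omits the comparison against
 * record_len copies payload_length bytes no matter how many the peer actually sent,
 * and a 16-bit length field is how up to 64KB of adjacent memory ended up in the
 * response in the bug discussed above. */
int heartbeat_payload(const uint8_t *rec, size_t record_len,
                      uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: the claimed length must fit inside what was received on the wire. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t valid_rec[] = { 1, 0x00, 0x03, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };            /* 3-byte payload + 16 padding */
static const uint8_t lying_rec[] = { 1, 0xFF, 0xFF, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };            /* claims 65535 bytes, sends 3 */

int check_valid(void) { uint8_t o[64]; return heartbeat_payload(valid_rec, sizeof valid_rec, o, sizeof o); }
int check_lying(void) { uint8_t o[64]; return heartbeat_payload(lying_rec, sizeof lying_rec, o, sizeof o); }

int main(void)
{
    printf("well-formed record: %d\n", check_valid()); /* 3 */
    printf("oversized claim:    %d\n", check_lying()); /* -1 */
    return 0;
}
```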
What can you do as an individual to protect yourself (assuming you have already swallowed your nitroglycerin pill and donned your tinfoil hat)?
Let’s assume you cannot simply stop using the Internet, even though unplugging from the World Wide Web is the one surefire way to eliminate the threat. As you might suspect, there is no elegant answer. It comes down to personal accountability and vigilance: for example, change your passwords frequently on sites that store credit card information. If you are like most people, change all your passwords on every website frequently, because you use the same password for multiple sites (and you know that’s true!!). Check your credit card and bank statements frequently, along with your credit rating. Sign up for a credit monitoring service if you want a little extra peace of mind.
Obviously, we will continue to cry foul and cause a ruckus on social media for those vendors who have not been as prudent with our data as we would have liked them to be. Those are just a few things we can do as consumers.
For businesses, especially small ones, resist the urge to ignore it or to assume vendors will just take care of the problem. Unfortunately, since the Heartbleed bug has been around for a while, hackers could have already pilfered your data, stolen IP, customer information, employee records, etc. Small businesses have just as big a target on them as large entities. I know, just another thing to keep a small business owner up at night. When you wake up from your Ambien-induced slumber, just remember to make sure you are doing everything you can to protect your company.
Continue to invest time and money ensuring your security defenses are up to par with the relative risk associated with the information you are trying to protect. Do not assume mundane data is not valuable. Think through the worst case scenario and work back from there when balancing the cost of security against the cost of data exfiltration. Since absolute prevention is not absolutely possible at this time, we need to be reasonable in addressing the cost of data protection. That balance will be different for every company.
I have plenty of antacid. I needed some just to write this. Now, off to change my passwords.