Heartbleed: What Have We Learned?

In Common | By Angus Batey / 30th July 2014

Here at the Acumin Blog we always try to tread carefully. We realise this means we’re not like a lot of other blogs, and it also means we won’t be your first port of call for breaking infosec news (though we trust you’re keeping a close eye on the news feed over at the main Acumin site, of course). We’re OK with that: we’d rather make sure we were offering information and opinion that is as informed and carefully weighed as possible, even if it means we miss out on click-throughs in the white heat of the moment when a topic is trending on social media. Call us old-fashioned, but we just feel more comfortable this way.

But time waits for no blogger, and we really are a bit overdue a post about Heartbleed. By now you’ve all read enough about the problem, have scanned the horizon for the four horsemen of the cyber-security apocalypse, and breathed a sigh of relief that the digital sky hasn’t fallen down (yet). You might even have changed some passwords, then realised you didn’t have to after all – probably not, you’re all IA pros around these parts and you’re not likely to have been panicked by the early mainstream media reports that advised everyone on the internet to do just that. And you’ll maybe have enjoyed a quiet, private chuckle at the backtracking that followed a day or two later when it emerged that anyone who’d rushed to act before the OpenSSL hole was fixed had merely thrown new passwords after bad old ones, and would have to do it all again, once the vulnerability was patched.

It’s easy to be wise after the event, of course, and that turns out to be one of the lessons the Heartbleed episode might yet ingrain ever more deeply in the information-assurance industry’s psyche. “No security person responsible for their organisation could have seen Heartbleed coming,” Duncan Brown, cyber security and research programme director at Pierre Audoin Consultants, told us when we were talking to him for our RANT Forum preview post last week. “It’s very, very hard to predict or to protect against that sort of problem. You can be the best-protected organisation, but if a key element of the internet infrastructure fails then we’re all exposed. You can build a strong house, but if the foundations start crumbling underneath then there’s no security system or burglar alarm that’s going to help you.”

The Heartbleed episode also appears to raise questions about the use of open-source code in otherwise bespoke or custom security systems. It’s unlikely the average security software engineer is going to start writing their own code instead of relying on open-source components they’ve been using safely and securely for years, but those in the enterprise who have to manage the organisation’s exposure to risk are certainly going to have to spend a bit more time making sure that they understand the potential for Heartbleed-like problems in the future.

“I bet that many, many organisations had no idea that they were using OpenSSL, or any open-source piece of equipment,” Brown argues. “Many organisations run websites and they have got no idea that they’re based on a Linux platform, for example. Perhaps at the top end, they will have an asset register, they’ll have well-run and well-managed audit trails for what they’re using: but many, many organisations have not a clue about the infrastructure that their business is running on. And they’re absolutely exposed to this kind of thing. If they were breached as a result, and if they were forced to declare a breach – as new regulations would mandate – then they could suffer pretty severe reputational damage, even though actually they had done everything that they could feasibly have done. It draws a whole new set of questions to the debate.”

Another element of the story Brown feels has been missed is that if Heartbleed shows us anything, it’s how limited and problematic passwords have become.

“I don’t know how many passwords you have,” he says, “but I’ve got dozens – a number of which I use on an annual basis, if that. So changing them all wasn’t a practical reality for me, or for many other people. What this draws attention to is the vulnerability of the password as a model for protecting data and user identity. On my professional biography I have the words: ‘I hate passwords’. I’m not trying to be grumpy about it – it’s just a shorthand way of saying, ‘This is a broken model, and it’s been broken for many years.’ So if Heartbleed draws attention to that kind of issue then, you know, terrific!”

Ultimately, the episode will only serve to highlight arguably the biggest problem business faces in today’s wired world: the desperate shortage of skilled digital-security staff. As Acumin’s Salary Index showed recently, the year-on-year increases in rates paid to IA professionals – whether as full-time staff in end-user companies, as freelance consultants, or within specialist security service suppliers – continue to roll over. Security professionals can command ever higher salaries because the demand for their expertise is increasing at a faster rate than new entrants to the jobs market are arriving out of training courses and universities.

“The main challenge at the moment is the lack of availability of expertise,” Brown agrees. “It’s no surprise that the fastest-growing area in cyber security, in terms of market size, is the services area: and this is because organisations are trying to ramp up their capabilities and understanding of cyber security without access to the right people. They’re having to buy those people in from services organisations, and that is a direct consequence of the skills shortage. So on the one hand, yes, organisations want to understand their security estate much better, and understand the implications of that. But on the other, they are finding it really difficult to tap into that expertise.”

Expect Heartbleed – and the issues it raises – to come up in discussion at tonight’s RANT Forum event. As regular readers will be aware, this month’s special takes place not at our usual location in the City of London, but in Earl’s Court, handy for delegates leaving the second day of Infosecurity Europe. Full details are available here.