By now you might have heard of the Heartbleed bug (CVE-2014-0160). The bug is a vulnerability in the popular OpenSSL cryptographic software library. Heartbleed affects any sites and services running specific versions of OpenSSL: the 1.0.1 and 1.0.2-beta releases are affected, including 1.0.1f and 1.0.2-beta1. The bug takes its name from the SSL/TLS heartbeat extension, which sends a periodic pulse to check that the connection is still alive. The bug allows spoofing of this “heartbeat” function and potential access to the server. It was a programming mistake in the OpenSSL library that provides cryptographic services.

A fix is available now, and affected systems should upgrade to OpenSSL 1.0.1g. Systems that cannot upgrade immediately can instead recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

For now, you should treat every website you have visited as insecure. We recommend that you generate new passwords for your most critical websites after the vendors have updated their servers. Also, develop a plan for how you will respond to your customers.
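To turn the version facts above into a repeatable check, here is a small triage helper, added as an example for this post rather than anything from OpenSSL itself. It parses the banner printed by `openssl version`, classifies it against the affected and fixed releases named above (1.0.1 through 1.0.1f and the 1.0.2 betas affected, 1.0.1g fixed), and records the `-DOPENSSL_NO_HEARTBEATS` workaround as "mitigated". The host names and banners in the sample inventory are constructed, not real systems.

```python
import re

# Version facts taken from the post: every 1.0.1 release up to and including
# 1.0.1f and the 1.0.2-beta releases (1.0.2-beta1) are affected; 1.0.1g is the
# fixed release. Earlier branches (0.9.8, 1.0.0) never contained the heartbeat
# code, so they are reported as not affected.
FIXED_LETTER = "g"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(banner):
    """Split an `openssl version` banner into (major, minor, fix, letter, prerelease)."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5)


def heartbleed_status(banner, heartbeats_compiled_out=False):
    """Return 'affected', 'fixed', 'mitigated' or 'not_affected' for a banner.

    heartbeats_compiled_out=True records that the build used
    -DOPENSSL_NO_HEARTBEATS, the workaround the post names for systems that
    cannot upgrade yet.
    """
    major, minor, fix, letter, pre = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # '' (plain 1.0.1) and the letters 'a'..'f' all sort before 'g'.
        vulnerable = letter < FIXED_LETTER
    elif (major, minor, fix) == (1, 0, 2):
        # The post lists the 1.0.2 beta releases as affected.
        vulnerable = pre is not None
    else:
        return "not_affected"
    if not vulnerable:
        return "fixed"
    return "mitigated" if heartbeats_compiled_out else "affected"


def triage_inventory(inventory):
    """Map each host in {host: (banner, heartbeats_compiled_out)} to its status."""
    return {host: heartbleed_status(banner, flag)
            for host, (banner, flag) in inventory.items()}


# Constructed inventory for demonstration only (hypothetical hosts).
SAMPLE_INVENTORY = {
    "web-01": ("OpenSSL 1.0.1e 11 Feb 2013", False),
    "web-02": ("OpenSSL 1.0.1g 7 Apr 2014", False),
    "lb-01": ("OpenSSL 1.0.2-beta1 24 Feb 2014", False),
    "legacy": ("OpenSSL 0.9.8y 5 Feb 2013", False),
    "vpn-01": ("OpenSSL 1.0.1f 6 Jan 2014", True),
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print("%-8s %s" % (host, status))
```

One caveat when using a banner check like this: some Linux distributions backport the fix into their package while keeping the upstream version string (a patched package may still report 1.0.1e), so an "affected" result from the banner alone should be confirmed against the vendor's package changelog or advisory before you schedule downtime.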
Here is a list of major services affected including whether or not you need to change your password with them:
It is important to realize that Information Security is a process… not a project. I say this because some folks can feel defensive when we present our consulting recommendations. As is often the case with conflict, I think this is attributable to miscommunication.
Information Security follows a lifecycle similar to other business processes. This lifecycle will differ based on the process framework you are working with, but in general it should follow something similar to CobiT’s model:
- Plan and Organize
- Acquire and/or Implement
- Deliver and Support
- Monitor and Evaluate
We provide services in all of these phases, but it seems that findings in the “monitor and evaluate” phase are the variety that most often leads to a defensive posture. However, these “findings” or “recommendations” are a normal part of the lifecycle. Without this step the cycle is incomplete and your architecture cannot provide the assurance it is hopefully designed to provide.
With this step, we can be assured that the lifecycle is working as it should and that it is continually improving. Each recommendation is an opportunity to revisit the planning and organizing process. This helps ensure that we are leveraging information security to achieve the assurance an organization needs to serve its larger purpose(s).
In my opinion, it is the absence of “recommendations” or “findings” that should be most concerning as it may reflect complacency in your organization or your vendor… or both. Your Information Security Lifecycle cannot improve without them.