HPE Business Insights
Unbreak my Heartbleed

on 04-17-2014 08:39 AM

The Heartbleed bug has broken the Internet’s heart. At the bedrock of the web’s security, we have SSL—the trusted padlock in the browser. It has been the Holy Trinity of trust across the Internet for years, and now the day has arrived when the ultimate blasphemy has occurred: SSL has been cracked and it has broken the Internet’s heart.


This is a scary thought, as this brings into stark light the relative fragility of IT. From a security perspective it reinforces the simple premise of “trust no one.” This is a massive quake to the online world, the ripples of which are being felt across the globe.


There are conspiracies suggesting that certain three-letter government agencies have known about this for a while and have been using it to gather data on us all. Honestly, I think this is a credit to them if they have been for having found this gap. Regardless of whether they did or didn’t know, it is now in the wild and those with a lack of moral integrity now have the master key to our online existence.


Heart surgery

As a user, this is a nightmare. We all have to change our passwords. What we need to do is change them all immediately. Then, when our online service providers patch their systems, we need to change them all again to be sure. This is onerous and tedious and fraught with opportunity for error.


For businesses, it is much more complex. Not only must businesses execute this password two-step flawlessly, but they must also do the patching bit too!


Patching introduces change. Change in turn introduces risk. Risk is mitigated through remediation and testing. Testing is time-consuming, so we have to get moving fast. I was reading a well-known satirical blog that characterized the Heartbleed exploit as a failure to carry out correct bounds checking. When exploited, this can allow unauthorized access to memory contents containing user credentials. This may be incredibly oversimplified—to the point it is somewhat inaccurate—but it suggests that, by using the latest generation of web application firewalls and intrusion prevention systems such as HP TippingPoint, we can at least start to implement some form of perimeter defences. We can offer some protection whilst we start to address the colossal task ahead of us in changing out a widespread component of our infrastructure. Bear in mind that the time-consuming part of a change is quite often the required approvals and processes surrounding the change rather than the change itself.
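The bounds-checking failure described above, as an added illustration that is not from the original post and not OpenSSL's code: a constructed heartbeat echo handler that trusts the message's own length field, beside one that checks that length against the record actually received. The heap image, record lengths and the credentials in it are made up for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): 1-byte type, 2-byte payload_length,
   payload, then at least 16 bytes of random padding. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Constructed "heap image", not a real capture: a 19-byte request that claims
   a 32-byte payload but carries none, followed by unrelated data that happens
   to sit next to it in memory. */
static const unsigned char heap_image[] =
    "\x01\x00\x20"                        /* request, claimed payload_length = 32 */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"    /* 16 bytes of padding; record ends here */
    "user=alice;pw=s3cret";               /* adjacent data that must never leave */
#define FORGED_RECORD_LEN 19

/* A well-formed request: payload "ping" plus the minimum padding (23 bytes). */
static const unsigned char good_record[] =
    "\x01\x00\x04ping" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
#define GOOD_RECORD_LEN 23

/* Vulnerable echo: copies as many bytes as the message *claims* it carries.
   The length of the record actually received is never consulted. */
static size_t heartbeat_echo_vulnerable(const unsigned char *rec, size_t rec_len,
                                        unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* the missing check */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) claimed = out_cap;       /* bounds only the write */
    memcpy(out, rec + HB_HDR_LEN, claimed);         /* reads past the record */
    return claimed;
}

/* Hardened echo: the claimed payload (plus minimum padding) must fit inside
   the record that was actually received; otherwise drop the message. */
static int heartbeat_echo_checked(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;           /* runt record */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed + HB_HDR_LEN + HB_MIN_PADDING > rec_len) return -1;  /* length lies */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, claimed);
    *out_len = claimed;
    return 0;
}
```

The vulnerable handler returns 16 bytes of padding followed by 16 bytes of the neighbouring data; the checked handler rejects the forged record and still echoes the well-formed one.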


Companies like HP are frantically closing the hole to protect our customers, and we are assessing and remediating gaps wherever possible. We are starting to see published lists of unaffected software the likes of which we haven’t seen since Y2K.


In response to this, I think we need to take a measured approach to addressing the problem, which I believe boils down to six key steps:


  1. Secure the perimeter. There is a storm coming, so it’s time to get the sandbags piled at the door; perimeter defences need to be implemented as quickly and effectively as possible.
  2. Understand what systems are affected. This can be done using existing asset discovery tools and analytics.
  3. Establish the fix and remediation processes, and get them tested using functional and performance testing toolsets.
  4. Implement change controls through service management systems and disciplines.
  5. Test the fix. Miss this step at your peril.
  6. Automate the rollout.

We have the technology. I see it in action every day.


Act fast

In short, we need to act—and act fast. I believe we can fix this and fix it fast; never before have we been better equipped to deal with a mass exploit like this, and we should take confidence in our capabilities.


Now all we have to do is get on with the task at hand. Good luck, everyone!


For more insightful articles about critical trends in enterprise software, subscribe to the Discover Performance newsletter.


Ken O'Hagan is director of software presales at UK&I at Hewlett-Packard. Before coming to HP, Ken amassed close to 10 years of technical experience, working for companies such as Perot Systems and The Bank of Ireland. During his time at the latter, he was responsible for architecture definition/validation, hardware specification, technical design, and implementation and was a key part of the team that successfully implemented the five largest programs ever delivered for Bank of Ireland.
