After Heartbleed: Can this relationship be saved?
By Laura Haight
All relationships are built on trust.
Just as in our personal lives, trust is a major element in our digital lives. Networks — from internet backbones to your home entertainment system — are built on “trust”. Based on input from us, they identify devices and other networks as “trusted” and allow them access. Applications and systems are always asking us to trust them and most often, without giving it too much thought, we say “sure”!
Now we are several weeks past the general public becoming aware of the Heartbleed bug, and it might be time to ask ourselves what is next. Can this relationship we have with technology be saved?
As is the case with any damaged partnership, the answer is yes, but don’t kid yourself: It will never be the same.
Heartbleed is a vulnerability in the very security code web developers and system designers used to protect us. Some 66 percent of all websites use the affected OpenSSL library, making for a staggering number of potentially exploitable systems. The problems go beyond websites into the nerves and bones that make up our digital lives. Some of the biggest network hardware companies in the world, Cisco, Juniper, Citrix and VMware among them, have vulnerable hardware and software.
If you are a business with an internal network, local servers, cloud servers, virtual private networks, mobile users or employees, you should be looking at an evaluation and remediation plan. For example, VMware, the server virtualization company, released its very first patch for vulnerable systems on April 14. The company notes that some servers will have to be upgraded to install the patch, and that both the server and client side need patching, but the client patches (for everything from Windows to mobile devices) are not ready yet.
Every business or non-profit, regardless of size, needs to know its hardware and software assets, which version of each it is running, what its support or maintenance agreements cover, and how each element interacts with the others. Your IT department should have this. Armed with that report you can complete these next steps.
Ask your IT staff or outsourced service for a report on the status of all your hardware and software components and services.
Working together, develop a remediation plan — this will be a work in progress, as some vendors (like VMware) don’t have all their patches ready yet. Don’t wait for everything to be in place before you get started, but also don’t just power through and make changes everywhere. If you make changes on a server or service that hasn’t been patched yet, you will only have to make them again.
If your IT staff or service cannot provide a status report because elements of your network, software or cloud assets are not all identified, then start with updating that analysis. That should also be a work in progress and should be repeated every time new software, services or hardware are added to the system.
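As an added illustration of the “know your versions” step above (my example, not from the column or from any vendor), here is a small triage script that sorts a constructed asset inventory by upstream OpenSSL version. It assumes the affected upstream releases are 1.0.1 through 1.0.1f and 1.0.2-beta1, and it sends packages whose distro claims a backported fix to a “verify” bucket, because the version string alone cannot prove the backport.

```python
import re

# Upstream OpenSSL releases that carried Heartbleed (assumption stated in the
# lead-in): 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g fixed it.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")

def parse_version(text):
    """Parse '1.0.1e', '1.0.2-beta1', a distro string, or 'openssl version' output."""
    text = text.strip()
    if text.startswith("OpenSSL "):
        text = text[len("OpenSSL "):]
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter, beta = match.groups()
    return int(major), int(minor), int(fix), letter, beta

def upstream_status(version):
    """Classify by upstream release number only; ignores distro backports."""
    major, minor, fix, letter, beta = parse_version(version)
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if beta == "beta1" else "patched"
    if (major, minor, fix) != (1, 0, 1):
        return "not affected"  # 0.9.8 and 1.0.0 never had the heartbeat code
    # Letter releases sort alphabetically: '' is bare 1.0.1, 'g' is the fix.
    return "patched" if letter > "f" else "vulnerable"

# Constructed sample inventory; hosts, versions and the distro suffix are invented.
# vendor_fixed=True means the distro advisory claims a backported fix, which
# leaves the upstream version string unchanged.
INVENTORY = [
    {"asset": "web-1",  "openssl": "1.0.1e", "vendor_fixed": False},
    {"asset": "vpn-gw", "openssl": "OpenSSL 1.0.1g 7 Apr 2014", "vendor_fixed": False},
    {"asset": "mail",   "openssl": "0.9.8y", "vendor_fixed": False},
    {"asset": "api",    "openssl": "1.0.1e-9+example1", "vendor_fixed": True},
    {"asset": "lab",    "openssl": "1.0.2-beta1", "vendor_fixed": False},
]

def triage(inventory):
    """Bucket assets into remediation actions for the status report."""
    plan = {"patch now": [], "verify vendor backport": [], "patched": [], "not affected": []}
    for rec in inventory:
        status = upstream_status(rec["openssl"])
        if status == "vulnerable":
            status = "verify vendor backport" if rec["vendor_fixed"] else "patch now"
        plan[status].append(rec["asset"])
    return plan
```

Feed `triage` the real inventory once IT has collected version strings, and treat the “verify vendor backport” bucket as open until the vendor advisory for that exact package has been checked.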
I know, that sounds like a lot of work on your part. And it is. In most good operational models there are checks and balances. But technology seems so complicated that we often cede control completely to someone else because we don’t even know the right questions to ask. When we get a response like: “Don’t worry, it’s all taken care of”, we breathe a big sigh of relief and cross it off the to-do list. Don’t.
What’s next after Heartbleed? Our relationship with technology is battered and bruised. Our trust, if not broken, is being severely tested. It is past time that we accepted responsibility for the engine that drives so much of our business and personal lives.
Hope is not a strategy and trust is not a control.
The personal side of Heartbleed
Here’s a list of some things everyone should be doing to ensure personal digital security.
You need to know all the websites where you have logins. Believe me, it’s more than you think. I learned that when I changed the passwords on 133 of them.
Use a checker like this one where you can enter a URL and find out whether the site was never vulnerable, was vulnerable but has since been updated, or is still vulnerable. You can change passwords on the updated sites and keep checking back on the still-vulnerable ones.
When you change these passwords, you need to make each one unique. I KNOW, I did this with 133 sites and, in honesty, it is a giant pain. That doesn’t mean it’s not necessary. Here’s a cautionary tale of one reason why this matters.
It’s time to get a password manager. A lot of people will disagree with this, but it is impossible to make scores of strong, unique passwords that you will definitely remember. LastPass, 1Password and RoboForm are all strong contenders. I use LastPass, which I think has been the most proactive during the current outbreak. It provides a security tool that checks all your websites at once and provides a Heartbleed status for each.
Make sure the master password for the password manager itself is really strong and that you don’t use it for anything else. Do not store it on your computer or mobile device so you don’t have to remember it. Even if you have to write it down and stick it in your wallet: what are the odds someone will have your wallet, your computer and your smartphone?
Don’t think that you aren’t vulnerable because you do everything in apps on your phone or tablet. Those apps are accessing internet services, and it is those services that may be vulnerable. Here’s a list of some. Good news for Apple users: iOS and OS X never “incorporated the vulnerable components”, and the in-app payment system keeps you on Apple’s secure servers rather than sending you to an external system to make purchases.