Thursday, April 24, 2014

Heartbleed: Lessons Learned

Fixing Heartbleed has received a lot of investment in a very short amount of time, in both money and staff hours. In my own company a number of senior Incident Response handlers and network admins were basically given a blank check on resources by management and told to solve the problem as fast as possible, regardless of the cost (pretty unusual at my company).

Recently a number of large technology companies have created a fund (the Linux Foundation's Core Infrastructure Initiative) to try to help open source projects prevent the next Heartbleed.

And there is no arguing that Heartbleed remediation carries a number of hidden costs beyond the patch itself: reissuing certificates, rotating the private keys that may have been exposed, and forcing users through password resets.

Any time this much money and time are thrown at an issue we should pay close attention (no pun intended). The question we are obliged to ask is why. What combination of factors opened the budget floodgates on this particular issue, and can any of those factors be applied elsewhere? I'll take a stab at listing some.

Recent Target Breach
There's no denying the Target breach brought cyber security to the front of everyone's mind. The phrase "this vulnerability could turn you into the next Target" creates a connection to an event people have spent a lot of time trying to understand. This shortens the learning curve about why vulnerabilities like this are important to fix.

Widespread Issue
During the heat of the issue numbers like "two-thirds of the internet" being impacted were thrown around. While I doubt these estimates (the two-thirds figure describes the share of web servers running OpenSSL at all, not the share running a vulnerable 1.0.1 build; Netcraft put the vulnerable share of SSL sites closer to one in six), they do grab your attention. And it's hard to argue that a huge portion of the internet was impacted.

Catchy Name
Heartbleed? Are you kidding me? It's awesome to say you're working on the Heartbleed vulnerability. It also makes for a great hashtag. The image of a heart painted in red with streaks dripping from it didn't hurt either.

Availability of a Fix
It's more comfortable to talk about an issue that has a fix available than one that will take some thought to solve. It's easier to say, "You're vulnerable, here's how you can find out, and here's how you fix it" (upgrade to OpenSSL 1.0.1g or your distribution's patched package, restart everything linked against it, then revoke and reissue certificates because the private keys may have leaked) than "BGP is based on trusting untrustworthy actors and we're not sure how to solve that yet."
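The "here's how you can find out" step is where most of the remediation hours went: inventorying which hosts ran an affected OpenSSL. The following is an added example, not code from the original post, that screens `openssl version` output against the affected range (upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 were vulnerable; 1.0.1g and 1.0.2-beta2 shipped the fix; 0.9.8 and 1.0.0 never carried the heartbeat code). The function name, the status labels and the host inventory are assumptions constructed for the example.

```python
import re

# Added example for this post, not OpenSSL's own code. Classifies the output
# of `openssl version` against the Heartbleed (CVE-2014-0160) affected range.
# Vulnerable upstream releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# Fixed: 1.0.1g and 1.0.2-beta2 onward. Never affected: 0.9.8 and 1.0.0.
#
# Caveat: a version string is only a first screen. Debian and Red Hat
# backported the fix without bumping the upstream version, so a host that
# reports "1.0.1e" may already be patched (check the package changelog), and
# builds compiled with -DOPENSSL_NO_HEARTBEATS were never exposed.

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def heartbleed_version_status(version_output):
    """Return 'vulnerable-range', 'fixed', 'not-affected' or 'unknown'.

    Hypothetical helper written for this post; it is not an OpenSSL API.
    """
    m = VERSION_RE.search(version_output)
    if m is None:
        return "unknown"  # not OpenSSL, or an unrecognised version string
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)                       # "" for a bare 1.0.1
    beta = int(m.group(5)) if m.group(5) else None

    if (major, minor, fix) == (1, 0, 1):
        # Bare 1.0.1 (and its betas) up to 1.0.1f carried the bug; 1.0.1g fixed it.
        return "vulnerable-range" if letter <= "f" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped before the fix.
        return "vulnerable-range" if beta == 1 else "fixed"
    return "not-affected"


# Constructed sample inventory (host -> `openssl version` output); not real data.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "test-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "bsd-01": "LibreSSL 2.0.0",
}


def hosts_needing_attention(inventory):
    """Hosts whose reported version is in the affected range or unrecognised.

    Unknown strings are kept in the list deliberately: a screen that silently
    drops what it cannot parse is how patched-looking hosts get missed.
    """
    return sorted(host for host, out in inventory.items()
                  if heartbleed_version_status(out) in ("vulnerable-range", "unknown"))


if __name__ == "__main__":
    for host, out in SAMPLE_INVENTORY.items():
        print(f"{host:10} {heartbleed_version_status(out):17} {out}")
    print("follow up:", hosts_needing_attention(SAMPLE_INVENTORY))
```

Treat a "vulnerable-range" result as "go look at the package changelog", not as confirmed vulnerable, and treat "fixed" as confirmed only once every process linked against the old library has been restarted.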

Central website
Heartbleed.com was an easy website to remember and repost. Having a central location for the issue made it easier to discuss with different people.

Media Coverage
Security blogs are for security people. But the individuals who get to write the checks to pay the security people often pay more attention to mainstream news sources. My own management became more interested in Heartbleed when the New York Times ran an article about it. The mainstream media coverage definitely helped Heartbleed get the necessary attention.

All of that adds up to a lot of attention being paid to this issue. The security community should probably take some notes on Heartbleed for next time. As soon as you hear of a large-scale issue, hire a graphic designer to make a cool picture and reserve a domain name as a central location for the issue.