[This article was originally written by Cloud Passage blogger "carsonator."]
The discovery of the Heartbleed vulnerability was one of the most impactful events in recent security history.
Although roughly 51,000 software vulnerabilities were reported to NIST in the last decade, few have had the broad impact of Heartbleed. The vulnerability affected roughly 17.5% of secure web servers and an estimated half-million or more sites1.
Dubbed “catastrophic” by undisputed security experts, the initial reaction to Heartbleed has been monumental –in some cases premature or misguided, in most cases panicked. Boards were briefed on user exposure, business impact, and remediation strategies. User experience, legal, marketing, and PR teams all became involved. The lack-luster work of infrastructure security was suddenly spiked to mission-critical levels. Security became a hot topic at all levels again.
Heartbleed was the kind of vulnerability that many would have considered highly improbable, if not impossible, until it happened. Exposures of this nature and scale have consequences that outlive their headlines. And as many who work outside the cyber security community have recently learned, such an event has broad and profound impacts.
But these impacts won’t wane when the Heartbleed patching and user advisories are finished. As with all security events of this magnitude, waves of additional threats and reactions will be triggered.
So what kind of things, good or bad, will spring forth from Heartbleed?
Security will remain in the spotlight – momentarily. The Heartbleed event put security at top-of-mind for consumers, business executives and IT professionals alike. Some organizations were spurred to scrutinize their own security practices and tools, but this newfound enthusiasm has historically not driven deeper shifts in thinking. Initial panic and fear subsides, and day-to-day pressures and tactical needs push security to the back burner again – at least until the next disaster.
This is an opportunity for business leaders to step back and consider that security means more than reacting to the latest hot topic – it’s something that increasingly must be considered a core part of doing business.
Attackers will exploit Heartbleed remediation efforts. Companies are often shocked to learn the panicked frenzy of activity around a major new vulnerability is a great attack vector. In the case of Heartbleed, attackers are most likely to exploit the mad dash to have users reset potentially exploited passwords and other credentials.
Blasting users with email advisories with password-reset links is indeed necessary, but since people are expecting these emails, crafty phishing attacks will subvert this necessity to their nefarious advantage. The aftermath of Heartbleed offers attackers a prime opportunity to harvest usernames and passwords for SaaS and consumer applications. Exploiting user expectations of Heartbleed emails will make for highly successful phishing campaigns in the coming months. If history is any indication, these campaigns will not only harvest end-user credentials, but also those delivering privileged access to critical systems.
Smart companies will implement additional monitoring for the fingerprints of phishing attacks and will consider controls that kill the phishing vector, such as multi-factor authentication.
Creatively seeking additional vectors. Heartbleed has violently punctuated our dependence on SSL and other security software used as fundamental building blocks. These technologies are often wrongly considered invulnerable – after all, security experts created them, right?
But security experts make errors too, and now that there’s blood in the water, the sharks will come. Attackers are already researching variants of the Heartbleed vulnerability, leveraging sophisticated automation to conduct fuzz testing of SSL-enabled systems. The scope of Heartbleed exploit efforts will expand further to to non-human interfaces – specifically, machine-to-machine APIs. In the intense focus to protect humans’ security credentials, machine-to-machine interfaces are often forgotten. However, they also depend on OpenSSL and therefore offer attackers a vulnerable attack vector. These API interfaces exist within everything from social media services to medical devices to critical homeland infrastructure. The implications are terrifying.
The smart response is to expect these attacks to come. More efficient and consistent visibility into exposed systems can be achieved through security automation. Companies should also ruthlessly assess where additional layers of security are needed to shore up weaknesses at probable attack points.
Open source will remain under scrutiny. Heartbleed was even more disturbing in that the vulnerability existed for many months in one of the most relied-upon security technologies in the world – OpenSSL. The very software created to prevent data theft actually enabled theft of secret cryptographic material, authenticated session keys, and user access credentials. Given the trust placed in OpenSSL and the breadth of its deployment, Heartbleed also created tremendous fear, uncertainty and doubt about other major software dependencies.
In this regard, Heartbleed was an important wake-up call to consumers of this and similar open source code: just because a code library is “available for public scrutiny” does not necessarily mean the user community is actually scrutinizing or testing it to its full potential. This kind of testing requires a unique pool of talent and specific automation environments – both that demand investments.
Organizations will not abandon open source security tools, of course. But Heartbleed may well have created the impetus for industry consortia and possibly even commercial vendors to invest in tacking the issue of open source security assurance.
As Heartbleed continues to create major disruption throughout the tech world, the aftermath of this event will also change the status quo, for better or worse.
The intense focus on security that Heartbleed has created could drive re-evaluation of security postures and approaches, particularly pertaining to excessive dependency on too few mechanisms. Anticipating the attacks that will springboard off of Heartbleed could lead companies to gain broader and deeper visibility through automation. New products, services, and industry efforts may evolve that focus on greater assurance for industry-critical open source security software.
But none of these silver linings can emerge without focus on the bigger picture, even as the initial mop-up of Heartbleed concludes.
What happens next – good or bad – is largely up to us.