Experts from 3 key areas of IT security have commented below on the Heartbleed security flaw. Please feel free to attribute the comments in any stories or blog posts, and let me know if you have specific questions for any/all of them, and/or if you’d like to speak by phone:
Password/privileged identity management expert Philip Lieberman, president of Lieberman Software (www.liebsoft.com):
“This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home and commercial Internet connected devices on a global scale means that the Internet is a different place today.”
Unstructured data governance expert Jonathan Sander, strategy and research officer, STEALTHbits Technologies (www.stealthbits.com):
“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it. Having common technology is typically viewed as a good thing. But it can also lead to assumptions. People assume the parts they use are safe if everyone uses them. If deep testing isn’t being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first.”
Encryption and tokenization expert Mark Bower, VP of product management and solution architecture, Voltage Security (www.voltage.com):
“While ‘Heartbleed’ presents clear and present risk of exploit and active attack to systems to steal data, the big danger is to systems that have been relying on secure communications for things like key and credential exchange since the first affected version of OpenSSL was deployed. So affected entities need, in particular, to consider the external use of affected versions of OpenSSL in use, and establish what might have been transported and been potentially at risk in past SSL sessions with client systems or other servers. That itself might be very difficult, and requires consideration for changing transported credentials, certificates or monitoring other sensitive data which if exposed could lead to secondary compromises, theft, or further malware infestation.
Security vulnerabilities will always exist, and provide the ideal beachhead for attackers to establish the data-stealing malware infantry front line. In this case, Heartbleed’s significant data theft risk also emphasizes the need to take a different approach to data protection above and beyond SSL – for example, encrypting the data well before it enters and exits the SSL tunnel so that even if the transport is compromised, the data itself has no value to an attacker. This ‘data-centric’ or end-to-end protection model can reduce the need for SSL in the first place in some cases, and also protect data well beyond where SSL starts and stops. And for cases where SSL plays a critical and essential role, use transport mechanisms that are unaffected or patched against this particular risk as soon as possible.”
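The "data-centric" model described in the comment above, as an added example that is not part of the original release or of Voltage Security's products: a sensitive field is sealed with AES-256-GCM at the application layer before it is handed to the transport, so that whatever the TLS stack buffers (and could disclose) is only ciphertext, nonce and tag. The key, the field names, the "config-push" context string and the credential value are all constructed for this illustration; how the two endpoints share the key is assumed to be handled out of band and is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is all the application hands to the transport layer. The key
// never enters the TLS stack, so a transport-side memory disclosure can at
// most expose nonce, ciphertext and tag.
type Envelope struct {
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ct"` // AES-GCM ciphertext with appended tag
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one field. context is bound as additional authenticated
// data, so a ciphertext cannot be replayed into a different field or session.
func SealField(key, plaintext, context []byte) (*Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, context)}, nil
}

// OpenField reverses SealField. Any change to nonce, ciphertext, tag or
// context fails authentication and returns an error, never plaintext.
func OpenField(key []byte, env *Envelope, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, context)
}

// TransportBytes is the wire form the TLS layer would buffer and send.
func TransportBytes(env *Envelope) ([]byte, error) { return json.Marshal(env) }

// PlainTransportBytes is the "before" picture: the field relies on SSL alone.
func PlainTransportBytes(secret []byte) ([]byte, error) {
	return json.Marshal(struct {
		Field string `json:"field"`
	}{string(secret)})
}

// LeaksSecret asks the question a post-Heartbleed review has to answer per
// message: if this transport buffer were disclosed, would the secret be in it?
func LeaksSecret(transportBuf, secret []byte) bool {
	return bytes.Contains(transportBuf, secret)
}

func main() {
	// Constructed sample: fixed demo key and a made-up credential.
	key := bytes.Repeat([]byte{0x42}, 32)
	secret := []byte("db-password=hunter2")
	context := []byte("config-push:host=app01")

	plain, _ := PlainTransportBytes(secret)
	env, err := SealField(key, secret, context)
	if err != nil {
		panic(err)
	}
	wire, _ := TransportBytes(env)
	fmt.Printf("SSL-only buffer leaks secret: %v\n", LeaksSecret(plain, secret))
	fmt.Printf("sealed buffer leaks secret:   %v\n", LeaksSecret(wire, secret))

	// Receiver side: parse the envelope out of the transport bytes and open it.
	var received Envelope
	if err := json.Unmarshal(wire, &received); err != nil {
		panic(err)
	}
	pt, err := OpenField(key, &received, context)
	fmt.Printf("decrypted: %q, err=%v\n", pt, err)

	// A tampered envelope fails closed.
	received.Ciphertext[0] ^= 0x01
	_, err = OpenField(key, &received, context)
	fmt.Printf("tampered envelope rejected: %v\n", err != nil)
}
```

The point the comment makes is visible in the two `LeaksSecret` results: the SSL-only message carries the credential verbatim, while the sealed one carries nothing an attacker could use without the key, which was never in the transport's memory. This does not remove the need to patch OpenSSL, as the comment itself says; it limits what a transport compromise is worth.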