David Jacoby, senior security researcher: Global Research & Analysis Team at Kaspersky Lab, discusses the lessons we have learnt from the Heartbleed vulnerability.

At Kaspersky Lab, my job not only involves analysing malware and vulnerabilities, or merely talking about the latest security threats; a big part of it is also to explain to users, and educate them on, how to build security.

When doing so, some of the major topics I try to emphasise include the need to back up data and protect against malicious code, as well as to keep systems up to date with the latest security patches and, of course, to use encryption. I am sure that many have heard all this before.

But what do we do when the security software we use becomes vulnerable and is the entry point for attackers?

This is a hot discussion right now, especially considering the recent OpenSSL Heartbleed attack that was made public last week. But why are these types of vulnerabilities so critical?

Before I delve further into the Heartbleed attack, it is important to mention that the mind-set many users have today when looking at security products and solutions is broken. The way we evaluate security products or solutions is by looking at functions and features, and if they comply with what we are trying to achieve, then we tend to just ‘buy’ them.

The problem with this, however, is that we tend to forget all the key aspects that the security product or solution won’t do for us. Therefore, we need to understand that security products and solutions should complement a secure mind-set, not replace it.

Why am I addressing this regarding the OpenSSL Heartbleed vulnerability? I believe that we, in general, assume that the Internet is working and is a secure platform. We use the Internet for very personal things such as dating, shopping online, communicating via social networks, managing our finances and more. The problem with the Internet is that when something goes wrong, it can get very bad, very quickly.

In line with this, one big problem with the Internet is that it’s extremely fragmented. Some online resources have extreme security and very robust infrastructure, while other resources have been forgotten about and are extremely fragile and vulnerable.

We also have sites we consider very secure and robust that tend to become vulnerable because of the extreme number of dependencies between systems. It is impossible to secure every single component in our IT systems.

When using the Internet we need to assume the worst and take action accordingly, with immediate effect. The problem is that we also tend to trust resources that we think of as outside the world of the Internet, medical systems for example. However, they all use the Internet as well. So when something as major as the Heartbleed vulnerability happens, the impact is enormous.

It is quite difficult to say how widespread the Heartbleed attack is and what the impact will be when criminals start to exploit this vulnerability. But imagine that someone were able to copy the keys to all the bank vaults in the entire world. At first glance it sounds really bad, but it all depends on what’s in the vaults.

It is critically important to note and remember that software is just software and there will always be vulnerabilities in it. We need to start understanding that even though we back up, encrypt and protect against malicious code, we still have sensitive data, and that data can leak.

And if this data gets leaked, we need to do everything we can to make the data as useless as possible for the person who obtains it.