Pratum Blog

We, the internet-using community, have been bitten by the Heartbleed bug. It came fast and the implications are serious. Pratum’s team of security professionals has been working with customers over the past several days to identify vulnerable systems and determine a course of action.

This vulnerability in the implementation of OpenSSL should teach us a few things.

  1. Theory is great, but how that theory is implemented will determine long-term success or failure. The encryption methods of OpenSSL weren’t bad; there was simply a mistake in the code, and that mistake caused all the problems.

  2. We need to stop treating the internet as if it is just the “Internet of Things”. It is not. It is critical infrastructure. We all agree that power grids, banking systems, transportation systems, etc. are critical. What if we couldn’t trust the common security systems used on the internet? E-commerce would fail and economies across the world would suffer severe impacts. The internet is critical infrastructure whether we care to admit it or not. We need to take security seriously.

  3. How security and technology vendors responded to Heartbleed should tell you a lot about how that company deals with risk management and security. Did they notify you of the vulnerability quickly? Did they provide updates and patches in a timely fashion? If they were slow getting to the party, one has to wonder why. Don’t be afraid to ask your firewall vendor why they were the last major vendor to supply a patch.

There will be consequences of this vulnerability. Systems were hacked. Data was stolen. We may not know for a while what the full impact was, but there was an impact. If you’ve been worried about zero-day threats but haven’t been able to get management to understand the risks, this incident should help.

If you need more information on the Heartbleed bug, you can follow the developments on CVE-2014-0160 at the NIST National Vulnerability Database.

I want to clear some things up on the Target breach front. There are hundreds of bloggers making accusations and assumptions that are unfounded and simply incorrect. So I’m just going to give you a list here. No fluff, no opinion, just fact.

False Statement #1: Target couldn’t have been PCI compliant because attackers stole CVV numbers, and storing those numbers violates PCI.

Facts: Nowhere have I read a factual account from Target or law enforcement that says the CVV was being stored. The CVV is read from the magnetic stripe at the PIN pad and transmitted to the POS. It could have been intercepted during transmission. Now, the data transmission between the PIN pad and the POS is typically encrypted, so we can assume that the data was probably stored somewhere and stolen. If you are going to make assumptions, state them in your post or article.

False Statement #2: Target couldn’t have been PCI compliant because it took them 18 days to discover the breach. They obviously weren’t doing their daily security monitoring.

Facts: Networks are complex. Applications are complex. Attacks are complex. Obviously there was some security monitoring going on. Sometimes it takes time to recognize an attack, investigate it and address the issues. This isn’t Hollywood. We don’t save the world in a 42-minute episode. Is it likely that Target will need to change their security monitoring procedures? Yep. Can anyone say they weren’t monitoring at all? Nope.

False Statement #3: This breach was timed specifically for the holiday shopping season.

Facts: Did the hackers themselves proclaim this? While it is entirely possible that this was a timed breach, it’s also just as likely that the hackers were simply lucky. Hackers strike while they can. It only takes one patch to foil a well-planned breach attempt. I’m not saying the intent couldn’t have been to hack during the holiday season, but we don’t know that for certain just because it occurred during the holiday season.

In essence, I’ve been very frustrated with the coverage of all this over the past 10 days. Expert after expert has been on this news program and that, claiming all these “facts” when in fact all they have at this point are opinions. Oh…and because it’s sensational news, the journalists are calling them out on it. They let the opinions stand as fact. What has become of journalistic integrity?

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 was introduced into the House this past week. While I applaud the attempt to push cybersecurity awareness, I have concerns with the bill at a very high level. Granted, I haven’t fully read all 56 pages yet, but here is my first concern. The following sectors are going to be classified as critical infrastructure.

(1) Chemical.

(2) Commercial facilities.

(3) Communications.

(4) Critical manufacturing.

(5) Dams.

(6) Defense Industrial Base.

(7) Emergency services.

(8) Energy.

(9) Financial services.

(10) Food and agriculture.

(11) Government facilities.

(12) Healthcare and public health.

(13) Information technology.

(14) Nuclear reactors, materials, and waste.

(15) Transportation systems.

(16) Water and wastewater systems.

(17) Such other sectors as the Secretary determines appropriate.

Don’t get me wrong, I agree with a lot of this. And classifying sectors for the purpose of information sharing isn’t a bad idea. There could be some unintended consequences of pushing this information security measure, though.

First, if everything is critical, nothing is critical. It seems these sectors would include the vast majority of business ventures in the US. We don’t have the time or resources to apply information security controls to everyone and everything. There’s always going to be an element of risk. We need to be careful that we’re not trying to eliminate all risk.

The second is that once something is deemed critical infrastructure, it will be very easy to regulate it in the future. Much in the same way Business Associates are now regulated under HIPAA, many of these sectors could come under the scope of, say, the Federal Information Security Management Act (FISMA) with one small change to a bill in a future legislative session.

On one hand this bill is too general, and on the other it’s too specific. Sounds crazy, but think about it. Do you really want your local deli to have to follow information security guidelines similar to a bank’s just because it got swept into the Food & Agriculture sector? Think something crazy like that wouldn’t happen? Just think about how many unintended consequences laws like the Affordable Care Act (Obamacare) have had.