It is very disappointing for an information security professional to repeatedly discover how organizations neglect security basics. Vulnerability management and patch management are basic hygiene components of IT governance. Yet, in many organizations they remain at basic level or do not cover all IT assets in their scope due to “cost optimization” and other risk management process deficiencies.
I have recently stumbled upon an article pointing out that 4 years old vulnerabilities such as Heartbleed and Shell Shock are thriving in Docker community. The author claims that out of 6000 images analyzed, 359 contained Heartbleed bug. This illustrates how sensational headlines in media are quickly forgotten in routine organizational rush to reduce “time to market” for IT deliverables. Back in 2014 news headlines were announcing “the collapse of the Internet”. Forbes announced: “Heartbeat Heartbleed Bug Breaks Worldwide Internet Security Again”. Fortune: “The bug that rocked the foundations of the web”. Reuters: ‘Heartbleed‘ bug in web technology seen as major threat to user data. Following those spectacular announcements IT systems were checked against these bugs, patches applied and dust has slowly covered news headlines.
At CISO Asia Summit in 2014 I’ve given a talk on the post-Heartbleed world from a CISO perspective highlighting on importance of basic security hygiene that must include continuous risk analysis of all fundamental ICT infrastructure building blocks such as cryptographic protocols. Security professionals cannot assume that basic component like OpenSSL is immune from implementation flaws just because it is widely used across entire ICT industry. One cannot protect organizational crown jewels with a security control assuming that someone else must have verified it’s security level so why repeating that basic task. Drill down to the root of the issue and rationally evaluate your risks. In my opinion, the most critical issue with the Heartbleed bug is not that parts of the memory captured may contain some sensitive corporate information. The real problem is that it may contain information on server’s private cryptographic key! Why is private key in the memory? The answer in the case of Heartbleed bug was in the implementation of the RSA (Rivest-Shamir-Adleman cryptosystem). The emphasis is on the word “implementation” not on the design of a cryptographic algorithm. Focus on the quality of implementation! There are many software implementations of cryptographic primitives. Choose the right one to protect your vital information.
Heartbleed, ShellShock, and Poodle vulnerabilities were not the first ones of the kind that illustrates deficiency of risk management basics. Back in 2001 RC4 algorithm implementation in Transport Layer Security was the root cause of the epic failure in “Wired Equivalent Privacy” for WiFi networks. In 2007 NIST 800-90a specified standard for random number generation was critically vulnerable. In 2012 Flame malware exploited vulnerability in MD5 algorithm.
Cryptography is complex. Cryptoprotocols have many components and their security relies on implementation of cryptographic primitives (such as Random Number Generator (RNG), HASH functions, cryptographic algorithms, key management, etc). Assessing security levels of cryptographic controls requires understanding of their security settings in terms of their resistance to the state of the art cryptanalysis attacks and the duration that confidentiality and integrity of information has to be protected.
Security evaluation of a cryptographic protocol consists of individual analysis of each component. Results should serve as input to the overall risk analysis process of the protocol with the objective to estimate the level of security of each component and to identify those components with the highest risk. A chain always breaks at the weakest link. That principle should guide the risk analysis of the protocol’s security.
Presentation slides from my 2014 talk on post-Heartbleed World could be downloaded here CISO summit Singapore 2014 (online)
2018 is the year of enforced privacy regulation. EU General Data Protection Regulation (GDPR) in its article 25 requires “privacy by design” in technology. Organizations could be fined for not planning and implementing technologies with data protection as priority. For the first time we have a regulation that imposes prioritizing security over financial benefits. It is still too early to claim that this kind of regulation will change organizational attitudes toward security basics and that we will not witness in the future high-impact bugs such as Heartbleed.