Security Manager's Journal: With Heartbleed, suddenly the world is paying attention to security

Heartbleed. The Internet Explorer vulnerability involving Flash Player. Security is in the news.

Suddenly I'm getting swamped with requests for information from people at work who never used to care about what I do. They are hearing about these vulnerabilities on the mainstream news, getting scared, and coming to me for advice. Is this good or bad?

Frankly, I don't understand why the mainstream media is picking on these particular vulnerabilities, when there are (and have been) so many others to choose from. It may be because of the buzz around the end of Windows XP security updates, and the news coverage of the security risks of unpatched vulnerabilities.

My first reaction to Heartbleed was, "Who cares?" Let's talk about some actual exploits, like the card number thefts at big retailers or the password thefts from AOL, LinkedIn, Facebook and Gmail. Those are a really big deal because they actually happened and caused great harm. Vulnerabilities? Sure, they are important, and professionals like me take them very seriously, but I don't see any reason why anybody else should be more concerned about these than about any others. Vulnerabilities as a whole are bad, but the individual ones that are popping up in the news aren't something that should concern the average person. Exploits, yes; vulnerabilities, no.

My reaction to the recently announced Internet Explorer Flash vulnerability was similar. Why are we talking about this? The media is saying the vulnerability allows "remote command execution," which they say allows an attacker to completely take over a victim's computer. Yeah, so? We get a dozen of those announced every month from Microsoft and other platform vendors. Why is this one hitting the news?

I'm guessing here, but it may be the name. Heartbleed is a pretty cool moniker, isn't it? The average person who isn't into technology or security is going to perk up upon hearing that word. It evokes garish images, doesn't it? Maybe the first news reporter heard the name and thought it would get a lot of attention. He or she was right, if that's the case.

In any case, I've recently been finding myself walking through the door at work and fielding questions from throngs of concerned citizens wanting to know about these viruses. That's right, they think Heartbleed and the new Internet Explorer bug are viruses that are going to take over all the computers. I have to explain the difference between a vulnerability and an exploit, and I don't even want to get into all the varieties of actions that an exploit can take.

Talking, emailing and posting about these issues is starting to take up a lot of my time. That's good, and bad. On the positive side, I suddenly have a new opportunity to educate the general public about stuff that I care about (and they should care about), namely the cycle of software flaws that lead to discovered vulnerabilities and on to exploits, and the concept of "zero-day," which renders a lot of our defenses useless. It's also a good opportunity to explain how antivirus software works, what it protects against and its shortcomings (signature-based detection is only as good as the malware fingerprints within the antivirus database, and malware can do a lot of damage before a signature is deployed to detect it). I also like to take the opportunity to describe alternative malware detection and prevention technologies, such as behavior-based detection and command-and-control server callback detection. But when I get to that point, eyes start to glaze over and the listener starts looking at his watch. On the negative side, all this time spent discussing (and defanging) the news is biting into the time that I should be spending dealing with real security issues that affect my company.

I guess I really shouldn't complain -- with security in the news, more people will become aware of what we security managers and practitioners do all day, and hopefully start to value it more. "Good thing we have these security professionals keeping us all safe," I imagine them saying. We're getting our 15 minutes of fame, and while I don't really understand why, I can't wait to see what's next.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
