Heartbleed: Lessons learnt from first contact

One thing I insist on in any security testing or activity is continuous learning and understanding. When the Heartbleed vulnerability exploded, I had the opportunity to go through exactly such a process.

April 9, 2014. It’s a balmy Wednesday morning in Sydney. I had started working for a new company the week before. That morning I walked in to an energetic boss who exclaimed ‘the internet is on fire!’ It was Heartbleed and developments overnight had been interesting. I had started following Heartbleed on Tuesday afternoon but had no idea that it would blow up like it did. Exploits had evolved and become widely available, mailing lists had fired up and for the next 24 hours things would be interesting.

Short of a zombie apocalypse, this is the kind of event that motivates any IT security enthusiast: an in-the-wild, reliable exploit that a lot of organisations had next to no time to respond to. My excitement was not about the cataclysmic ‘end of the world’ scenario that so many people had proclaimed; rather, it was about the fact there was work to be done, research to be completed, people to help and lessons to learn.

At 9am on the Wednesday, a team meeting set the goals for the day, consulting work was halted and we trawled through old reports to help our customers prepare for the dangers ahead. The internet had indeed burst into flame and our own chat services were busy as our coordinated effort to identify and help existing customers evolved into well organised crisis management. We found that:

  • Approximately 20% of our existing customer base was vulnerable
  • The majority of this number were unaware they were running the vulnerable version of OpenSSL
  • Information was still unclear in the minds of many as to the nature and risk of the vulnerability

As we progressed into the afternoon, I found a payment gateway that reported OpenSSL version 1.0.1e in its HTTP Server header, squarely inside the affected range (1.0.1 through 1.0.1f). I noted it and called the client, only to hear that a change request had been planned for the weekend, when it wouldn't affect their core business.

Despite my best efforts, I could not sway this person from their firmly held belief that a patch couldn't be installed except on weekends. Needless to say, their payment gateway was still reporting the vulnerable version during late night shopping on Thursday.

Based on my experience of April 2014, I have learned that:

  1. First and foremost, organisations need to know their environment. Just this year I have successfully acquired administrative credentials for a system because no one at the customer was aware that the system needed to be patched.
  2. Everyone needs to keep abreast of what is happening outside their own environment. Subscribing to alerting services, or even just reading mailing lists and tweets, provides a valuable source of information.
  3. Patching on a fixed schedule, or to a blanket ‘within 48 hours’ target, is no longer adequate. Patch management must now weigh the live threat, not just a vendor risk rating or a vague description of consequence.
  4. Detach emotion and be as objective as possible: the fastest way to burn out is to go down the self-destructive path that many in information security seem to take comfort in. The more you remove yourself from the ‘world is burning’ or ‘safeguard the homeland’ mentality, the more effective you’ll be at fixing problems.

Since then, I have observed that these lessons have not necessarily been taken on board by many. Emotion, salesmanship and a lack of awareness in information security continue to undermine our ability to protect the environments we’ve been charged with. Many sales teams have claimed since April 2014 that their products protected customers against Heartbleed, rather than the patch that actually fixed it, and others have neglected to learn from these events at all.

About the author

Edward Farrell is a seasoned penetration tester and information security consultant with nearly 10 years’ experience. In 2015 Edward sought to go out on his own and created Mercury Information Security Services. Edward’s new organisation provides customised information security services and advice for Australian businesses.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
