Suddenly I'm getting swamped with requests for information from people at work who never used to care about what I do. They are hearing about these vulnerabilities on the mainstream news, getting scared, and coming to me for advice. Is this good or bad?
Frankly, I don't understand why the mainstream media is picking on these particular vulnerabilities, when there are (and have been) so many others to choose from. It may be because of the buzz around the end of Windows XP security updates, and the news coverage of the security risks of unmatched vulnerabilities.
My first reaction to Heartbleed was, "Who cares?" Let's talk about some actual exploits, like the card number thefts at big retailers or the password thefts from AOL, LinkedIn, Facebook and Gmail. Those are a really big deal because they actually happened and caused great harm. Vulnerabilities? Sure, they are important, and professionals like me take them very seriously, but I don't see any reason why anybody else should be more concerned about them than any others. Vulnerabilities as a whole are bad, but the individual ones that are popping up in the news aren't something that should concern the average person. Exploits, yes; vulnerabilities, no.
My reaction to the recently announced Internet Explorer Flash vulnerability was similar. Why are we talking about this? The media is saying the vulnerability allows "remote command execution," which they say allows an attacker to completely take over a victim's computer. Yeah, so? We get a dozen of those announced every month from Microsoft and other platform vendors. Why is this one hitting the news?
I'm guessing here, but it may be the name. Heartbleed is a pretty cool moniker, isn't it? The average person who isn't into technology or security is going to perk up upon hearing that word. It invokes garish images, doesn't it? Maybe the first news reporter heard the name and thought it would get a lot of attention. He or she was right, if that's the case.
In any case, I've recently been finding myself walking through the door at work and answering throngs of concerned citizens wanting to know about these viruses. That's right, they think Heartbleed and the new Internet Explorer bug are viruses that are going to take over all the computers. I have to explain the difference between a vulnerability and an exploit, and I don't even want to get into all the varieties of actions that an exploit can take.
Talking, emailing and posting about these issues is starting to take up a lot of my time. That's good, and bad. On the positive side, I suddenly have a new opportunity to educate the general public about stuff that I care about (and they should care about), namely the cycle of software flaws that lead to discovered vulnerabilities and on to exploits, and the concept of "zero-day," which renders a lot of our defenses useless. It's also a good opportunity to explain how antivirus software works, what it protects against and its shortcomings (signature-based detection is only as good as the malware fingerprints within the antivirus database, and malware can do a lot of damage before a signature is deployed to detect it). I also like to take the opportunity to describe alternative malware detection and prevention technologies, such as behavior-based detection and command-and-control server callback detection. But when I get to that point, eyes start to glaze over and the listener starts looking at his watch. On the negative side, all this time spent discussing (and defanging) the news is biting into the time that I should be spending dealing with real security issues that affect my company.
I guess I really shouldn't complain -- with security in the news, more people will become aware of what we security managers and practitioners do all day, and hopefully start to value it more. "Good thing we have these security professionals keeping us all safe," I imagine them saying. We're getting our 15 minutes of fame, and while I don't really understand why, I can't wait to see what's next.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.