I put this out not to show what I know, but to start a discussion if possible. What did you learn from Heartbleed?
Never waste a good crisis. I forget who said that, but it’s advice I’ve given many, many times. I hope it’s also advice I’ve taken.
Now that the Hearbleed crisis has settled down, it’s time to reflect. I’m asking: What did we learn? How are we better?
One lesson I hope we didn’t learn is that open source software is somehow suspect. A great deal was made about the lack of support and the programming mistake in the Open SSL library. And yes, there is someone kicking themself now for this obvious mistake, but that person isn’t the only one to look at that code. In fact, open source code gets a wide review and often by talented programmers.
The fact is that all code – open source or proprietary code has weaknesses. Programming is all too often “the art of introducing bugs into perfectly good code.” What we should have learned is that everything is vulnerable. You have to act like you can’t keep everyone out, you can only slow them down.
I do hope that makers of proprietary software don’t take this opportunity to brag that it wasn’t them. I hope that it shows true class and restraint. But it may also just be smart. You might as well paint a bulls-eye on your software if you did.
We need multi-layer defenses. In every interview I do I remind people they need multi-layer password strategies. Ideally you use a password manager and have unique passwords for everything. Failing that you should at least separate into five categories – work, personal finance, e-commerce, email and social sites. Each category should have hard to guess and unique passwords. The strategy is to slow someone down. If they get your email, they don’t get your bank and so on.
Hopefully we all learned to start using dual verification on key sites. Having reread the story of someone whose Gmail ID had been stolen I wondered what was holding me back. I admit I was lax on this and didn’t have it on everything. Heartbleed changed that for me. I have dual verification on my blog and on my public Gmail. I’m moving through all other accounts rolling out this strategy wherever it is available.
On a corporate level, I took to heart a piece of advice that a friend gave me. “The bad guys don’t have policies. That’s why they are always ahead of you.” As I went through the Canada Revenue Agency story in interviews, what struck me was how quickly they moved, given the fact that they are a government organization. No offence, but we’ve all heard the story that it takes two days to get a tweet out of some government departments.
As all the “second guessing” went on, I had so much sympathy for the people who had to stand up and recommend that they take the site off-line, in the month before tax time. Easy for us to say it was right, but go ahead and recommend taking your network connections down for a day or two just to be safe. And if you are wrong about the threat, will you have to leave a forwarding email so we can find you at your next job.
I hope that in every security department, people laughed when they read that line. I hope they said that I was nuts and that they didn’t fear losing their job by making a smart call, even if it proved to be wrong.
I hope wise business executives are telling the story of the Japanese automaker that first allowed their employees to stop the production line when they saw a problem. Until that point, the idea of a worker stopping the line was unheard of – especially in North America. So huge safety and quality problems went right on down the line, even when workers knew about them. Today, in many plants workers can and do stop assembly lines even though it costs a lot of money to stop the line.
I hope that everyone in charge is having a talk with their staff – emphasizing that security is everyone’s responsibility and empowering key staff to make prompt decisions when needed.
Not that easy? You are right. That’s why it’s important to discuss what to do is before it happens. I hope we’ve learned is to use the word when and not if for a major security breach.
That’s what I’ve been mulling over this week. I put this out as a post not to show you how much I know, but to start a discussion. Love to have your comments on what you learned from Heartbleed.
Jim Love is the CIO of IT World Canada
@CIOJimLove