Post-Heartbleed, we know that another security incident will come to light, sooner or lighter. But we don’t know what it is. How can we prepare?
US Secretary of Defense Donald Rumsfeld may not have personally anticipated the Heartbleed bug, but he certainly understood the broader concept of devastating security threats that suddenly emerge from the shadows. “There are known knowns,” he famously said: “There are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.”
Heartbleed could be described as an unknown unknown, but only by the uninformed. The bug, in a piece of software used in one form or another by two thirds of the Internet, allowed people to steal a server’s ‘crown jewels’ directly from memory, leaving no trace.
The Heartbleed vulnerability existed for two years before white hat researchers discovered it. It isn’t known how long sophisticated criminal groups and state nations knew about it before this point, if at all. But this isn’t the first major security flaw to hit the Internet.
two types of flaw
Show-stopping security bugs fall into two main camps: design flaws, and implementation bugs. Security guru Dan Kaminsky, who was working as director of penetration testing at security firm IOActive in 2008, found a critical design error in DNS that could have allowed an attacker to effectively own the dot com top level domain (TLD), or any other. He had to pull together a critical effort in secret among the world’s top online companies to work around the problem.
Conficker was an implementation flaw, discovered in the same year. This malware, which spread rapidly used a fundamental vulnerability in Windows that permitted computers to infect each other. There have been several other scares along the way.
The response to these flaws, and to Heartbleed, was largely reactive; a panicked flurry of patching, the setting up of an educational web site, and a spate of finger-wagging articles in the press. But if these incidents tell us anything, it’s that the next major security bug, and the next, are what Rumsfeld would have termed “known unknowns”. We know they’re out there - we just don’t know what they are.
rethinking open source
Faced with this knowledge, corporate board members are personally liable for future losses from such flaws, says Jim Koenig, a principal at Booz Allen Hamilton, who co-leads its cybersecurity and Internet response effort.
“Boards of directors will be held responsible for noticing and considering cybersecurity risks,” he says. “And that includes those that come from open software.”
As an open source project, OpenSSL’s security flaw throws the whole concept of open source into a new light. The project had four software engineers, and an annual budget of around $1m.
“Maybe when that first started, that might have been appropriate,” Koenig argues. “But given now that it's the primary product selection for SSL, there's now a question of whether additional corporate and government resources should be made available, because the risk and consumer dependency on it has outgrown that.”
He argues that companies should invest their own dollars in bettering the security of any open source products on which they rely. It could even be included as a review fee, imposed whenever any corporation licenses it.
This may help to secure open source, but not all major security flaws come from this realm. The vulnerabilities in MS-CHAP 2.0 didn’t, and Catalin Cosoi, chief security strategist at BitDefender, cites this as one of the more serious bugs in the last few yeaars.
The world is moving towards cloud computing and managed services, says Cosoi, who argues that many of the future ‘known unknowns’ will emerge in that space. This trend carries positive and negative connotations.
“We believe it's a wash. On the one hand, you have the obvious dangers of centralized mistake making,” he says. On the other, many companies get access to services that they otherwise couldn’t have afforded.
There are other advantages, points out Will Dormann, vulnerability analyst in the CERT Division of the Software Engineering Institute at Carnegie Mellon University. “Consolidation of traffic into a handful of large providers can help when it comes to both monitoring and patching,” he points out.
enterprises must be prepared
But at the end of the day, it is up to enterprise users themselves to prepare for these known unknowns. Paco Hope, principal consultant at IT security firm Cigital, borrows from Nassim Nicolas Taleb, the author of “The Black Swan”, when he advises companies to be “anti-fragile” in their approach to security.
“We can't assume that nothing will ever fail,” he says. “Instead, we reduce the vulnerability and accept the fact that we will mess up. So we build in a reaction program, a repair as it were, and we practice those things, with lots of fire drills. So people are then doing things that they fully understand, that they practiced all the time.”
Heartbleed has proven to us yet again that we live in a world of known unknowns, not to mention unknown ones. In such an uncertain environment, it pays to be ready to adapt, and to treat the very things that could disrupt your environment as things that can make you stronger.