How you need to respond to Heartbleed, and how you can explain it to others

Michael Santarcangelo | April 14, 2014
Your executive action plan to respond to Heartbleed: what you need to know, steps to take, and how to explain it to others.

Is the Internet broken? According to some, it may be. A newly discovered bug dubbed Heartbleed is capturing attention. As each hour passes, more information is revealed. With the desire to provide useful insights, the tech world - and even the mainstream media - is awash with stories.

What's the deal?

Sometimes it's hard to cut through the flood of technical information to get a solid sense of what needs to be done. The challenge is distilling down to the actions we need to take for our organizations, ourselves, and how to guide those we serve.

Rather than rehash what others have done well, here are:

  • Five steps each organization needs to take (now)
  • Three actions each individual (including us) needs to consider
  • Insights into how we explain this to others (and the opportunity we have)

What's at stake?
Trust.
Transport Layer Security (TLS) is broadly used to encrypt and protect information in transit. The Heartbleed bug allows an attacker to read the memory of an affected system, siphoning off whatever happens to be stored there: usernames, passwords, credit card information, and even the private keys of the server.

The popular comic xkcd explained the bug brilliantly today (see it here).

The way we respond and communicate with people has a direct impact on trust. It's imperative we get this right.

Note: Canada shut down the tax system in response to Heartbleed. The Canadian tax deadline is April 30. That means they made a nearly impossible decision during the busiest time of the year. They even shut down additional sites/systems this morning and plan to test and verify the elements. It's a courageous decision designed to maintain trust and ensure people are not at risk.

Perhaps liability.
Especially now that US Regulators have started to warn banks. They've even suggested banks should encourage their customers to change passwords (I heard the collective groan - see below for ideas).

It's possible that organizations that fail to act may be liable in the future. It's too soon to tell, for certain. The responsible action is to follow the actions below and avoid serving as the test case.

First step: the five immediate actions to take
Use this as a checklist to make sure your team took these actions. Or share it with your executives to show them the steps you took (and why). Then use it as a guideline for how to break it down and explain this to the people we serve.

1. Check for the bug in your own systems; this is broader than web servers
The bug affects the TLS protocol's heartbeat extension (hence the name Heartbleed). Initial coverage and focus were on the sheer number of Internet servers using OpenSSL and the large potential risk this bug poses.
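One way to triage an inventory for step 1 is to classify the `openssl version` banner collected from every system, not only web servers. This is an added example, not part of the original article: the affected release range comes from the OpenSSL advisory, and the inventory fields, host names and banners are constructed for illustration.

```python
import re

# Upstream OpenSSL releases with the heartbeat bug (CVE-2014-0160):
# 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1; 1.0.1g is the fixed release.
# These ranges are from the OpenSSL advisory, not from the article.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d*))?", re.I)

def classify(banner, origin="upstream", compile_flags=""):
    """Triage one `openssl version` banner.

    origin is an assumed inventory field: 'upstream' for a build from
    openssl.org source, 'distro' for an OS or appliance vendor package.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"
    base = m.group(1)
    letter = m.group(2).lower()
    beta = (m.group(3) or "").lower()
    if base == "1.0.1":
        in_range = letter in ("", "a", "b", "c", "d", "e", "f")
    elif base == "1.0.2":
        in_range = letter == "" and beta in ("beta", "beta1")
    else:
        in_range = False
    if not in_range:
        return "not-affected"
    # Builds compiled without the heartbeat extension do not expose the bug.
    if "-DOPENSSL_NO_HEARTBEATS" in compile_flags:
        return "not-affected"
    # Vendors backport the fix without changing the version string, so a
    # packaged build in range needs its changelog or advisory checked.
    return "check-vendor-patch" if origin == "distro" else "affected"

# Constructed inventory: (host, role, banner, origin, compile flags).
INVENTORY = [
    ("web01.example", "web server", "OpenSSL 1.0.1e 11 Feb 2013", "upstream", ""),
    ("vpn01.example", "VPN gateway", "OpenSSL 1.0.1e-fips 11 Feb 2013", "distro", ""),
    ("mail01.example", "mail relay", "OpenSSL 0.9.8y 5 Feb 2013", "distro", ""),
    ("lb01.example", "load balancer", "OpenSSL 1.0.1g 7 Apr 2014", "upstream", ""),
    ("db01.example", "database", "OpenSSL 1.0.1c 10 May 2012", "upstream",
     "-DOPENSSL_NO_HEARTBEATS"),
]

def triage(inventory):
    """Map each host to its triage result."""
    return {host: classify(b, o, f) for host, _role, b, o, f in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host:16} {result}")
```

A version banner only narrows the list: hosts marked `check-vendor-patch` need the vendor's advisory or package changelog, and every confirmed host still needs the patch applied and the services restarted.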

 
