Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How you need to respond to Heartbleed, and how you can explain it to others

Michael Santarcangelo | April 14, 2014
Your executive action plan to respond to Heartbleed: what you need to know, steps to take, and how to explain it to others.

Explaining this to less technically savvy people is likely to be a challenge. Ideally, someone develops an automated method to check for the patch *and* the certificate replacement. (Update: looks like LassPass offers this checking for their users. No endorsement, but I hope others do this, too).

In the meantime, Soroko suggests checking and making sure that certificate revocation checking is turned on in whatever browser you use. 

3. Change your password(s)   see ideas on passwords below

Scout for phishing emails masquerading as Heartbleed password change notices. If unsure, type the URL for the site by hand.

Keep in mind that if you have shared or reused passwords across sites (and one of them was or may have been affected), then both need to change. It's a good opportunity to build, manage, and use better passwords; unique for each site.

What is the reasonable timeframe (for personal action)?
It seems reasonable to prioritize based on site, use, and purpose. Anything relied on or with financial information takes a higher priority.

In my case, I have over 600 passwords stored in my password manager. As sites apply the patch and re-issue their certificates over the next few weeks, I will slowly work through my passwords and make changes.

Explaining Heartbleed to others
Heartbleed poses a series of challenges when it comes to communicating with others. It caught frenetic mainstream attention during the early stages of assessing and understanding the impact. It gives new meaning to the phrase, "if it bleeds, it leads" if only because of the name. 

Couple that with the reality that much of the advice is similar to what our colleagues have heard for the last two decades. That means just telling people to "change their passwords, avoid clicking on links, and use caution on the Internet," is basically noise easily tuned out. 

The good news is that in every organizational assessment and analysis I've completed over the last decade, the internal security team is regarded as a trusted source of information. It means we have some real opportunities here. To rethink how we approach and provide guidance. Given the hype and coverage of Heartbleed, we need to provide measured, sound advice.

Our colleagues and clients use our resources, and often use the same credentials on other sites. More than suggesting that they change passwords is the importance of explaining why the timing of the change matters.
Revisit how we explain the elements of TLS (https://), how to examine the certificates from the browser (and why they might want to). Share why it makes sense (instead of simply telling them) to manually type in the URL they want to visit if they are uncertain if the site is safe.

 

Previous Page  1  2  3  4  5  Next Page 

Sign up for Computerworld eNewsletters.