Heartbleed, mumsnet and many of the others, could it have been prevented

Simply put: yes.

Poor old mumsnet, getting heartbled. Unlike many others, mumsnet has been one of the most public. This only highlights for me the serious lack of understanding in securing systems. So many companies, once they get to a certain size, are not reactive to network security.

My house for example, is secure as far as the genpop is concerned, the windows are closed, the front and back door is locked, but if someone really wanted to break in they can. Climb over the fence and smash a window for a bruteforce entry. Buy a set of common lockpicks, learn how to pick the most common lock and in you are.

There are even more complicated ways to break in. The vast majority of network and software systems employ exactly the same common use security.

If I’m in the public eye, then I would employ more complex security, employ guards to patrol. Yet in network administration, businesses don’t employ people to patrol the edge of their domain. Why is that?

Reason 1, people are expensive to employ, the reliance on logfiles to check on whose coming and going and then munging them is a reactive way of doing it. By the time a reaction is made by the business the damage is done.

Reason 2 the decision makers don’t truly comprehend the information they are given. I once sat in a meeting, with a security consultant, an enterpise architect, the infrastructure architect and the CIO. The problem was described to the security consultant. He said what the business wanted couldn’t he done easily and custom research and work would have to be done. Everyone nodded and agreed, except my big mouth. I asked the consultant if he had read Thor’s Microsoft Security Bible, published by Syngress. He said no, I then explained that chapter 7 Securing RDP, explains in fine detail how to implement what the company wanted, here I said its in kindle on my phone. Passing it to him with it already loaded at the first page (the meeting name in the company calendar was actually called securing RDP). The security consultant said that’s not right, its not the right way to do it, followed by the fact he didn’t know how to secure Microsoft systems and would have to put a team together to research it. I was given a ticking off after the meeting for being embarrassing to the company. I wasn’t a technical decision maker, but the technical decision makers didn’t know anything about the technicalities, just wanting to be spoonfed an answer.

Reason 3 to much belief the system automation does what is required. If you believe your lock wont get picked because because it uses a secure socket layer and that uses cryptography. Then you are not going to put monitors in place, that will be specifically set to look for incursions to your security systems.

The final point I’m going to raise is that network infrastructure use many parts, my lock is no good if someone knows how to remove the trim around the glass, undo three torx screws, push and pop the glass out.. on every server a company uses, whether physical or virtual, colocated or cloud have many many pieces of software installed, knowing them and understanding them is very specialised and mumsnet fell foul of that complexity.

Advertisements