For all of the chaos and exposure that came with the Heartbleed OpenSSL vulnerability, there is one thing that the security community got right – broad, loud communication to everyone and their mother. Literally. As my mom called me up to ask whether she should change her passwords, I couldn’t help but think that this global news item would eventually help drive the awareness we need to protect ourselves.
Nobody likes sharing bad news, particularly around security issues. What if you damage your reputation? What if the wrong people find out and use it to others’ detriment? But in reality, hiding the information isn’t going to work for any extended period of time – there are people far more capable of discovering it than you, and they’re the wrong sorts of people.
So when the time comes to share – and that time is almost certainly sooner than you think – you need to make sure you share enough information and broadly enough that the people you need to protect can act.
The situation is not unlike all of the times you want to hide information from your children. It was a beautiful Portland summer day when my 3-year old son taught me this lesson. He was climbing out of the pool, shivering, taking adorable huddled steps over to me. As I wrapped his swim towel around his shoulders, he looked into my eyes and said, sweetly, “It’s f*cking cold out here.”
Now, just like with a security incident I could have responded in a few different ways. I could have ignored it and hoped that the problem wouldn’t continue or get bigger. I could have tried to obfuscate the problem and hope that he would be misled into a different behavior (“Don’t you mean fiddly-sticks?”).
But what I realized was that it was f*cking cold out there – he wasn’t mimicking something he had heard. He not only knew the word but how to use it in the right context. There was no avoiding the straightforward, honest and yes, awkward and embarrassing conversation.
My son no longer needed me to hide information. What he needed from me was more information – that the word would offend people and that he shouldn’t trot it out at the swimming pool no matter how cold it got (save it for rush hour traffic, son). And if he knew the word, no doubt his sister did too. The information she already had put her at risk of offending others and she needed additional information to prevent it.
So when that moment comes when we have uncomfortable information to share – when the breach occurs or the vulnerability gets discovered – let’s follow the model that Heartbleed and our parenting experiences have shown us.
Assume that others already have the information, find out who is at risk and give them as much information as they need to protect themselves. Loudly if need be. Better to have your mother call and ask about it than to have to help her clean up the mess when she becomes a victim.
- Heartbleed and Your SOHO Wireless Systems
- Stopping the Heartbleed
- Detecting Heartbleed Exploits in Real-Time
- How to Detect the Heartbleed OpenSSL Vulnerability in Your Environment
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock