It’s been two years since the Heartbleed vulnerability made news, had companies scrambling for a fix, and sent computer users into a panic. It’s been a while since there has been a vulnerability of that magnitude to create headlines, but it doesn’t mean that vulnerabilities aren’t hiding in the software we use every day. Just this week alone, vulnerabilities have been found in Facebook Messenger, Google Chrome’s PDF reader PDFium, and as ZDNet described, “a vulnerability in public cloud infrastructures which it said allows a third party to eavesdrop on communications encrypted with transport layer security (TLS) protocol.”
How do you know whether or not your company is affected by a recently uncovered vulnerability?
Well, let’s take the Heartbleed situation as a specific example. There were tools to quickly detect or diagnose the exposures fairly quickly, explained Ken Pyle, security expert and partner with DFDR Consulting LLC, a company that specializes in digital forensics, eDiscovery, data recovery and network security consulting. That’s because vulnerability assessment companies produced code/tools quickly to address the problem.
At that point, it becomes a matter of taking things into your own hands. “I don't wait on someone else to secure my devices, particularly if it's a major issue,” said Pyle. “A company has to decide how to mitigate or remediate. No one else is going to make that decision for them.”
If there is word of a new vulnerability, it is better to assume the need for technical remediation and take action. The reason is simple: companies can’t take a "just deal with it" attitude and see what happens. “Unfortunately, I've seen this discussion and way of thinking executed by decision makers that are out of touch or just do not take security seriously,” Pyle said. “There's always action to be taken to reduce exposure. With breach laws, reputation hits and the like coming to the forefront, a company puts itself in dire straits through inaction.”
If you can't mitigate the risk, the goal is then to reduce the risk. This requires having a good control system in place, including SIEM, IDS, firewalls, and security policies to start.
Should a vulnerability be found, the first step is to make sure corporate management is aware of the problem and that they are involved throughout the entire process from the very beginning. Leadership needs to buy-in to the security team’s approach and the organization needs to work together to enact the threat-emergency strategy that should already be in place before an incident occurs.
What you don’t want to do, according to Pyle, is wait for the software vendor to remediate the situation. If a vendor can't provide a patch, press them to do so. If not, don’t hesitate to shut down the service or replace the software. There are a large number of vendors who still haven't provided patches to major exploits, including Heartbleed. They have plenty of reasons why they haven’t, ranging from old hardware to development time and resources to lack of man power. If your company suffers a breach because a known-vulnerability hasn’t been patched, it certainly isn’t going to be the vendor who is held accountable to your customers or the public. That’s why you have to be on top of every potential risk.
“Our job on the security side of things is always based in reaction,” said Pyle. But the process in handling a vulnerability has to be as proactive as possible, so that when the vulnerability – or any type of security threat – is discovered, it is vital to mitigate the risk as quickly as possible.
Unfortunately, Pyle added, the amount of time it takes from discovery, release, discussion and patching can take weeks, if not months. “Not every software company or manufacturer is up to date, much less immediately receptive to announcements and discoveries,” he said. “I've announced a few vulnerabilities over the years and software companies have been downright hostile or dismissive due to the public exposure, inability to quickly mitigate or ‘making them look bad.’ It's a sad state of affairs for a significant percentage of companies and eventually, they pay the price!”
Learn about how vulnerabilities get into software.