Preemptive heartbleed
Music provided by: Denis Kreynin https://soundcloud.com/denis-kreynin
Recorded April 9 2014
XP’s last patch cycle for the public came out this week. https://www.pcworld.com/article/2140806/patch-tuesday-last-call-for-windows-xp.html
News dominated by a very severe vulnerability in a widely used implementation of SSL and TLS (what keeps your confidential information private over things like https), called Heartbleed (https://heartbleed.com/).
Coverage for the public: https://www.reuters.com/article/2014/04/09/us-cybersecurity-internet-bug-idUSBREA3804U20140409
Best video for technical details: https://vimeo.com/91425662
EFF discovers some people potentially taking advantage of this over half a year before it was made public and puts a tin foil hat spin on it (not unlike I did): https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
Also affects client software (i.e. the stuff you run on your home computer) if there’s a malicious server taking advantage of you: https://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/
Security program fundamentals include having a healthy IT environment. You need:
– Inventory management (the more complete the better)
– Management support (the higher up the better)
– A mesh of governance that supports IT, including:
  – Policies, standards, and procedures
  – Vulnerability scanning and patch deployment automation
  – Security awareness
  – IT auditors
You may even have regulators of your industry inquiring about how you keep your customers safe, like: https://business.financialpost.com/2014/04/09/heartbleed-bug-prompts-osfi-to-check-in-with-canadas-banks/