<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TR8PWW" height="0" width="0" style="display:none;visibility:hidden">

Cooler Heads Will Prevail

By Jussi Valkiainen on December, 8 2014
Jussi Valkiainen

Head of Product Line, CryptoAuditor. Jussi Valkiainen is the head of product line for CryptoAuditor. He has worked at SSH Communications Security for over ten years and has held various positions in R&D, Marketing, and Product Management with increasing responsibility. Enthusiastic about user-centered design, Jussi works with Global 2000 customers to solve their cybersecurity needs and make it easy for security officers to achieve security and compliance. Prior to joining SSH, he worked at Nokia, and wrote user documentation for microwave radios used in GSM and 3G networks. Jussi holds a Master of Science in Engineering from Helsinki University of Technology (Aalto University).

When thinking of IT security trends, I don’t think I would be on the wrong track if I would dub the year 2014 as “The Year of Open Source Vulnerability”. In the same vein, past couple of years could be called “The Year of Snowden” and “The Year of Multiple Web Site Breaches which Resulted in Millions of Stolen Credit Card Numbers”, in no particular order.

Topics that have previously been covered only in IT-specific media, have gradually crept into traditional media too. And this year has been the first time when vulnerabilities in open source components or widely used protocols are receiving heavy coverage even in traditional newspapers. Heartbleed, Shellshock, and most recently POODLE, are now familiar words even to laymen.

As the usage of open source components has proliferated, it may be difficult to keep track in exactly which places those are being used. This is sometimes a challenge even to IT vendors who are using open source in their products. And in enterprises, BYOD makes matters even worse.

The vulnerabilities should be taken seriously, but with all this media attention, it is easy to get distracted and even panicked. But let’s take a deep breath and consider a few points:

  1. Not all vulnerabilities are equally severe.
  2. Publicity they are getting is not necessarily proportional to their severity; moreover their severity to your environment may be totally different than the severity to world. If you are running Windows-only environment, you don’t need to care about Shellshock at all. (But are you sure? How about that new Sales Director’s BYOD MacBook?)
  3. There are numerous vulnerabilities that do not get heavy publicity, but still should be fixed in your environment. Microsoft Patch Tuesday fixes several possibly severe Windows vulnerabilities every month and you don’t see news about this in your morning paper. (One recent exception to this is the Schannel vulnerability, dubbed WinShock by some, which ended up in morning papers a few weeks ago.)

So when faced with a vulnerability, you need to understand its severity for your environment and then decide your actions. Shall you calmly wait for the vendor to patch, or is this so critical that you actually need to take your systems offline until the patch arrives?

Even as a cyber-security expert, you cannot always do the analysis yourself. “So what if SSL 3.0 allows arbitrary content for the padding of the cipher block?!?” And even if you can, you don’t have time to do that for all possible vulnerabilities. For example, in 2013, Secunia reports 13,073 vulnerabilities found in 2,289 products!

Luckily, the bodies that issue the vulnerability warnings also provide analysis on their severity. For example, U.S. NIST uses a rating called Common Vulnerability Scoring System (CVSS). To use the four above-mentioned vulnerabilities as examples, Heartbleed got 5.0, Shellshock got 10.0, POODLE got 4.3, and WinShock got 10.0. Note that boiling down an impact of a vulnerability to one number also has its limitations, as pointed out by some experts.

Still these numbers can help you decide the severity of the vulnerability to your environment. Allowing your web servers to downgrade to SSL 3.0 is not a good idea in the long run, but running unpatched Bash is very risky, and you should patch immediately, even check that the Sales Director does that for his own MAC OS X laptop.

Bruce Schneier gave advice on reacting to security vulnerabilities already five years ago. It was more aimed at the end user, but the final advice applies also to enterprises, and here is my interpretation of it:

  1. Expect your vendor to patch.
  2. Expect them to notify you when there is serious impact in their products.
  3. When the patch is out, apply it to your systems.

If there is a severity 10.0 vulnerability, you may have to consider taking your systems offline, but this is very seldom needed.

During World War II, the British government ordered a motivational poster with a Tudor Crown and the text “Keep Calm and Carry On” below it. This poster was never published during war time but has recently found new life in countless of variations, with “Carry On” being replaced with whatever seems appropriate. Well, I am going to repeat the line here without modifications. When facing vulnerabilities, Keep Calm and Carry On, since cooler heads will prevail in the end.

By the way, out of the three publicized open source or protocol vulnerabilities mentioned, CryptoAuditor avoided Heartbleed and Shellshock but was affected by POODLE. This was fixed in CryptoAuditor 1.4.1 and all customers should upgrade to this new version.

Submit a Comment

Stay up to date