At the start of the year I said to anyone who would listen (and that was a fair amount of people) that 2014 would be a milestone year for security and unified communications (UC). We will come back to UC another day, but security is really living up to the prophecy. 2014 is common to previous years with visible attacks, invisible attacks, well published breaches, hidden breaches and all of the above now carefully positioned under the Cyber Threat banner (the advanced persistent threat moniker of yesteryear now seems out of fashion).
And already as we cross into quarter two of the year we face the first “cause for concern” security breach that isn’t just affecting the IT rich major corporates, but has the potential to affect anyone who uses the internet in earnest. Heartbleed is that security breach and exposes vulnerabilities in OPENSSL, the security used to maintain secure encrypted conversations (passwords, usernames, etc.) by some web servers. OPENSSL gives informed users and laymen alike confidence to access the World Wide Web assured that a secure interaction is happening so a problem like Heartbleed potentially has major ramifications. We have always aligned with the view that the use of SSL, https, closed padlock signs on browsers, etc. should have signalled a “secure transaction” but sadly now that perspective is under scrutiny based on a vulnerability in OPENSSL that may have been evident for two years. That is two years when attackers “could” have been accessing hidden digital keys in those seemingly secure browsing or web interactions and “could” have been using those keys to hack the user/sites in question. A quick search across the web for a list of potentially vulnerable sites presents a “who’s who” of many of the biggest and best know destinations on the web.
Good news, the vulnerability was announced and highlighted last week (and most of the key sites have all but eliminated the vulnerability) – bad news, few know or are saying what or if the vulnerability has been used to attack to date.
So where does that leave us – thankfully informed and with that equipped with a “call to action” to ensure we are protected against the Heartbleed threat. But it shouldn’t stop there, if a threat of such magnitude has been hidden / secret for two years what else lies beneath your network, systems, and data – could that next “security threat alarm bell” ring for you. Do you know with confidence if your IT systems, company data, personal data are really secure? I rarely plug IT services and solutions on this blog but it may be time you gave us a call.
Until next time.