The first part of the WSTR 2015 is finally available, and dedicates a chapter to 2014 vulnerabilities and how they have changed our vision of threat response. You can read the first part of the WSTR here.
The good news is that we have discovered fewer vulnerabilities in 2014 than in 2013 (we have observed a 3.6% decrease). However, the bad news is that it doesn’t mean the discovered vulnerabilities were less dangerous. Three words are enough to make any IT manager shiver to the thought of what they have had to endure in 2014: Heartbleed, Shellshock, and Poodle.
Heartbleed is by far the vulnerability we have heard the most about. Discovered in April 2014, this bug received quite a lot of media attention as it impacted both users and servers, and didn’t require a man-in-the-middle position to exploit the vulnerability. It has been a year since the discovery of Heartbleed, and this bug is still raising concerns as it seems that many organizations didn’t remediate properly to the situation.
Shellshock and POODLE were discovered later in 2014 – POODLE got a second round of attention in December when we discovered the vulnerability could affect TLS connections as well. Although less dangerous than Heartbleed, these vulnerabilities remained critical for website security and required immediate attention.
The 3 vulnerabilities shared a key similarity: they were related to technologies and software which have been widely accepted and used around the world, leading to serious and potentially dramatic data breaches if no action was taken to fix them.
This should, however, not be a reason to start panicking and foreseeing the end of website security as we know it today. Although its implementation has revealed critical flaws last year, the SSL/TLS protocol itself remains trusted and secure.
Furthermore, what the first part of the WSTR highlights here is:
- No matter what, we remain in a very fast-paced, rapidly-evolving sector with numerous third-parties – including hackers – and constant changes in norms and standards. To be realistic, these vulnerabilities discovered in 2014 are not the first and not the last we will hear about.
- We have learned from these vulnerabilities, and we are moving forward to a new type of management of our infrastructures. We can notably mention the faster response time of Microsoft and other major actors of the sector during such critical times, as well as the rise in awareness about the lack of funding for some Open-source projects and the dangers of re-using code as a general practice. What Tim Gallo jokingly refers as the “dirty secrets of application development” in pages 19-20 of the WSTR, part 1.
Reusing code is indeed a well-known but deliberately concealed risk of Open-source projects. It is a convenient habit that no one really wanted to bring out from the shadow until Heartbleed put it under the spotlight. Yet instead of blaming each other for not having detected such a fatal flaw in OpenSSL, the website security industry didn’t stay inactive, and tried its best to learn and evolve. As Tim Galo underlined in the report, it had made everyone realize how we need a better organization of our network infrastructures. “Better enforcement of configuration, policy, and patching across entire infrastructures will help. The moving of infrastructure to the cloud also helps an overworked IT professional manage these issues as well”. The Core Infrastructure Initiative is, for example, a very positive result of the industry leaders’ reaction to Heartbleed.
Symantec strongly encourages such initiatives. We believe it is vital to react quickly, develop threat intelligence, document previous vulnerabilities and share as much data as possible in order to fight against the ever-evolving threat landscape. The WSTR we publish every year belongs to such initiatives and we would like not only every IT manager and application developer to read it, but also employees and individuals. Because we’re all concerned by the security of our data at some point – even if at different levels.