It’s not everyday that security threats make it into headline news and stirs people into a panic. I’m talking about Heartbleed, which pretty much is behind us, but based on the headlines and the coverage, you’d think that somehow everyone’s social security numbers and credit reports were just sitting prey. I can’t help, but remark how effective the marketing was in this threat, which led to its rapid resolution and greater security awareness.
With a name like “Heartbleed” it would have to be serious, right? The naming comes from the fact the security vulnerability in TLS’ Heartbeat feature. (My technical understanding stops right about here.) Why not just call it the TLS Vulnerability? It depends on the desired outcome. The crux of the matter is that the resolution involves not one host, but likely millions on the web. OpenSSL is in use on nearly all secure websites and the action to address it went beyond the tech circles.
Heartbleed had a blend of intrigue, fatality and novelty all baked into it. Mind you, I know this is a serious software defect — I’m not downplaying that. Rather, with a witty name, it allowed non-technical people to become curious and take an interest in their own security. On a side note, this is the perfect landing page. Easy to read and packed with information. If there was one thing I’d add, is to add a quick domain test so users can quickly determine if they are vulnerable.
What better way to prioritize system updates (and obtain resources) than having CEOs ask their system admins, “Hey, are we covered here?” Basically, system security and patching became the number one priority for at least a week solid, which is more than Microsoft has ever asked of us with their Patch Tuesdays. I’ve seen the perception of folks in the IT security field elevate to be the much-respected protectors of data.
So, thinking about Heartbleed, I have these five observations:
- Give threats a personality. If Heartbleed was titled CVE-2014-0160, it might not be addressed for some time. At the least, it might have been patched, but it wouldn’t compel system admins to update their systems and re-key their SSL certificates. A security issue with an identity allows non-technical people to talk about it.
- Demonstrate the real-world impact, quickly. Answer the “so, what?” quickly so people don’t get lost with the ins and outs of TLS protocols. Answer what this means for everyday users and system administrators. For Heartbleed, I found that the real-world impact was significantly exaggerated, but since it compelled me and others to take action, it’s not so bad. I recall when urgent WordPress security updates are released, they often lack the “why” in their messaging.
- Make the remedy clear and feasible. Now that you have users and administrator’s attention, explain what they need to do. A lot of the advice I read stated to update OpenSSL, regenerate key pairs for SSL certificates, and after a couple of days or so, users to change their passwords as a good measure.
- Provide tools and resources for testing and diagnosis. I love the collaboration that occurs on the web. Once the threat was identified and received a good amount of attention, tools around the web sprung up to quickly diagnose the vulnerability. It allowed everyday web users to plug in the domain of their choice and determine if they are vulnerable. This is a great way to let a massive audience to take threat concerns to companies/system administrators for remedy.
- Communicate (excessively) to users. You would have to be living under a rock to not have received the post-Heartbleed vulnerability emails. This disclosure is a good way to prove you take threats seriously, but timing is everything. I received one yesterday from another company — a full three weeks after the threat. Yikes. When messaging to users, it’s important to get to the point quickly, not downplay or editorialize the threat, but communicate plainly as if you were going to call a family member and tell them they need to update their computer or change their password.
So, what’s my call to action here? I don’t want to encourage hyping up small scope threats at the risk of crying wolf. But, if there indeed is an important security vulnerability, you’ve got to communicate about it clearly to your audiences. Oh, and give security issues a name so people can memorize them.