
Heartbleed: A Test for Digital Agencies

What is Heartbleed?

The short answer is that CVE-2014-0160, or "Heartbleed," is a memory-disclosure bug in OpenSSL's implementation of the TLS Heartbeat extension. It is not a flaw in the TLS protocol itself, and it affects any side of a connection (server or client) that runs an affected OpenSSL build, versions 1.0.1 through 1.0.1f. Because OpenSSL sits behind a large share of the web's servers, its impact on the web is wide-ranging.

The longer answer requires a bit of technical explanation.

In the bad old days of the internet, and the web in particular, data flowed between clients and servers in an open manner—unencrypted and easy pickings for bad guys.

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which succeeded clear text traffic, created a more secure environment and gave us all the confidence to share more of ourselves digitally. From credit card information to business plans to baby pictures, we have been able to, by and large, put sensitive data online without (too much) fear by relying on the Hypertext Transfer Protocol Secure (HTTPS) standard in our browsers and our websites.

Heartbleed has put a dent in that confidence for many users, and it only serves to highlight what has become a period of disruption in encryption and data security.

The OpenSSL project, whose open-source TLS/SSL toolkit is widely adopted across the web, announced on April 7, 2014 that affected releases contained a bug that lets an attacker read up to 64 KB of a peer's process memory per crafted heartbeat request, repeatable as often as they like. That memory can hold session cookies, passwords, and even the server's private key. With the private key, an attacker can impersonate the site and, if the server used RSA key exchange rather than a forward-secret cipher suite, decrypt any traffic they captured before or capture afterwards, until the key and certificate are replaced. The fix shipped in OpenSSL 1.0.1g.

Even worse? The bug had been present since OpenSSL 1.0.1 was released in March 2012, more than two years before disclosure, and no one noticed, at least not anyone who was interested in fixing it. To top it off, exploitation leaves nothing in ordinary server or application logs; unless full packet captures were kept, there is no forensic trail showing whether anything out of the ordinary occurred. When faced with a known vulnerability and no data, security pros can only assume the worst: that data has indeed been compromised at some point.
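To make the mechanism concrete, here is an added example in C, not from the original post and not OpenSSL's own code: a simplified reconstruction of a heartbeat handler with the missing length check, beside the checked version. The record layout follows RFC 6520; the `process_memory` buffer, the session-cookie string, and the function names are constructed for the demo, and the over-read is kept inside that one array so the program is well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS Heartbeat message (RFC 6520): type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. The peer answers
 * by echoing payload_length bytes of payload in a response. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3   /* type + payload_length */

/* Constructed stand-in for the server's heap: the incoming record sits at the
 * start, and whatever follows it in memory (here a fake cookie and key
 * fragment) is what an over-read exposes. */
static unsigned char process_memory[256];
static const char *const secret = "cookie=sess_4f9a; KEY=-----BEGIN RSA";

/* Vulnerable handler: trusts the peer-supplied payload_length and never checks
 * it against the record actually received (reconstruction of the pre-1.0.1g
 * logic, not OpenSSL's code). */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                               /* the bug: rec_len is ignored */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;            /* demo guard; real code malloc'd resp_len */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len); /* over-read happens here */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: silently drop any request whose declared payload does not fit
 * inside the record that was received, as the 1.0.1g patch does. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + payload_len + HB_PADDING > rec_len) return 0; /* the missing check */
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Lay out a 21-byte request carrying a 2-byte payload ("hi") but declaring
 * claimed_len, followed directly by the secret. Returns the real record length. */
static size_t build_memory(uint16_t claimed_len) {
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_memory + HB_HEADER, "hi", 2);
    size_t rec_len = HB_HEADER + 2 + HB_PADDING;   /* padding bytes are already zero */
    memcpy(process_memory + rec_len, secret, strlen(secret));
    return rec_len;
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the secret back to the attacker. */
int vulnerable_leaks_secret(void) {
    unsigned char resp[256];
    size_t n = heartbeat_vulnerable(process_memory, build_memory(64), resp, sizeof resp);
    return n > 0 && contains(resp, n, "sess_4f9a");
}

/* 1 if the fixed handler drops the same malformed request. */
int fixed_rejects_oversized(void) {
    unsigned char resp[256];
    return heartbeat_fixed(process_memory, build_memory(64), resp, sizeof resp) == 0;
}

/* 1 if the fixed handler still echoes an honest 2-byte request and nothing else. */
int fixed_echoes_valid(void) {
    unsigned char resp[256];
    size_t n = heartbeat_fixed(process_memory, build_memory(2), resp, sizeof resp);
    return n == HB_HEADER + 2 + HB_PADDING && memcmp(resp + HB_HEADER, "hi", 2) == 0
           && !contains(resp, n, "sess_4f9a");
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects request  : %d\n", fixed_rejects_oversized());
    printf("fixed handler echoes valid one : %d\n", fixed_echoes_valid());
    return 0;
}
```

The whole vulnerability is the one comparison present in `heartbeat_fixed` and absent in `heartbeat_vulnerable`: the request says "echo 64 bytes back" while only 2 were sent, and the handler obliges with whatever happened to sit after the record in memory. In a real server that memory was a 64 KB window into the process, and nothing about the exchange looked unusual from the server's side, which is why the lack of a forensic trail mattered so much.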

It’s serious stuff.

How did GLG respond?

At The Garrigan Lyman Group, we reacted quickly. As individuals, we took steps for our personal and business-related online usage (avoiding using certain sites until they were fixed, changing passwords across a variety of sites, etc.). As an agency, we had a responsibility to protect our clients and their customers. It’s what we do.

Shortly after learning about Heartbleed, our senior technology team met to assess the threat to our clients and allocate internal resources to mitigate that threat. We host a variety of sites for different clients, and we identified which sites were potentially at risk and which were safe.

For the safe sites, we communicated the situation to our clients. We let them know that they may or may not have heard about Heartbleed, but that their sites were not vulnerable. For the sites that were potentially at risk, we created an action plan and then ran our checklists. Test, notify, patch, test, notify. We communicated the situation to our clients, and we let them know that on a go-forward basis, our team was on it.

What did your agency do?

The web, along with each individual website, needs to have the confidence of its users. User confidence can be established to some extent with a great design, excellent user experience, and valuable features, but it can be undermined in an instant by technical and security issues.

Because of the high stakes involved with your website, it is important for your agency to have a plan and a team to support the plan.

- Be proactive. Poke and prod and stress servers and components to confirm that they work as expected. Actively monitor sites during periods when extra strain on servers is anticipated. It is important to find problems before they have a real-world impact.
- React quickly and in an orderly fashion. Because the technology is complicated and the world is a big place, issues are going to arise unexpectedly. You need to know when things go wrong, and then address them systematically and thoroughly. A war room, a quick risk assessment, and standing access to people who can actually fix the problem are the best way to handle a critical issue.
- Communicate. Some clients are affected by the issues; some are not. Some are aware of potential issues; some are not. It is important for an agency to let its clients know the situation—the good, the bad, and the potentially ugly—and what steps are being taken. Making sure that clients don’t have to speculate is the root of building trust.

GLG takes pride in its ability to avoid major issues, but even more so in its ability to respond to them when they occur. That ability is what let us deal efficiently with Heartbleed.

What did your agency do?