Threat Level Thursday: NIST Champions IT Security and Rash Heartbleed Responses
Welcome back to Threat Level Thursday, where this week we'll be talking more about the defensive end of cybersecurity, including a set of guidelines to improve critical systems and software security by the National Institute of Standards and Technology (NIST) and why quick responses to threats are great, but rash ones aren't.
The NIST released a draft titled "Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems" on Tuesday, the first step towards releasing a comprehensive document by the end of the year. The goal is to have the public make suggestions, which will then be integrated over the next three drafts.
The 120-page document highlights 11 key areas concerning Internet Technology and how to bolster each sector's security. Jargon aside, the publication attacks the issue from one main angle: that IT security is part of the software side from the ground up, not an afterthought.
"My first car had seat belts and no airbags," NIST fellow Ron Ross, one of the three co-authors of the draft, said, referring to the fact some safety features that were initially add-ons and later became standard. "We'd like to have the same level of confidence in our software and systems."
"By integrating our best practices into a well-established engineering process, we then can start to communicate with the system engineers who speak a different language than security engineers," Ross said. "That dialogue is important to understanding what each discipline does and how they can work together to achieve a common goal. That's really one of the main objectives of this publication."
Why It's Important to Take Your Time
Remember Heartbleed? How it was the worst vulnerability ever found? For those who haven't heard (or forgot), Heartbleed is/was a coding error in a version of the widely used OpenSSL encryption system on the Internet. How widely used? It is estimated that at one time Heartbleed could potentially affecting around two-thirds of the world's servers.
Patches were applied and users were told to change passwords in case their personal data had already been compromised (a simple task ignored by many). Still, as it turns out, in the rush to fix the Heartbleed vulnerability, some 2,500 servers caught it thanks to a faulty patch. A report by security firm Netcraft reveals that around 30,000 servers are using the fix that contains a faulty loophole allowing hackers to still target Heartbleed.
"It is difficult to definitely say why this problem developed, but one possibility is that all the media attention led concerned system administrators into believing their system was unsecure," security analyst Yngve Nysaeter Pettersen said.
"This, perhaps combined with administrative pressure and a need to 'do something', led them to upgrade an unaffected server to a newer, but still buggy version of the system, perhaps because the system variant had not yet been officially patched."
For more stories like this, follow us on Twitter!
Subscribe to Latin Post!
Sign up for our free newsletter for the Latest coverage!