What Heartbleed Felt Like in Federal IT

Recent vulnerabilities expose a fundamental issue that points to more headaches on the horizon.

Heartbleed, the notorious security vulnerability in OpenSSL software that allowed hackers to access memory in web servers, caused ripples throughout the IT world when it was discovered in April. And last week, Microsoft released a fix for Internet Explorer after the Department of Homeland Security recommended users find another browser until the software giant patched a separate vulnerability, which could allow remote code execution on exposed PCs.

The federal government did not go unscathed, and the outbreak has left a lasting impression on some.

“The problem, when these two things occurred, was that I did not have a choice. It was either shut down Internet Explorer and kill my business or use an alternative browser and not do business,” said Alen Kirkorian, chief information security officer at the Overseas Private Investment Corporation (OPIC), an independent government agency that facilitates developmental finance. “It’s a very hard choice for a CISO to then go to a CIO and say, ‘I have bad news, or I have worse news.’”

Kirkorian told attendees of the GITEC 2014 Summit in Baltimore that one significant flaw in online applications is the way some are tied to certain web browsers, effectively backing security professionals into a corner when software flaws are discovered.

“Ultimately when it comes down to it, a lot of these enterprise applications really need to be developed so they’re agnostic,” Kirkorian said. “So it doesn’t matter what kind of browser you’re using; it doesn’t matter what kind of technology you’re using. If there are vulnerabilities found 'zero-day,' we can move very quickly to something else and get the business going again.”

Beyond ensuring that they adopt technology-agnostic critical applications, agencies need to know exactly what they’re running on their networks so they understand which systems might be susceptible to security breaches.

“With Heartbleed, a lot of us did not know some of the systems that were affected by it,” Kirkorian said. “Folks didn’t realize that a lot of the appliances we have — systems and services — were based on this little piece of code that was managed by [the open source community]. And it caused a big problem for us.”

May 06 2014