Earlier this week, engineers at Google Security and Finnish cybersecurity company Codenomicon independently discovered a software bug called Heartbleed, and in the span of just a few days, it has become one of the hottest topics on the internet.
Heartbleed is a software bug in the open-source cryptography library OpenSSL. OpenSSL is software built into Apache, the server software that about two-thirds of the world’s websites use to deliver Web pages to your computer, according to a report in the Boston Globe. When working properly, OpenSSL creates an encrypted data channel between your machine and the remote server, so that data passing from one to the other can’t be read except by authorized computers with keys for decoding the information. The Heartbleed bug lets an attacker read the memory of a server or a client and retrieve the encryption keys needed to decode the data stream, exposing e-mails, financial data, phone numbers, you name it.
As the Internet’s biggest companies scramble to apply patches that will fix the problem, individual consumers are being urged to upgrade their own security, including by considering changing their passwords for online retailers, social networking sites, financial institutions, and more.
As with the Target breach a few months ago, the fallout from the Heartbleed discovery tells us a few key things about the overall IT climate:
- Too often, it’s more reactive than proactive.
- Concerns about security are palpable.
- Company boards are asking the wrong questions: They are asking, “Are we prepared for disaster?” when they should be asking, “Does our IT infrastructure position us for sustainable growth?”
- There’s still too great a gap between business goals and technology infrastructure.
- Most companies only notice technology when it fails.
How did your company react in the weeks following the Target security breach? What will your response be to the Heartbleed bug? How can you take a more proactive approach to ensuring the security of your data?