Do you feel lucky?

Alexander Freund

Now that the dust is settling over the latest internet security scare, namely Heartbleed, many if not most business owners feel lucky to have been unaffected and probably aren’t spending a whole lot of time worrying about it. Most of us are vaguely aware of the parade of security patches released by Microsoft and other software vendors to close the security holes that are continuously discovered in their desktop software. Now that there are three dominant web browsers in the marketplace, namely Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox, a single vulnerability discovered in one of those browsers will not be as broad a security problem as it has been in the past. Heartbleed was somewhat unique in that it was discovered in the software that is used to run secure websites, not software that runs on a desktop for accessing the internet. The bug was discovered in the implementation of OpenSSL, a widely used library of cryptography programs that handle secure website communications. Because OpenSSL is widely used in millions of popular websites, the scope of the vulnerability was significant, and because the bug was embedded in the encryption component, generating a patch to fix the vulnerability took longer than normal.

Vulnerabilities like Heartbleed are the holy grail of hacking. They provide good windows of opportunity for the hacking community to steal really valuable information (passwords, encryption keys, and session cookies), they are not easily fixed, and even once a patch is available, it takes time for the commercial website providers to implement the fix. The Electronic Frontier Foundation declared Heartbleed the worst vulnerability found since commercial traffic began to flow on the internet. We can expect to see more of these types of software bugs discovered as the hacking community targets commercial internet traffic.

For us as a managed service provider, Heartbleed could have been a disastrous security problem for our customers. So the obvious question for those of us tasked with managing IT infrastructure is: what can be done to reduce or eliminate the risk and potential damage from this type of security flaw? Well, as it turns out, lots.

First, anything that can be done must be done quickly. Once the security vulnerability is made public, a race begins in the hacking community to figure out how it can be used. From the desktop computer perspective, the way in which Heartbleed could be used to steal information or take control of a desktop was via a common plug-in that was part of Internet Explorer. So disabling that plug-in on all desktop computers would have been a valid strategy to prevent exploitation of the flaw. Using a default browser other than Internet Explorer would have been a valid strategy as well. If you have 5 desktop computers, this is easily accomplished manually if you know where to go to disable the plug-in, or how to install a different browser and change the default. Both of these strategies can impact end-users by making other websites not function as expected, including internal software that is accessed by using an internet browser. Now think about implementing this on 50 desktops, or 500 desktops!

We were actually able to implement both strategies on over 2000 desktops in about an hour. Across our entire customer base, including all of the desktops and laptops at 4IT, we installed Google Chrome and disabled the offending Internet Explorer plug-in.

How, you might ask?

We were able to do this because we load specialized desktop management software on every desktop that we manage. That software continuously monitors the health, status, and performance of the desktop, but also provides us with the ability to script the installation of software, manipulate files and settings, and even disable Internet Explorer plug-ins. All of this can be accomplished by writing and executing a custom “script”, which is a fancy name for a program that one of our engineers wrote to automate the specific actions that we wanted to perform on the desktop. We wrote and executed that script in under 24 hours. About 3 weeks later, the Internet Explorer patch that fixed the Heartbleed vulnerability was released by Microsoft. Again, in about an hour, we pushed that patch out the day it was released to all of our managed desktops, and re-enabled the Internet Explorer plug-in. The management software we use is not just available for desktops and laptops. The same agent can be loaded on tablets and phones, and can be used in the same way.

This highlights one of the real differences between managed and unmanaged IT infrastructure. If your infrastructure is unmanaged, ask yourself the following question:

Do you feel lucky?
