Data Center Security Lessons from Heartbleed and Target

Add Your Comments

WINSTON SAUNDERS<br/>IntelWINSTON SAUNDERS
Intel

Winston Saunders has worked at Intel for nearly two decades and currently works on making the data center more secure and efficient. Winston is a graduate of UC Berkeley and the University of Washington. You can find him online at “Winston on Energy” on Twitter.

Data center security is of increasing concern, with data breaches and cyber vulnerabilities more and more in the news headlines. The recent Symantec’s threat report (PDF)  highlighted more “zero day” attacks in 2013 than in the two previous years combined. Verizon’s Data Breach Investigations Report  shows data breached and  cyber attacks at levels substantially above previous years.

While this dire news can leave one feeling helpless, it’s useful to look deeper into the causes of some of the more prevalent cyber events to understand what proactive roles we can play in preventing or mitigating them, both from the standpoint of our industry and from the standpoint of business responsibilities.

Two of most infamous and far-reaching cyber-security events of recent memory are the Point of Sale attack on Target  during the 2013 Holiday season and the even more recent Heartbleed vulnerability discovered in the OpenSSL library. Both affected millions of people’s information privacy, were well publicized, and were preventable by known, low cost and common best practices.

In the case of Target, as is still the case with many companies, the responsibility for information security was reported to have fallen to many individuals. Although not explicitly stated, it’s reasonable to guess that none of the many executives had information security as their primary job role.

In an excellent podcast, Eric Cole highlights why this is a problem. In his example, the CIO is primarily responsible for system availability. While availability is certainly important, it is only one-third of the CIA-triad of Confidentiality, Integrity and Availability. Information security mandates these interests be balanced, and the only way to ensure split organizational incentives to not get in the way, Cole argues, is to ensure the CSO and CIO work at peer levels. Could simple organizational change have helped Target? It’s impossible to say in retrospect, but Target does appear to be heading in that direction.

The case of Heartbleed is even more important to understand the root causes. According to many reports, the vulnerability was exposed when a new version of the code was “checked in” which neglect to do a check on the keep alive heartbeat data length. Allowing data fields to exceed their intended length is one of the most basic kind of attack. In fact, it is such a common an basic coding practice that even the most basic security audit would expose the vulnerability.

Why was it missed? Nobody knows for sure. But as The New York Times reported , the attention and funding given OpenSSL was far less than other important elements of the open source world. The assumption is that because the code is “open,” many eyes will quickly discover all vulnerabilities. But the result again was the same; when everyone is responsible, nobody is. Security for whatever reason was not given the attention it was due.

Both Heartbleed and the Target breach share a common root cause: preventable vulnerabilities. If we adopt the frame of mind that “all vulnerabilities are preventable” we can see that shared responsibility, whether among multiple individuals or a single individual with too many responsibilities, can diminish the attention needed to do a thorough job. And as the above examples highlight, detecting vulnerabilities is serious work, for the consequences of failure can be quite severe.

What is the lesson learned and challenge for your company? It all boils down to risk management. Who has the responsibility to identify and manage information security risk in your company and do they have adequate resources to do their job effectively? If the answer is not an easy, “yes,” it may be worth a deeper look, lest your company end up in what may be a long series of headlines.

Note: After this post was filed, Target removed its CEO, Gregg Steinhafel, making him the first CEO to be fired over a significant data breach.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.

Add Your Comments

  • (will not be published)